git: 559e41a11b32 - main - veriexec: Improve comments

Tue, 14 Mar 2023 22:00:33 -0700 

The branch main has been updated by imp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=559e41a11b325b4292531069a697ce6da7e2e4fa

commit 559e41a11b325b4292531069a697ce6da7e2e4fa
Author:     Warner Losh <[email protected]>
AuthorDate: 2023-03-15 04:59:20 +0000
Commit:     Warner Losh <[email protected]>
CommitDate: 2023-03-15 05:00:16 +0000

    veriexec: Improve comments
    
    Make it clear we're checking to see if the target is a verified file and
    prevent its replacement if so.
    
    Sponsored by:           Netflix
    Reviewed by:            rpokala
    Differential Revision:  https://reviews.freebsd.org/D39079
---
 sys/security/mac_veriexec/mac_veriexec.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/sys/security/mac_veriexec/mac_veriexec.c 
b/sys/security/mac_veriexec/mac_veriexec.c
index 6f06a8577212..e377f61ad21c 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -602,11 +602,11 @@ mac_veriexec_vnode_check_unlink(struct ucred *cred, 
struct vnode *dvp __unused,
        if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
                return (0);
 
-       /*
-        * Check if it's a verified file
-        */
        error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-       if (error == 0) {             /* file is verified */
+       if (error == 0) {
+               /*
+                * The target is verified, so disallow replacement.
+                */
                MAC_VERIEXEC_DBG(2,
     "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);
 
@@ -643,11 +643,11 @@ mac_veriexec_vnode_check_rename_from(struct ucred *cred,
        if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
                return (0);
 
-       /*
-        * Check if it's a verified file
-        */
        error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-       if (error == 0) {            /* file is verified */
+       if (error == 0) {
+               /*
+                * The target is verified, so disallow replacement.
+                */
                MAC_VERIEXEC_DBG(2,
     "(RENAME_FROM) attempted to rename a protected file (euid: %u)", 
cred->cr_uid);
                return (EAUTH);
@@ -692,11 +692,11 @@ mac_veriexec_vnode_check_rename_to(struct ucred *cred, 
struct vnode *dvp __unuse
        if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
                return (0);
 
-       /*
-        * Check if it's a verified file
-        */
        error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-       if (error == 0) {             /* file is verified */
+       if (error == 0) {
+               /*
+                * The target is verified, so disallow replacement.
+                */
                MAC_VERIEXEC_DBG(2,
     "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", 
cred->cr_uid);
                return (EAUTH);
@@ -727,13 +727,14 @@ mac_veriexec_vnode_check_setmode(struct ucred *cred, 
struct vnode *vp,
                return (0);
 
        /*
-        * Do not allow chmod (set-[gu]id) of verified file
+        * Prohibit chmod of verified set-[gu]id file.
         */
        error = mac_veriexec_check_vp(cred, vp, VVERIFY);
-       if (error == EAUTH)             /* it isn't verified */
+       if (error == EAUTH)             /* target not verified */
                return (0);
        if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
                return (EAUTH);
+
        return (0);
 }

Reply via email to