Re: svn commit: r336289 - head/sys/security/mac_veriexec

2018-07-14 Thread Shawn Webb
Hey Stephen,

On Sat, Jul 14, 2018 at 05:21:17PM +, Stephen J. Kiernan wrote:
> Author: stevek
> Date: Sat Jul 14 17:21:16 2018
> New Revision: 336289
> URL: https://svnweb.freebsd.org/changeset/base/336289
> 
> Log:
>   Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
>   In the method, disallow changing SUID/SGID on verified files.
>   
>   Obtained from:  Juniper Networks, Inc.
> 
> Modified:
>   head/sys/security/mac_veriexec/mac_veriexec.c
> 
> Modified: head/sys/security/mac_veriexec/mac_veriexec.c
> ==
> --- head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:20:27 
> 2018(r336288)
> +++ head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:21:16 
> 2018(r336289)
> @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, stru
>  }
>  
>  /**
> + * @brief Check mode changes on file to ensure they should be allowed.
> + *
> + * We cannot allow chmod of SUID or SGID on verified files.
> + *
> + * @param cred   credentials to use
> + * @param vp vnode of the file to open
> + * @param label  vnode label assigned to the vnode
> + * @param mode   mode flags to set
> + *
> + * @return 0 if the mode change should be allowed, EAUTH otherwise.
> + */
> +static int
> +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
> +struct label *label __unused, mode_t mode)
> +{
> + int error;
> +
> + if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
> + return (0);
> +
> + /*
> +  * Do not allow chmod (set-[gu]id) of verified file
> +  */
> + error = mac_veriexec_check_vp(cred, vp, VVERIFY);
> + if (error == EAUTH) /* it isn't verified */

Is EAUTH the right error to return? errno(2) shows that EAUTH
signifies: "Authentication error. Attempted to use an invalid
authentication ticket to mount a NFS file system."

Perhaps EPERM would be better suited?

> + return (0);
> + if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
> + return (EAUTH);
> + return (0);
> +}
> +
> +/**
>   * @internal
>   * @brief Initialize the mac_veriexec MAC policy
>   *
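
Review bot: the doc comment's "@param vp" line reads "vnode of the file to open", which looks carried over from mac_veriexec_vnode_check_open just above; for this method it should describe the file whose mode is being changed. The "@return" line also says EAUTH is returned "otherwise", while the body returns EAUTH only when enforcement is on, the file is verified, and the requested mode has S_ISUID or S_ISGID set; spelling those conditions out would make the contract clear to callers.
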
> @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =
>   .mpo_proc_check_debug = mac_veriexec_proc_check_debug,
>   .mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
>   .mpo_vnode_check_open = mac_veriexec_vnode_check_open,
> + .mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
>   .mpo_vnode_copy_label = mac_veriexec_copy_label,
>   .mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
>   .mpo_vnode_init_label = mac_veriexec_vnode_init_label,

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:+1 443-546-8752
Tor+XMPP+OTR:latt...@is.a.hacker.sx
GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




svn commit: r336289 - head/sys/security/mac_veriexec

2018-07-14 Thread Stephen J. Kiernan
Author: stevek
Date: Sat Jul 14 17:21:16 2018
New Revision: 336289
URL: https://svnweb.freebsd.org/changeset/base/336289

Log:
  Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
  In the method, disallow changing SUID/SGID on verified files.
  
  Obtained from:  Juniper Networks, Inc.

Modified:
  head/sys/security/mac_veriexec/mac_veriexec.c

Modified: head/sys/security/mac_veriexec/mac_veriexec.c
==
--- head/sys/security/mac_veriexec/mac_veriexec.c   Sat Jul 14 17:20:27 
2018(r336288)
+++ head/sys/security/mac_veriexec/mac_veriexec.c   Sat Jul 14 17:21:16 
2018(r336289)
@@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, stru
 }
 
 /**
+ * @brief Check mode changes on file to ensure they should be allowed.
+ *
+ * We cannot allow chmod of SUID or SGID on verified files.
+ *
+ * @param cred credentials to use
+ * @param vp   vnode of the file to open
+ * @param labelvnode label assigned to the vnode
+ * @param mode mode flags to set
+ *
+ * @return 0 if the mode change should be allowed, EAUTH otherwise.
+ */
+static int
+mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
+struct label *label __unused, mode_t mode)
+{
+   int error;
+
+   if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
+   return (0);
+
+   /*
+* Do not allow chmod (set-[gu]id) of verified file
+*/
+   error = mac_veriexec_check_vp(cred, vp, VVERIFY);
+   if (error == EAUTH) /* it isn't verified */
+   return (0);
+   if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
+   return (EAUTH);
+   return (0);
+}
+
+/**
  * @internal
  * @brief Initialize the mac_veriexec MAC policy
  *
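
Review bot: the final "return (0);" in mac_veriexec_vnode_check_setmode allows the mode change for every result of mac_veriexec_check_vp other than 0, so any value besides EAUTH is handled exactly like "it isn't verified" and a set-[gu]id chmod goes through. If that is intended, the "if (error == EAUTH)" branch is redundant and the comment should say that all failures are treated as unverified; if it is not, return the unexpected error instead of 0 so the check fails closed. The test on "mode & (S_ISUID|S_ISGID)" also only looks at the requested mode, so clearing the bits on a verified file is allowed while re-applying bits the file already has is denied; a sentence in the comment stating that this is the intended meaning of "disallow changing SUID/SGID" would help.
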
@@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =
.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
+   .mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
.mpo_vnode_copy_label = mac_veriexec_copy_label,
.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
.mpo_vnode_init_label = mac_veriexec_vnode_init_label,
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"