Date: Sat, 14 Jul 2018 13:25:04 -0400
From: Shawn Webb
To: "Stephen J. Kiernan"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r336289 - head/sys/security/mac_veriexec

Hey Stephen,

On Sat, Jul 14, 2018 at 05:21:17PM +0000, Stephen J. Kiernan wrote:
> Author: stevek
> Date: Sat Jul 14 17:21:16 2018
> New Revision: 336289
> URL: https://svnweb.freebsd.org/changeset/base/336289
>
> Log:
>   Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
>   In the method, disallow changing SUID/SGID on verified files.
>
>   Obtained from: Juniper Networks, Inc.
>=20 > Modified: > head/sys/security/mac_veriexec/mac_veriexec.c >=20 > Modified: head/sys/security/mac_veriexec/mac_veriexec.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:20:27 201= 8 (r336288) > +++ head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:21:16 201= 8 (r336289) > @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, st= ru > } > =20 > /** > + * @brief Check mode changes on file to ensure they should be allowed. > + * > + * We cannot allow chmod of SUID or SGID on verified files. > + * > + * @param cred credentials to use > + * @param vp vnode of the file to open > + * @param label vnode label assigned to the vnode > + * @param mode mode flags to set > + * > + * @return 0 if the mode change should be allowed, EAUTH otherwise. > + */ > +static int > +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, > + struct label *label __unused, mode_t mode) > +{ > + int error; > + > + if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) =3D=3D 0) > + return (0); > + > + /* > + * Do not allow chmod (set-[gu]id) of verified file > + */ > + error =3D mac_veriexec_check_vp(cred, vp, VVERIFY); > + if (error =3D=3D EAUTH) /* it isn't verified */ Is EAUTH the right error to return? errno(2) shows that EAUTH signifies: "Authentication error. Attempted to use an invalid authentication ticket to mount a NFS file system." Perhaps EPERM would be better suited? > + return (0); > + if (error =3D=3D 0 && (mode & (S_ISUID|S_ISGID)) !=3D 0) > + return (EAUTH); > + return (0); > +} > + > +/** > * @internal > * @brief Initialize the mac_veriexec MAC policy > * 
> @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =3D > .mpo_proc_check_debug =3D mac_veriexec_proc_check_debug, > .mpo_vnode_check_exec =3D mac_veriexec_vnode_check_exec, > .mpo_vnode_check_open =3D mac_veriexec_vnode_check_open, > + .mpo_vnode_check_setmode =3D mac_veriexec_vnode_check_setmode, > .mpo_vnode_copy_label =3D mac_veriexec_copy_label, > .mpo_vnode_destroy_label =3D mac_veriexec_vnode_destroy_label, > .mpo_vnode_init_label =3D mac_veriexec_vnode_init_label,

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
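
Review bot: in mac_veriexec_vnode_check_setmode(), every result of mac_veriexec_check_vp() other than 0 falls through to the final `return (0);`, so an unexpected error from the verification call permits the set-id mode change, and the explicit `if (error == EAUTH)` branch is redundant with that final return. Consider testing `(mode & (S_ISUID|S_ISGID)) == 0` first and returning early, which also avoids the verification call for mode changes that do not touch the set-id bits, and then stating explicitly what errors other than 0 and EAUTH should do. Separately, the doc comment's `@param vp vnode of the file to open` reads as copied from the open check and should describe the file whose mode is being changed.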