Date: Sat, 14 Jul 2018 13:25:04 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: "Stephen J. Kiernan" <stevek@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r336289 - head/sys/security/mac_veriexec
Message-ID: <20180714172504.p4zntlfveopmui2o@mutt-hbsd>
In-Reply-To: <201807141721.w6EHLHIU047725@repo.freebsd.org>
References: <201807141721.w6EHLHIU047725@repo.freebsd.org>

Hey Stephen,

On Sat, Jul 14, 2018 at 05:21:17PM +0000, Stephen J. Kiernan wrote:
> Author: stevek
> Date: Sat Jul 14 17:21:16 2018
> New Revision: 336289
> URL: https://svnweb.freebsd.org/changeset/base/336289
>
> Log:
>   Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
>   In the method, disallow changing SUID/SGID on verified files.
>
>   Obtained from: Juniper Networks, Inc.
>
> Modified:
>   head/sys/security/mac_veriexec/mac_veriexec.c
>
> Modified: head/sys/security/mac_veriexec/mac_veriexec.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:20:27 201= 8 (r336288) > +++ head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:21:16 201= 8 (r336289) 
> @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, st= ru > } > =20 > /** > + * @brief Check mode changes on file to ensure they should be allowed. > + * > + * We cannot allow chmod of SUID or SGID on verified files. > + * > + * @param cred credentials to use > + * @param vp vnode of the file to open > + * @param label vnode label assigned to the vnode > + * @param mode mode flags to set > + * > + * @return 0 if the mode change should be allowed, EAUTH otherwise. > + */ > +static int > +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, > + struct label *label __unused, mode_t mode) > +{ > + int error; > + > + if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) =3D=3D 0) > + return (0); > + > + /* > + * Do not allow chmod (set-[gu]id) of verified file > + */ > + error =3D mac_veriexec_check_vp(cred, vp, VVERIFY); > + if (error =3D=3D EAUTH) /* it isn't verified */

Is EAUTH the right error to return? errno(2) shows that EAUTH signifies: "Authentication error. Attempted to use an invalid authentication ticket to mount a NFS file system." Perhaps EPERM would be better suited?

> + return (0); > + if (error =3D=3D 0 && (mode & (S_ISUID|S_ISGID)) !=3D 0) > + return (EAUTH); > + return (0); > +} > + > +/** > * @internal > * @brief Initialize the mac_veriexec MAC policy > * 
> @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops =3D > .mpo_proc_check_debug =3D mac_veriexec_proc_check_debug, > .mpo_vnode_check_exec =3D mac_veriexec_vnode_check_exec, > .mpo_vnode_check_open =3D mac_veriexec_vnode_check_open, > + .mpo_vnode_check_setmode =3D mac_veriexec_vnode_check_setmode, > .mpo_vnode_copy_label =3D mac_veriexec_copy_label, > .mpo_vnode_destroy_label =3D mac_veriexec_vnode_destroy_label, > .mpo_vnode_init_label =3D mac_veriexec_vnode_init_label,

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
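
Review bot: In mac_veriexec_vnode_check_setmode (first hunk), if mac_veriexec_check_vp() can return anything other than 0 or EAUTH, that result falls through to the final return (0), so a request that sets S_ISUID or S_ISGID is allowed whenever the verification status could not be determined. If that fail-open behaviour is intended, the comment above the call should say so; otherwise handle the remaining error values explicitly. Testing (mode & (S_ISUID|S_ISGID)) first and returning 0 when neither bit is set would also avoid the verification call for ordinary mode changes and make the separate "if (error == EAUTH) return (0);" branch unnecessary. In the doc comment, "@param vp vnode of the file to open" reads as carried over from mac_veriexec_vnode_check_open and should describe the file whose mode is being changed.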