Date:      Fri, 17 May 2019 18:02:26 +0000 (UTC)
From:      "Stephen J. Kiernan" <stevek@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r347934 - head/sys/dev/veriexec
Message-ID:  <201905171802.x4HI2QpV090926@repo.freebsd.org>

Author: stevek
Date: Fri May 17 18:02:26 2019
New Revision: 347934
URL: https://svnweb.freebsd.org/changeset/base/347934

Log:
  Protect commands that are considered dangerous with checks for kmem write
  priv. This allows for MAC/veriexec to prevent apps that are not "trusted"
  from using these commands.
  
  Obtained from:	Juniper Networks, Inc.
  MFC after:	1 week

Modified:
  head/sys/dev/veriexec/verified_exec.c

Modified: head/sys/dev/veriexec/verified_exec.c
==============================================================================
--- head/sys/dev/veriexec/verified_exec.c	Fri May 17 17:50:01 2019	(r347933)
+++ head/sys/dev/veriexec/verified_exec.c	Fri May 17 18:02:26 2019	(r347934)
@@ -1,7 +1,7 @@
 /*
  * $FreeBSD$
  *
- * Copyright (c) 2011-2013, 2015, Juniper Networks, Inc.
+ * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44,6 +44,7 @@
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/namei.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/queue.h>
 #include <sys/vnode.h>
@@ -70,6 +71,37 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
 	struct verified_exec_params *params;
 	int error = 0;
 
+	/*
+	 * These commands are considered safe requests for anyone who has
+	 * permission to access to device node.
+	 */
+	switch (cmd) {
+	case VERIEXEC_GETSTATE:
+		{
+			int *ip = (int *)data;
+
+			if (ip)
+				*ip = mac_veriexec_get_state();
+			else
+			    error = EINVAL;
+
+			return (error);
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Anything beyond this point is considered dangerous, so we need to
+	 * only allow processes that have kmem write privs to do them.
+	 *
+	 * MAC/veriexec will grant kmem write privs to "trusted" processes.
+	 */
+	error = priv_check(td, PRIV_KMEM_WRITE);
+	if (error)
+		return (error);
+
 	params = (struct verified_exec_params *)data;
 	switch (cmd) {
 	case VERIEXEC_ACTIVE:
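Review bot: In the new VERIEXEC_GETSTATE case the `break;` that follows `return (error);` is dead code, and `error = EINVAL;` is indented with spaces while the surrounding added lines use tabs, so the block does not follow style(9); the case can be written without the dead branch as `if (ip == NULL) return (EINVAL);` / `*ip = mac_veriexec_get_state();` / `return (0);`. The comment introducing that switch also reads `permission to access to device node`; suggest `permission to access the device node`. The privilege gate itself is fail-closed as written, since every cmd other than VERIEXEC_GETSTATE falls through `default: break;` into `priv_check(td, PRIV_KMEM_WRITE)` before the second switch is reached, which is the right shape for a command allow-list. Note that verifiedexecioctl's prologue and the dangerous-command switch starting at `case VERIEXEC_ACTIVE:` both extend outside this hunk, so the set of commands now covered by the gate cannot be confirmed from the hunk alone.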
@@ -105,16 +137,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cm
 		else
 			error = EINVAL;
 		mtx_unlock(&ve_mutex);
-		break;
-	case VERIEXEC_GETSTATE:
-		{
-			int *ip = (int *)data;
-			
-			if (ip)
-				*ip = mac_veriexec_get_state();
-			else
-			    error = EINVAL;
-		}
 		break;
 	case VERIEXEC_LOCK:
 		mtx_lock(&ve_mutex);


