The branch main has been updated by wma:
URL:
https://cgit.FreeBSD.org/src/commit/?id=15c362aeb7784385cb464fa364cbdd7a1e64e787
commit 15c362aeb7784385cb464fa364cbdd7a1e64e787
Author: Wojciech Macek <w...@freebsd.org>
AuthorDate: 2022-06-29 08:48:01 +0000
Commit: Wojciech Macek <w...@freebsd.org>
CommitDate: 2022-06-29 08:48:01 +0000
mac_veriexec: Authorize reads of secured sysctls
Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the
appropriate secure level is set. mac_veriexec does not behave this way, it
blocks such sysctls in read-only mode as well.
This change aims to make mac_veriexec behave like secure levels, as it was
meant by the original commit ed377cf41.
Reviewed by: sjg
Differential revision: https://reviews.freebsd.org/D34327
Obtained from: Stormshield
---
sys/security/mac_veriexec/mac_veriexec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/security/mac_veriexec/mac_veriexec.c
b/sys/security/mac_veriexec/mac_veriexec.c
index 7a5b747ef7a2..99a76abd4afb 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -437,7 +437,7 @@ mac_veriexec_sysctl_check(struct ucred *cred, struct
sysctl_oid *oidp,
return (0);
oid = oidp;
- if (oid->oid_kind & CTLFLAG_SECURE) {
+ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
return (EPERM); /* XXX call mac_veriexec_priv_check? */
}
return 0;
