Hey Stephen, On Sat, Jul 14, 2018 at 05:21:17PM +0000, Stephen J. Kiernan wrote: > Author: stevek > Date: Sat Jul 14 17:21:16 2018 > New Revision: 336289 > URL: https://svnweb.freebsd.org/changeset/base/336289 > > Log: > Add mpo_vnode_check_setmode MAC method to MAC/veriexec. > In the method, disallow changing SUID/SGID on verified files. > > Obtained from: Juniper Networks, Inc. > > Modified: > head/sys/security/mac_veriexec/mac_veriexec.c > > Modified: head/sys/security/mac_veriexec/mac_veriexec.c > ============================================================================== > --- head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:20:27 > 2018 (r336288) > +++ head/sys/security/mac_veriexec/mac_veriexec.c Sat Jul 14 17:21:16 > 2018 (r336289) > @@ -550,6 +550,38 @@ mac_veriexec_vnode_check_open(struct ucred *cred, stru > } > > /** > + * @brief Check mode changes on file to ensure they should be allowed. > + * > + * We cannot allow chmod of SUID or SGID on verified files. > + * > + * @param cred credentials to use > + * @param vp vnode of the file to open > + * @param label vnode label assigned to the vnode > + * @param mode mode flags to set > + * > + * @return 0 if the mode change should be allowed, EAUTH otherwise. > + */ > +static int > +mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, > + struct label *label __unused, mode_t mode) > +{ > + int error; > + > + if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) > + return (0); > + > + /* > + * Do not allow chmod (set-[gu]id) of verified file > + */ > + error = mac_veriexec_check_vp(cred, vp, VVERIFY); > + if (error == EAUTH) /* it isn't verified */
Is EAUTH the right error to return? errno(2) shows that EAUTH signifies: "Authentication error. Attempted to use an invalid authentication ticket to mount a NFS file system." Perhaps EPERM would be better suited? > + return (0); > + if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0) > + return (EAUTH); > + return (0); > +} > + > +/** > * @internal > * @brief Initialize the mac_veriexec MAC policy > * > @@ -673,6 +705,7 @@ static struct mac_policy_ops mac_veriexec_ops = > .mpo_proc_check_debug = mac_veriexec_proc_check_debug, > .mpo_vnode_check_exec = mac_veriexec_vnode_check_exec, > .mpo_vnode_check_open = mac_veriexec_vnode_check_open, > + .mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode, > .mpo_vnode_copy_label = mac_veriexec_copy_label, > .mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label, > .mpo_vnode_init_label = mac_veriexec_vnode_init_label, Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: latt...@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE