authorStephen J. Kiernan <stevek@FreeBSD.org>2019-05-17 18:02:26 +0000
committerStephen J. Kiernan <stevek@FreeBSD.org>2019-05-17 18:02:26 +0000
commit9ce904dfde0ce588eea3f090adf79f54a56c6c2e (patch)
treeba075803a864a7fe14a3299ae05f87b5d72e6096 /sys
parent3da3012ace35d97e4e41ae256e63119786c36596 (diff)
Protect commands that are considered dangerous with checks for kmem write
priv. This allows MAC/veriexec to prevent apps that are not "trusted" from using these commands.
Obtained from: Juniper Networks, Inc.
MFC after: 1 week
Notes
Notes: svn path=/head/; revision=347934
Diffstat (limited to 'sys')
-rw-r--r--sys/dev/veriexec/verified_exec.c44
1 files changed, 33 insertions, 11 deletions
diff --git a/sys/dev/veriexec/verified_exec.c b/sys/dev/veriexec/verified_exec.c
index 8f255ed9efc2..12f69433e528 100644
--- a/sys/dev/veriexec/verified_exec.c
+++ b/sys/dev/veriexec/verified_exec.c
@@ -1,7 +1,7 @@
/*
* $FreeBSD$
*
- * Copyright (c) 2011-2013, 2015, Juniper Networks, Inc.
+ * Copyright (c) 2011-2013, 2015, 2019 Juniper Networks, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -44,6 +44,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/vnode.h>
@@ -70,6 +71,37 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
struct verified_exec_params *params;
int error = 0;
+ /*
+ * These commands are considered safe requests for anyone who has
+ * permission to access to device node.
+ */
+ switch (cmd) {
+ case VERIEXEC_GETSTATE:
+ {
+ int *ip = (int *)data;
+
+ if (ip)
+ *ip = mac_veriexec_get_state();
+ else
+ error = EINVAL;
+
+ return (error);
+ }
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Anything beyond this point is considered dangerous, so we need to
+ * only allow processes that have kmem write privs to do them.
+ *
+ * MAC/veriexec will grant kmem write privs to "trusted" processes.
+ */
+ error = priv_check(td, PRIV_KMEM_WRITE);
+ if (error)
+ return (error);
+
params = (struct verified_exec_params *)data;
switch (cmd) {
case VERIEXEC_ACTIVE:
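Review bot: The `break;` after `return (error);` in the VERIEXEC_GETSTATE arm is unreachable and should be dropped, and since that arm is the only case in the first switch, a plain `if (cmd == VERIEXEC_GETSTATE)` would read more clearly than a switch with an empty `default`. The ordering itself looks right: every command other than GETSTATE, including unknown ones, reaches `priv_check(td, PRIV_KMEM_WRITE)` before the second switch, so the gate fails closed. The comment above the check could state what it means on a system without a policy module, e.g. `Without a MAC policy restricting PRIV_KMEM_WRITE this presumably reduces to the usual root check.` — worth confirming against priv_check() before committing to that wording. The `if (ip)` test on the ioctl data pointer looks redundant for a kernel-supplied buffer, but whether `data` can be NULL depends on the ioctl encoding, which is not visible here. verifiedexecioctl begins before this hunk and continues past it; separately, `permission to access to device node` should read `permission to access the device node`.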
@@ -106,16 +138,6 @@ verifiedexecioctl(struct cdev *dev __unused, u_long cmd, caddr_t data,
error = EINVAL;
mtx_unlock(&ve_mutex);
break;
- case VERIEXEC_GETSTATE:
- {
- int *ip = (int *)data;
-
- if (ip)
- *ip = mac_veriexec_get_state();
- else
- error = EINVAL;
- }
- break;
case VERIEXEC_LOCK:
mtx_lock(&ve_mutex);
mac_veriexec_set_state(VERIEXEC_STATE_LOCKED);