upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

mac_veriexec: Authorize reads of secured sysctls

Browse source 
Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well.

This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41.

Reviewed by:		sjg
Differential revision:	https://reviews.freebsd.org/D34327
Obtained from:		Stormshield
This commit is contained in:
Wojciech Macek 2022-06-29 10:48:01 +02:00
parent 8cff8e6e13
commit 15c362aeb7
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
sys/security/mac_veriexec/mac_veriexec.c
View file

@ -437,7 +437,7 @@ mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp,
return (0);
oid = oidp;
if (oid->oid_kind & CTLFLAG_SECURE) {
if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
return (EPERM); /* XXX call mac_veriexec_priv_check? */
}
return 0;