mac_veriexec: Authorize reads of secured sysctls
ClosedPublic
Actions

Authored by sebastien.bini_stormshield.eu on Feb 21 2022, 10:21 AM.

Details

Reviewers

stevek
sjg
kd
wma

Commits

rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls

Summary

Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well.

This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

sebastien.bini_stormshield.eu created this revision.Feb 21 2022, 10:21 AM

Herald added subscribers: Contributor Reviews (src), dab, imp. · View Herald TranscriptFeb 21 2022, 10:21 AM

sebastien.bini_stormshield.eu requested review of this revision.Feb 21 2022, 10:21 AM

Harbormaster completed remote builds in B44522: Diff 103023.Feb 21 2022, 10:21 AM

sebastien.bini_stormshield.eu retitled this revision from Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well. to mac_veriexec: Authorize reads of secured sysctls.Feb 21 2022, 10:23 AM

sebastien.bini_stormshield.eu edited the summary of this revision. (Show Details)

sebastien.bini_stormshield.eu added reviewers: stevek, sjg, kd, wma.

Thanks

This revision is now accepted and ready to land.Feb 21 2022, 5:13 PM

Closed by commit rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls (authored by wma). · Explain WhyJun 29 2022, 8:49 AM

This revision was automatically updated to reflect the committed changes.

wma added a commit: rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls.