mac_veriexec: Authorize reads of secured sysctls
ClosedPublic
Actions

Authored by sebastien.bini_stormshield.eu on Feb 21 2022, 10:21 AM.

Details

Reviewers

stevek
sjg
kd
wma

Commits

rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls

Summary

Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well.

This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 44522
Build 41410: arc lint + arc unit

Event Timeline

sebastien.bini_stormshield.eu created this revision.Feb 21 2022, 10:21 AM

Herald added subscribers: Contributor Reviews (src), dab, imp. · View Herald TranscriptFeb 21 2022, 10:21 AM

sebastien.bini_stormshield.eu requested review of this revision.Feb 21 2022, 10:21 AM

Harbormaster completed remote builds in B44522: Diff 103023.Feb 21 2022, 10:21 AM

sebastien.bini_stormshield.eu retitled this revision from Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well. to mac_veriexec: Authorize reads of secured sysctls.Feb 21 2022, 10:23 AM

sebastien.bini_stormshield.eu edited the summary of this revision. (Show Details)

sebastien.bini_stormshield.eu added reviewers: stevek, sjg, kd, wma.

Thanks

This revision is now accepted and ready to land.Feb 21 2022, 5:13 PM

Closed by commit rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls (authored by wma). · Explain WhyJun 29 2022, 8:49 AM

This revision was automatically updated to reflect the committed changes.

wma added a commit: rG15c362aeb778: mac_veriexec: Authorize reads of secured sysctls.