From 15c362aeb7784385cb464fa364cbdd7a1e64e787 Mon Sep 17 00:00:00 2001 From: Wojciech Macek Date: Wed, 29 Jun 2022 10:48:01 +0200 Subject: [PATCH] mac_veriexec: Authorize reads of secured sysctls Writes to sysctls flagged with CTLFLAG_SECURE are blocked if the appropriate secure level is set. mac_veriexec does not behave this way, it blocks such sysctls in read-only mode as well. This change aims to make mac_veriexec behave like secure levels, as it was meant by the original commit ed377cf41. Reviewed by: sjg Differential revision: https://reviews.freebsd.org/D34327 Obtained from: Stormshield --- sys/security/mac_veriexec/mac_veriexec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index 7a5b747ef7a2..99a76abd4afb 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -437,7 +437,7 @@ mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp, return (0); oid = oidp; - if (oid->oid_kind & CTLFLAG_SECURE) { + if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { return (EPERM); /* XXX call mac_veriexec_priv_check? */ } return 0;