Unverified Commit 9291b24e authored by Shawn Webb's avatar Shawn Webb

Allow conditional deletion and modification of files.



While here, remove code that shouldn't have been. Only rules that are
protected by Integriforce should prevent modification. Files with PaX
rules can still be modified.

Only allow deletion of Integriforce-protected files or files with PaX
rules if the rule pertaining to that file is disabled. Under no
circumstances allow deletion of files under Integriforce in whitelist
mode.
Signed-off-by: Shawn Webb's avatarShawn Webb <shawn.webb@hardenedbsd.org>
github-issue:	#10
parent 800f2f3d
......@@ -214,30 +214,16 @@ secadm_vnode_check_open(struct ucred *ucred, struct vnode *vp,
rule = RB_FIND(secadm_rules_tree, &(entry->sp_rules), &r);
if (rule) {
printf(
"[SECADM] Prevented modification of (%s): "
"protected by a SECADM rule.\n",
rule->sr_integriforce_data->si_path);
PE_RUNLOCK(entry);
return (EPERM);
}
}
if (entry->sp_num_pax_rules) {
key.sk_type = secadm_pax_rule;
r.sr_key = fnv_32_buf(&key, sizeof(secadm_key_t), FNV1_32_INIT);
rule = RB_FIND(secadm_rules_tree, &(entry->sp_rules), &r);
if (rule) {
printf(
"[SECADM] Prevented modification of (%s): "
"protected by a SECADM rule.\n",
rule->sr_pax_data->sp_path);
if (rule->sr_active ||
(entry->sp_integriforce_flags & SECADM_INTEGRIFORCE_FLAGS_WHITELIST)) {
printf(
"[SECADM] Prevented modification of (%s): "
"protected by a SECADM rule.\n",
rule->sr_integriforce_data->si_path);
PE_RUNLOCK(entry);
return (EPERM);
PE_RUNLOCK(entry);
return (EPERM);
}
}
}
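Review bot: The `printf` under the new `if (rule->sr_active || (entry->sp_integriforce_flags & SECADM_INTEGRIFORCE_FLAGS_WHITELIST))` now fires for two distinct reasons — an active rule, or a disabled rule overridden by whitelist mode — yet the message is still the single "protected by a SECADM rule" text, so an operator reading the log cannot tell which case denied the open; the unlink check in the second hunk has the same shape. Passing the reason as an argument, e.g. `rule->sr_active ? "active SECADM rule" : "Integriforce whitelist mode"` into a `%s` in the format, would keep the audit trail useful. The fall-through case (rule present but disabled, whitelist mode off) logs nothing, although per the commit message it is the path that now lets a hash-protected file be rewritten and leaves the stored Integriforce hash stale until the rule is refreshed; a one-line `printf` there, e.g. `printf("[SECADM] Allowed modification of (%s): rule disabled.\n", rule->sr_integriforce_data->si_path);` (constructed wording), would make that visible. Stylistically, the nested `if (rule) { if (…) {` here and in the unlink hunk could use the flat `if (rule && …)` form the third hunk already uses. secadm_vnode_check_open begins and ends outside this hunk, so I cannot confirm where PE_RUNLOCK is released on the fall-through path.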
......@@ -277,13 +263,16 @@ secadm_vnode_check_unlink(struct ucred *ucred, struct vnode *dvp,
rule = RB_FIND(secadm_rules_tree, &(entry->sp_rules), &r);
if (rule) {
printf(
"[SECADM] Prevented unlink of (%s): "
"protected by a SECADM rule.\n",
rule->sr_integriforce_data->si_path);
if (rule->sr_active ||
(entry->sp_integriforce_flags & SECADM_INTEGRIFORCE_FLAGS_WHITELIST)) {
printf(
"[SECADM] Prevented unlink of (%s): "
"protected by a SECADM rule.\n",
rule->sr_integriforce_data->si_path);
PE_RUNLOCK(entry);
return (EPERM);
PE_RUNLOCK(entry);
return (EPERM);
}
}
}
......@@ -293,7 +282,7 @@ secadm_vnode_check_unlink(struct ucred *ucred, struct vnode *dvp,
rule = RB_FIND(secadm_rules_tree, &(entry->sp_rules), &r);
if (rule) {
if (rule && rule->sr_active) {
printf(
"[SECADM] Prevented unlink of (%s): "
"protected by a SECADM rule.\n",
......