From 97d75abb70a730a75afe7f475c017d0b99da85bf Mon Sep 17 00:00:00 2001
From: elad
Date: Fri, 17 Jun 2005 22:39:08 +0000
Subject: [PATCH] Oops. Don't allow file delete even if it's not monitored if we're in lockdown mode (strict level 3).
---
 sys/kern/kern_verifiedexec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/sys/kern/kern_verifiedexec.c b/sys/kern/kern_verifiedexec.c
index 02daa88648a7..606a938c5332 100644
--- a/sys/kern/kern_verifiedexec.c
+++ b/sys/kern/kern_verifiedexec.c
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $ */
+/* $NetBSD: kern_verifiedexec.c,v 1.27 2005/06/17 22:39:08 elad Exp $ */
 /*-
 * Copyright 2005 Elad Efrat
@@ -30,7 +30,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.27 2005/06/17 22:39:08 elad Exp $");
 #include
 #include
@@ -467,8 +467,13 @@ veriexec_removechk(struct proc *p, struct vnode *vp, const char *pathbuf)
 return (error);
 vhe = veriexec_lookup(va.va_fsid, va.va_fileid);
- if (vhe == NULL)
+ if (vhe == NULL) {
+ /* Lockdown mode: Deny access to non-monitored files. */
+ if (veriexec_strict >= 3)
+ return (EPERM);
+
 return (0);
+ }
 veriexec_report("Remove request.", pathbuf, &va, p, REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);
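Review bot: The new lockdown branch in veriexec_removechk returns EPERM without any report, while the monitored path just below logs through veriexec_report with REPORT_ALARM, so a denied delete of an unmonitored file at strict level 3 leaves no audit trace. Consider logging before the return, e.g. `veriexec_report("Remove request in lockdown mode.", pathbuf, &va, p, REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);`, or a quieter level if the alarm counter should stay reserved for monitored files. The bare `3` in `veriexec_strict >= 3` would also read better as a named constant for the lockdown level, so every place that enforces lockdown can be found by name. The function starts and continues outside this hunk, so other unmonitored-file paths (a rename check, if one exists) were not visible and may need the same rule.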