HBSD: Ungate the privilege checks for KLD-related syscalls

There's no need to gate the privilege checks with HARDEN_KLD. They're useful outside of HARDEN_KLD. Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> issue: #22 MFC-to: 12-STABLE MFC-with: 155335e
HardenedBSD · Dec 13, 2020 · fc99fc6 · fc99fc6
1 parent 155335e
commit fc99fc6
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 19 deletions.
diff --git a/sys/kern/kern_module.c b/sys/kern/kern_module.c
@@ -314,13 +314,10 @@ sys_modnext(struct thread *td, struct modnext_args *uap)
 	module_t mod;
 	int error;
 
-#ifdef HARDEN_KLD
 	error = priv_check(td, PRIV_KLD_STAT);
 	if (error)
 		return (error);
-#else
 	error = 0;
-#endif
 
 	td->td_retval[0] = -1;
 
@@ -353,11 +350,9 @@ sys_modfnext(struct thread *td, struct modfnext_args *uap)
 	module_t mod;
 	int error;
 
-#ifdef HARDEN_KLD
 	error = priv_check(td, PRIV_KLD_STAT);
 	if (error)
 		return (error);
-#endif
 
 	td->td_retval[0] = -1;
 
@@ -393,11 +388,9 @@ sys_modstat(struct thread *td, struct modstat_args *uap)
 	struct module_stat *stat;
 	char *name;
 
-#ifdef HARDEN_KLD
 	error = priv_check(td, PRIV_KLD_STAT);
 	if (error)
 		return (error);
-#endif
 
 	MOD_SLOCK;
 	mod = module_lookupbyid(uap->modid);
@@ -449,11 +442,9 @@ sys_modfind(struct thread *td, struct modfind_args *uap)
 	char name[MAXMODNAME];
 	module_t mod;
 
-#ifdef HARDEN_KLD
 	error = priv_check(td, PRIV_KLD_STAT);
 	if (error)
 		return (error);
-#endif
 
 	if ((error = copyinstr(uap->name, name, sizeof name, 0)) != 0)
 		return (error);
@@ -502,11 +493,9 @@ freebsd32_modstat(struct thread *td, struct freebsd32_modstat_args *uap)
 	struct module_stat32 *stat32;
 	char *name;
 
-#ifdef HARDEN_KLD
 	error = priv_check(td, PRIV_KLD_STAT);
 	if (error)
 		return (error);
-#endif
 
 	MOD_SLOCK;
 	mod = module_lookupbyid(uap->modid);

diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
@@ -271,26 +271,19 @@ priv_check_cred(struct ucred *cred, int priv)
 		}
 	}
 
-#if !defined(HARDEN_KLD)
 	/*
-	 * Inspecting kernel module information should be root-only
-	 * when PAX_HARDENING is set.
+	 * Inspecting kernel module information should be root-only.
 	 */
 	if (priv == PRIV_KLD_STAT) {
 		error = 0;
 		goto out;
 	}
-#endif
 
 	if (priv == PRIV_SYSCTL_ROOTONLY) {
-#ifdef PAX_HARDENING
 		if (cred->cr_uid == 0) {
-#endif
 			error = 0;
 			goto out;
-#ifdef PAX_HARDENING
 		}
-#endif
 	}
 
 	/*