From 7bb4d1302cf76bf84a76232532a3b7d4d28554bf Mon Sep 17 00:00:00 2001
From: "Stephen J. Kiernan"
Date: Fri, 9 Jun 2023 10:38:07 -0400
Subject: veriexec: Do not save error from file info in fingerprint status

We do not want or need to propagate the error from fetching file info when determining the file status. It could cause open(2) and similar calls to fail when trying to access devices.
Obtained from: Juniper Networks, Inc.
---
 sys/security/mac_veriexec/veriexec_metadata.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sys/security')
diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 4ff635335e9f..4e25b1672575 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -516,9 +516,9 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
 status = mac_veriexec_get_fingerprint_status(vp);
 if (status == FINGERPRINT_INVALID || status == FINGERPRINT_NODEV) {
 found_dev = 0;
- error = mac_veriexec_metadata_get_file_info(vap->va_fsid,
- vap->va_fileid, vap->va_gen, &found_dev, &ip, check_files);
- if (error != 0) {
+ if (mac_veriexec_metadata_get_file_info(vap->va_fsid,
+ vap->va_fileid, vap->va_gen, &found_dev, &ip,
+ check_files) != 0) {
 status = (found_dev) ? FINGERPRINT_NOENTRY :
 FINGERPRINT_NODEV;
 VERIEXEC_DEBUG(3,
-- cgit v1.3
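Review bot: The new `if (mac_veriexec_metadata_get_file_info(...) != 0)` condition discards the return code without a comment, so a later reader cannot tell from the code that ignoring it is deliberate. A short comment above the call would record the intent, e.g. `/* Lookup failure is reflected in status only; propagating it would make open(2) on devices fail. */`. Every failure cause from the lookup is now folded into FINGERPRINT_NOENTRY or FINGERPRINT_NODEV, so enforcement rests entirely on how callers treat those two statuses; it is worth confirming they still deny access where the policy requires it. The function body continues outside this hunk: if `error` is read or returned further down, check that it is still initialised on this path now that the assignment is gone.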