| #
1554ba03
|
| 25-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of th
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
show more ...
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
f2be828f
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Revert that!
|
| #
e17f5b1d
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Oops missed Makefile.config
|
| #
2aaf9152
|
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
| #
b18a4cca
|
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
| #
844fc3e9
|
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
| #
eb12b8ea
|
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec
This tool will verify a signed manifest and load contents into
mac_veriexec for storage
Sponsored by: Juniper Networks
Differential Revision: D16575
|
| #
1554ba03
|
| 25-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of th
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
show more ...
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
f2be828f
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Revert that!
|
| #
e17f5b1d
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Oops missed Makefile.config
|
| #
2aaf9152
|
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
| #
b18a4cca
|
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
| #
844fc3e9
|
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
| #
eb12b8ea
|
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec
This tool will verify a signed manifest and load contents into
mac_veriexec for storage
Sponsored by: Juniper Networks
Differential Revision: D16575
|
| #
1554ba03
|
| 25-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of th
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
show more ...
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
f2be828f
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Revert that!
|
| #
e17f5b1d
|
| 19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Oops missed Makefile.config
|
| #
2aaf9152
|
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
| #
b18a4cca
|
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
| #
844fc3e9
|
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
| #
eb12b8ea
|
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec
This tool will verify a signed manifest and load contents into
mac_veriexec for storage
Sponsored by: Juniper Networks
Differential Revision: D16575
|