<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Makefile</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2025</copyright>
    <generator>Java</generator><item>
        <title>e9ac41698b2f322d55ccf9da50a3596edb2c1800 - Remove residual blank line at start of Makefile</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#e9ac41698b2f322d55ccf9da50a3596edb2c1800</link>
        <description>Remove residual blank line at start of Makefile

            This is a residual of the $FreeBSD$ removal.

            MFC After: 3 days (though I&apos;ll just run the command on the branches)
            Sponsored by: Netflix

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Mon, 15 Jul 2024 04:46:32 +0000</pubDate>
        <dc:creator>Warner Losh &lt;imp@FreeBSD.org&gt;</dc:creator>
    </item>
<item>
        <title>1554ba03b651319ab0e1cde8492ea4516afc648b - Add mac_grantbylabel</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#1554ba03b651319ab0e1cde8492ea4516afc648b</link>
        <description>Add mac_grantbylabel

            This module allows controlled privilege escalation via mac labels securely associated with a process via mac_veriexec.

            There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.

            The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.

            We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcoming the &apos;indirect&apos; flag applied to the interpreter.

            Add -l option to sbin/veriexec to report labels.

            Reviewed by: stevek
            Sponsored by: Juniper Networks, Inc.
            Differential Revision: https://reviews.freebsd.org/D41431

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Fri, 25 Aug 2023 00:41:22 +0000</pubDate>
        <dc:creator>Simon J. Gerraty &lt;sjg@FreeBSD.org&gt;</dc:creator>
    </item>
<item>
        <title>d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf - Remove $FreeBSD$: one-line sh pattern</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf</link>
        <description>Remove $FreeBSD$: one-line sh pattern

            Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Wed, 16 Aug 2023 17:55:03 +0000</pubDate>
        <dc:creator>Warner Losh &lt;imp@FreeBSD.org&gt;</dc:creator>
    </item>
<item>
        <title>8512d82ea0700df1c31232a0fe4c777d95600de3 - veriexec: Additional functionality for MAC/veriexec</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#8512d82ea0700df1c31232a0fe4c777d95600de3</link>
        <description>veriexec: Additional functionality for MAC/veriexec

            Ensure veriexec opens the file before doing any read operations.

            When the MAC_VERIEXEC_CHECK_PATH_SYSCALL syscall is requested, veriexec needs to open the file before calling mac_veriexec_check_vp. This is to ensure any set up is done by the file system. Most file systems do not explicitly need an open, but some (e.g. virtfs) require initialization of access tokens (file identifiers, etc.) before doing any read or write operations.

            The evaluate_fingerprint() function needs to ensure it has an open file for reading in order to evaluate the fingerprint. The ideal solution is to have a hook after the VOP_OPEN call in vn_open. For now, we open the file for reading, evaluate the fingerprint, and close the file. While this leaves a potential hole that could possibly be taken advantage of by a dedicated adversary, this code path is not typically visited often in our use cases, as we primarily encounter verified mounts and not individual files. This should be considered a temporary workaround until discussions about the post-open hook have concluded and the hook becomes available.

            Add MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL and MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL to mac_veriexec_syscall so we can fetch and check label contents in an unconstrained manner.

            Add a check for PRIV_VERIEXEC_CONTROL to do ioctl on /dev/veriexec

            Make it clear that trusted process cannot be debugged. Attempts to debug a trusted process already fail, but the failure path is very obscure. Add an explicit check for VERIEXEC_TRUSTED in mac_veriexec_proc_check_debug.

            We need mac_veriexec_priv_check to not block PRIV_KMEM_WRITE if mac_priv_gant() says it is ok.

            Reviewed by: sjg
            Obtained from: Juniper Networks, Inc.

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Sun, 02 Apr 2023 19:33:10 +0000</pubDate>
        <dc:creator>Steve Kiernan &lt;stevek@juniper.net&gt;</dc:creator>
    </item>
<item>
        <title>5ea556d98ce7971950c11bc7102dc57ed4f7711b - Do not claim libbearssl et al are INTERNALLIB</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#5ea556d98ce7971950c11bc7102dc57ed4f7711b</link>
        <description>Do not claim libbearssl et al are INTERNALLIB

            If INTERNALLIB is defined we need PIE and bsd.incs.mk is not included.

            PR: 245189
            Reviewed by: emaste
            MFC after: 1 week
            Differential Revision: https://reviews.freebsd.org//D24233

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Wed, 01 Apr 2020 05:45:12 +0000</pubDate>
        <dc:creator>Simon J. Gerraty &lt;sjg@FreeBSD.org&gt;</dc:creator>
    </item>
<item>
        <title>b6b5dcf2d12e904a751298d75ea36f2e138e20b8 - This library allows for user space applications to check file descriptors</title>
        <link>http://opengrok.net:8080/history/src/lib/libveriexec/Makefile#b6b5dcf2d12e904a751298d75ea36f2e138e20b8</link>
        <description>This library allows for user space applications to check file descriptors or paths to see if they can be verified by MAC/veriexec.

            Reviewed by: jtl, wblock
            Obtained from: Juniper Networks, Inc.
            Differential Revision: https://reviews.freebsd.org/D8562

            List of files:
            /src/lib/libveriexec/Makefile</description>
        <pubDate>Wed, 20 Jun 2018 00:55:18 +0000</pubDate>
        <dc:creator>Stephen J. Kiernan &lt;stevek@FreeBSD.org&gt;</dc:creator>
    </item>
</channel>
</rss>
