Revision tags: release/14.0.0 |
|
#
1554ba03 |
| 25-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel
This module allows controlled privilege escalation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able to perform a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcoming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
|
#
1d386b48 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
88a3358e |
| 17-Apr-2023 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
veriexec: Add SPDX-License-Identifier
|
#
1c7ac0c2 |
| 17-Apr-2023 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
veriexec: fix use of getopt
getopt(3) returns int type not char. Using char triggers the -Wtautological-constant-out-of-range-compare warning with clang. Change the type of the variable used for holding the return value of getopt(3) to int to match the prototype and eliminate the warning.
MFC after: 1 week
|
Revision tags: release/13.2.0 |
|
#
7e2af4f9 |
| 23-Feb-2023 |
Mina Galić <freebsd@igalic.co> |
veriexec(4): Fix a compiler error
When building WITH_BEARSSL=1 veriexec(4) fails to compile. So update the function prototype so that veriexec(4) compiles again.
Reported by: gbe
Reviewed by: mjg, gbe
Approved by: mjg
Pull Request: https://github.com/freebsd/freebsd-src/pull/657
|
Revision tags: release/12.4.0 |
|
#
ab4f0a15 |
| 19-Jul-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add -S option to veriexec
During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter).
Otherwise ignore certificate validity period. It is generally unacceptable for the Internet to stop working just because someone did not upgrade their infrastructure for a decade.
Sponsored by: Juniper Networks, Inc.
Reviewed by: sebastien.bini_stormshield.eu
Differential Revision: https://reviews.freebsd.org/D35758
|
#
b439f64a |
| 29-Jun-2022 |
Hubert Mazur <hum@semihalf.com> |
Improve parameters handling in veriexec
Provide more robust parameter parsing in veriexec. Do a little cleanup as well.
Differential revision: https://reviews.freebsd.org/D33246
Obtained from: Semihalf
Reviewed by: sjg, sebastien.bini_stormshield.eu
|
Revision tags: release/13.1.0, release/12.3.0 |
|
#
492bf4fd |
| 23-Sep-2021 |
Stephane Rochoy <stephane.rochoy@stormshield.eu> |
veriexec: Fix veriexec -i's confusion between loaded and locked states
Calling veriexec -i locked returns the state of loaded and vice-versa.
Differential revision: https://reviews.freebsd.org/D30952
Reviewed by: sjg,imp
Obtained from: Stormshield
|
Revision tags: release/13.0.0, release/12.2.0 |
|
#
e5be21d1 |
| 20-Oct-2020 |
sebastien.bini <sebastien.bini@stormshield.eu> |
sbin/veriexec: fixed parameter parsing of option -x
The -x parameter doesn't take any arguments. It says that all further arguments are paths to check.
Reviewed by: imp@
Sponsored by: Netflix
Pull Request: https://github.com/freebsd/freebsd-src/pull/443/files
|
Revision tags: release/11.4.0, release/12.1.0, release/11.3.0 |
|
#
2aaf9152 |
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
#
b18a4cca |
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
#
844fc3e9 |
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
#
eb12b8ea |
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec
This tool will verify a signed manifest and load contents into mac_veriexec for storage
Sponsored by: Juniper Networks
Differential Revision: D16575
|