en Copyright 2015 Java http://kernelsources.org:8080/source/history/freebsd/sys/modules/mac_veriexec_sha512/Makefile#e9ac41698b2f322d55ccf9da50a3596edb2c1800 Remove residual blank line at start of MakefileThis is a residual of the $FreeBSD$ removal.MFC After: 3 days (though I'll just run the command on the branches)Sponsored by: Netflix List of files: /freebsd/sys/modules/mac_veriexec_sha512/Makefile Mon, 15 Jul 2024 06:46:32 +0200 Warner Losh <imp@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/sys/modules/mac_veriexec_sha512/Makefile#031beb4e239bfce798af17f5fe8dba8bcaf13d99 sys: Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /freebsd/sys/modules/mac_veriexec_sha512/Makefile Wed, 16 Aug 2023 19:54:58 +0200 Warner Losh <imp@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/sys/modules/mac_veriexec_sha512/Makefile#fb47a3769c514735bceb2822a64e5e70c3d2f7a4 MAC/veriexec implements a verified execution environment using the MACframework.The code is organized into a few distinct pieces:* The meta-data store (in veriexec_metadata.c) which maps a file system identifier, file identifier, and generation key tuple to veriexec meta-data record.* Fingerprint management (in veriexec_fingerprint.c) which deals with calculating the cryptographic hash for a file and verifying it. It also manages the loadable fingerprint modules.* MAC policy implementation (in mac_veriexec.c) which implements the following MAC methods:mpo_init Initializes the veriexec state, meta-data store, fingerprint modules, and registers mount and unmount EVENTHANDLERsmpo_syscall Implements the following per-policy system calls: MAC_VERIEXEC_CHECK_FD_SYSCALL Check a file descriptor to see if the referenced file has a valid fingerprint. MAC_VERIEXEC_CHECK_PATH_SYSCALL Check a path to see if the referenced file has a valid fingerprint.mpo_kld_check_load Check if loading a kld is allowed. This checks if the referenced vnode has a valid fingerprint.mpo_mount_destroy_label Clears the veriexec slot data in a mount point label.mpo_mount_init_label Initializes the veriexec slot data in a mount point label. The file system identifier is saved in the veriexec slot data.mpo_priv_check Check if a process is allowed to write to /dev/kmem and /dev/mem devices. If a process is flagged as trusted, it is allowed to write.mpo_proc_check_debug Check if a process is allowed to be debugged. If a process is not flagged with VERIEXEC_NOTRACE, then debugging is allowed.mpo_vnode_check_exec Check is an exectuable is allowed to run. If veriexec is not enforcing or the executable has a valid fingerprint, then it is allowed to run. NOTE: veriexec will complain about mismatched fingerprints if it is active, regardless of the state of the enforcement.mpo_vnode_check_open Check is a file is allowed to be opened. If verification was not requested, veriexec is not enforcing, or the file has a valid fingerprint, then veriexec will allow the file to be opened.mpo_vnode_copy_label Copies the veriexec slot data from one label to another.mpo_vnode_destroy_label Clears the veriexec slot data in a vnode label.mpo_vnode_init_label Initializes the veriexec slot data in a vnode label. The fingerprint status for the file is stored in the veriexec slot data.* Some sysctls, under security.mac.veriexec, for setting debug level, fetching the current state in a human-readable form, and dumping the fingerprint database are implemented.* The MAC policy implementation source file also contains some utility functions.* A set of fingerprint modules for the following cryptographic hash algorithms: RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512* Loadable module builds for MAC/veriexec and fingerprint modules. WARNING: Using veriexec with NFS (or other network-based) file systems is not recommended as one cannot guarantee the integrity of the files served, nor the uniqueness of file system identifiers which are used as key in the meta-data store.Reviewed by: ian, jtlObtained from: Juniper Networks, Inc.Differential Revision: https://reviews.freebsd.org/D8554 List of files: /freebsd/sys/modules/mac_veriexec_sha512/Makefile Wed, 20 Jun 2018 02:41:30 +0200 Stephen J. Kiernan <stevek@FreeBSD.org>