#
1554ba03 |
|
24-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
#
d0b2dbfa |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
#
f2be828f |
|
19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Revert that!
|
#
e17f5b1d |
|
19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Oops missed Makefile.config
|
#
eb12b8ea |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec This tool will verify a signed manifest and load contents into mac_veriexec for storage Sponsored by: Juniper Networks Differential Revision: D16575
|