| #
1554ba03 |
|
24-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
|
| #
d0b2dbfa |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
f2be828f |
|
19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Revert that!
|
| #
e17f5b1d |
|
19-Jul-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Oops missed Makefile.config
|
| #
eb12b8ea |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec
This tool will verify a signed manifest and load contents into
mac_veriexec for storage
Sponsored by: Juniper Networks
Differential Revision: D16575
|