#
1554ba03 |
|
24-Aug-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add mac_grantbylabel This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
#
1d386b48 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
88a3358e |
|
16-Apr-2023 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
veriexec: Add SPDX-License-Identifier
|
#
1c7ac0c2 |
|
16-Apr-2023 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
veriexec: fix use of getopt getopt(3) returns int type not char. Using char triggers the -Wtautological-constant-out-of-range-compare warning with clang. Change the type of the variable used for holding the return value of getopt(3) to int to match the prototype and eliminate the warning. MFC after: 1 week
|
#
7e2af4f9 |
|
22-Feb-2023 |
Mina Galić <freebsd@igalic.co> |
veriexec(4): Fix a compiler error When building WITH_BEARSSL=1 veriexec(4) failes to compile. So update the function prototype so that veriexec(4) compiles again. Reported by: gbe Reviewed by: mjg, gbe Approved by: mjg Pull Request: https://github.com/freebsd/freebsd-src/pull/657
|
#
ab4f0a15 |
|
19-Jul-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add -S option to veriexec During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter). Otherwise ignore certificate validity period. It is generally unacceptible for the Internet to stop working just because someone did not upgrade their infrastructure for a decade. Sponsored by: Juniper Networks, Inc. Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758
|
#
b439f64a |
|
29-Jun-2022 |
Hubert Mazur <hum@semihalf.com> |
Improve parameters handling in veriexec Provide more robust parameter parsing in veriexec. Do a little cleanup as well. Differential revision: https://reviews.freebsd.org/D33246 Obtained from: Semihalf Reviewed by: sjg, sebastien.bini_stormshield.eu
|
#
492bf4fd |
|
23-Sep-2021 |
Stephane Rochoy <stephane.rochoy@stormshield.eu> |
veriexec: Fix veriexec -i's confusion between loaded and locked states Calling veriexec -i locked return the state of loaded and vice-versa. Differential revision: https://reviews.freebsd.org/D30952 Reviewed by: sjg,imp Obtained from: Stromshield
|
#
e5be21d1 |
|
20-Oct-2020 |
sebastien.bini <sebastien.bini@stormshield.eu> |
sbin/veriexec: fixed parameter parsing of option -x The -x parameter doesn't take any arguments. It says that all further arguments are paths to check. Reviewed by: imp@ Sponsored by: Netflix Pull Request: https://github.com/freebsd/freebsd-src/pull/443/files
|
#
eb12b8ea |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add verifying manifest loader for mac_veriexec This tool will verify a signed manifest and load contents into mac_veriexec for storage Sponsored by: Juniper Networks Differential Revision: D16575
|