hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-25 10:01:02 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
1554ba03b6
HardenedBSD/sys
History
Simon J. Gerraty 1554ba03b6 Add mac_grantbylabel 
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by:	stevek
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D41431
2023-08-24 17:42:11 -07:00
..
amd64
arm
arm64 gicv3: Add checks for the device ID 2023-08-23 17:38:20 +01:00
bsm timerfd: Move implementation from linux compat to sys/kern 2023-08-24 14:28:56 -06:00
cam cam/scsi_da: Bump deprecation one release. 2023-08-23 22:34:41 -06:00
cddl
compat freebsd32: Remove mac_syscall from the unimpl list 2023-08-24 18:45:31 -04:00
conf Add mac_grantbylabel 2023-08-24 17:42:11 -07:00
contrib
crypto
ddb
dev smartpqi: update to version 4410.0.2005 2023-08-24 15:25:09 -06:00
dts
fs
gdb
geom
gnu
i386
isa
kern vfs: retried++ -> retried = true for the boolean 2023-08-24 22:50:31 +00:00
kgssapi
libkern
modules smartpqi: update to version 4410.0.2005 2023-08-24 15:25:09 -06:00
net iflib: invert default restart on VLAN changes 2023-08-24 13:48:19 -07:00
net80211
netgraph
netinet sctp: improve handling of socket shutdown for reading 2023-08-24 15:52:55 +02:00
netinet6
netipsec
netlink
netpfil pf: Access r->rpool.cur->kif under mutex protection 2023-08-24 13:05:33 +02:00
netsmb
nfs
nfsclient
nfsserver
nlm
ofed
opencrypto
powerpc
riscv
rpc
security Add mac_grantbylabel 2023-08-24 17:42:11 -07:00
sys update main to 15 2023-08-24 19:10:35 -04:00
teken
tests
tools
ufs
vm
x86
xdr
xen
Makefile
README.md

README.md

FreeBSD Kernel Source:

This directory contains the source files and build glue that make up the FreeBSD kernel and its modules, including both original and contributed software.

Kernel configuration files are located in the conf/ subdirectory of each architecture. GENERIC is the configuration used in release builds. NOTES contains documentation of all possible entries. LINT is a compile-only configuration used to maximize build coverage and detect regressions.

Documentation:

Source code documentation is maintained in a set of man pages, under section 9. These pages are located in share/man/man9, from the top-level of the src tree. Consult intro(9) for an overview of existing pages.

Some additional high-level documentation of the kernel is maintained in the Architecture Handbook.

Source Roadmap:

Directory Description
amd64 AMD64 (64-bit x86) architecture support
arm 32-bit ARM architecture support
arm64 64-bit ARM (AArch64) architecture support
cam Common Access Method storage subsystem - cam(4) and ctl(4)
cddl CDDL-licensed optional sources such as DTrace
conf kernel build glue
compat Linux compatibility layer, FreeBSD 32-bit compatibility
contrib 3rd-party imported software such as OpenZFS
crypto crypto drivers
ddb interactive kernel debugger - ddb(4)
fs most filesystems, excluding UFS, NFS, and ZFS
dev device drivers and other arch independent code
gdb kernel remote GDB stub - gdb(4)
geom GEOM framework - geom(4)
i386 i386 (32-bit x86) architecture support
kern main part of the kernel
libkern libc-like and other support functions for kernel use
modules kernel module infrastructure
net core networking code
net80211 wireless networking (IEEE 802.11) - net80211(4)
netgraph graph-based networking subsystem - netgraph(4)
netinet IPv4 protocol implementation - inet(4)
netinet6 IPv6 protocol implementation - inet6(4)
netipsec IPsec protocol implementation - ipsec(4)
netpfil packet filters - ipfw(4), pf(4), and ipfilter(4)
opencrypto OpenCrypto framework - crypto(7)
powerpc PowerPC/POWER (32 and 64-bit) architecture support
riscv 64-bit RISC-V architecture support
security security facilities - audit(4) and mac(4)
sys kernel headers
tests kernel unit tests
ufs Unix File System - ffs(7)
vm virtual memory system
x86 code shared by AMD64 and i386 architectures