mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-25 10:01:02 +01:00
1554ba03b6
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 |
||
|---|---|---|
| .. | ||
| config.mk | ||
| dtb.build.mk | ||
| dtb.mk | ||
| files | ||
| files.amd64 | ||
| files.arm | ||
| files.arm64 | ||
| files.i386 | ||
| files.powerpc | ||
| files.riscv | ||
| files.x86 | ||
| kern.mk | ||
| kern.opts.mk | ||
| kern.post.mk | ||
| kern.pre.mk | ||
| kmod_syms_prefix.awk | ||
| kmod_syms.awk | ||
| kmod.mk | ||
| kmod.opts.mk | ||
| ldscript.amd64 | ||
| ldscript.arm | ||
| ldscript.arm64 | ||
| ldscript.i386 | ||
| ldscript.kmod.amd64 | ||
| ldscript.kmod.i386 | ||
| ldscript.powerpc | ||
| ldscript.powerpc64 | ||
| ldscript.powerpc64le | ||
| ldscript.powerpcspe | ||
| ldscript.riscv | ||
| Makefile.amd64 | ||
| Makefile.arm | ||
| Makefile.arm64 | ||
| Makefile.i386 | ||
| Makefile.powerpc | ||
| Makefile.riscv | ||
| newvers.sh | ||
| NOTES | ||
| options | ||
| options.amd64 | ||
| options.arm | ||
| options.arm64 | ||
| options.i386 | ||
| options.powerpc | ||
| options.riscv | ||
| std.nodebug | ||
| sysent.mk | ||
| systags.sh | ||
| vdso_amd64_ia32.ldscript | ||
| vdso_amd64.ldscript | ||
| WITHOUT_SOURCELESS | ||
| WITHOUT_SOURCELESS_HOST | ||
| WITHOUT_SOURCELESS_UCODE | ||