hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-14 22:32:30 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
33ccf36671
HardenedBSD/etc/mtree/BSD.include.dist
Simon J. Gerraty 1554ba03b6 Add mac_grantbylabel 
This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by:	stevek
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D41431
2023-08-24 17:42:11 -07:00

364 lines
4.5 KiB
Plaintext
Raw Blame History

#
# Please see the file src/etc/mtree/README before making changes to this file.
#
/set type=dir uname=root gname=wheel mode=0755
.
arpa
..
atf-c
..
atf-c++
..
bsm
..
bsnmp
..
c++
v1
__algorithm
..
__bit
..
__charconv
..
__chrono
..
__compare
..
__concepts
..
__coroutine
..
__debug_utils
..
__expected
..
__filesystem
..
__format
..
__functional
..
__fwd
..
__ios
..
__iterator
..
__memory
..
__memory_resource
..
__numeric
..
__random
..
__ranges
..
__string
..
__thread
..
__tuple_dir
..
__type_traits
..
__utility
..
__variant
..
experimental
..
ext
..
..
..
cam
ata
..
mmc
..
nvme
..
scsi
..
..
casper
..
crypto
..
dev
acpica
..
agp
..
an
..
ciss
..
evdev
..
filemon
..
firewire
..
hid
..
hwpmc
..
hyperv
..
ic
..
iicbus
..
io
..
mfi
..
mlx5
..
mmc
..
mpt
mpilib
..
..
nvme
..
ofw
..
pbio
..
pci
..
powermac_nvram
..
ppbus
..
pwm
..
smbus
..
speaker
..
tcp_log
..
usb
..
veriexec
..
vkbd
..
wg
..
wi
..
..
devdctl
..
edit
readline
..
..
fs
cuse
..
devfs
..
fdescfs
..
msdosfs
..
nfs
..
nullfs
..
procfs
..
smbfs
..
udf
..
unionfs
..
..
geom
cache
..
concat
..
eli
..
gate
..
journal
..
label
..
mirror
..
mountver
..
multipath
..
nop
..
raid
..
raid3
..
shsec
..
stripe
..
union
..
virstor
..
..
gssapi
..
infiniband
complib
..
iba
..
opensm
..
vendor
..
..
isofs
cd9660
..
..
kadm5
..
krb5
..
lib80211
..
lib9p
..
libipt
..
libmilter
..
libxo
..
lzma
..
machine
pc
..
..
net
altq
..
route
..
..
net80211
..
netgraph
atm
..
bluetooth
include
..
..
netflow
..
..
netinet
cc
..
netdump
..
tcp_stacks
..
..
netinet6
..
netlink
route
..
..
netipsec
..
netpfil
pf
..
..
netsmb
..
nfs
..
nfsclient
..
nfsserver
..
opencsd
c_api
..
ete
..
etmv3
..
etmv4
..
ptm
..
stm
..
..
openssl
..
pcap
..
protocols
..
rdma
..
rpc
..
rpcsvc
..
security
audit
..
mac_biba
..
mac_bsdextended
..
mac_grantbylabel
..
mac_lomac
..
mac_mls
..
mac_partition
..
mac_veriexec
..
..
sys
disk
..
..
teken
..
ufs
ffs
..
ufs
..
..
vm
..
xlocale
..
..
Reference in New Issue View Git Blame Copy Permalink