d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
283,688 Commits 72 Branches 135 Tags 3.2 GiB
2b519b1707
Commit Graph

6 Commits

Author SHA1 Message Date
Steve Kiernan
9bc96108d1 libveriexec: add function to check a label based on a path 
veriexec_check_path_label() can be used to check if a specified
path has a label associated with it that contains the what we
want.

Obtained from:	Juniper Networks, Inc.
 2023-04-17 11:47:33 -04:00
Steve Kiernan
8512d82ea0 veriexec: Additional functionality for MAC/veriexec 
Ensure veriexec opens the file before doing any read operations.

When the MAC_VERIEXEC_CHECK_PATH_SYSCALL syscall is requested, veriexec
needs to open the file before calling mac_veriexec_check_vp. This is to
ensure any set up is done by the file system. Most file systems do not
explicitly need an open, but some (e.g. virtfs) require initialization
of access tokens (file identifiers, etc.) before doing any read or write
operations.

The evaluate_fingerprint() function needs to ensure it has an open file
for reading in order to evaluate the fingerprint. The ideal solution is
to have a hook after the VOP_OPEN call in vn_open. For now, we open the
file for reading, envaluate the fingerprint, and close the file. While
this leaves a potential hole that could possibly be taken advantage of
by a dedicated aversary, this code path is not typically visited often
in our use cases, as we primarily encounter verified mounts and not
individual files. This should be considered a temporary workaround until
discussions about the post-open hook have concluded and the hook becomes
available.

Add MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL and
MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL to mac_veriexec_syscall so we can
fetch and check label contents in an unconstrained manner.

Add a check for PRIV_VERIEXEC_CONTROL to do ioctl on /dev/veriexec

Make it clear that trusted process cannot be debugged. Attempts to debug
a trusted process already fail, but the failure path is very obscure.
Add an explicit check for VERIEXEC_TRUSTED in
mac_veriexec_proc_check_debug.

We need mac_veriexec_priv_check to not block PRIV_KMEM_WRITE if
mac_priv_gant() says it is ok.

Reviewed by:	sjg
Obtained from:	Juniper Networks, Inc.
 2023-04-17 11:47:32 -04:00
Stephen J. Kiernan
88a3358ea4 veriexec: Add SPDX-License-Identifier 2023-04-16 21:23:00 -04:00
Simon J. Gerraty
5ea556d98c Do not claim libbearssl et al are INTERNALLIB 
If INTERNALLIB is defined we need PIE and bsd.incs.mk is
not included.

PR:		245189
Reviewed by:	emaste
MFC after:	1 week
Differential Revision: https://reviews.freebsd.org//D24233
 2020-04-01 05:45:12 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files 
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
 2019-12-11 17:37:53 +00:00
Stephen J. Kiernan
b6b5dcf2d1 This library allows for user space applications to check file descriptors 
or paths to see if they can be verified by MAC/veriexec.

Reviewed by:	jtl, wblock
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8562
 2018-06-20 00:55:18 +00:00