6ae8d57652
Allow other MAC modules to override some veriexec checks. We need two new privileges: PRIV_VERIEXEC_DIRECT process wants to override 'indirect' flag on interpreter PRIV_VERIEXEC_NOVERIFY typically associated with PRIV_VERIEXEC_DIRECT allow override of O_VERIFY We also need to check for PRIV_VERIEXEC_NOVERIFY override for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY. This will only happen if parent had PRIV_VERIEXEC_DIRECT override. This allows for MAC modules to selectively allow some applications to run without verification. Needless to say, this is extremely dangerous and should only be used sparingly and carefully. Obtained from: Juniper Networks, Inc. Reviewers: sjg Subscribers: imp, dab Differential Revision: https://reviews.freebsd.org/D39537 |
||
---|---|---|
.. | ||
audit | ||
mac | ||
mac_biba | ||
mac_bsdextended | ||
mac_ddb | ||
mac_ifoff | ||
mac_lomac | ||
mac_mls | ||
mac_none | ||
mac_ntpd | ||
mac_partition | ||
mac_pimd | ||
mac_portacl | ||
mac_priority | ||
mac_seeotheruids | ||
mac_stub | ||
mac_test | ||
mac_veriexec | ||
mac_veriexec_parser |