FreeBSD src
Steve Kiernan 8512d82ea0 veriexec: Additional functionality for MAC/veriexec
Ensure veriexec opens the file before doing any read operations.

When the MAC_VERIEXEC_CHECK_PATH_SYSCALL syscall is requested, veriexec
needs to open the file before calling mac_veriexec_check_vp. This is to
ensure any set up is done by the file system. Most file systems do not
explicitly need an open, but some (e.g. virtfs) require initialization
of access tokens (file identifiers, etc.) before doing any read or write
operations.

The evaluate_fingerprint() function needs to ensure it has an open file
for reading in order to evaluate the fingerprint. The ideal solution is
to have a hook after the VOP_OPEN call in vn_open. For now, we open the
file for reading, evaluate the fingerprint, and close the file. While
this leaves a potential hole that could possibly be taken advantage of
by a dedicated adversary, this code path is not typically visited often
in our use cases, as we primarily encounter verified mounts and not
individual files. This should be considered a temporary workaround until
discussions about the post-open hook have concluded and the hook becomes
available.

Add MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL and
MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL to mac_veriexec_syscall so we can
fetch and check label contents in an unconstrained manner.

Add a check for PRIV_VERIEXEC_CONTROL to do ioctl on /dev/veriexec

Make it clear that trusted process cannot be debugged. Attempts to debug
a trusted process already fail, but the failure path is very obscure.
Add an explicit check for VERIEXEC_TRUSTED in
mac_veriexec_proc_check_debug.

We need mac_veriexec_priv_check to not block PRIV_KMEM_WRITE if
mac_priv_grant() says it is ok.

Reviewed by:	sjg
Obtained from:	Juniper Networks, Inc.
2023-04-17 11:47:32 -04:00
.cirrus-ci Cirrus-CI: add some timing info on pkg install failure 2021-08-04 15:02:00 -04:00
.github Vendor import of OpenSSH 9.3p1 2023-03-16 08:41:22 -04:00
bin date.1: Make sure that the example works in any locale 2023-04-13 13:02:20 +02:00
cddl zfsd: add support for hotplugging spares 2023-04-06 11:58:55 -06:00
contrib awk: error on printf format strings lacking conversion specifier 2023-04-14 13:31:02 -04:00
crypto ssh: update FREEBSD-upgrade for upstream CheckHostIP default change 2023-03-29 19:32:44 -04:00
etc libcasper: Move helper libraries from /lib/casper to /lib. 2023-03-29 15:04:28 -07:00
gnu gnu diff3: apply patch to committed src, rather than at build time 2022-11-13 21:33:40 -05:00
include Fixes in persistent error log 2023-03-28 16:51:58 -07:00
kerberos5 heimdal: Do not build a redundant source file 2023-04-01 19:18:05 -07:00
lib veriexec: Additional functionality for MAC/veriexec 2023-04-17 11:47:32 -04:00
libexec rtld: fixes for handling of the grouped options 2023-04-13 17:37:33 +03:00
release release: Remove "All Rights Reserved" from FreeBSD Foundation copyrights 2023-04-17 10:56:59 -04:00
rescue rescue: Fix link order of SSL libraries and fetch. 2023-02-02 09:23:02 -08:00
sbin veriexec: Add SPDX-License-Identifier 2023-04-16 21:23:00 -04:00
secure ssh: Update to OpenSSH 9.3p1 2023-03-16 10:29:55 -04:00
share Update meta mode makefiles 2023-04-16 18:40:53 -07:00
stand loader: lua: disable autoboot timer after password entry 2023-04-15 21:39:56 -05:00
sys veriexec: Additional functionality for MAC/veriexec 2023-04-17 11:47:32 -04:00
targets retire sconfig(8) ce(4)/cp(4) configuration tool 2022-12-13 15:25:13 -05:00
tests Testing: add framework for the kernel unit tests. 2023-04-14 15:47:55 +00:00
tools stress2: Added comment about a new panic found. Test both SU and SU+J. 2023-04-14 09:55:10 +02:00
usr.bin morse.6: Mention to standards in the SEE ALSO section 2023-04-16 11:46:09 +02:00
usr.sbin makefs: remove unused variable 2023-04-17 08:22:12 -04:00
.arcconfig arcanist: use FreeBSD/git project repository instead of FreeBSD/svn 2022-08-23 14:16:41 +00:00
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.cirrus.yml CI: Run pkgbase METALOG lint script 2023-03-14 21:13:46 -04:00
.clang-format clang-format: Add bitset loop macros 2021-09-21 12:08:01 -04:00
.git-blame-ignore-revs Add git-blame ignore file 2023-01-23 15:27:25 -05:00
.gitattributes Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitignore .gitignore: Ignore LSP generated .cache 2023-03-07 10:04:18 -05:00
CONTRIBUTING.md CONTRIBUTING.md: Fix checkstyle9.pl name 2023-03-27 16:23:13 -04:00
COPYRIGHT Happy New Year 2023! 2023-01-01 13:44:43 +08:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS MAINTAINERS: Remove myself from OpenSSL maintenance 2023-03-28 15:44:26 -04:00
Makefile Remove the riscv64sf architecture. 2023-04-12 11:09:27 -07:00
Makefile.inc1 Stop stripping 'sf' suffixes from architecture names. 2023-04-12 11:11:02 -07:00
Makefile.libcompat libcompat: avoid installing include files twice 2022-11-16 19:15:20 -05:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc Add libcap_netdb.so.1 to the list of libcasper helper libraries. 2023-03-30 14:54:48 -07:00
README.md Vendor import of OpenSSH 9.3p1 2023-03-16 08:41:22 -04:00
RELNOTES RELNOTES: Add entries for two new NFS features 2023-04-16 12:34:52 -07:00
UPDATING UPDATING: Document arm video devices renaming. 2023-03-17 13:35:03 +01:00

FreeBSD Source:

This is the top level of the FreeBSD source directory.

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), FreeBSD handbook on building userland, and Handbook for kernels for more information, including setting make(1) variables.

For information on the CPU architectures and platforms supported by FreeBSD, see the FreeBSD website's Platforms page.

Source Roadmap:

Directory Description
bin System/user commands.
cddl Various commands and libraries under the Common Development and Distribution License.
contrib Packages contributed by 3rd parties.
crypto Cryptography stuff (see crypto/README).
etc Template files for /etc.
gnu Commands and libraries under the GNU General Public License (GPL) or Lesser General Public License (LGPL). Please see gnu/COPYING and gnu/COPYING.LIB for more information.
include System include files.
kerberos5 Kerberos5 (Heimdal) package.
lib System libraries.
libexec System daemons.
release Release building Makefile & associated tools.
rescue Build system for statically linked /rescue utilities.
sbin System commands.
secure Cryptographic libraries and commands.
share Shared resources.
stand Boot loader sources.
sys Kernel sources (see sys/README.md).
targets Support for experimental DIRDEPS_BUILD
tests Regression tests which can be run by Kyua. See tests/README for additional information.
tools Utilities for regression testing and miscellaneous tasks.
usr.bin User commands.
usr.sbin System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see FreeBSD Handbook.