freebsd-dev/sys
Steve Kiernan 8512d82ea0 veriexec: Additional functionality for MAC/veriexec
Ensure veriexec opens the file before doing any read operations.

When the MAC_VERIEXEC_CHECK_PATH_SYSCALL syscall is requested, veriexec
needs to open the file before calling mac_veriexec_check_vp. This is to
ensure any set up is done by the file system. Most file systems do not
explicitly need an open, but some (e.g. virtfs) require initialization
of access tokens (file identifiers, etc.) before doing any read or write
operations.

The evaluate_fingerprint() function needs to ensure it has an open file
for reading in order to evaluate the fingerprint. The ideal solution is
to have a hook after the VOP_OPEN call in vn_open. For now, we open the
file for reading, evaluate the fingerprint, and close the file. While
this leaves a potential hole that could possibly be taken advantage of
by a dedicated adversary, this code path is not typically visited often
in our use cases, as we primarily encounter verified mounts and not
individual files. This should be considered a temporary workaround until
discussions about the post-open hook have concluded and the hook becomes
available.

Add MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL and
MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL to mac_veriexec_syscall so we can
fetch and check label contents in an unconstrained manner.

Add a check for PRIV_VERIEXEC_CONTROL to do ioctl on /dev/veriexec.

Make it clear that a trusted process cannot be debugged. Attempts to debug
a trusted process already fail, but the failure path is very obscure.
Add an explicit check for VERIEXEC_TRUSTED in
mac_veriexec_proc_check_debug.

We need mac_veriexec_priv_check to not block PRIV_KMEM_WRITE if
mac_priv_grant() says it is ok.

Reviewed by:	sjg
Obtained from:	Juniper Networks, Inc.
2023-04-17 11:47:32 -04:00
amd64 amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
arm amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
arm64 amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
bsm
cam Revert "cam: fix up world compilation after previous" 2023-04-15 18:25:55 -06:00
cddl dtrace: handle NOP instructions in the riscv invop handler 2023-04-10 12:14:11 -04:00
compat linux(4): Implement close_range over native 2023-04-04 23:24:04 +03:00
conf sys/modules/Makefile: conditionally add MAC/veriexec modules 2023-04-16 20:24:54 -04:00
contrib zfs: Add vfs.zfs.bclone_enabled sysctl. 2023-04-17 03:38:30 -07:00
crypto OpenSSL: Regen an assembly file for arm 2023-03-21 15:13:51 -04:00
ddb ddb: ansify 2023-02-08 00:09:23 +00:00
dev veriexec: Additional functionality for MAC/veriexec 2023-04-17 11:47:32 -04:00
dts
fs tarfs: Use the existing CTLFLAG_RWTUN flag definition 2023-04-12 12:20:38 +08:00
gdb
geom Implement GEOM::rotation_rate for gmirror 2023-04-10 10:27:10 -06:00
gnu
i386 amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
isa
kern Add new privilege PRIV_KDB_SET_BACKEND 2023-04-16 14:37:58 -04:00
kgssapi nfsd: Enable the NFSD_VNET vnet front end macros 2023-02-18 14:59:36 -08:00
libkern ashldi3: Use C89-style function definition 2022-11-27 13:23:25 -07:00
modules tests: add ktest modules to build 2023-04-17 10:46:05 +00:00
net lagg(4): Correctly define some sysctl variables 2023-04-17 18:24:35 +08:00
net80211 net80211: fix a typo in Rx MCS set for unequal modulation case 2023-04-14 18:20:09 +03:00
netgraph ng_atmllc: remove 2023-03-09 18:04:21 +00:00
netinet tcp: stack unloading crash in rack and bbr 2023-04-14 15:42:23 -04:00
netinet6 inet6: protect address manipulation with a lock 2023-03-30 08:46:38 +00:00
netipsec ipsec: only update lastused when it changes 2023-02-16 07:33:51 +00:00
netlink netlink: fix operations with link-local routes/gateways. 2023-04-17 12:04:43 +00:00
netpfil pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules 2023-04-14 09:04:06 +02:00
netsmb
nfs Allow any user to read the NFS stats, for example with nfsstat(1). 2022-12-01 22:21:14 -07:00
nfsclient
nfsserver
nlm
ofed infiniband: Opt-in for net epoch 2023-04-06 00:08:23 +08:00
opencrypto Complete removal of opt_compat.h 2023-02-13 19:07:38 +03:00
powerpc amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
riscv riscv: save the thread pointer in both modes 2023-04-17 09:49:52 -04:00
rpc svc_rpcsec_gss.c: Separate out the non-vnet initialization 2023-03-01 15:29:25 -08:00
security veriexec: Additional functionality for MAC/veriexec 2023-04-17 11:47:32 -04:00
sys veriexec: Additional functionality for MAC/veriexec 2023-04-17 11:47:32 -04:00
teken
tests tests: make ktest build on ppc. 2023-04-17 13:47:07 +00:00
tools vfs: validate that vop vectors provide all or none fplookup vops 2023-04-06 15:20:41 +00:00
ufs vn_lock_pair(): allow to request shared locking 2023-04-08 01:58:26 +03:00
vm amd64: fix PKRU and swapout interaction 2023-04-15 02:53:59 +03:00
x86 xen: move common variables off of sys/x86/xen/hvm.c 2023-04-14 15:59:11 +02:00
xdr xdr: ansify 2023-02-13 18:37:31 +00:00
xen xen: move common variables off of sys/x86/xen/hvm.c 2023-04-14 15:59:11 +02:00
Makefile
README.md note that some arch independent code can live in dev (e.g. SMBios) 2023-03-03 01:54:07 -08:00

FreeBSD Kernel Source:

This directory contains the source files and build glue that make up the FreeBSD kernel and its modules, including both original and contributed software.

Kernel configuration files are located in the conf/ subdirectory of each architecture. GENERIC is the configuration used in release builds. NOTES contains documentation of all possible entries. LINT is a compile-only configuration used to maximize build coverage and detect regressions.

Source Roadmap:

| Directory | Description |
|-----------|-------------|
| amd64 | AMD64 (64-bit x86) architecture support |
| arm | 32-bit ARM architecture support |
| arm64 | 64-bit ARM (AArch64) architecture support |
| cam | Common Access Method storage subsystem - cam(4) and ctl(4) |
| cddl | CDDL-licensed optional sources such as DTrace |
| conf | kernel build glue |
| compat | Linux compatibility layer, FreeBSD 32-bit compatibility |
| contrib | 3rd-party imported software such as OpenZFS |
| crypto | crypto drivers |
| ddb | interactive kernel debugger - ddb(4) |
| fs | most filesystems, excluding UFS, NFS, and ZFS |
| dev | device drivers and other arch independent code |
| gdb | kernel remote GDB stub - gdb(4) |
| geom | GEOM framework - geom(4) |
| i386 | i386 (32-bit x86) architecture support |
| kern | main part of the kernel |
| libkern | libc-like and other support functions for kernel use |
| modules | kernel module infrastructure |
| net | core networking code |
| net80211 | wireless networking (IEEE 802.11) - net80211(4) |
| netgraph | graph-based networking subsystem - netgraph(4) |
| netinet | IPv4 protocol implementation - inet(4) |
| netinet6 | IPv6 protocol implementation - inet6(4) |
| netipsec | IPsec protocol implementation - ipsec(4) |
| netpfil | packet filters - ipfw(4), pf(4), and ipfilter(4) |
| opencrypto | OpenCrypto framework - crypto(7) |
| powerpc | PowerPC/POWER (32 and 64-bit) architecture support |
| riscv | 64-bit RISC-V architecture support |
| security | security facilities - audit(4) and mac(4) |
| sys | kernel headers |
| tests | kernel unit tests |
| ufs | Unix File System - ffs(7) |
| vm | virtual memory system |
| x86 | code shared by AMD64 and i386 architectures |