freebsd-dev/sys/conf
Stephen J. Kiernan fb47a3769c MAC/veriexec implements a verified execution environment using the MAC
framework.

The code is organized into a few distinct pieces:

* The meta-data store (in veriexec_metadata.c) which maps a file system
  identifier, file identifier, and generation key tuple to veriexec
  meta-data record.

* Fingerprint management (in veriexec_fingerprint.c) which deals with
  calculating the cryptographic hash for a file and verifying it. It also
  manages the loadable fingerprint modules.

* MAC policy implementation (in mac_veriexec.c) which implements the
  following MAC methods:

mpo_init
  Initializes the veriexec state, meta-data store, fingerprint modules,
  and registers mount and unmount EVENTHANDLERs

mpo_syscall
  Implements the following per-policy system calls:
  MAC_VERIEXEC_CHECK_FD_SYSCALL
    Check a file descriptor to see if the referenced file has a valid
    fingerprint.
  MAC_VERIEXEC_CHECK_PATH_SYSCALL
    Check a path to see if the referenced file has a valid fingerprint.

mpo_kld_check_load
  Check if loading a kld is allowed. This checks if the referenced vnode
  has a valid fingerprint.

mpo_mount_destroy_label
  Clears the veriexec slot data in a mount point label.

mpo_mount_init_label
  Initializes the veriexec slot data in a mount point label.
  The file system identifier is saved in the veriexec slot data.

mpo_priv_check
  Check if a process is allowed to write to /dev/kmem and /dev/mem
  devices.
  If a process is flagged as trusted, it is allowed to write.

mpo_proc_check_debug
  Check if a process is allowed to be debugged. If a process is not
  flagged with VERIEXEC_NOTRACE, then debugging is allowed.

mpo_vnode_check_exec
  Check is an exectuable is allowed to run. If veriexec is not enforcing
  or the executable has a valid fingerprint, then it is allowed to run.
  NOTE: veriexec will complain about mismatched fingerprints if it is
  active, regardless of the state of the enforcement.

mpo_vnode_check_open
  Check is a file is allowed to be opened. If verification was not
  requested, veriexec is not enforcing, or the file has a valid
  fingerprint, then veriexec will allow the file to be opened.

mpo_vnode_copy_label
  Copies the veriexec slot data from one label to another.

mpo_vnode_destroy_label
  Clears the veriexec slot data in a vnode label.

mpo_vnode_init_label
  Initializes the veriexec slot data in a vnode label.
  The fingerprint status for the file is stored in the veriexec slot data.

* Some sysctls, under security.mac.veriexec, for setting debug level,
  fetching the current state in a human-readable form, and dumping the
  fingerprint database are implemented.

* The MAC policy implementation source file also contains some utility
  functions.

* A set of fingerprint modules for the following cryptographic hash
  algorithms:
  RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512

* Loadable module builds for MAC/veriexec and fingerprint modules.

 WARNING: Using veriexec with NFS (or other network-based) file systems is
          not recommended as one cannot guarantee the integrity of the files
          served, nor the uniqueness of file system identifiers which are
          used as key in the meta-data store.

Reviewed by:	ian, jtl
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8554
2018-06-20 00:41:30 +00:00
..
config.mk Reduce overhead for simple 'make -V' lookups by avoiding 'find sys/'. 2018-03-10 02:09:36 +00:00
dtb.mk Add dtb overlays support 2018-03-24 21:30:24 +00:00
files MAC/veriexec implements a verified execution environment using the MAC 2018-06-20 00:41:30 +00:00
files.amd64 ixl(4): Remove ixlvc.c from files.amd64 2018-06-19 03:11:09 +00:00
files.arm Revert r327250 as it broke the build for some armv6 kernel and all armv4/5 2017-12-28 07:31:14 +00:00
files.arm64 rk_i2c: Add driver for the I2C controller present in RockChip SoC 2018-06-14 06:39:33 +00:00
files.i386 hwpmc: remove unused pre-table driven bits for intel 2018-05-31 22:41:07 +00:00
files.mips Make memmove an alias for memcpy 2018-05-24 21:11:24 +00:00
files.powerpc Split the PowerISA 3.0 HPT implementation from historic 2018-06-14 17:23:51 +00:00
files.riscv o Add driver for PLIC (Platform-Level Interrupt Controller) device. 2018-06-12 17:45:15 +00:00
files.sparc64 Define memmove and make bcopy alt entry point 2018-05-24 21:11:28 +00:00
kern.mk Fix build: ignore a GCC 7.2.0 warning which says that third argument of 2018-06-04 16:20:22 +00:00
kern.opts.mk Add EFI to kernel options. 2018-03-17 17:18:29 +00:00
kern.post.mk Remove MK_AUTO_OBJ from env passed to PORTS_MODULES 2018-03-31 05:17:12 +00:00
kern.pre.mk Correct kern.pre.mk comment: objcopy, not objdump, copies objects. 2018-06-15 16:32:18 +00:00
kmod_syms_prefix.awk Add the infrastructure to support loading multiple versions of TCP 2017-06-08 20:41:28 +00:00
kmod_syms.awk
kmod.mk Allocate epoch for networking at startup 2018-05-10 19:13:00 +00:00
ldscript.amd64 amd64: tweak the read_frequently section 2018-05-18 07:31:26 +00:00
ldscript.arm remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.arm64 Explicitly include all .rodata.* sections in the kernel .rodata. This 2016-09-03 17:23:24 +00:00
ldscript.i386 i386 4/4G split. 2018-04-13 20:30:49 +00:00
ldscript.mips remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.mips.cfe remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.mips.mips64 remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.mips.octeon1 remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.powerpc remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
ldscript.powerpc64 Add support for 64-bit PowerPC kernels to be directly loaded by kexec, which 2017-12-29 20:30:10 +00:00
ldscript.powerpcspe Create a new MACHINE_ARCH for Freescale PowerPC e500v2 2016-10-22 01:57:15 +00:00
ldscript.riscv o Remove operation in machine mode. 2016-08-10 12:41:36 +00:00
ldscript.sparc64 remove CONSTRUCTORS from kernel linker scripts 2016-07-28 13:54:46 +00:00
Makefile.amd64
Makefile.arm Make kernel option KERNVIRTADDR optional, remove it from std.<platform> 2017-12-30 00:20:49 +00:00
Makefile.arm64 Build changes that allow the modules on arm64. 2015-10-08 17:42:08 +00:00
Makefile.i386
Makefile.mips Compile trampoline with soft-float on MIPS, to match the rest of the kernel 2016-11-16 03:24:20 +00:00
Makefile.powerpc Don't pass -Wa,-many through clang, the integrated as doesn't support it. 2017-01-22 06:00:05 +00:00
Makefile.riscv Support for v1.10 (latest) of RISC-V privilege specification. 2017-08-10 14:18:09 +00:00
Makefile.sparc64
makeLINT.mk Remove the mlx5 driver from LINT kernel config for 32-bit PPC 2018-05-30 02:26:36 +00:00
makeLINT.sed
newvers.sh Indent protection and some other oops from the prvious commits. 2017-11-20 19:56:11 +00:00
NOTES unbreak LINT build after r334804 2018-06-08 05:48:36 +00:00
options md: use prestaged mfs_root 2018-06-07 13:57:34 +00:00
options.amd64 Finish COMPAT_AOUT support for amd64. It wasn't in any amd64 or MI 2018-06-02 06:40:15 +00:00
options.arm Add a new ARM kernel option, LOCORE_MAP_MB, to control the size of the 2017-12-26 19:02:56 +00:00
options.arm64 Remove the psci option from arm64. It is now a standard option as it is 2018-06-10 19:42:44 +00:00
options.i386 Remove SVR4 (System V Release 4) binary compatibility support. 2017-02-28 05:14:42 +00:00
options.mips Add SMP support for BERI CPU. 2018-04-12 17:43:19 +00:00
options.powerpc Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
options.riscv o Add driver for PLIC (Platform-Level Interrupt Controller) device. 2018-06-12 17:45:15 +00:00
options.sparc64
systags.sh sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
WITHOUT_SOURCELESS
WITHOUT_SOURCELESS_HOST
WITHOUT_SOURCELESS_UCODE rtwn(4), urtwn(4): merge common code, add support for 11ac devices. 2016-10-17 20:38:24 +00:00