freebsd-nq

History

Sebastien Bini f3dba162bd init: allow to start script executions with sh -o verify On systems where mac_veriexec is enforced, init should run its scripts in verified mode. This relies on the verify shell option introduced by D30464. init will detect if the shell is /bin/sh, and in which case, add the verify option to the argument vector. The verify option propagates to all files sourced by the shell, ensuring a better protection than if the script was tested against an open(O_VERIFY) before running it. This security can be bypassed with the kenv which overloads the shell to use. However we feel confident that on systems running with mac_veriexec, this kenv will be blocked somehow. Also, the verify option has no effect on systems where mac_veriexec is not loaded nor enforced. Differential revision: https://reviews.freebsd.org/D34622 Reviewed by: sjg, wma		2022-10-11 09:48:04 +02:00
..
init.8	init: execute /etc/rc.final after all user processes have terminated	2021-07-22 23:26:11 -05:00
init.c	init: allow to start script executions with sh -o verify	2022-10-11 09:48:04 +02:00
Makefile	etc/ttys: merge ttys file down to single file	2021-07-06 11:53:10 -03:00
Makefile.depend
NOTES
pathnames.h	init: execute /etc/rc.final after all user processes have terminated	2021-07-22 23:26:11 -05:00
ttys	etc/ttys: add xen console	2021-07-06 11:53:10 -03:00