JavaScript promise rejection: Loading CSS chunk katex failed. (error: https://git.quacker.org/assets/css/katex.fb6ef55c.css). Open browser console to see more details.
freebsd with flexible iflib nic queues
Go to file
Stephen J. Kiernan fb47a3769c MAC/veriexec implements a verified execution environment using the MAC
framework.

The code is organized into a few distinct pieces:

* The meta-data store (in veriexec_metadata.c) which maps a file system
  identifier, file identifier, and generation key tuple to veriexec
  meta-data record.

* Fingerprint management (in veriexec_fingerprint.c) which deals with
  calculating the cryptographic hash for a file and verifying it. It also
  manages the loadable fingerprint modules.

* MAC policy implementation (in mac_veriexec.c) which implements the
  following MAC methods:

mpo_init
  Initializes the veriexec state, meta-data store, fingerprint modules,
  and registers mount and unmount EVENTHANDLERs

mpo_syscall
  Implements the following per-policy system calls:
  MAC_VERIEXEC_CHECK_FD_SYSCALL
    Check a file descriptor to see if the referenced file has a valid
    fingerprint.
  MAC_VERIEXEC_CHECK_PATH_SYSCALL
    Check a path to see if the referenced file has a valid fingerprint.

mpo_kld_check_load
  Check if loading a kld is allowed. This checks if the referenced vnode
  has a valid fingerprint.

mpo_mount_destroy_label
  Clears the veriexec slot data in a mount point label.

mpo_mount_init_label
  Initializes the veriexec slot data in a mount point label.
  The file system identifier is saved in the veriexec slot data.

mpo_priv_check
  Check if a process is allowed to write to /dev/kmem and /dev/mem
  devices.
  If a process is flagged as trusted, it is allowed to write.

mpo_proc_check_debug
  Check if a process is allowed to be debugged. If a process is not
  flagged with VERIEXEC_NOTRACE, then debugging is allowed.

mpo_vnode_check_exec
  Check is an exectuable is allowed to run. If veriexec is not enforcing
  or the executable has a valid fingerprint, then it is allowed to run.
  NOTE: veriexec will complain about mismatched fingerprints if it is
  active, regardless of the state of the enforcement.

mpo_vnode_check_open
  Check is a file is allowed to be opened. If verification was not
  requested, veriexec is not enforcing, or the file has a valid
  fingerprint, then veriexec will allow the file to be opened.

mpo_vnode_copy_label
  Copies the veriexec slot data from one label to another.

mpo_vnode_destroy_label
  Clears the veriexec slot data in a vnode label.

mpo_vnode_init_label
  Initializes the veriexec slot data in a vnode label.
  The fingerprint status for the file is stored in the veriexec slot data.

* Some sysctls, under security.mac.veriexec, for setting debug level,
  fetching the current state in a human-readable form, and dumping the
  fingerprint database are implemented.

* The MAC policy implementation source file also contains some utility
  functions.

* A set of fingerprint modules for the following cryptographic hash
  algorithms:
  RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512

* Loadable module builds for MAC/veriexec and fingerprint modules.

 WARNING: Using veriexec with NFS (or other network-based) file systems is
          not recommended as one cannot guarantee the integrity of the files
          served, nor the uniqueness of file system identifiers which are
          used as key in the meta-data store.

Reviewed by:	ian, jtl
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8554
2018-06-20 00:41:30 +00:00
bin Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
cddl The IP, TCP, and UDP provider report IP addresses as strings. 2018-06-18 18:35:29 +00:00
contrib Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
crypto Merge upstream patch to unbreak tunnel forwarding. 2018-05-16 14:04:39 +00:00
etc praudit(1): add tests 2018-06-17 17:31:16 +00:00
gnu objdump.1: manually apply r229046 to the rendered man page 2018-06-15 17:16:27 +00:00
include Add time2posix and posix2time to time.h 2018-05-25 13:40:05 +00:00
kerberos5 various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
lib Fix typo. 2018-06-19 22:19:42 +00:00
libexec Make rtld use libc_nossp_pic.a. Remove SSP shims. 2018-05-09 10:30:56 +00:00
release Enable USB OTG serial terminal on ARM SD card images. This configures 2018-06-12 16:45:52 +00:00
rescue Avoid referencing private lib names directly. 2017-11-10 07:53:02 +00:00
sbin Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
secure Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
share MK_EFI - Add uefisign and friends to this knob and ensure that we don't 2018-06-19 21:07:25 +00:00
stand Revert r335276 2018-06-20 00:14:54 +00:00
sys MAC/veriexec implements a verified execution environment using the MAC 2018-06-20 00:41:30 +00:00
targets Remove obsolete asf(8) 2018-06-15 17:44:21 +00:00
tests audit(4): add tests for sendmsg, recvmsg, shutdown, and sendfile 2018-06-19 17:41:46 +00:00
tools Fix typo noticed by pstef@. 2018-06-19 21:58:04 +00:00
usr.bin Use capsicum helpers to cache NLS data. 2018-06-20 00:13:09 +00:00
usr.sbin Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
.arcconfig
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.gitattributes .git*: add gitattributes and gitignore 2017-12-25 21:07:54 +00:00
.gitignore .git*: add gitattributes and gitignore 2017-12-25 21:07:54 +00:00
COPYRIGHT Remove 'All Rights Reserved' from the collection copyright and templates. 2018-05-09 02:02:49 +00:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS Pass on bhyve kernel module maintenance to 2018-06-10 04:25:19 +00:00
Makefile Restore arm, riscv, sparc64, and mips to UNIVERSE after r334128 2018-05-24 14:01:22 +00:00
Makefile.inc1 TARGET_TRIPLE is needed much earlier now for CROSS_BINUTILS_PREFIX check. 2018-06-19 23:57:12 +00:00
Makefile.libcompat lib32: Fix lib/libpmc/pmu-events files ending up in source directory. 2018-06-15 18:50:24 +00:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc Remove obsolete asf(8) 2018-06-15 17:44:21 +00:00
README README: add generic notes about GENERIC and NOTES 2018-06-17 19:44:24 +00:00
README.md README: add generic notes about GENERIC and NOTES 2018-06-17 19:44:24 +00:00
UPDATING Explain why a __FreeBSD_version bump was done for r334930. 2018-06-12 22:52:27 +00:00

FreeBSD Source:

This is the top level of the FreeBSD source directory. This file was last revised on: FreeBSD

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information, including setting make(1) variables.

Source Roadmap:

bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

gnu		Various commands and libraries under the GNU Public License.
		Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

stand		Boot loader sources.

sys		Kernel sources.

sys/<arch>/conf Kernel configuration files. GENERIC is the configuration
		used in release builds. NOTES contains documentation of
		all possible entries.

tests		Regression tests which can be run by Kyua.  See tests/README
		for additional information.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html