Page MenuHomeFreeBSD

mac_veriexec: add mac_priv_grant check for NODEV
ClosedPublic

Authored by stevek on Apr 12 2023, 5:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 2 2024, 2:19 PM
Unknown Object (File)
Sep 27 2024, 10:28 AM
Unknown Object (File)
Sep 19 2024, 6:44 AM
Unknown Object (File)
Sep 10 2024, 6:02 AM
Unknown Object (File)
Sep 8 2024, 10:32 PM
Unknown Object (File)
Sep 8 2024, 6:54 AM
Unknown Object (File)
Sep 7 2024, 10:26 PM
Unknown Object (File)
Sep 7 2024, 4:55 AM
Subscribers

Details

Summary

Allow other MAC modules to override some veriexec checks.

We need two new privileges:
PRIV_VERIEXEC_DIRECT - process wants to override 'indirect' flag on interpreter
PRIV_VERIEXEC_NOVERIFY - typically associated with PRIV_VERIEXEC_DIRECT allow override of O_VERIFY

We also need to check for PRIV_VERIEXEC_NOVERIFY override
for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY.
This will only happen if parent had PRIV_VERIEXEC_DIRECT override.

This allows for MAC modules to selectively allow some applications to
run without verification.

Needless to say, this is extremely dangerous and should only be used
sparingly and carefully.

Obtained from: Juniper Networks, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable