Differential D39537

mac_veriexec: add mac_priv_grant check for NODEV
ClosedPublic
Actions

Authored by stevek on Apr 12 2023, 5:18 PM.

Tags

None

Referenced Files

	F102669659: D39537.diff
	Fri, Nov 15, 3:18 PM

	Unknown Object (File)
	Oct 2 2024, 2:19 PM

	Unknown Object (File)
	Sep 27 2024, 10:28 AM

	Unknown Object (File)
	Sep 19 2024, 6:44 AM

	Unknown Object (File)
	Sep 10 2024, 6:02 AM

	Unknown Object (File)
	Sep 8 2024, 10:32 PM

	Unknown Object (File)
	Sep 8 2024, 6:54 AM

	Unknown Object (File)
	Sep 7 2024, 10:26 PM

View All 38 Files

Subscribers

Details

Reviewers

Commits

rG6ae8d57652fa: mac_veriexec: add mac_priv_grant check for NODEV

Summary

Allow other MAC modules to override some veriexec checks.

We need two new privileges:
PRIV_VERIEXEC_DIRECT - process wants to override 'indirect' flag on interpreter
PRIV_VERIEXEC_NOVERIFY - typically associated with PRIV_VERIEXEC_DIRECT allow override of O_VERIFY

We also need to check for PRIV_VERIEXEC_NOVERIFY override
for FINGERPRINT_NODEV and FINGERPRINT_NOENTRY.
This will only happen if parent had PRIV_VERIEXEC_DIRECT override.

This allows for MAC modules to selectively allow some applications to
run without verification.

Needless to say, this is extremely dangerous and should only be used
sparingly and carefully.

Obtained from: Juniper Networks, Inc.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

stevek created this revision.Apr 12 2023, 5:18 PM

Herald added subscribers: dab, imp. · View Herald TranscriptApr 12 2023, 5:18 PM

stevek requested review of this revision.Apr 12 2023, 5:18 PM

Harbormaster completed remote builds in B50868: Diff 120224.Apr 12 2023, 5:18 PM

stevek edited the summary of this revision. (Show Details)Apr 12 2023, 5:19 PM

sjg accepted this revision.Apr 12 2023, 5:42 PM

This revision is now accepted and ready to land.Apr 12 2023, 5:42 PM

sjg mentioned this in D39538: Add new privilege PRIV_KDB_SET_BACKEND.Apr 12 2023, 5:45 PM

emaste added a subscriber: emaste.Apr 12 2023, 7:18 PM

Closed by commit rG6ae8d57652fa: mac_veriexec: add mac_priv_grant check for NODEV (authored by Simon J. Gerraty <sjg@juniper.net>, committed by stevek). · Explain WhyApr 16 2023, 11:15 PM

This revision was automatically updated to reflect the committed changes.

stevek added a commit: rG6ae8d57652fa: mac_veriexec: add mac_priv_grant check for NODEV.

Revision Contents
Changeset List

Path

Size

sys/

security/

mac_veriexec/

16 lines

veriexec_fingerprint.c

23 lines

sys/

8 lines

Diff 120429

sys/security/mac_veriexec/mac_veriexec.c

Loading...

sys/security/mac_veriexec/veriexec_fingerprint.c

Loading...

sys/sys/priv.h

Loading...