
Add mac_grantbylabel
Closed, Public

Authored by sjg on Aug 11 2023, 10:02 PM.
Details

Summary

This module allows controlled privilege escalation via MAC labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_*, but we can compress many of them into
a single GBL_*, thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able to perform the set of privileged operations it needs.

We add APIs to libveriexec so that userland processes can check labels,
and an exec_script API that allows a suitably labeled process to run
something like a Python interpreter directly if necessary,
overcoming the 'indirect' flag applied to the interpreter.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

sjg requested review of this revision. Aug 11 2023, 10:02 PM

Use correct MAC_VERIEXEC_VERSION in MODULE_DEPEND

Add veriexec_get_{path,pid}_label

Add -l option to veriexec

sys/security/mac_grantbylabel/mac_grantbylabel.c

Line 60:

This sysctl and the variable used by it should be under #ifdef MAC_DEBUG, since MAC_GRANTBYLABEL_DBG is only filled out when MAC_DEBUG is defined.

Line 66:

This line looks like it ran a bit long?

Line 501:

Either drop this bit entirely and use MPC_LOADTIME_FLAG_NOTLATE, or add MAC_GRANTBYLABEL_DEBUG to the "options".

Update more copyright years

rebase and remove $FreeBSD$

sjg marked 3 inline comments as done. Aug 17 2023, 4:45 PM

If someone could explain the rubbish about libveriexec.h being copied to mac_grantbylabel.h.

This revision is now accepted and ready to land. Aug 24 2023, 7:10 PM
This revision was automatically updated to reflect the committed changes.