
init: allow to start script executions with sh -o verify
Closed, Public

Authored by sebastien.bini_stormshield.eu on Mar 21 2022, 2:17 PM.

Details

Summary

On systems where mac_veriexec is enforced, init should run its scripts in verified mode.

This relies on the verify shell option introduced by D30464. init will detect whether the shell is /bin/sh and, in that case, add the verify option to the argument vector.

The verify option propagates to all files sourced by the shell, ensuring better protection than if the script were tested with an open(O_VERIFY) before running it.

This security can be bypassed with the kenv that overrides which shell to use. However, we feel confident that on systems running with mac_veriexec, this kenv will be blocked somehow.

Also, the verify option has no effect on systems where mac_veriexec is neither loaded nor enforced.
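What the resulting argument vector looks like, as an added example that is neither the patch's code nor init's own: it models the decision the summary describes (add the verify option only when the shell is exactly /bin/sh, and before the script so the shell consumes it as an option rather than passing it to the script) against the kenv override the summary names as the bypass. The kenv name init_shell, the constructed override value /bin/csh, and all helper names are assumptions of this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RC_ARGV_MAX 8

/*
 * Pick the shell init will exec for the rc script.  "init_shell" is the
 * kenv name init(8) documents for overriding the shell; it is an assumption
 * here and is passed in as a plain string so the example runs without a
 * kernel environment.  A set value is the bypass point the summary warns
 * about: any shell other than /bin/sh gets no verify option below.
 */
static const char *
choose_shell(const char *kenv_init_shell)
{
	if (kenv_init_shell != NULL && kenv_init_shell[0] != '\0')
		return (kenv_init_shell);
	return ("/bin/sh");
}

/*
 * Fill argv for exec'ing `script` with `shell`; returns argc, with
 * argv[argc] == NULL.  Only the stock /bin/sh understands "-o verify", so
 * the option is added only for that exact path.  It is placed before the
 * script path so the shell parses it as an option; after the script it
 * would become $1/$2 of the script instead.  Where mac_veriexec is not
 * loaded or enforced the shell accepts the option and it has no effect.
 */
static size_t
build_rc_argv(const char *shell, const char *script,
    const char *argv[RC_ARGV_MAX])
{
	size_t n = 0;
	const char *slash = strrchr(shell, '/');

	argv[n++] = (slash != NULL) ? slash + 1 : shell;	/* argv[0] = basename */
	if (strcmp(shell, "/bin/sh") == 0) {
		argv[n++] = "-o";
		argv[n++] = "verify";
	}
	argv[n++] = script;
	argv[n] = NULL;
	return (n);
}

/* True when the vector carries "-o verify" as a shell option. */
static bool
argv_has_verify(const char *const argv[])
{
	for (size_t i = 1; argv[i] != NULL; i++) {
		if (strcmp(argv[i], "-o") == 0 && argv[i + 1] != NULL &&
		    strcmp(argv[i + 1], "verify") == 0)
			return (true);
	}
	return (false);
}

/* Outcome of the whole decision for one (constructed) init_shell value. */
struct rc_exec {
	size_t argc;
	bool verify;
	const char *argv0;
};

static struct rc_exec
plan_rc_exec(const char *kenv_init_shell)
{
	const char *argv[RC_ARGV_MAX];
	struct rc_exec r;

	r.argc = build_rc_argv(choose_shell(kenv_init_shell), "/etc/rc", argv);
	r.verify = argv_has_verify(argv);
	r.argv0 = argv[0];	/* points at a string literal, safe to return */
	return (r);
}

int
main(void)
{
	/* Constructed kenv values: unset, and an override to another shell. */
	const char *cases[] = { NULL, "/bin/csh" };

	for (size_t c = 0; c < sizeof(cases) / sizeof(cases[0]); c++) {
		struct rc_exec r = plan_rc_exec(cases[c]);
		printf("init_shell=%s -> argv0=%s argc=%zu verify=%s\n",
		    cases[c] != NULL ? cases[c] : "(unset)",
		    r.argv0, r.argc, r.verify ? "yes" : "no");
	}
	return (0);
}
```

With the kenv unset the vector is `sh -o verify /etc/rc`; with the kenv pointing at another shell it is just `csh /etc/rc`, which is exactly why the summary relies on that kenv being blocked on mac_veriexec systems rather than on init itself.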

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

sbin/init/init.c:1085
    brace should be on previous line

sbin/init/init.c:1091
    can't say I'm crazy about this bit.

Are there any more issues to be resolved? Can we proceed with committing this patch?

@sebastien.bini_stormshield.eu could you confirm whether these changes still apply to HEAD? I was trying to find anything related to -oVERIFY in init.c but there is no such string. Is there anything missing which needs to be merged before this patch?

In D34622#834000, @wma wrote:

@sebastien.bini_stormshield.eu could you confirm whether these changes still apply to HEAD? I was trying to find anything related to -oVERIFY in init.c but there is no such string. Is there anything missing which needs to be merged before this patch?

I just rebased the whole patch locally to main and it applied with no conflict. I think I know what you mean; in the History tab you can see two commits, although only the last one appears in the diff viewer. Does it cause any problem to close the review?

This revision was not accepted when it landed; it landed in state Needs Review. Oct 11 2022, 7:52 AM
This revision was automatically updated to reflect the committed changes.

Oh, I see now.
@sebastien.bini_stormshield.eu The best way to send patches to Phabricator is preparing them as diff-to-baseline (to main in this case). This way the most up-to-date patch contains all necessary changes. Phabricator will automatically handle all modifications in lines which had some todo/comment attached and mark those issues as resolved.