Page MenuHomeFreeBSD
Differential D41431

Add mac_grantbylabel
ClosedPublic
Actions

Authored by sjg on Aug 11 2023, 10:02 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 24, 8:04 AM
Unknown Object (File)
Wed, Dec 10, 12:10 AM
Unknown Object (File)
Tue, Dec 9, 3:49 PM
Unknown Object (File)
Fri, Nov 28, 9:34 PM
Unknown Object (File)
Nov 26 2025, 1:47 AM
Unknown Object (File)
Nov 25 2025, 6:20 PM
Unknown Object (File)
Nov 23 2025, 5:21 PM
Unknown Object (File)
Nov 19 2025, 4:10 AM
View All Files
Subscribers
dab
imp
jonathan

Details

Reviewers
stevek
rwatson
Commits
rG1554ba03b651: Add mac_grantbylabel
Summary

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

sjg created this revision.Aug 11 2023, 10:02 PM
Herald added subscribers: dab, jonathan, imp. · View Herald TranscriptAug 11 2023, 10:02 PM
sjg requested review of this revision.Aug 11 2023, 10:02 PM
Harbormaster completed remote builds in B53054: Diff 125891.Aug 11 2023, 10:02 PM
sjg updated this revision to Diff 125892.Aug 11 2023, 11:42 PM

Missed two files

Harbormaster completed remote builds in B53055: Diff 125892.Aug 11 2023, 11:43 PM
sjg updated this revision to Diff 125893.Aug 11 2023, 11:46 PM

Use SPDX

Harbormaster completed remote builds in B53056: Diff 125893.Aug 11 2023, 11:46 PM
sjg updated this revision to Diff 125894.Aug 12 2023, 1:22 AM

Use correct MAC_VERIEXEC_VERSION in MODULE_DEPEND

Harbormaster completed remote builds in B53057: Diff 125894.Aug 12 2023, 1:23 AM
sjg mentioned this in D36506: veriexec: add syscall to retrieve veriexec label.Aug 14 2023, 7:28 PM
sjg updated this revision to Diff 125995.Aug 14 2023, 8:20 PM

Add veriexec_get_{path,pid}_label

Harbormaster completed remote builds in B53099: Diff 125995.Aug 14 2023, 8:21 PM
sjg updated this revision to Diff 126063.Aug 16 2023, 2:34 AM

Add -l option to veriexec

Harbormaster completed remote builds in B53128: Diff 126063.Aug 16 2023, 2:34 AM
sjg updated this revision to Diff 126097.Aug 16 2023, 10:18 PM

Update copyright year

Harbormaster completed remote builds in B53139: Diff 126097.Aug 16 2023, 10:18 PM
stevek added inline comments.Aug 16 2023, 10:31 PM
sys/security/mac_grantbylabel/mac_grantbylabel.c
60

This sysctl and variable used by it should be under #ifdef MAC_DEBUG since the MAC_GRANTBYLABEL_DBG is only filled out when MAC_DEBUG is defined.

66

This line looks like it ran a bit long?

501

Either drop this bit entirely and use MPC_LOADTIME_FLAG_NOTLATE or add MAC_GRANTBYLABEL_DEBUG to the "options"

sjg updated this revision to Diff 126106.Aug 17 2023, 1:47 AM

Cleanup per feedback

Harbormaster completed remote builds in B53146: Diff 126106.Aug 17 2023, 1:47 AM
sjg updated this revision to Diff 126132.Aug 17 2023, 3:46 PM

Update more copyright years

Harbormaster completed remote builds in B53154: Diff 126132.Aug 17 2023, 3:46 PM
sjg updated this revision to Diff 126134.Aug 17 2023, 4:41 PM

rebase and remove $FreeBSD$

Harbormaster completed remote builds in B53156: Diff 126134.Aug 17 2023, 4:41 PM
sjg marked 3 inline comments as done.Aug 17 2023, 4:45 PM

If someone could explain the rubbish about libveriexc.h being copied to mac_grantbylabel.h

stevek accepted this revision.Aug 24 2023, 7:10 PM
This revision is now accepted and ready to land.Aug 24 2023, 7:10 PM
Closed by commit rG1554ba03b651: Add mac_grantbylabel (authored by sjg). · Explain WhyAug 25 2023, 12:43 AM
This revision was automatically updated to reflect the committed changes.
sjg added a commit: rG1554ba03b651: Add mac_grantbylabel.

Revision Contents
Changeset List

PathSize
etc/
mtree/
2 lines
include/
4 lines
lib/
libveriexec/
4 lines
159 lines
125 lines
13 lines
174 lines
sbin/
veriexec/
2 lines
17 lines
58 lines
sys/
conf/
1 line
1 line
security/
mac_grantbylabel/
506 lines
sys/
security/
mac_grantbylabel/
lib/
libveriexec/
mac_grantbylabel.h
libveriexec.h
49 lines

Diff 126511

View Options

etc/mtree/BSD.include.dist

Loading...
View Options

include/Makefile

Loading...
View Options

lib/libveriexec/Makefile

Loading...
View Options

lib/libveriexec/exec_script.c

Loading...
View Options

lib/libveriexec/gbl_check.c

Loading...
View Options

lib/libveriexec/libveriexec.h

Loading...
View Options

lib/libveriexec/veriexec_get.c

Loading...
View Options

sbin/veriexec/Makefile.depend

Loading...
View Options

sbin/veriexec/veriexec.8

Loading...
View Options

sbin/veriexec/veriexec.c

Loading...
View Options

sys/conf/files

Loading...
View Options

sys/conf/options

Loading...
View Options

sys/security/mac_grantbylabel/mac_grantbylabel.h

Loading...
View Options

sys/security/mac_grantbylabel/mac_grantbylabel.c

Loading...