
Add mac_grantbylabel
ClosedPublic

Authored by sjg on Aug 11 2023, 10:02 PM.

Details

Summary

This module allows controlled privilege escalation via MAC labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able to perform a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcoming the 'indirect' flag applied to the interpreter.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

sjg requested review of this revision. Aug 11 2023, 10:02 PM

Use correct MAC_VERIEXEC_VERSION in MODULE_DEPEND

Add veriexec_get_{path,pid}_label

Add -l option to veriexec

Inline comments on sys/security/mac_grantbylabel/mac_grantbylabel.c:

Line 60: This sysctl and variable used by it should be under #ifdef MAC_DEBUG since the MAC_GRANTBYLABEL_DBG is only filled out when MAC_DEBUG is defined.

Line 66: This line looks like it ran a bit long?

Line 501: Either drop this bit entirely and use MPC_LOADTIME_FLAG_NOTLATE or add MAC_GRANTBYLABEL_DEBUG to the "options"

Update more copyright years

rebase and remove $FreeBSD$

sjg marked 3 inline comments as done. Aug 17 2023, 4:45 PM

If someone could explain the rubbish about libveriexc.h being copied to mac_grantbylabel.h

This revision is now accepted and ready to land. Aug 24 2023, 7:10 PM
This revision was automatically updated to reflect the committed changes.