Page MenuHomeFreeBSD
Differential D8562

Verified execution (veriexec) library interface to MAC/veriexec per-policy syscall
ClosedPublic
Actions

Authored by stevek on Nov 18 2016, 4:07 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 8, 12:46 AM
Unknown Object (File)
Wed, Nov 6, 9:35 PM
Unknown Object (File)
Wed, Oct 23, 2:43 PM
Unknown Object (File)
Wed, Oct 16, 4:42 PM
Unknown Object (File)
Oct 14 2024, 10:05 PM
Unknown Object (File)
Oct 13 2024, 5:11 PM
Unknown Object (File)
Oct 8 2024, 8:50 PM
Unknown Object (File)
Oct 7 2024, 11:31 AM
View All 95 Files
Subscribers
imp
jtl
sjg
wblock

Details

Reviewers
rwatson
jtl
Group Reviewers
manpages
Commits
rS335401: This library allows for user space applications to check file descriptors
Summary

This library allows for user space applications to check file descriptors
or paths to see if they can be verified by MAC/veriexec.

Depends on D8554

Test Plan

Various versions of this code (with some differences) has been in use for a few years and has gone through in-house testing.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

stevek updated this revision to Diff 22311.Nov 18 2016, 4:07 AM
stevek retitled this revision from to Verified execution (veriexec) library interface to MAC/veriexec per-policy syscall.
stevek updated this object.
stevek edited the test plan for this revision. (Show Details)
stevek added a reviewer: rwatson.
stevek added a subscriber: sjg.
Herald added a reviewer: manpages. · View Herald TranscriptNov 18 2016, 4:07 AM
Herald added a subscriber: imp. · View Herald Transcript
stevek updated this object.Nov 18 2016, 4:38 PM
stevek edited edge metadata.
stevek added a parent revision: D8554: Verified execution (veriexec) as a MAC module..
wblock added a subscriber: wblock.Nov 18 2016, 5:23 PM
wblock added inline comments.
lib/libveriexec/veriexec.3
27 ↗(On Diff #22311)

This needs to be bumped.

48 ↗(On Diff #22311)

Maybe simplify this?

.Fn veriexec_check_fd
​function checks the signature of the file represented by the
.Fa fd
file descriptor.
54 ↗(On Diff #22311)

Likewise, can't this just be:

(There's a typo on "specfied", which this avoids.)

function checks the signature of the file path
.Fa file .
63 ↗(On Diff #22311)

Um... if not the first thing or the second thing?

functions return zero on a successful signature match or if veriexec is not enabled.
If the signature does not match,
.Va errno
is set.

(Although "set" is a little ambiguous. Set in the binary sense (non-zero) or set to a particular number?

jtl accepted this revision.Jan 10 2018, 12:30 AM
jtl added a subscriber: jtl.

I think this should be committed after addressing @wblock's comments.

This revision is now accepted and ready to land.Jan 10 2018, 12:30 AM
Closed by commit rS335401: This library allows for user space applications to check file descriptors (authored by stevek). · Explain WhyJun 20 2018, 12:55 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
lib/
libveriexec/
14 lines
37 lines
65 lines
146 lines

Diff 44115

View Options

head/lib/libveriexec/Makefile

Loading...
View Options

head/lib/libveriexec/libveriexec.h

Loading...
View Options

head/lib/libveriexec/veriexec.3

Loading...
View Options

head/lib/libveriexec/veriexec_check.c

Loading...