Verified execution (veriexec) library interface to MAC/veriexec per-policy syscall

Authored by stevek on Nov 18 2016, 4:07 AM.



This library allows for user space applications to check file descriptors
or paths to see if they can be verified by MAC/veriexec.

Depends on D8554

Test Plan

Various versions of this code (with some differences) have been in use for a few years and have gone through in-house testing.

Diff Detail

rS FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

stevek updated this revision to Diff 22311. Nov 18 2016, 4:07 AM
stevek retitled this revision from to Verified execution (veriexec) library interface to MAC/veriexec per-policy syscall.
stevek updated this object.
stevek edited the test plan for this revision.
stevek added a reviewer: rwatson.
stevek added a subscriber: sjg.
stevek updated this object. Nov 18 2016, 4:38 PM
stevek edited edge metadata.
wblock added a subscriber: wblock. Nov 18 2016, 5:23 PM
wblock added inline comments.
27 ↗(On Diff #22311)

This needs to be bumped.

48 ↗(On Diff #22311)

Maybe simplify this?

.Fn veriexec_check_fd
function checks the signature of the file represented by the
.Fa fd
file descriptor.

54 ↗(On Diff #22311)

Likewise, can't this just be:

(There's a typo on "specfied", which this avoids.)

function checks the signature of the file path
.Fa file .

63 ↗(On Diff #22311)

Um... if not the first thing or the second thing?

functions return zero on a successful signature match or if veriexec is not enabled.
If the signature does not match,
.Va errno
is set.

(Although "set" is a little ambiguous. Set in the binary sense (non-zero) or set to a particular number?)

jtl accepted this revision. Jan 10 2018, 12:30 AM
jtl added a subscriber: jtl.

I think this should be committed after addressing @wblock's comments.

This revision is now accepted and ready to land. Jan 10 2018, 12:30 AM
This revision was automatically updated to reflect the committed changes.