Page MenuHomeFreeBSD

Add mac_grantbylabel
ClosedPublic

Authored by sjg on Aug 11 2023, 10:02 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 25, 2:47 AM
Unknown Object (File)
Mon, Nov 25, 12:20 AM
Unknown Object (File)
Fri, Nov 22, 11:16 AM
Unknown Object (File)
Fri, Nov 22, 11:16 AM
Unknown Object (File)
Fri, Nov 22, 11:16 AM
Unknown Object (File)
Thu, Nov 21, 6:44 AM
Unknown Object (File)
Tue, Nov 12, 12:38 AM
Unknown Object (File)
Thu, Nov 7, 3:30 PM
Subscribers

Details

Summary

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 53056
Build 49947: arc lint + arc unit

Event Timeline

sjg requested review of this revision.Aug 11 2023, 10:02 PM

Use correct MAC_VERIEXEC_VERSION in MODULE_DEPEND

Add veriexec_get_{path,pid}_label

Add -l option to veriexec

sys/security/mac_grantbylabel/mac_grantbylabel.c
60

This sysctl and variable used by it should be under #ifdef MAC_DEBUG since the MAC_GRANTBYLABEL_DBG is only filled out when MAC_DEBUG is defined.

66

This line looks like it ran a bit long?

501

Either drop this bit entirely and use MPC_LOADTIME_FLAG_NOTLATE or add MAC_GRANTBYLABEL_DEBUG to the "options"

Update more copyright years

rebase and remove $FreeBSD$

sjg marked 3 inline comments as done.Aug 17 2023, 4:45 PM

If someone could explain the rubbish about libveriexc.h being copied to mac_grantbylabel.h

This revision is now accepted and ready to land.Aug 24 2023, 7:10 PM
This revision was automatically updated to reflect the committed changes.