Page MenuHomeFreeBSD

stephane.rochoy_stormshield.eu (Stéphane Rochoy)
User

Projects

User does not belong to any projects.

User Details

User Since
Mar 8 2021, 9:19 AM (33 w, 1 d)

Recent Activity

Aug 2 2021

stephane.rochoy_stormshield.eu updated the diff for D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

@jilles I took some time to think about fc -e (sorry for the lag). The only viable approach seems to just never enforce O_VERIFY with edited history entries. Not sure it's worth trying to ensure the shell is interactive. What do you think?

Aug 2 2021, 9:23 AM

Jun 30 2021

stephane.rochoy_stormshield.eu added a comment to D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states.

By the way, -i and -z are handled in a very similar fashion. There's probably some room for refactoring while at it.

Jun 30 2021, 10:06 AM
stephane.rochoy_stormshield.eu retitled D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states from veriexec: Fix `veriexec -i`'s confusion between loaded and locked states to veriexec: Fix veriexec -i's confusion between loaded and locked states.
Jun 30 2021, 6:19 AM
stephane.rochoy_stormshield.eu added a reviewer for D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states: mw.
Jun 30 2021, 6:17 AM
stephane.rochoy_stormshield.eu requested review of D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states.
Jun 30 2021, 6:17 AM

Jun 14 2021

stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.
In D30464#686275, @sjg wrote:
veriexec=/sbin/veriexec
if test -s $veriexec && $veriexec -i active > /dev/null 2>&1; then
_rc_verify() { $veriexec -x $1; }
else
_rc_verify() { : ; }
fi
Jun 14 2021, 12:30 PM
stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

It is not documented, although example functions exist in /usr/src/bin/sh/funcs/. There is more information about this feature at https://www.in-ulm.de/~mascheck/various/ash/functionpathsearch.html .

Jun 14 2021, 12:21 PM

Jun 11 2021

stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

@imp @jilles @sjg @mw Is there anything that still prevent this patch from landing?

Jun 11 2021, 1:50 PM

Jun 7 2021

stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

Looks reasonable, assuming veriexec itself is reasonable (in many cases, it seems to me that verifying the root filesystem would be a simpler and more reliable approach).

The verify option affects:

[…]

  • function autoloading via a DIR%func entry in PATH
Jun 7 2021, 11:29 AM

Jun 4 2021

stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.
In D30464#687944, @sjg wrote:

BTW wrt creating test cases, assuming you have a system which is capable of enforcing veriexec and still operate, a package which contains a manifest with various failures is handy.
I have something like that for testing the verifying loader - it cannot be installed using my package system; since it would fail all the pre-install checks, so a manual install.sh
script is provided.

You can also do simple tests by just copying a verified file such. that it gets a new inode.
Eg /bin/sh may be verified and work just fine, cp /bin/sh /tmp; /tmp/sh - Authentication error same trick applies to any file.

Jun 4 2021, 8:15 AM

May 31 2021

stephane.rochoy_stormshield.eu added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.
In D30464#686275, @sjg wrote:

Neat, but not going to be portable.
FWIW I use veriexec -x some/file to test whether the file is verified.
Eg. we modify rc.subr to provide a couple of functions is_verified and vdot which does . only after verify file.
This allows shell scripts to be careful about what they consume, while still being portable (not that big. a deal really ;-)

May 31 2021, 7:56 AM

May 26 2021

stephane.rochoy_stormshield.eu retitled D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts from sh: Add -o verify to use O_VERIFY when sourceing scripts to sh: Add -o verify to use O_VERIFY when sourcing scripts.
May 26 2021, 7:33 AM
stephane.rochoy_stormshield.eu published D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts for review.
May 26 2021, 7:31 AM