1554ba03b6
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 |
||
|---|---|---|
| .. | ||
| arm | ||
| arpa | ||
| gssapi | ||
| i386 | ||
| protocols | ||
| rpc | ||
| rpcsvc | ||
| xlocale | ||
| Makefile | ||
| Makefile.depend | ||
| _ctype.h | ||
| a.out.h | ||
| ar.h | ||
| assert.h | ||
| bitstring.h | ||
| byteswap.h | ||
| complex.h | ||
| cpio.h | ||
| ctype.h | ||
| db.h | ||
| dirent.h | ||
| dlfcn.h | ||
| elf-hints.h | ||
| elf.h | ||
| endian.h | ||
| err.h | ||
| fmtmsg.h | ||
| fnmatch.h | ||
| fstab.h | ||
| fts.h | ||
| ftw.h | ||
| getopt.h | ||
| glob.h | ||
| grp.h | ||
| gssapi.h | ||
| hesiod.h | ||
| iconv.h | ||
| ieeefp.h | ||
| ifaddrs.h | ||
| inttypes.h | ||
| iso646.h | ||
| kenv.h | ||
| langinfo.h | ||
| libgen.h | ||
| limits.h | ||
| link.h | ||
| locale.h | ||
| malloc.h | ||
| malloc_np.h | ||
| memory.h | ||
| mk-osreldate.sh | ||
| monetary.h | ||
| mpool.h | ||
| mqueue.h | ||
| ndbm.h | ||
| netconfig.h | ||
| netdb.h | ||
| nl_types.h | ||
| nlist.h | ||
| nss.h | ||
| nsswitch.h | ||
| paths.h | ||
| printf.h | ||
| proc_service.h | ||
| pthread.h | ||
| pthread_np.h | ||
| pwd.h | ||
| ranlib.h | ||
| readpassphrase.h | ||
| regex.h | ||
| res_update.h | ||
| resolv.h | ||
| runetype.h | ||
| sched.h | ||
| search.h | ||
| semaphore.h | ||
| setjmp.h | ||
| signal.h | ||
| spawn.h | ||
| stab.h | ||
| stdalign.h | ||
| stdbool.h | ||
| stddef.h | ||
| stdio.h | ||
| stdlib.h | ||
| stdnoreturn.h | ||
| string.h | ||
| stringlist.h | ||
| strings.h | ||
| sysexits.h | ||
| tar.h | ||
| termios.h | ||
| tgmath.h | ||
| time.h | ||
| timeconv.h | ||
| timers.h | ||
| ttyent.h | ||
| uchar.h | ||
| ulimit.h | ||
| unistd.h | ||
| utime.h | ||
| utmpx.h | ||
| uuid.h | ||
| varargs.h | ||
| wchar.h | ||
| wctype.h | ||
| wordexp.h | ||
| xlocale.h | ||