mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-15 12:54:27 +00:00
1554ba03b6
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec. There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels. The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed. We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter. Add -l option to sbin/veriexec to report labels. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
18 lines
193 B
Makefile
18 lines
193 B
Makefile
|
|
.include <src.opts.mk>
|
|
|
|
LIB= veriexec
|
|
MAN= veriexec.3
|
|
INCS= libveriexec.h
|
|
|
|
WARNS?= 2
|
|
|
|
SRCS= \
|
|
exec_script.c \
|
|
gbl_check.c \
|
|
veriexec_check.c \
|
|
veriexec_get.c \
|
|
|
|
.include <bsd.lib.mk>
|
|
|