freebsd-src/sys
Stephen J. Kiernan fb47a3769c

MAC/veriexec implements a verified execution environment using the MAC
framework.

The code is organized into a few distinct pieces:

* The meta-data store (in veriexec_metadata.c) which maps a file system
  identifier, file identifier, and generation key tuple to veriexec
  meta-data record.

* Fingerprint management (in veriexec_fingerprint.c) which deals with
  calculating the cryptographic hash for a file and verifying it. It also
  manages the loadable fingerprint modules.

* MAC policy implementation (in mac_veriexec.c) which implements the
  following MAC methods:

mpo_init
  Initializes the veriexec state, meta-data store, fingerprint modules,
  and registers mount and unmount EVENTHANDLERs

mpo_syscall
  Implements the following per-policy system calls:
  MAC_VERIEXEC_CHECK_FD_SYSCALL
    Check a file descriptor to see if the referenced file has a valid
    fingerprint.
  MAC_VERIEXEC_CHECK_PATH_SYSCALL
    Check a path to see if the referenced file has a valid fingerprint.

mpo_kld_check_load
  Check if loading a kld is allowed. This checks if the referenced vnode
  has a valid fingerprint.

mpo_mount_destroy_label
  Clears the veriexec slot data in a mount point label.

mpo_mount_init_label
  Initializes the veriexec slot data in a mount point label.
  The file system identifier is saved in the veriexec slot data.

mpo_priv_check
  Check if a process is allowed to write to /dev/kmem and /dev/mem
  devices.
  If a process is flagged as trusted, it is allowed to write.

mpo_proc_check_debug
  Check if a process is allowed to be debugged. If a process is not
  flagged with VERIEXEC_NOTRACE, then debugging is allowed.

mpo_vnode_check_exec
  Check if an executable is allowed to run. If veriexec is not enforcing
  or the executable has a valid fingerprint, then it is allowed to run.
  NOTE: veriexec will complain about mismatched fingerprints if it is
  active, regardless of the state of the enforcement.

mpo_vnode_check_open
  Check if a file is allowed to be opened. If verification was not
  requested, veriexec is not enforcing, or the file has a valid
  fingerprint, then veriexec will allow the file to be opened.

mpo_vnode_copy_label
  Copies the veriexec slot data from one label to another.

mpo_vnode_destroy_label
  Clears the veriexec slot data in a vnode label.

mpo_vnode_init_label
  Initializes the veriexec slot data in a vnode label.
  The fingerprint status for the file is stored in the veriexec slot data.

* Some sysctls, under security.mac.veriexec, for setting debug level,
  fetching the current state in a human-readable form, and dumping the
  fingerprint database are implemented.

* The MAC policy implementation source file also contains some utility
  functions.

* A set of fingerprint modules for the following cryptographic hash
  algorithms:
  RIPEMD-160, SHA1, SHA2-256, SHA2-384, SHA2-512

* Loadable module builds for MAC/veriexec and fingerprint modules.

 WARNING: Using veriexec with NFS (or other network-based) file systems is
          not recommended as one cannot guarantee the integrity of the files
          served, nor the uniqueness of file system identifiers which are
          used as the key in the meta-data store.

Reviewed by:	ian, jtl
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8554
2018-06-20 00:41:30 +00:00
amd64 remove ixl iwarp and ixlv from the build until they are in a working state 2018-06-19 02:48:53 +00:00
arm Move common GIC interrupt numbers to the common header. These are the same 2018-06-19 16:14:23 +00:00
arm64 Move common GIC interrupt numbers to the common header. These are the same 2018-06-19 16:14:23 +00:00
bsm
cam Fix setting RCA for MMC cards 2018-06-19 20:02:03 +00:00
cddl This originated from ZFS On Linux, as 2018-06-08 17:38:28 +00:00
compat linuxulator: handle V3 capget/capset 2018-06-19 21:26:23 +00:00
conf MAC/veriexec implements a verified execution environment using the MAC 2018-06-20 00:41:30 +00:00
contrib Really fix the style. 2018-06-19 18:43:02 +00:00
crypto disable printing value of SKEIN_LOOP during standard out, 2018-05-19 18:27:14 +00:00
ddb Extend show proc with reaper, sigparent, and vmspace information 2018-05-25 13:59:48 +00:00
dev Remove "diff" line indicator. Next to see if this code works or not. 2018-06-19 15:55:21 +00:00
dts
fs Revert r335263, since it can cause crashes in unusual circumstances. 2018-06-17 23:08:54 +00:00
gdb
geom gpart: add EFI alias for MBR partition scheme 2018-06-17 20:10:48 +00:00
gnu dts: Update our copy to Linux 4.17 2018-06-14 07:12:10 +00:00
i386 linuxulator: do not include legacy syscalls on arm64 2018-06-15 14:41:51 +00:00
isa
kern convert inpcbinfo hash and info rwlocks to epoch + mutex 2018-06-19 01:54:00 +00:00
kgssapi
libkern str(r)chr: Replace union abuse with __DECONST 2018-06-04 18:47:14 +00:00
mips hwpmc: yet another missed fixup 2018-06-08 18:54:47 +00:00
modules MAC/veriexec implements a verified execution environment using the MAC 2018-06-20 00:41:30 +00:00
net Move BPFIF_* macro definitions into .c file, where struct bpf_if is 2018-06-19 10:34:45 +00:00
net80211
netgraph Catch up two more places to the V_ifnet change to a CK_STAILQ. 2018-05-24 00:06:55 +00:00
netinet Make sure that the t_peakrate_thr is not compiled in 2018-06-19 11:20:28 +00:00
netinet6 Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
netipsec uma: implement provisional api for per-cpu zones 2018-06-08 21:40:03 +00:00
netpfil Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
netsmb Eliminate the overhead of gratuitous repeated reinitialization of cap_rights 2018-05-09 18:47:24 +00:00
nfs Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
nfsclient
nfsserver
nlm
ofed Revert r335094 and properly fix OFED build after r335053. 2018-06-14 07:55:10 +00:00
opencrypto
powerpc Split the PowerISA 3.0 HPT implementation from historic 2018-06-14 17:23:51 +00:00
riscv Don't jump to VA space until kernel is ready. 2018-06-13 10:32:21 +00:00
rpc
security MAC/veriexec implements a verified execution environment using the MAC 2018-06-20 00:41:30 +00:00
sparc64 Define memmove and make bcopy alt entry point 2018-05-24 21:11:28 +00:00
sys libnv: Add nvlist_append_*_array() family of functions. 2018-06-18 22:57:32 +00:00
teken teken: Fix sequences header which was crossing the 80-col boundary 2018-05-29 08:41:44 +00:00
tests epoch(9): Make epochs non-preemptible by default 2018-05-18 17:29:43 +00:00
tools
ufs ufs: remove cgbno variable where unused 2018-05-19 19:30:42 +00:00
vm Name the implementation of brk and sbrk sys_break(). 2018-06-14 21:27:25 +00:00
x86 Untangle configuration ifdefs a little. On x86, msi is optional on pci, 2018-06-10 14:49:13 +00:00
xdr
xen xen: remove dead code from gnttab.h 2018-05-25 08:44:00 +00:00
Makefile