/freebsd/sys/security/mac_grantbylabel/ |
H A D | mac_grantbylabel.c | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | mac_grantbylabel.h | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
/freebsd/lib/libveriexec/ |
H A D | exec_script.c | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | gbl_check.c | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | veriexec_get.c | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | libveriexec.h | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | Makefile | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
/freebsd/sbin/veriexec/ |
H A D | Makefile.depend | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | veriexec.8 | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | veriexec.c | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
/freebsd/etc/mtree/ |
H A D | BSD.include.dist | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
/freebsd/include/ |
H A D | Makefile | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
/freebsd/sys/conf/ |
H A D | options | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|
H A D | files | 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431 1554ba03 Fri Aug 25 00:41:22 GMT 2023 Simon J. Gerraty <sjg@FreeBSD.org> Add mac_grantbylabel
This module allows controlled privilege escallation via mac labels securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels and an exec_script API that allows a suitably labeled process to run something like a python interpreter directly if necessary; overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D41431
|