<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test/sys/dev/veriexec, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/'/>
<updated>2020-01-03T22:29:58Z</updated>
<entry>
<title>vfs: drop the mostly unused flags argument from VOP_UNLOCK</title>
<updated>2020-01-03T22:29:58Z</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjg@FreeBSD.org</email>
</author>
<published>2020-01-03T22:29:58Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=b249ce48ea5560afdcff57e72a9880b7d3132434'/>
<id>urn:sha1:b249ce48ea5560afdcff57e72a9880b7d3132434</id>
<content type='text'>
Filesystems which want to use it in limited capacity can employ the
VOP_UNLOCK_FLAGS macro.

Reviewed by:	kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D21427
</content>
</entry>
<entry>
<title>Add a new ioctl for the larger params struct that includes the label.</title>
<updated>2019-05-17T19:27:07Z</updated>
<author>
<name>Stephen J. Kiernan</name>
<email>stevek@FreeBSD.org</email>
</author>
<published>2019-05-17T19:27:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=942886743b18da416fd96e85787a49a8e160e060'/>
<id>urn:sha1:942886743b18da416fd96e85787a49a8e160e060</id>
<content type='text'>
We need to make the find_veriexec_file() function available publicly, so
rename it to mac_veriexec_metadata_find_file_info() and make it non-static.

Bump the version of the veriexec device interface so user space will know
the labelized version of fingerprint loading is available.

Approved by:	sjg
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D20295
</content>
</entry>
<entry>
<title>Add command to get version of the ioctl interface for the veriexec device.</title>
<updated>2019-05-17T18:25:53Z</updated>
<author>
<name>Stephen J. Kiernan</name>
<email>stevek@FreeBSD.org</email>
</author>
<published>2019-05-17T18:25:53Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=910013c6a8c398d4335c713c4a1416658f026afc'/>
<id>urn:sha1:910013c6a8c398d4335c713c4a1416658f026afc</id>
<content type='text'>
Obtained from:	Juniper Networks, Inc.
MFC after:	1 week
</content>
</entry>
<entry>
<title>Protect commands that are considered dangerous with checks for kmem write</title>
<updated>2019-05-17T18:02:26Z</updated>
<author>
<name>Stephen J. Kiernan</name>
<email>stevek@FreeBSD.org</email>
</author>
<published>2019-05-17T18:02:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=9ce904dfde0ce588eea3f090adf79f54a56c6c2e'/>
<id>urn:sha1:9ce904dfde0ce588eea3f090adf79f54a56c6c2e</id>
<content type='text'>
priv. This allows for MAC/veriexec to prevent apps that are not "trusted"
from using these commands.

Obtained from:	Juniper Networks, Inc.
MFC after:	1 week
</content>
</entry>
<entry>
<title>Device for user space to interface with MAC/veriexec.</title>
<updated>2018-06-20T00:48:46Z</updated>
<author>
<name>Stephen J. Kiernan</name>
<email>stevek@FreeBSD.org</email>
</author>
<published>2018-06-20T00:48:46Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=ed7b25da7828ebf46eb180ed5fd94f8ce42cc90d'/>
<id>urn:sha1:ed7b25da7828ebf46eb180ed5fd94f8ce42cc90d</id>
<content type='text'>
The veriexec device features the following ioctl commands:

VERIEXEC_ACTIVE
  Activate veriexec functionality
VERIEXEC_DEBUG_ON
  Enable debugging mode and increment or set the debug level
VERIEXEC_DEBUG_OFF
  Disable debugging mode
VERIEXEC_ENFORCE
  Enforce veriexec fingerprinting (and activate if not already)
VERIEXEC_GETSTATE
  Get current veriexec state
VERIEXEC_LOCK
  Lock changes to veriexec meta-data store
VERIEXEC_LOAD
  Load veriexec fingerprint if secure level is not raised (and passes the
  checks for VERIEXEC_SIGNED_LOAD)
VERIEXEC_SIGNED_LOAD
  Load veriexec fingerprints from loader that supports signed manifest
  (and thus we can be more lenient about secure level being raised.)
  Fingerprints can be loaded if the meta-data store is not locked. Also
  securelevel must not have been raised or some fingerprints must have
  already been loaded, otherwise it would be dangerous to allow loading.
  (Note: this assumes that the fingerprints in the meta-data store at
         least cover the fingerprint loader.)

Reviewed by:	jtl
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8561
</content>
</entry>
</feed>
