src/sys/security/mac_veriexec_parser, branch main FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=main 2024-09-20T15:22:56Z mac_veriexec_parser: Fix open_file error handling 2024-09-20T15:22:56Z Heyang Zhou hello@su3.io 2024-07-22T17:43:28Z urn:sha1:6e45b50342d5adadf9dd08e3476fc90f715be1fc NDFREE_PNBUF should be called after checking the return value of vn_open(), and should only be called once. Reviewed by: imp, zlei, Kornel Dulęba <mindal@semihalf.com>, Elliott Mitchell Pull Request: https://github.com/freebsd/freebsd-src/pull/1338 sys: Automated cleanup of cdefs and other formatting 2023-11-27T05:24:00Z Warner Losh imp@FreeBSD.org 2023-11-24T20:12:57Z urn:sha1:fdafd315ad0d0f28a11b9fb4476a9ab059c62b92 Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row. Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/ Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/ Remove /\n+#if.*\n#endif.*\n+/ Remove /^#if.*\n#endif.*\n/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/ Sponsored by: Netflix sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16T17:54:36Z Warner Losh imp@FreeBSD.org 2023-08-16T17:54:36Z urn:sha1:685dc743dc3b5645e34836464128e1c0558b404b Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ mac_veriexec_parser: fix build after 7e1d3eefd410. 2022-09-09T12:09:08Z Dag-Erling Smørgrav des@FreeBSD.org 2022-09-09T12:09:08Z urn:sha1:08e331f41bba9e4c0a241c3350c8111f633ec46e Sponsored by: Klara, Inc. vfs: NDFREE(&nd, NDF_ONLY_PNBUF) -> NDFREE_PNBUF(&nd) 2022-03-24T10:20:51Z Mateusz Guzik mjg@FreeBSD.org 2022-03-24T10:10:03Z urn:sha1:bb92cd7bcd16f3f36cdbda18d8193619892715fb security: clean up empty lines in .c and .h files 2020-09-01T21:26:00Z Mateusz Guzik mjg@FreeBSD.org 2020-09-01T21:26:00Z urn:sha1:e5ecee7440496904939e936501d0db93bed15415 vfs: drop the mostly unused flags argument from VOP_UNLOCK 2020-01-03T22:29:58Z Mateusz Guzik mjg@FreeBSD.org 2020-01-03T22:29:58Z urn:sha1:b249ce48ea5560afdcff57e72a9880b7d3132434 Filesystems which want to use it in limited capacity can employ the VOP_UNLOCK_FLAGS macro. Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D21427 Fix mac_veriexec_parser build after r347938 2019-08-08T16:51:49Z Marcin Wojtas mw@FreeBSD.org 2019-08-08T16:51:49Z urn:sha1:e7c5d9d3f2a6b76b7528aeaf2e9e284345ba62b0 In r347938 the definition of mac_veriexec_metadata_add_file so adjust the argument list accordingly. Submitted by: Kornel Duleba <mindal@semihalf.com> Create kernel module to parse Veriexec manifest based on envs 2019-04-03T03:57:37Z Marcin Wojtas mw@FreeBSD.org 2019-04-03T03:57:37Z urn:sha1:b0fefb25c558179e9f9c7f0d375c6a03fb567eb9 The current approach of injecting manifest into mac_veriexec is to verify the integrity of it in userspace (veriexec (8)) and pass its entries into kernel using a char device (/dev/veriexec). This requires verifying root partition integrity in loader, for example by using memory disk and checking its hash. Otherwise if rootfs is compromised an attacker could inject their own data. This patch introduces an option to parse manifest in kernel based on envs. The loader sets manifest path and digest. EVENTHANDLER is used to launch the module right after the rootfs is mounted. It has to be done this way, since one might want to verify integrity of the init file. This means that manifest is required to be present on the root partition. Note that the envs have to be set right before boot to make sure that no one can spoof them. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19281