Security Topics
Verified Execution (veriexec)
Available
See https://github.com/hackagadget/freebsd/tree/hackagadget/veriexec
- MAC/veriexec module
- libveriexec
- veriexecctl utility
In Review
verified mounts (D2902)
Committed
O_VERIFY flag
Needed
- signed manifest support
We have some X.509-based signed manifest functionality in Junos, but it possibly will not be what the FreeBSD project may want. - veriexec for loader(8) to load kernel, modules, etc.
MAC Framework
Available
- allow for MAC modules to effectively do a setuid/setgid operation
- this will most likely need to be revisited, as it has been some time since the changes were made in Junos
In Review
Committed
Needed
- resolve securelevel and MAC interaction
- Currently there are some things that securelevel takes precedence over MAC policies