Verified Execution (veriexec)
- MAC/veriexec module
- veriexecctl utility
verified mounts (D2902)
- signed manifest support
We have some X.509-based signed manifest functionality in Junos, but it possibly will not be what the FreeBSD project may want.
- veriexec for loader(8) to load kernel, modules, etc.
- allow for MAC modules to effectively do a setuid/setgid operation
- this will most likely need to be revisited, as it has been some time since the changes were made in Junos
- resolve securelevel and MAC interaction
- Currently there are some things that securelevel takes precedence over MAC policies