FreeBSD trusted execution system: beta testers wanted

Peter Jeremy PeterJeremy at
Sat Mar 12 15:06:26 PST 2005

On Fri, 2005-Mar-11 15:29:51 +0000, Christian S.J. Peron wrote:
>I have written a trusted execution module and would appreciate if anyone could
>help in testing. This module provides a functionality similar to NetBSD's
>verified exec mechanism. Once the design details of this security policy has
>been solidified, I will be releasing a white paper which describes the
>technical implementation in greater detail.

Sounds good.

>   Download, build and install the mac_chkexec kernel module:
>    fetch
>    tar zxvf mac_chkexec.1110510616.tar.gz
>    cd mac_chkexec
>    make
>    make install

Unfortunately, the existing file is incompatible with the "standard" kernel
building process.  The instructions above seem to work but since it's a
separate step from buildkernel/installkernel, I'm sure to forget it at some
time.  If I unpack it into /sys/modules and add "SUBDIR += mac_chkexec" to
/sys/modules/Makefile - it blows up with:

===> mac_chkexec
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
awk -f @/tools/vnode_if.awk @/kern/vnode_if.src -h
rm -f .depend
mkdep -f .depend -a   -nostdinc -I/usr/src/sys/crypto -D_KERNEL -DKLD_MODULE -I- -I/usr/src/sys/crypto -I. -I@ -I@/contrib/altq -I@/../include -I/usr/obj/usr/src/i386/usr/include -I/usr/obj/usr/src/sys/fwall /usr/src/sys/crypto//sha1.c /usr/src/sys/modules/mac_chkexec/mac_chkexec.c
/usr/src/sys/modules/mac_chkexec/mac_chkexec.c:61:25: mac_chkexec.h: No such file or directory
mkdep: compile failed
*** Error code 1

I also notice that the Makefile has /usr/src/sys hard-coded into it.

Can I suggest the following patch:

server# diff -u Makefile~ Makefile
--- Makefile~   Fri Mar 11 14:09:20 2005
+++ Makefile    Sun Mar 13 09:56:42 2005
@@ -1,5 +1,5 @@
-.PATH: /usr/src/sys/crypto/
-CFLAGS+=       -I/usr/src/sys/crypto
+.PATH: ${.CURDIR}/../../crypto
+CFLAGS+=       -I${.CURDIR} -I${.CURDIR}/../../crypto
 KMOD=  mac_chkexec
 SRCS=  vnode_if.h \

Peter Jeremy

More information about the freebsd-security mailing list