MAC/veriexec implements a verified execution environment using the MAC
The code is organized into a few distinct pieces:
- The meta-data store (in veriexec_metadata.c) which maps a file system identifier, file identifier, and generation key tuple to veriexec meta-data record.
- Fingerprint management (in veriexec_fingerprint.c) which deals with calculating the cryptographic hash for a file and verifying it. It also manages the loadable fingerprint modules.
- MAC policy implementation (in mac_veriexec.c) which implements the following MAC methods:
- Initializes the veriexec state, meta-data store, fingerprint modules, and registers mount and unmount EVENTHANDLERs
- Implements the following per-policy system calls:
- Check a file descriptor to see if the referenced file has a valid fingerprint.
- Check a path to see if the referenced file has a valid fingerprint.
- Check if loading a kld is allowed. This checks if the referenced vnode has a valid fingerprint.
- Clears the veriexec slot data in a mount point label.
- Initializes the veriexec slot data in a mount point label.
- The file system identifier is saved in the veriexec slot data.
- Check if a process is allowed to write to /dev/kmem and /dev/mem devices.
- If a process is flagged as trusted, it is allowed to write.
- Check if a process is allowed to be debugged. If a process is not flagged with VERIEXEC_NOTRACE, then debugging is allowed.
- Check is an exectuable is allowed to run. If veriexec is not enforcing or the executable has a valid fingerprint, then it is allowed to run. NOTE: veriexec will complain about mismatched fingerprints if it is active, regardless of the state of the enforcement.
- Check is a file is allowed to be opened. If verification was not requested, veriexec is not enforcing, or the file has a valid fingerprint, then veriexec will allow the file to be opened.
- Copies the veriexec slot data from one label to another.
- Clears the veriexec slot data in a vnode label.
- Initializes the veriexec slot data in a vnode label.
- The fingerprint status for the file is stored in the veriexec slot data.
Some sysctls, under security.mac.veriexec, for setting debug level, fetching the current state in a human-readable form, and dumping the fingerprint database are implemented in this source file.
The MAC policy implementation source file also contains some utility functions.
- A set of fingerprint modules for the following cryptographic hash algorithms:
- Loadable module builds for MAC/veriexec and fingerprint modules.
Depends on D2902