This application (veriexecctl) handles reading a fingerprints file containing paths, fingerprints, and optional option flags which in turn get pushed into the MAC/veriexec meta-data store via the veriexec device.
The format of the fingerprints file is as follows:
path type fingerprint options
The type of fingerprint supported depends on what MAC/veriexec fingerprint modules have been loaded into the system. The veriexecctl application is able to determine which ones are available by consulting the security.mac.veriexec.algorithms sysctl.
The following options are currently supported in MAC/veriexec and by the veriexecctl application:
- indirect
- If this option is set then the executable cannot be invoked directly, it can only be used as an interpreter in shell scripts.
- file
- Indicates that the fingerprint is associated with a file, not an executable. Files have their fingerprints verified during open(2) and are automatically made read only. This option may be used to verify shared libraries have not been tampered with.
- no_ptrace
- If this option is set then the executable cannot be traced with the ptrace(2) process tracing and debugging call.
- trusted
- If this option is set then the executable is allowed to write to the mem(4) devices. By default, when verified execution is enforced, no process is allowed to write to the mem(4) devices.
The options are not case sensitive.
Depends on D8561.