HomeFreeBSD

This application (veriexecctl) handles reading a fingerprints file

Description

This application (veriexecctl) handles reading a fingerprints file
containing paths, fingerprints, and optional option flags which in turn
get pushed into the MAC/veriexec meta-data store via the veriexec device.

The format of the fingerprints file is as follows:
path type fingerprint options

The type of fingerprint supported depends on what MAC/veriexec fingerprint
modules have been loaded into the system. The veriexecctl application is
able to determine which ones are available by consulting the
security.mac.veriexec.algorithms sysctl.

The following options are currently supported in MAC/veriexec and by the
veriexecctl application:

indirect

If this option is set then the executable cannot be invoked directly, it
can only be used as an interpreter in shell scripts.

file

Indicates that the fingerprint is associated with a file, not an
executable. Files have their fingerprints verified during open(2) and are
automatically made read only. This option may be used to verify shared
libraries have not been tampered with.

no_ptrace

If this option is set then the executable cannot be traced with the
ptrace(2) process tracing and debugging call.

trusted

If this option is set then the executable is allowed to write to the
mem(4) devices. By default, when verified execution is enforced, no
process is allowed to write to the mem(4) devices.

The options are not case sensitive.

Reviewed by: jtl, wblock
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8575

Details

Committed
stevekJun 20 2018, 1:08 AM
Reviewer
jtl
Differential Revision
D8575: Verified execution (veriexec) fingerprint loader
Parents
rS335401: This library allows for user space applications to check file descriptors
Branches
Unknown
Tags
Unknown