ab4f0a1518
During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter). Otherwise ignore certificate validity period. It is generally unacceptible for the Internet to stop working just because someone did not upgrade their infrastructure for a decade. Sponsored by: Juniper Networks, Inc. Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758
166 lines
4.0 KiB
Groff
166 lines
4.0 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2018, Juniper Networks, Inc.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd July 8, 2022
|
|
.Dt VERIEXEC 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexec
|
|
.Nd manipulate state of mac_veriexec
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl v
|
|
.Op Fl C Ar directory
|
|
.Op Fl S
|
|
.Pa manifest
|
|
.Nm
|
|
.Fl z Ar state
|
|
.Nm
|
|
.Fl i Ar state
|
|
.Nm
|
|
.Fl x
|
|
.Ar file ...
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is a utility to query or manipulate the state of
|
|
.Xr mac_veriexec 4 .
|
|
.Pp
|
|
The first form is for loading a
|
|
.Pa manifest .
|
|
.Nm
|
|
first verifies a digital signature of the
|
|
.Ar manifest
|
|
and if successful, parses it and feeds its content to kernel.
|
|
The
|
|
.Fl S
|
|
flag indicates that certificate validity should be checked.
|
|
Without this, a valid signature with an expired certificate
|
|
will still be accepted.
|
|
.Pp
|
|
The second form with
|
|
.Fl z
|
|
is used to modify the
|
|
.Ar state ,
|
|
and with
|
|
.Fl i
|
|
to query the current
|
|
.Ar state .
|
|
.Pp
|
|
The final form with
|
|
.Fl x
|
|
is used to test whether
|
|
.Ar file
|
|
is verified or not.
|
|
This requires
|
|
.Xr mac_veriexec 4
|
|
to be in the
|
|
.Ql active
|
|
or
|
|
.Ql enforce
|
|
state.
|
|
.Pp
|
|
The possible states
|
|
are:
|
|
.Bl -tag -width enforce
|
|
.It Ar loaded
|
|
set automatically when first
|
|
.Pa manifest
|
|
has been loaded.
|
|
.It Ar active
|
|
.Xr mac_veriexec 4
|
|
will begin checking files.
|
|
This state can only be entered from the
|
|
.Ar loaded
|
|
state.
|
|
.It Ar enforce
|
|
.Xr mac_veriexec 4
|
|
will fail attempts to
|
|
.Xr exec 2
|
|
or
|
|
.Xr open 2
|
|
files with
|
|
.Dv O_VERIFY
|
|
unless verified.
|
|
.It Ar locked
|
|
prevent loading of any more manifests.
|
|
.El
|
|
.Pp
|
|
When setting or querying the state, it is sufficient to provide
|
|
a unique prefix of the desired state.
|
|
So
|
|
.Fl i
|
|
.Ar a
|
|
or
|
|
.Fl z
|
|
.Ar e
|
|
are sufficient, but
|
|
.Fl i
|
|
.Ar loc
|
|
is the minimum required to avoid confusion with
|
|
.Ar loaded .
|
|
.Sh MANIFESTS
|
|
The manifest contains a mapping of relative pathnames to fingerprints
|
|
with optional flags.
|
|
For example:
|
|
.Bd -literal -offset indent
|
|
sbin/veriexec sha256=f22136...c0ff71 no_ptrace
|
|
usr/bin/python sha256=5944d9...876525 indirect
|
|
sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2
|
|
.Ed
|
|
The supported flags are:
|
|
.Bl -tag -width indirect
|
|
.It Ql indirect
|
|
the executable cannot be run directly,
|
|
but can be used as an interpreter for example via:
|
|
.Bd -literal -offset indent
|
|
#!/usr/bin/python
|
|
.Ed
|
|
.It Ql no_ptrace
|
|
do not allow running executable under a debugger.
|
|
Useful for any application critical to the security state of system.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Ql label
|
|
argument allows associating a
|
|
.Xr maclabel 7
|
|
with the executable.
|
|
Neither
|
|
.Nm
|
|
nor
|
|
.Xr mac_veriexec 4
|
|
(if it supports labels)
|
|
pay any attention to the content of the label
|
|
they are provided for the use of other
|
|
.Xr mac 4
|
|
modules.
|
|
.Sh HISTORY
|
|
The Verified Exec system first appeared in
|
|
.Nx .
|
|
This utility derrives from the one found in Junos.
|
|
The key difference is the requirement that manifest files
|
|
be digitally signed.
|