mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-02 08:42:48 +00:00
b77f618568
Add missing flags to veriexec(8) as well as some examples to help explain usage. Also add veriexec.4 Sponsored by: Juniper Networks, Inc. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D46207
243 lines
5.6 KiB
Groff
243 lines
5.6 KiB
Groff
.\"-
|
|
.\" SPDX-License-Identifier: BSD-2-Clause
|
|
.\"
|
|
.\" Copyright (c) 2018-2024, Juniper Networks, Inc.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd August 1, 2024
|
|
.Dt VERIEXEC 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexec
|
|
.Nd manipulate state of mac_veriexec
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl v
|
|
.Op Fl C Ar directory
|
|
.Op Fl S
|
|
.Pa manifest
|
|
.Nm
|
|
.Fl z Ar state
|
|
.Nm
|
|
.Fl i Ar state
|
|
.Nm
|
|
.Fl l
|
|
.Ar file ...
|
|
.Nm
|
|
.Fl x
|
|
.Ar file ...
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is a utility to query or manipulate the state of
|
|
.Xr mac_veriexec 4 .
|
|
.Pp
|
|
The first form is for loading a
|
|
.Pa manifest .
|
|
.Nm
|
|
first verifies a digital signature of the
|
|
.Ar manifest
|
|
and if successful, parses it and feeds its content to kernel.
|
|
The
|
|
.Fl S
|
|
flag indicates that certificate validity should be checked.
|
|
Without this, a valid signature with an expired certificate
|
|
will still be accepted.
|
|
.Pp
|
|
The second form with
|
|
.Fl z
|
|
is used to modify the
|
|
.Ar state ,
|
|
and with
|
|
.Fl i
|
|
to query the current
|
|
.Ar state .
|
|
.Pp
|
|
With
|
|
.Fl l
|
|
.Nm
|
|
will report any labels associated with the remaining arguments
|
|
assumed to be files.
|
|
If only a single file argument is given, the bare label (if any)
|
|
will be reported, otherwise the pathname followed by label.
|
|
.Pp
|
|
The final form with
|
|
.Fl x
|
|
is used to test whether
|
|
.Ar file
|
|
is verified or not.
|
|
This requires
|
|
.Xr mac_veriexec 4
|
|
to be in the
|
|
.Ql active
|
|
or
|
|
.Ql enforce
|
|
state.
|
|
.Pp
|
|
The possible states
|
|
are:
|
|
.Bl -tag -width enforce
|
|
.It Ar loaded
|
|
set automatically when the first
|
|
.Pa manifest
|
|
has been loaded.
|
|
.It Ar active
|
|
.Xr mac_veriexec 4
|
|
will begin checking files.
|
|
This state can only be entered from the
|
|
.Ar loaded
|
|
state.
|
|
.It Ar enforce
|
|
.Xr mac_veriexec 4
|
|
will fail attempts to
|
|
.Xr exec 2
|
|
or
|
|
.Xr open 2
|
|
files with
|
|
.Dv O_VERIFY
|
|
unless verified.
|
|
.It Ar locked
|
|
prevent loading of any more manifests.
|
|
.El
|
|
.Pp
|
|
When setting or querying the state, it is sufficient to provide
|
|
a unique prefix of the desired state.
|
|
So
|
|
.Fl i
|
|
.Ar a
|
|
or
|
|
.Fl z
|
|
.Ar e
|
|
are sufficient, but
|
|
.Fl i
|
|
.Ar loc
|
|
is the minimum required to avoid confusion with
|
|
.Ar loaded .
|
|
.Sh MANIFESTS
|
|
The manifest contains a mapping of relative pathnames to fingerprints
|
|
with optional flags.
|
|
For example:
|
|
.Bd -literal -offset indent
|
|
sbin/veriexec sha256=f22136...c0ff71 no_ptrace trusted
|
|
usr/bin/python sha256=5944d9...876525 indirect
|
|
sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2
|
|
.Ed
|
|
.Pp
|
|
The supported flags are:
|
|
.Bl -tag -width indirect
|
|
.It Ql indirect
|
|
the executable cannot be run directly,
|
|
but can be used as an interpreter for example via:
|
|
.Bd -literal -offset indent
|
|
#!/usr/bin/python
|
|
.Ed
|
|
.It Ql no_fips
|
|
If the system has a notion of running in FIPS mode,
|
|
a file marked with this flag will not be allowed to
|
|
exec.
|
|
.It Ql no_ptrace
|
|
do not allow running executable under a debugger.
|
|
Useful for any application critical to the security state of system.
|
|
.It Ql trusted
|
|
this flag is required for a process to use
|
|
.Xr veriexec 4
|
|
to interact with
|
|
.Xr mac_veriexec 4 .
|
|
Generally only
|
|
.Nm
|
|
should need this flag.
|
|
Implies
|
|
.Ql no_ptrace .
|
|
|
|
.El
|
|
.Pp
|
|
The
|
|
.Ql label
|
|
argument allows associating a
|
|
.Xr maclabel 7
|
|
with a file.
|
|
Neither
|
|
.Nm
|
|
nor
|
|
.Xr mac_veriexec 4
|
|
(if it supports labels)
|
|
pay any attention to the content of the label
|
|
they are provided for the use of other
|
|
.Xr mac 4
|
|
modules or indeed other applications.
|
|
.Sh EXAMPLES
|
|
Load the manifest for a
|
|
.Xr tarfs 5
|
|
package mounted on
|
|
.Pa /mnt
|
|
and be strict about enforcing certificate validity:
|
|
.Bd -literal -offset indent
|
|
# veriexec -S -C /mnt /mnt/manifest
|
|
|
|
.Ed
|
|
.Nm
|
|
will look for a detatched signature that it recognizes, such as
|
|
.Pa manifest.asc
|
|
(OpenPGP) or
|
|
.Pa manifest.*sig
|
|
(X.509).
|
|
In the case of an X.509 signature we also need a matching certificate chain
|
|
.Pa manifest.*certs .
|
|
In either case there needs to be a suitable trust anchor in the trust store.
|
|
.Pp
|
|
We can now activate:
|
|
.Bd -literal -offset indent
|
|
# veriexec -z active
|
|
|
|
.Ed
|
|
Any user can check if
|
|
.Xr mac_veriexec 4
|
|
is
|
|
.Ql active :
|
|
.Bd -literal -offset indent
|
|
$ veriexec -i active
|
|
|
|
.Ed
|
|
Any user can check that
|
|
.Pa /mnt/bin/app
|
|
is verified:
|
|
.Bd -literal -offset indent
|
|
$ veriexec -x /mnt/bin/app
|
|
|
|
.Ed
|
|
If it is not, we will get an Authentiaction error,
|
|
but unless
|
|
.Xr mac_veriexec 4
|
|
is enforcing we would still be able to run it.
|
|
.Sh NOTES
|
|
It is only safe to set
|
|
.Xr mac_veriexec 4
|
|
to
|
|
.Ql enforce
|
|
state, if sufficient manifests have been loaded
|
|
to cover all the applications that might need to be run.
|
|
.Sh HISTORY
|
|
The Verified Exec system first appeared in
|
|
.Nx .
|
|
This utility derives from the one found in Junos,
|
|
which requires that manifest files be digitally signed.
|