| @@ -1,314 +1,314 @@ | | | @@ -1,314 +1,314 @@ |
1 | .\" $NetBSD: veriexec.9,v 1.20 2009/03/12 12:37:48 joerg Exp $ | | 1 | .\" $NetBSD: veriexec.9,v 1.21 2009/03/15 14:14:50 joerg Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright 2006 Elad Efrat <elad@NetBSD.org> | | 3 | .\" Copyright 2006 Elad Efrat <elad@NetBSD.org> |
4 | .\" Copyright 2006 Brett Lymn <blymn@NetBSD.org> | | 4 | .\" Copyright 2006 Brett Lymn <blymn@NetBSD.org> |
5 | .\" | | 5 | .\" |
6 | .\" This code is derived from software contributed to The NetBSD Foundation | | 6 | .\" This code is derived from software contributed to The NetBSD Foundation |
7 | .\" by Brett Lymn and Elad Efrat | | 7 | .\" by Brett Lymn and Elad Efrat |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Neither the name of The NetBSD Foundation nor the names of its | | 14 | .\" 2. Neither the name of The NetBSD Foundation nor the names of its |
15 | .\" contributors may be used to endorse or promote products derived | | 15 | .\" contributors may be used to endorse or promote products derived |
16 | .\" from this software without specific prior written permission. | | 16 | .\" from this software without specific prior written permission. |
17 | .\" | | 17 | .\" |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
28 | .\" POSSIBILITY OF SUCH DAMAGE. | | 28 | .\" POSSIBILITY OF SUCH DAMAGE. |
29 | .\" | | 29 | .\" |
30 | .Dd February 10, 2008 | | 30 | .Dd February 10, 2008 |
31 | .Dt VERIEXEC 9 | | 31 | .Dt VERIEXEC 9 |
32 | .Os | | 32 | .Os |
33 | .Sh NAME | | 33 | .Sh NAME |
34 | .Nm veriexec | | 34 | .Nm veriexec |
35 | .Nd in-kernel file integrity subsystem KPI | | 35 | .Nd in-kernel file integrity subsystem KPI |
36 | .Sh SYNOPSIS | | 36 | .Sh SYNOPSIS |
37 | .In sys/verified_exec.h | | 37 | .In sys/verified_exec.h |
38 | .Sh DESCRIPTION | | 38 | .Sh DESCRIPTION |
39 | .Nm | | 39 | .Nm |
40 | is the KPI for | | 40 | is the KPI for |
41 | .Em Veriexec , | | 41 | .Em Veriexec , |
42 | the | | 42 | the |
43 | .Nx | | 43 | .Nx |
44 | in-kernel file integrity subsystem. | | 44 | in-kernel file integrity subsystem. |
45 | It is responsible for managing the supported hashing algorithms, fingerprint | | 45 | It is responsible for managing the supported hashing algorithms, fingerprint |
46 | calculation and comparison, file monitoring tables, and relevant hooks to | | 46 | calculation and comparison, file monitoring tables, and relevant hooks to |
47 | enforce the | | 47 | enforce the |
48 | .Em Veriexec | | 48 | .Em Veriexec |
49 | policy. | | 49 | policy. |
50 | .Ss Core Routines | | 50 | .Ss Core Routines |
51 | .Bl -tag -width compact | | 51 | .Bl -tag -width compact |
52 | .It Ft void Fn veriexec_init "void" | | 52 | .It Ft void Fn veriexec_init "void" |
53 | Initialize the | | 53 | Initialize the |
54 | .Em Veriexec | | 54 | .Em Veriexec |
55 | subsystem. | | 55 | subsystem. |
56 | Called only once during system startup. | | 56 | Called only once during system startup. |
57 | .It Ft "bool" Fn veriexec_lookup "struct vnode *vp" | | 57 | .It Ft "bool" Fn veriexec_lookup "struct vnode *vp" |
58 | Check if | | 58 | Check if |
59 | .Ar vp | | 59 | .Ar vp |
60 | is monitored by | | 60 | is monitored by |
61 | .Em Veriexec | | 61 | .Em Veriexec |
62 | or not. | | 62 | or not. |
63 | Returns | | 63 | Returns |
64 | .Dv true | | 64 | .Dv true |
65 | if it is, or | | 65 | if it is, or |
66 | .Dv false | | 66 | .Dv false |
67 | otherwise. | | 67 | otherwise. |
68 | .It Ft int Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \ | | 68 | .It Ft int Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \ |
69 | "const u_char *name" "int flag" "bool *found" | | 69 | "const u_char *name" "int flag" "bool *found" |
70 | Verifies the digital fingerprint of | | 70 | Verifies the digital fingerprint of |
71 | .Ar vp . | | 71 | .Ar vp . |
72 | .Ar name | | 72 | .Ar name |
73 | is the filename, and | | 73 | is the filename, and |
74 | .Ar flag | | 74 | .Ar flag |
75 | is the access flag. | | 75 | is the access flag. |
76 | The access flag can be one of: | | 76 | The access flag can be one of: |
77 | .Bl -tag -width VERIEXEC_INDIRECT | | 77 | .Bl -tag -width VERIEXEC_INDIRECT |
78 | .It Dv VERIEXEC_DIRECT | | 78 | .It Dv VERIEXEC_DIRECT |
79 | The file was executed directly via | | 79 | The file was executed directly via |
80 | .Xr execve 2 . | | 80 | .Xr execve 2 . |
81 | .It Dv VERIEXEC_INDIRECT | | 81 | .It Dv VERIEXEC_INDIRECT |
82 | The file was executed indirectly, either as an interpreter for a script or | | 82 | The file was executed indirectly, either as an interpreter for a script or |
83 | mapped to an executable memory region. | | 83 | mapped to an executable memory region. |
84 | .It Dv VERIEXEC_FILE | | 84 | .It Dv VERIEXEC_FILE |
85 | The file was opened for reading/writing. | | 85 | The file was opened for reading/writing. |
86 | .El | | 86 | .El |
87 | .Pp | | 87 | .Pp |
88 | .Ar l | | 88 | .Ar l |
89 | is the LWP for the request context. | | 89 | is the LWP for the request context. |
90 | .Pp | | 90 | .Pp |
91 | An optional argument, | | 91 | An optional argument, |
92 | .Ar found , | | 92 | .Ar found , |
93 | is a pointer to a boolean indicating whether an entry for the file was found | | 93 | is a pointer to a boolean indicating whether an entry for the file was found |
94 | in the | | 94 | in the |
95 | .Em Veriexec | | 95 | .Em Veriexec |
96 | tables. | | 96 | tables. |
97 | .It Ft void Fn veriexec_purge "struct vnode *vp" | | 97 | .It Ft void Fn veriexec_purge "struct vnode *vp" |
98 | Purge the file entry for | | 98 | Purge the file entry for |
99 | .Ar vp . | | 99 | .Ar vp . |
100 | This invalidates the fingerprint so it will be evaluated next time the file | | 100 | This invalidates the fingerprint so it will be evaluated next time the file |
101 | is accessed. | | 101 | is accessed. |
102 | .\" veriexec_page_verify() intentionally not documented. | | 102 | .\" veriexec_page_verify() intentionally not documented. |
103 | .El | | 103 | .El |
104 | .Ss Fingerprint Related Routines | | 104 | .Ss Fingerprint Related Routines |
105 | .Bl -tag -width compact | | 105 | .Bl -tag -width compact |
106 | .It Ft int Fn veriexec_fpops_add "const char *fp_type" "size_t hash_len" \ | | 106 | .It Ft int Fn veriexec_fpops_add "const char *fp_type" "size_t hash_len" \ |
107 | "size_t ctx_size" "veriexec_fpop_init_t init" "veriexec_fpop_update_t update" \ | | 107 | "size_t ctx_size" "veriexec_fpop_init_t init" "veriexec_fpop_update_t update" \ |
108 | "veriexec_fpop_final_t final" | | 108 | "veriexec_fpop_final_t final" |
109 | Add support for fingerprinting algorithm | | 109 | Add support for fingerprinting algorithm |
110 | .Ar fp_type | | 110 | .Ar fp_type |
111 | with binary hash length | | 111 | with binary hash length |
112 | .Ar hash_len | | 112 | .Ar hash_len |
113 | and calculation context size | | 113 | and calculation context size |
114 | .Ar ctx_size | | 114 | .Ar ctx_size |
115 | to | | 115 | to |
116 | .Em Veriexec . | | 116 | .Em Veriexec . |
117 | .Ar init , | | 117 | .Ar init , |
118 | .Ar update , | | 118 | .Ar update , |
119 | and | | 119 | and |
120 | .Ar final | | 120 | .Ar final |
121 | are the routines used to initialize, update, and finalize a calculation | | 121 | are the routines used to initialize, update, and finalize a calculation |
122 | context. | | 122 | context. |
123 | .El | | 123 | .El |
124 | .Ss Table Management Routines | | 124 | .Ss Table Management Routines |
125 | .Bl -tag -width compact | | 125 | .Bl -tag -width compact |
126 | .It Ft int Fn veriexec_file_add "struct lwp *l" \ | | 126 | .It Ft int Fn veriexec_file_add "struct lwp *l" \ |
127 | "prop_dictionary_t dict" | | 127 | "prop_dictionary_t dict" |
128 | Add a | | 128 | Add a |
129 | .Em Veriexec | | 129 | .Em Veriexec |
130 | entry for the file described by | | 130 | entry for the file described by |
131 | .Ar dict . | | 131 | .Ar dict . |
132 | .Pp | | 132 | .Pp |
133 | .Ar dict | | 133 | .Ar dict |
134 | is expected to have the following: | | 134 | is expected to have the following: |
135 | .Bl -column entryxtype string | | 135 | .Bl -column entry-type string "entry type flags (see veriexec(4))" |
136 | .It Sy Name Type Purpose | | 136 | .It Sy Name Type Purpose |
137 | .It file string filename | | 137 | .It file string filename |
138 | .It entry-type uint8 entry type flags ( see Xr veriexec 4 ) | | 138 | .It entry-type uint8 entry type flags ( see Xr veriexec 4 ) |
139 | .It fp-type string fingerprint hashing algorithm | | 139 | .It fp-type string fingerprint hashing algorithm |
140 | .It fp data the fingerprint | | 140 | .It fp data the fingerprint |
141 | .El | | 141 | .El |
142 | .It Ft int Fn veriexec_file_delete "struct lwp *l" "struct vnode *vp" | | 142 | .It Ft int Fn veriexec_file_delete "struct lwp *l" "struct vnode *vp" |
143 | Remove | | 143 | Remove |
144 | .Em Veriexec | | 144 | .Em Veriexec |
145 | entry for | | 145 | entry for |
146 | .Ar vp . | | 146 | .Ar vp . |
147 | .It Ft int Fn veriexec_table_delete "struct lwp *l" "struct mount *mp" | | 147 | .It Ft int Fn veriexec_table_delete "struct lwp *l" "struct mount *mp" |
148 | Remove | | 148 | Remove |
149 | .Em Veriexec | | 149 | .Em Veriexec |
150 | table for mount-point | | 150 | table for mount-point |
151 | .Ar mp . | | 151 | .Ar mp . |
152 | .It Ft int Fn veriexec_flush "struct lwp *l" | | 152 | .It Ft int Fn veriexec_flush "struct lwp *l" |
153 | Delete all | | 153 | Delete all |
154 | .Em Veriexec | | 154 | .Em Veriexec |
155 | tables. | | 155 | tables. |
156 | .El | | 156 | .El |
157 | .Ss Hook Handlers | | 157 | .Ss Hook Handlers |
158 | .Bl -tag -width compact | | 158 | .Bl -tag -width compact |
159 | .It Ft int Fn veriexec_openchk "struct lwp *l" "struct vnode *vp" \ | | 159 | .It Ft int Fn veriexec_openchk "struct lwp *l" "struct vnode *vp" \ |
160 | "const char *path" "int fmode" | | 160 | "const char *path" "int fmode" |
161 | Called when a file is opened. | | 161 | Called when a file is opened. |
162 | .Pp | | 162 | .Pp |
163 | .Ar l | | 163 | .Ar l |
164 | is the LWP opening the file, | | 164 | is the LWP opening the file, |
165 | .Ar vp | | 165 | .Ar vp |
166 | is a vnode for the file being opened as returned from | | 166 | is a vnode for the file being opened as returned from |
167 | .Xr namei 9 . | | 167 | .Xr namei 9 . |
168 | If | | 168 | If |
169 | .Dv NULL , | | 169 | .Dv NULL , |
170 | the file is being created. | | 170 | the file is being created. |
171 | .Ar path | | 171 | .Ar path |
172 | is the pathname for the file (not necessarily a full path), and | | 172 | is the pathname for the file (not necessarily a full path), and |
173 | .Ar fmode | | 173 | .Ar fmode |
174 | are the mode bits with which the file was opened. | | 174 | are the mode bits with which the file was opened. |
175 | .It Ft int Fn veriexec_renamechk "struct lwp *l" "struct vnode *fromvp" \ | | 175 | .It Ft int Fn veriexec_renamechk "struct lwp *l" "struct vnode *fromvp" \ |
176 | "const char *fromname" "struct vnode *tovp" "const char *toname" | | 176 | "const char *fromname" "struct vnode *tovp" "const char *toname" |
177 | Called when a file is renamed. | | 177 | Called when a file is renamed. |
178 | .Pp | | 178 | .Pp |
179 | .Ar fromvp | | 179 | .Ar fromvp |
180 | and | | 180 | and |
181 | .Ar fromname | | 181 | .Ar fromname |
182 | are the vnode and filename of the file being renamed. | | 182 | are the vnode and filename of the file being renamed. |
183 | .Ar tovp | | 183 | .Ar tovp |
184 | and | | 184 | and |
185 | .Ar toname | | 185 | .Ar toname |
186 | are the vnode and filename of the target file. | | 186 | are the vnode and filename of the target file. |
187 | .Ar l | | 187 | .Ar l |
188 | is the LWP renaming the file. | | 188 | is the LWP renaming the file. |
189 | .Pp | | 189 | .Pp |
190 | Depending on the strict level, | | 190 | Depending on the strict level, |
191 | .Nm | | 191 | .Nm |
192 | will either track changes appropriately or prevent the rename. | | 192 | will either track changes appropriately or prevent the rename. |
193 | .It Ft int Fn veriexec_removechk "struct lwp *l" "struct vnode *vp" \ | | 193 | .It Ft int Fn veriexec_removechk "struct lwp *l" "struct vnode *vp" \ |
194 | "const char *name" | | 194 | "const char *name" |
195 | Called when a file is removed. | | 195 | Called when a file is removed. |
196 | .Pp | | 196 | .Pp |
197 | .Ar vp | | 197 | .Ar vp |
198 | is the vnode of the file being removed, and | | 198 | is the vnode of the file being removed, and |
199 | .Ar name | | 199 | .Ar name |
200 | is the filename. | | 200 | is the filename. |
201 | .Ar l | | 201 | .Ar l |
202 | is the LWP removing the file, | | 202 | is the LWP removing the file, |
203 | .Pp | | 203 | .Pp |
204 | Depending on the strict level, | | 204 | Depending on the strict level, |
205 | .Nm | | 205 | .Nm |
206 | will either clean-up after the file or prevent its removal. | | 206 | will either clean-up after the file or prevent its removal. |
207 | .It Ft int Fn veriexec_unmountchk "struct mount *mp" | | 207 | .It Ft int Fn veriexec_unmountchk "struct mount *mp" |
208 | Checks if the current strict level allows | | 208 | Checks if the current strict level allows |
209 | .Ar mp | | 209 | .Ar mp |
210 | to be unmounted. | | 210 | to be unmounted. |
211 | .El | | 211 | .El |
212 | .Ss Misc. Routines | | 212 | .Ss Misc. Routines |
213 | .Bl -tag -width compact | | 213 | .Bl -tag -width compact |
214 | .It Ft int Fn veriexec_convert "struct vnode *vp" "prop_dictionary_t rdict" | | 214 | .It Ft int Fn veriexec_convert "struct vnode *vp" "prop_dictionary_t rdict" |
215 | Convert | | 215 | Convert |
216 | .Em Veriexec | | 216 | .Em Veriexec |
217 | entry for | | 217 | entry for |
218 | .Ar vp | | 218 | .Ar vp |
219 | to human-readable | | 219 | to human-readable |
220 | .Xr proplib 3 | | 220 | .Xr proplib 3 |
221 | dictionary, | | 221 | dictionary, |
222 | .Ar rdict , | | 222 | .Ar rdict , |
223 | with the following elements: | | 223 | with the following elements: |
224 | .Bl -column entryxtype string | | 224 | .Bl -column entryxtype string |
225 | .It Sy Name Type Purpose | | 225 | .It Sy Name Type Purpose |
226 | .It entry-type uint8 entry type flags ( see Xr veriexec 4 ) | | 226 | .It entry-type uint8 entry type flags ( see Xr veriexec 4 ) |
227 | .It status uint8 entry status ( see below ) | | 227 | .It status uint8 entry status ( see below ) |
228 | .It fp-type string fingerprint hashing algorithm | | 228 | .It fp-type string fingerprint hashing algorithm |
229 | .It fp data the fingerprint | | 229 | .It fp data the fingerprint |
230 | .El | | 230 | .El |
231 | .Pp | | 231 | .Pp |
232 | The | | 232 | The |
233 | .Dq status | | 233 | .Dq status |
234 | can be one of the following: | | 234 | can be one of the following: |
235 | .Bl -column fingerprintxmismatch effect | | 235 | .Bl -column fingerprintxmismatch effect |
236 | .It Sy Status Meaning | | 236 | .It Sy Status Meaning |
237 | .It FINGERPRINT_NOTEVAL not evaluated | | 237 | .It FINGERPRINT_NOTEVAL not evaluated |
238 | .It FINGERPRINT_VALID fingerprint match | | 238 | .It FINGERPRINT_VALID fingerprint match |
239 | .It FINGERPRINT_MISMATCH fingerprint mismatch | | 239 | .It FINGERPRINT_MISMATCH fingerprint mismatch |
240 | .El | | 240 | .El |
241 | .Pp | | 241 | .Pp |
242 | If no entry was found, | | 242 | If no entry was found, |
243 | .Er ENOENT | | 243 | .Er ENOENT |
244 | is returned. | | 244 | is returned. |
245 | Otherwise, zero. | | 245 | Otherwise, zero. |
246 | .It Ft int Fn veriexec_dump "struct lwp *l" "prop_array_t rarray" | | 246 | .It Ft int Fn veriexec_dump "struct lwp *l" "prop_array_t rarray" |
247 | Fill | | 247 | Fill |
248 | .Ar rarray | | 248 | .Ar rarray |
249 | with entries for all files monitored by | | 249 | with entries for all files monitored by |
250 | .Em Veriexec | | 250 | .Em Veriexec |
251 | that have a filename associated with them. | | 251 | that have a filename associated with them. |
252 | .Pp | | 252 | .Pp |
253 | Each element in | | 253 | Each element in |
254 | .Ar rarray | | 254 | .Ar rarray |
255 | is a dictionary with the same elements as filled by | | 255 | is a dictionary with the same elements as filled by |
256 | .Fn veriexec_convert , | | 256 | .Fn veriexec_convert , |
257 | with an additional field, | | 257 | with an additional field, |
258 | .Dq file , | | 258 | .Dq file , |
259 | containing the filename. | | 259 | containing the filename. |
260 | .El | | 260 | .El |
261 | .Sh FILES | | 261 | .Sh FILES |
262 | .Bl -column srcxsysxkernxkernxverifiedexecxc foo | | 262 | .Bl -column srcxsysxkernxkernxverifiedexecxc foo |
263 | .It Sy Path Purpose | | 263 | .It Sy Path Purpose |
264 | .It src/sys/dev/verified_exec.c driver for userland communication | | 264 | .It src/sys/dev/verified_exec.c driver for userland communication |
265 | .It src/sys/sys/verified_exec.h shared (userland/kernel) header file | | 265 | .It src/sys/sys/verified_exec.h shared (userland/kernel) header file |
266 | .It src/sys/kern/kern_verifiedexec.c subsystem code | | 266 | .It src/sys/kern/kern_verifiedexec.c subsystem code |
267 | .It src/sys/kern/vfs_syscalls.c rename, remove, and unmount policies | | 267 | .It src/sys/kern/vfs_syscalls.c rename, remove, and unmount policies |
268 | .It src/sys/kern/vfs_vnops.c regular file access policy | | 268 | .It src/sys/kern/vfs_vnops.c regular file access policy |
269 | .El | | 269 | .El |
270 | .Sh SEE ALSO | | 270 | .Sh SEE ALSO |
271 | .Xr proplib 3 , | | 271 | .Xr proplib 3 , |
272 | .Xr sysctl 3 , | | 272 | .Xr sysctl 3 , |
273 | .Xr veriexec 4 , | | 273 | .Xr veriexec 4 , |
274 | .Xr security 8 , | | 274 | .Xr security 8 , |
275 | .Xr sysctl 8 , | | 275 | .Xr sysctl 8 , |
276 | .Xr veriexecctl 8 , | | 276 | .Xr veriexecctl 8 , |
277 | .Xr veriexecgen 8 , | | 277 | .Xr veriexecgen 8 , |
278 | .Xr fileassoc 9 | | 278 | .Xr fileassoc 9 |
279 | .Sh AUTHORS | | 279 | .Sh AUTHORS |
280 | .An Brett Lymn Aq blymn@NetBSD.org | | 280 | .An Brett Lymn Aq blymn@NetBSD.org |
281 | .An Elad Efrat Aq elad@NetBSD.org | | 281 | .An Elad Efrat Aq elad@NetBSD.org |
282 | .Sh CAVEATS | | 282 | .Sh CAVEATS |
283 | There are two known issues with | | 283 | There are two known issues with |
284 | .Em Veriexec | | 284 | .Em Veriexec |
285 | that should be considered when using it. | | 285 | that should be considered when using it. |
286 | .Ss Remote File-systems | | 286 | .Ss Remote File-systems |
287 | There is an issue providing protection for files residing on mounts from | | 287 | There is an issue providing protection for files residing on mounts from |
288 | remote hosts. | | 288 | remote hosts. |
289 | Because access to the file-system does not necessarily go through | | 289 | Because access to the file-system does not necessarily go through |
290 | .Nm , | | 290 | .Nm , |
291 | there is no way to track on-disk changes. | | 291 | there is no way to track on-disk changes. |
292 | While it is possible to minimize the effect by evaluating the file's | | 292 | While it is possible to minimize the effect by evaluating the file's |
293 | fingerprint on each access without caching the result, a problem arises when | | 293 | fingerprint on each access without caching the result, a problem arises when |
294 | a file is overwritten after its fingerprint has been evaluated and it is | | 294 | a file is overwritten after its fingerprint has been evaluated and it is |
295 | running on the local host. | | 295 | running on the local host. |
296 | .Pp | | 296 | .Pp |
297 | An attacker could potentially overwrite the file contents in the remote host | | 297 | An attacker could potentially overwrite the file contents in the remote host |
298 | at that point, and force a flush on the local host, resulting in paging in | | 298 | at that point, and force a flush on the local host, resulting in paging in |
299 | of the files from the disk, introducing malicious code into a supposedly | | 299 | of the files from the disk, introducing malicious code into a supposedly |
300 | safe address space. | | 300 | safe address space. |
301 | .Pp | | 301 | .Pp |
302 | There is a fix for this issue, however due to dependencies on other work | | 302 | There is a fix for this issue, however due to dependencies on other work |
303 | that is still in progress it has not been committed yet. | | 303 | that is still in progress it has not been committed yet. |
304 | .Ss Layered File-systems | | 304 | .Ss Layered File-systems |
305 | Due to VFS limitations, | | 305 | Due to VFS limitations, |
306 | .Nm | | 306 | .Nm |
307 | cannot track the same on-disk file across multiple layers of overlay | | 307 | cannot track the same on-disk file across multiple layers of overlay |
308 | file-systems. | | 308 | file-systems. |
309 | Therefore, you cannot expect changes to files on overlay mounts will be | | 309 | Therefore, you cannot expect changes to files on overlay mounts will be |
310 | detected simply because the underlying mount is monitored by | | 310 | detected simply because the underlying mount is monitored by |
311 | .Nm . | | 311 | .Nm . |
312 | .Pp | | 312 | .Pp |
313 | A workaround for this issue is listing all files, under all mounts, you want | | 313 | A workaround for this issue is listing all files, under all mounts, you want |
314 | monitored in the signature file. | | 314 | monitored in the signature file. |