.\"- .\" SPDX-License-Identifier: BSD-2-Clause .\" .\" Copyright (c) 2018-2024, Juniper Networks, Inc. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS .\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT .\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR .\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT .\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT .\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE .\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd August 1, 2024 .Dt VERIEXEC 8 .Os .Sh NAME .Nm veriexec .Nd manipulate state of mac_veriexec .Sh SYNOPSIS .Nm .Op Fl v .Op Fl C Ar directory .Op Fl S .Pa manifest .Nm .Fl z Ar state .Nm .Fl i Ar state .Nm .Fl l .Ar file ... .Nm .Fl x .Ar file ... .Sh DESCRIPTION .Nm is a utility to query or manipulate the state of .Xr mac_veriexec 4 . .Pp The first form is for loading a .Pa manifest . .Nm first verifies a digital signature of the .Ar manifest and if successful, parses it and feeds its content to kernel. The .Fl S flag indicates that certificate validity should be checked. Without this, a valid signature with an expired certificate will still be accepted. .Pp The second form with .Fl z is used to modify the .Ar state , and with .Fl i to query the current .Ar state . .Pp With .Fl l .Nm will report any labels associated with the remaining arguments assumed to be files. If only a single file argument is given, the bare label (if any) will be reported, otherwise the pathname followed by label. .Pp The final form with .Fl x is used to test whether .Ar file is verified or not. This requires .Xr mac_veriexec 4 to be in the .Ql active or .Ql enforce state. .Pp The possible states are: .Bl -tag -width enforce .It Ar loaded set automatically when the first .Pa manifest has been loaded. .It Ar active .Xr mac_veriexec 4 will begin checking files. This state can only be entered from the .Ar loaded state. .It Ar enforce .Xr mac_veriexec 4 will fail attempts to .Xr exec 2 or .Xr open 2 files with .Dv O_VERIFY unless verified. .It Ar locked prevent loading of any more manifests. .El .Pp When setting or querying the state, it is sufficient to provide a unique prefix of the desired state. So .Fl i .Ar a or .Fl z .Ar e are sufficient, but .Fl i .Ar loc is the minimum required to avoid confusion with .Ar loaded . .Sh MANIFESTS The manifest contains a mapping of relative pathnames to fingerprints with optional flags. For example: .Bd -literal -offset indent sbin/veriexec sha256=f22136...c0ff71 no_ptrace trusted usr/bin/python sha256=5944d9...876525 indirect sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2 .Ed .Pp The supported flags are: .Bl -tag -width indirect .It Ql indirect the executable cannot be run directly, but can be used as an interpreter for example via: .Bd -literal -offset indent #!/usr/bin/python .Ed .It Ql no_fips If the system has a notion of running in FIPS mode, a file marked with this flag will not be allowed to exec. .It Ql no_ptrace do not allow running executable under a debugger. Useful for any application critical to the security state of system. .It Ql trusted this flag is required for a process to use .Xr veriexec 4 to interact with .Xr mac_veriexec 4 . Generally only .Nm should need this flag. Implies .Ql no_ptrace . .El .Pp The .Ql label argument allows associating a .Xr maclabel 7 with a file. Neither .Nm nor .Xr mac_veriexec 4 (if it supports labels) pay any attention to the content of the label they are provided for the use of other .Xr mac 4 modules or indeed other applications. .Sh EXAMPLES Load the manifest for a .Xr tarfs 5 package mounted on .Pa /mnt and be strict about enforcing certificate validity: .Bd -literal -offset indent # veriexec -S -C /mnt /mnt/manifest .Ed .Nm will look for a detatched signature that it recognizes, such as .Pa manifest.asc (OpenPGP) or .Pa manifest.*sig (X.509). In the case of an X.509 signature we also need a matching certificate chain .Pa manifest.*certs . In either case there needs to be a suitable trust anchor in the trust store. .Pp We can now activate: .Bd -literal -offset indent # veriexec -z active .Ed Any user can check if .Xr mac_veriexec 4 is .Ql active : .Bd -literal -offset indent $ veriexec -i active .Ed Any user can check that .Pa /mnt/bin/app is verified: .Bd -literal -offset indent $ veriexec -x /mnt/bin/app .Ed If it is not, we will get an Authentiaction error, but unless .Xr mac_veriexec 4 is enforcing we would still be able to run it. .Sh NOTES It is only safe to set .Xr mac_veriexec 4 to .Ql enforce state, if sufficient manifests have been loaded to cover all the applications that might need to be run. .Sh HISTORY The Verified Exec system first appeared in .Nx . This utility derives from the one found in Junos, which requires that manifest files be digitally signed.