xref: /freebsd/sbin/veriexec/veriexec.8 (revision 058ac3e8063366dafa634d9107642e12b038bf09)
1.\"-
2.\" Copyright (c) 2018, Juniper Networks, Inc.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd July 8, 2022
28.Dt VERIEXEC 8
29.Os
30.Sh NAME
31.Nm veriexec
32.Nd manipulate state of mac_veriexec
33.Sh SYNOPSIS
34.Nm
35.Op Fl v
36.Op Fl C Ar directory
37.Op Fl S
38.Pa manifest
39.Nm
40.Fl z Ar state
41.Nm
42.Fl i Ar state
43.Nm
44.Fl x
45.Ar file ...
46.Sh DESCRIPTION
47.Nm
48is a utility to query or manipulate the state of
49.Xr mac_veriexec 4 .
50.Pp
51The first form is for loading a
52.Pa manifest .
53.Nm
54first verifies a digital signature of the
55.Ar manifest
56and if successful, parses it and feeds its content to kernel.
57The
58.Fl S
59flag indicates that certificate validity should be checked.
60Without this, a valid signature with an expired certificate
61will still be accepted.
62.Pp
63The second form with
64.Fl z
65is used to modify the
66.Ar state ,
67and with
68.Fl i
69to query the current
70.Ar state .
71.Pp
72The final form with
73.Fl x
74is used to test whether
75.Ar file
76is verified or not.
77This requires
78.Xr mac_veriexec 4
79to be in the
80.Ql active
81or
82.Ql enforce
83state.
84.Pp
85The possible states
86are:
87.Bl -tag -width enforce
88.It Ar loaded
89set automatically when first
90.Pa manifest
91has been loaded.
92.It Ar active
93.Xr mac_veriexec 4
94will begin checking files.
95This state can only be entered from the
96.Ar loaded
97state.
98.It Ar enforce
99.Xr mac_veriexec 4
100will fail attempts to
101.Xr exec 2
102or
103.Xr open 2
104files with
105.Dv O_VERIFY
106unless verified.
107.It Ar locked
108prevent loading of any more manifests.
109.El
110.Pp
111When setting or querying the state, it is sufficient to provide
112a unique prefix of the desired state.
113So
114.Fl i
115.Ar a
116or
117.Fl z
118.Ar e
119are sufficient, but
120.Fl i
121.Ar loc
122is the minimum required to avoid confusion with
123.Ar loaded .
124.Sh MANIFESTS
125The manifest contains a mapping of relative pathnames to fingerprints
126with optional flags.
127For example:
128.Bd -literal -offset indent
129sbin/veriexec sha256=f22136...c0ff71 no_ptrace
130usr/bin/python sha256=5944d9...876525 indirect
131sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2
132.Ed
133The supported flags are:
134.Bl -tag -width indirect
135.It Ql indirect
136the executable cannot be run directly,
137but can be used as an interpreter for example via:
138.Bd -literal -offset indent
139#!/usr/bin/python
140.Ed
141.It Ql no_ptrace
142do not allow running executable under a debugger.
143Useful for any application critical to the security state of system.
144.El
145.Pp
146The
147.Ql label
148argument allows associating a
149.Xr maclabel 7
150with the executable.
151Neither
152.Nm
153nor
154.Xr mac_veriexec 4
155(if it supports labels)
156pay any attention to the content of the label
157they are provided for the use of other
158.Xr mac 4
159modules.
160.Sh HISTORY
161The Verified Exec system first appeared in
162.Nx .
163This utility derrives from the one found in Junos.
164The key difference is the requirement that manifest files
165be digitally signed.
166