xref: /freebsd/sbin/veriexec/veriexec.8 (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
.\"-
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright (c) 2018-2023, Juniper Networks, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 8, 2023
.Dt VERIEXEC 8
.Os
.Sh NAME
.Nm veriexec
.Nd manipulate state of mac_veriexec
.Sh SYNOPSIS
.Nm
.Op Fl v
.Op Fl C Ar directory
.Op Fl S
.Pa manifest
.Nm
.Fl z Ar state
.Nm
.Fl i Ar state
.Nm
.Fl l
.Ar file ...
.Nm
.Fl x
.Ar file ...
.Sh DESCRIPTION
.Nm
is a utility to query or manipulate the state of
.Xr mac_veriexec 4 .
.Pp
The first form is for loading a
.Pa manifest .
.Nm
first verifies a digital signature of the
.Ar manifest
and, if successful, parses it and feeds its content to the kernel.
The
.Fl S
flag indicates that certificate validity should be checked.
Without this, a valid signature with an expired certificate
will still be accepted.
.Pp
The second form with
.Fl z
is used to modify the
.Ar state ,
and with
.Fl i
to query the current
.Ar state .
.Pp
With
.Fl l
.Nm
will report any labels associated with the remaining arguments,
which are assumed to be files.
If only a single file argument is given, the bare label (if any)
will be reported, otherwise the pathname followed by the label.
.Pp
The final form with
.Fl x
is used to test whether
.Ar file
is verified or not.
This requires
.Xr mac_veriexec 4
to be in the
.Ql active
or
.Ql enforce
state.
.Pp
The possible states
are:
.Bl -tag -width enforce
.It Ar loaded
set automatically when the first
.Pa manifest
has been loaded.
.It Ar active
.Xr mac_veriexec 4
will begin checking files.
This state can only be entered from the
.Ar loaded
state.
.It Ar enforce
.Xr mac_veriexec 4
will fail attempts to
.Xr exec 2
or
.Xr open 2
files with
.Dv O_VERIFY
unless verified.
.It Ar locked
prevent loading of any more manifests.
.El
.Pp
When setting or querying the state, it is sufficient to provide
a unique prefix of the desired state.
So
.Fl i
.Ar a
or
.Fl z
.Ar e
are sufficient, but
.Fl i
.Ar loc
is the minimum required to avoid confusion with
.Ar loaded .
.Sh MANIFESTS
The manifest contains a mapping of relative pathnames to fingerprints
with optional flags.
For example:
.Bd -literal -offset indent
sbin/veriexec sha256=f22136...c0ff71 no_ptrace
usr/bin/python sha256=5944d9...876525 indirect
sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2
.Ed
The supported flags are:
.Bl -tag -width indirect
.It Ql indirect
the executable cannot be run directly,
but can be used as an interpreter, for example via:
.Bd -literal -offset indent
#!/usr/bin/python
.Ed
.It Ql no_ptrace
do not allow running the executable under a debugger.
Useful for any application critical to the security state of the system.
.El
.Pp
The
.Ql label
argument allows associating a
.Xr maclabel 7
with the executable.
Neither
.Nm
nor
.Xr mac_veriexec 4
(if it supports labels)
pay any attention to the content of the label;
labels are provided for the use of other
.Xr mac 4
modules.
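.Pp
The following Python script is an added example, not part of the original manual page or of the veriexec sources: it parses entries in the layout shown above and compares each fingerprint with the file found under a chosen root directory, as an offline audit of a file tree against a manifest.
The names parse_manifest, audit, ALGOS and the root argument are hypothetical, the path and digest restrictions are assumptions of the example, and it does not verify the manifest's digital signature.

```python
import hashlib
import os
import re
import tempfile

# Entry layout shown under MANIFESTS: <relative path> <algo>=<hex> [flags...]
ENTRY_RE = re.compile(r"^(\S+)\s+(\w+)=([0-9a-fA-F]+)((?:\s+\S+)*)\s*$")
ALGOS = {"sha256", "sha384", "sha512"}  # assumption: the page shows only sha256

def parse_manifest(text):
    """Parse manifest text into entry dicts; raise ValueError on a bad line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry")
        path, algo, digest, rest = m.groups()
        # Assumptions of this example: clean relative paths, digests in ALGOS.
        if path.startswith("/") or ".." in path.split("/") or algo not in ALGOS:
            raise ValueError(f"line {lineno}: rejected path or digest type")
        tokens = rest.split()
        labels = [t[len("label="):] for t in tokens if t.startswith("label=")]
        entries.append({"path": path, "algo": algo, "digest": digest.lower(),
                        "flags": {t for t in tokens if not t.startswith("label=")},
                        "label": labels[-1] if labels else None})
    return entries

def audit(entries, root):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for files under root."""
    result = {}
    for e in entries:
        full = os.path.join(root, e["path"])
        if not os.path.isfile(full):
            result[e["path"]] = "missing"
            continue
        with open(full, "rb") as f:
            actual = hashlib.new(e["algo"], f.read()).hexdigest()
        result[e["path"]] = "ok" if actual == e["digest"] else "mismatch"
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.mkdir(os.path.join(root, "sbin"))
        with open(os.path.join(root, "sbin", "tool"), "wb") as f:
            f.write(b"demo")
        good = hashlib.sha256(b"demo").hexdigest()
        text = f"sbin/tool sha256={good} no_ptrace\nsbin/gone sha256={good} indirect\n"
        print(audit(parse_manifest(text), root))
```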
.Sh HISTORY
The Verified Exec system first appeared in
.Nx .
This utility derives from the one found in Junos.
The key difference is the requirement that manifest files
be digitally signed.