Updated: 2022/Sep/29


VERIEXEC(4)                  Device Drivers Manual                 VERIEXEC(4)

NAME
     veriexec - Veriexec pseudo-device

SYNOPSIS
     pseudo-device veriexec

DESCRIPTION
     Veriexec verifies the integrity of specified executables and files before
     they are run or read.  This makes it much more difficult to insert a
     trojan horse into the system and also makes it more difficult to run
     binaries that are not supposed to be running, for example, packet
     sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and from
     the in-kernel Veriexec databases, as well as query information about
     them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and
     userland.

     VERIEXEC_LOAD
           Load an entry for a file to be monitored by Veriexec.

           The dictionary passed contains the following elements:

           Name             Type      Purpose
           file             string    filename for this entry
           entry-type       uint8     entry type (see below)
           fp-type          string    fingerprint hashing algorithm
           fp               data      the fingerprint
           keep-filename    bool      whether or not to retain the entry's
                                      filename

           "entry-type" can be one or more (binary-OR'd) of the following:

           Type                  Effect
           VERIEXEC_DIRECT       can execute directly
           VERIEXEC_INDIRECT     can execute indirectly (interpreter, mmap(2))
           VERIEXEC_FILE         can be opened
           VERIEXEC_UNTRUSTED    located on untrusted storage

     VERIEXEC_DELETE
           Removes either an entry for a single file or entries for an entire
           mount from Veriexec.

           The dictionary passed contains the following elements:

           Name    Type      Purpose
           file    string    filename or mount-point

     VERIEXEC_DUMP
           Dump the Veriexec monitored files database from the kernel.

           Only files for which the filename was kept will be dumped.  The
           returned array contains dictionaries with the following elements:

           Name          Type      Purpose
           file          string    filename
           fp-type       string    fingerprint hashing algorithm
           fp            data      the fingerprint
           entry-type    uint8     entry type (see above)

     VERIEXEC_FLUSH
           Flush the Veriexec database, removing all entries.

           This command has no parameters.

     VERIEXEC_QUERY
           Queries Veriexec about a file, returning information about it
           that may be useful.

           The dictionary passed contains the following elements:

           Name    Type      Purpose
           file    string    filename

           The dictionary returned contains the following elements:

           Name          Type      Purpose
           entry-type    uint8     entry type (see above)
           status        uint8     entry status
           fp-type       string    fingerprint hashing algorithm
           fp            data      the fingerprint

           "status" can be one of the following:

           Status                  Meaning
           FINGERPRINT_NOTEVAL     not evaluated
           FINGERPRINT_VALID       fingerprint match
           FINGERPRINT_MISMATCH    fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH
     are not permitted once the strict level has been raised past 0.
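
     The following userland model is an added example, not NetBSD code: it
     reuses the dictionary keys and status names above to show how an entry
     moves from not evaluated to match or mismatch when the file changes
     after load.  The EntryType numeric values, the hashlib mapping for
     "fp-type" and the helper names are assumptions made for the model.

```python
import hashlib
import os
import tempfile
from enum import IntFlag

class EntryType(IntFlag):
    # Names follow the entry-type table; the numeric values are placeholders
    # for this model, not the kernel's constants.
    DIRECT = 1
    INDIRECT = 2
    FILE = 4
    UNTRUSTED = 8

def fingerprint(path, fp_type):
    # Assumption: fp-type names an algorithm hashlib knows, e.g. "SHA256".
    h = hashlib.new(fp_type.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()

def load(db, path, entry_type, fp_type="SHA256"):
    """Model of VERIEXEC_LOAD: store an entry under the page's dictionary keys."""
    db[path] = {"file": path, "entry-type": int(entry_type), "fp-type": fp_type,
                "fp": fingerprint(path, fp_type), "status": "FINGERPRINT_NOTEVAL"}

def evaluate(db, path):
    """Re-hash the file and record whether it still matches the stored fp."""
    e = db[path]
    ok = fingerprint(path, e["fp-type"]) == e["fp"]
    e["status"] = "FINGERPRINT_VALID" if ok else "FINGERPRINT_MISMATCH"
    return e["status"]

def query(db, path):
    """Model of VERIEXEC_QUERY: return the reply elements listed on the page."""
    e = db[path]
    return {k: e[k] for k in ("entry-type", "status", "fp-type", "fp")}

def demo():
    db = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool")          # constructed sample file
        with open(path, "wb") as f:
            f.write(b"original contents\n")
        load(db, path, EntryType.DIRECT | EntryType.FILE)
        before = query(db, path)["status"]      # nothing evaluated yet
        first = evaluate(db, path)              # file unchanged since load
        with open(path, "ab") as f:             # file modified after load
            f.write(b"appended\n")
        return before, first, evaluate(db, path)
```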

SEE ALSO
     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8),
     veriexecgen(8), veriexec(9)

NOTES
     veriexec is part of the default configuration on the following
     architectures: amd64, i386, macppc, prep, sparc64.

AUTHORS
     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

NetBSD 10.99                   January 17, 2018                   NetBSD 10.99