.\" $NetBSD: veriexec.9,v 1.17 2007/08/11 19:16:21 pooka Exp $
.\"
.\" Copyright 2006 Elad Efrat <elad@NetBSD.org>
.\" Copyright 2006 Brett Lymn <blymn@NetBSD.org>
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Brett Lymn and Elad Efrat
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 11, 2007
.Dt VERIEXEC 9
.Os
.Sh NAME
.Nm veriexec
.Nd in-kernel file integrity subsystem KPI
.Sh SYNOPSIS
.In sys/verified_exec.h
.Sh DESCRIPTION
.Nm
is the KPI for
.Em Veriexec ,
the
.Nx
in-kernel file integrity subsystem.
It is responsible for managing the supported hashing algorithms, fingerprint
calculation and comparison, file monitoring tables, and relevant hooks to
enforce the
.Em Veriexec
policy.
.Ss Core Routines
.Bl -tag
.It Ft void Fn veriexec_init "void"
Initialize the
.Em Veriexec
subsystem.
Called only once during system startup.
.It Ft "bool" Fn veriexec_lookup "struct vnode *vp"
Check whether
.Ar vp
is monitored by
.Em Veriexec .
Returns
.Dv true
if it is, or
.Dv false
otherwise.
.It Ft int Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \
"const u_char *name" "int flag" "bool *found"
Verifies the digital fingerprint of
.Ar vp .
.Ar name
is the filename, and
.Ar flag
is the access flag.
The access flag can be one of:
.Bl -tag
.It Dv VERIEXEC_DIRECT
The file was executed directly via
.Xr execve 2 .
.It Dv VERIEXEC_INDIRECT
The file was executed indirectly, either as an interpreter for a script or
mapped to an executable memory region.
.It Dv VERIEXEC_FILE
The file was opened for reading/writing.
.El
.Pp
.Ar l
is the LWP for the request context.
.Pp
An optional argument,
.Ar found ,
is a pointer to a boolean indicating whether an entry for the file was found
in the
.Em Veriexec
tables.
.It Ft void Fn veriexec_purge "struct vnode *vp"
Purge the file entry for
.Ar vp .
This invalidates the cached fingerprint status so that the fingerprint is
evaluated again the next time the file is accessed.
.\" veriexec_page_verify() intentionally not documented.
.El
.Ss Fingerprint Related Routines
.Bl -tag
.It Ft int Fn veriexec_fpops_add "const char *fp_type" "size_t hash_len" \
"size_t ctx_size" "veriexec_fpop_init_t init" "veriexec_fpop_update_t update" \
"veriexec_fpop_final_t final"
Add support for fingerprinting algorithm
.Ar fp_type
with binary hash length
.Ar hash_len
and calculation context size
.Ar ctx_size
to
.Em Veriexec .
.Ar init ,
.Ar update ,
and
.Ar final
are the routines used to initialize, update, and finalize a calculation
context.
.El
.Ss Table Management Routines
.Bl -tag
.It Ft int Fn veriexec_file_add "struct lwp *l" \
"prop_dictionary_t dict"
Add a
.Em Veriexec
entry for the file described by
.Ar dict .
.Pp
.Ar dict
is expected to have the following:
.Bl -column entryxtype string
.Sy Name Ta Type Ta Purpose
.It file Ta string Ta filename
.It entry-type Ta uint8 Ta entry type flags ( see Xr veriexec 4 )
.It fp-type Ta string Ta fingerprint hashing algorithm
.It fp Ta data Ta the fingerprint
.El
.It Ft int Fn veriexec_file_delete "struct lwp *l" "struct vnode *vp"
Remove the
.Em Veriexec
entry for
.Ar vp .
.It Ft int Fn veriexec_table_delete "struct lwp *l" "struct mount *mp"
Remove the
.Em Veriexec
table for mount-point
.Ar mp .
.It Ft int Fn veriexec_flush "struct lwp *l"
Delete all
.Em Veriexec
tables.
.El
.Ss Hook Handlers
.Bl -tag
.It Ft int Fn veriexec_openchk "struct lwp *l" "struct vnode *vp" \
"const char *path" "int fmode"
Called when a file is opened.
.Pp
.Ar l
is the LWP opening the file, and
.Ar vp
is a vnode for the file being opened as returned from
.Xr namei 9 .
If
.Ar vp
is
.Dv NULL ,
the file is being created.
.Ar path
is the pathname for the file (not necessarily a full path), and
.Ar fmode
holds the mode bits with which the file was opened.
.It Ft int Fn veriexec_renamechk "struct lwp *l" "struct vnode *fromvp" \
"const char *fromname" "struct vnode *tovp" "const char *toname"
Called when a file is renamed.
.Pp
.Ar fromvp
and
.Ar fromname
are the vnode and filename of the file being renamed.
.Ar tovp
and
.Ar toname
are the vnode and filename of the target file.
.Ar l
is the LWP renaming the file.
.Pp
Depending on the strict level,
.Nm
will either track the change appropriately or prevent the rename.
.It Ft int Fn veriexec_removechk "struct lwp *l" "struct vnode *vp" \
"const char *name"
Called when a file is removed.
.Pp
.Ar vp
is the vnode of the file being removed, and
.Ar name
is the filename.
.Ar l
is the LWP removing the file.
.Pp
Depending on the strict level,
.Nm
will either clean up after the file or prevent its removal.
.It Ft int Fn veriexec_unmountchk "struct mount *mp"
Checks whether the current strict level allows
.Ar mp
to be unmounted.
.El
.Ss Misc. Routines
.Bl -tag
.It Ft int Fn veriexec_convert "struct vnode *vp" "prop_dictionary_t rdict"
Convert the
.Em Veriexec
entry for
.Ar vp
to a human-readable
.Xr proplib 3
dictionary,
.Ar rdict ,
with the following elements:
.Bl -column entryxtype string
.Sy Name Ta Type Ta Purpose
.It entry-type Ta uint8 Ta entry type flags ( see Xr veriexec 4 )
.It status Ta uint8 Ta entry status ( see below )
.It fp-type Ta string Ta fingerprint hashing algorithm
.It fp Ta data Ta the fingerprint
.El
.Pp
The
.Dq status
can be one of the following:
.Bl -column fingerprintxmismatch effect
.It Sy Status Ta Meaning
.It FINGERPRINT_NOTEVAL Ta not evaluated
.It FINGERPRINT_VALID Ta fingerprint match
.It FINGERPRINT_MISMATCH Ta fingerprint mismatch
.El
.Pp
If no entry was found,
.Er ENOENT
is returned.
Otherwise, zero.
.It Ft int Fn veriexec_dump "struct lwp *l" "prop_array_t rarray"
Fill
.Ar rarray
with entries for all files monitored by
.Em Veriexec
that have a filename associated with them.
.Pp
Each element in
.Ar rarray
is a dictionary with the same elements as filled by
.Fn veriexec_convert ,
with an additional field,
.Dq file ,
containing the filename.
.El
.Sh FILES
.Bl -column srcxsysxkernxkernxverifiedexecxc foo
.Sy Path Ta Purpose
.It src/sys/dev/verified_exec.c Ta driver for userland communication
.It src/sys/sys/verified_exec.h Ta shared (userland/kernel) header file
.It src/sys/kern/kern_verifiedexec.c Ta subsystem code
.It src/sys/kern/vfs_syscalls.c Ta rename, remove, and unmount policies
.It src/sys/kern/vfs_vnops.c Ta regular file access policy
.El
.Sh SEE ALSO
.Xr proplib 3 ,
.Xr sysctl 3 ,
.Xr veriexec 4 ,
.Xr sysctl 8 ,
.Xr veriexecctl 8 ,
.Xr veriexecgen 8 ,
.Xr fileassoc 9
.Sh AUTHORS
.An Brett Lymn Aq blymn@NetBSD.org
.An Elad Efrat Aq elad@NetBSD.org
.Sh CAVEATS
There are two known issues with
.Em Veriexec
that should be considered when using it.
.Ss Remote File-systems
Files residing on mounts from remote hosts cannot be fully protected.
Because access to the file-system does not necessarily go through
.Nm ,
there is no way to track on-disk changes.
While it is possible to minimize the effect by evaluating the file's
fingerprint on each access without caching the result, a problem still
arises when a file is overwritten after its fingerprint has been evaluated
while it is running on the local host.
.Pp
An attacker could overwrite the file contents on the remote host at that
point and force a flush on the local host, so that the file's pages are paged
back in from disk, introducing malicious code into a supposedly safe address
space.
.Pp
There is a fix for this issue; however, due to dependencies on other work
that is still in progress, it has not been committed yet.
.Ss Layered File-systems
Due to VFS limitations,
.Nm
cannot track the same on-disk file across multiple layers of overlay
file-systems.
Therefore, you cannot expect changes to files on overlay mounts to be
detected simply because the underlying mount is monitored by
.Nm .
.Pp
A workaround for this issue is to list every file you want monitored, under
every mount through which it is visible, in the signature file.
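The following is an added example, not code from NetBSD or from this page: a small user-space model of the pieces described above, written to show how the init/update/final contract of veriexec_fpops_add(), the per-file table of veriexec_file_add(), the cached status returned by veriexec_verify() and the reset done by veriexec_purge() fit together, and why the remote file-system caveat exists (a cached VALID result survives an overwrite the kernel never observes). Everything named *_model, the fnv1a64 toy algorithm and the fixed-size tables are assumptions for illustration; a real deployment uses an algorithm such as SHA256 and the kernel reads the content through the vnode instead of taking a buffer.

```c
/* Added example, not NetBSD code: a user-space model of the KPI described
 * above; *_model names are hypothetical, FNV-1a stands in for SHA256. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef void (*fpop_init_t)(void *ctx);
typedef void (*fpop_update_t)(void *ctx, const void *data, size_t len);
typedef void (*fpop_final_t)(uint8_t *out, void *ctx);
struct fpops {				/* what veriexec_fpops_add() registers */
	const char *fp_type;
	size_t hash_len, ctx_size;
	fpop_init_t init; fpop_update_t update; fpop_final_t final;
};
/* Toy algorithm: 64-bit FNV-1a; the context is the 8-byte running state. */
static void fnv_init(void *ctx) { *(uint64_t *)ctx = 0xcbf29ce484222325ULL; }
static void fnv_update(void *ctx, const void *d, size_t n)
{
	for (size_t i = 0; i < n; i++)
		*(uint64_t *)ctx = (*(uint64_t *)ctx ^ ((const uint8_t *)d)[i]) * 0x100000001b3ULL;
}
static void fnv_final(uint8_t *out, void *ctx)
{
	for (int i = 0; i < 8; i++)
		out[i] = (uint8_t)(*(uint64_t *)ctx >> (56 - 8 * i));
}
static const struct fpops fnv_ops = { "fnv1a64", 8, 8, fnv_init, fnv_update, fnv_final };

#define MAX_CTX  64			/* largest ctx_size accepted */
#define MAX_HASH 64			/* largest hash_len accepted */
/* init/update/final over one buffer, as veriexecgen does for each file. */
int fingerprint_model(const struct fpops *o, const void *d, size_t n, uint8_t *out)
{
	uint64_t ctx[MAX_CTX / 8];	/* 8-byte aligned scratch context */
	if (o->ctx_size > MAX_CTX || o->hash_len > MAX_HASH)
		return EINVAL;
	o->init(ctx); o->update(ctx, d, n); o->final(out, ctx);
	return 0;
}

/* Entry status values as reported by veriexec_convert(). */
enum { FINGERPRINT_NOTEVAL, FINGERPRINT_VALID, FINGERPRINT_MISMATCH };
static struct vfile {			/* one monitored file */
	const char *file;
	const struct fpops *ops;
	uint8_t fp[MAX_HASH];		/* fingerprint from the signature file */
	int status;			/* cached result of the last evaluation */
} files[8];
static int nfiles;

static struct vfile *lookup(const char *file)
{
	for (int i = 0; i < nfiles; i++)
		if (strcmp(files[i].file, file) == 0)
			return &files[i];
	return NULL;
}

/* Shape of veriexec_file_add(): the dict fields "file", "fp-type" and "fp". */
int file_add_model(const char *file, const struct fpops *ops, const uint8_t *fp)
{
	if (nfiles == 8 || ops->hash_len > MAX_HASH || lookup(file) != NULL)
		return EEXIST;
	files[nfiles] = (struct vfile){ file, ops, {0}, FINGERPRINT_NOTEVAL };
	memcpy(files[nfiles++].fp, fp, ops->hash_len);
	return 0;
}

/* veriexecgen followed by a veriexecctl load, from known-good content. */
int add_from_content_model(const char *file, const struct fpops *ops,
    const void *good, size_t len)
{
	uint8_t fp[MAX_HASH];
	int error = fingerprint_model(ops, good, len, fp);
	return error != 0 ? error : file_add_model(file, ops, fp);
}

/* Shape of veriexec_verify(): the current content is passed in instead of
 * being read through the vnode.  A cached result is reused until purge_model()
 * resets it; that reuse is the gap the remote file-system caveat describes. */
int verify_model(const char *file, const void *data, size_t len, bool *found)
{
	struct vfile *v = lookup(file);
	if (found != NULL) *found = (v != NULL);	/* found is optional, as in the KPI */
	if (v == NULL) return 0;	/* unmonitored: the strict level decides */
	if (v->status == FINGERPRINT_NOTEVAL) {
		uint8_t digest[MAX_HASH];
		fingerprint_model(v->ops, data, len, digest);
		v->status = memcmp(digest, v->fp, v->ops->hash_len) == 0 ?
		    FINGERPRINT_VALID : FINGERPRINT_MISMATCH;
	}
	return v->status == FINGERPRINT_VALID ? 0 : EPERM;
}

/* Shape of veriexec_purge(): force re-evaluation on the next access. */
void purge_model(const char *file)
{
	struct vfile *v = lookup(file);
	if (v != NULL) v->status = FINGERPRINT_NOTEVAL;
}
```

The sequence a practitioner should try with this model is: load a fingerprint for a file, verify it once (status becomes FINGERPRINT_VALID), swap the content and verify again (still 0, because the cached status wins), then purge and verify once more (now EPERM with FINGERPRINT_MISMATCH). That is the same window the remote file-system caveat above describes, and purging is the only thing in the KPI that closes it.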