VERIEXEC(4) Kernel Interfaces Manual VERIEXEC(4)
NAME
veriexecVeriexec pseudo-device
SYNOPSIS
pseudo-device veriexec
DESCRIPTION
Veriexec verifies the integrity of specified executables and files before they are run or read. This makes it much more difficult to insert a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet sniffers, DDoS clients and so on.
 
The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information about them. It can also be used to dump the entire database.
Kernel-userland interaction
Veriexec uses proplib(3) for communication between the kernel and userland.
VERIEXEC_LOAD
Load an entry for a file to be monitored by Veriexec.
 
The dictionary passed contains the following elements:
Name
Type
Purpose
file
string
filename for this entry
entry-type
uint8
entry type (see below)
fp-type
string
fingerprint hashing algorithm
fp
data
the fingerprint
 
“entry-type” can be one or more (binary-OR'd) of the following:
Type
Effect
VERIEXEC_DIRECT
can execute directly
VERIEXEC_INDIRECT
can execute indirectly (interpreter, mmap(2))
VERIEXEC_FILE
can be opened
VERIEXEC_UNTRUSTED
located on untrusted storage
VERIEXEC_DELETE
Removes either an entry for a single file or entries for an entire mount from Veriexec.
 
The dictionary passed contains the following elements:
Name
Type
Purpose
file
string
filename or mount-point
VERIEXEC_DUMP
Dump the Veriexec monitored files database from the kernel.
 
Only files that the filename is kept for them will be dumped. The returned array contains dictionaries with the following elements:
Name
Type
Purpose
file
string
filename
fp-type
string
fingerprint hashing algorithm
fp
data
the fingerprint
entry-type
uint8
entry type (see above)
VERIEXEC_FLUSH
Flush the Veriexec database, removing all entries.
 
This command has no parameters.
VERIEXEC_QUERY
Queries Veriexec about a file, returning information that may be useful about it.
 
The dictionary passed contains the following elements:
Name
Type
Purpose
file
string
filename
 
The dictionary returned contains the following elements:
Name
Type
Purpose
entry-type
uint8
entry type (see above)
status
uint8
entry status
fp-type
string
fingerprint hashing algorithm
fp
data
the fingerprint
 
“status” can be one of the following:
Status
Meaning
FINGERPRINT_NOTEVAL
not evaluated
FINGERPRINT_VALID
fingerprint match
FINGERPRINT_MISMATCH
fingerprint mismatch
 
Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0.
SEE ALSO
NOTES
veriexec is part of the default configuration on the following architectures: amd64, i386, prep, sparc64.
AUTHORS
Brett Lymn <blymn@NetBSD.org> Elad Efrat <elad@NetBSD.org>