Cem Kayali, 12/15/08 03:27:

> Cem Kayali, 12/15/08 02:56:
>
>> Elad Efrat, 12/15/08 02:50:
>>
>> Hi,
>>
>> First, let me apologize for forgetting to attach the patch. It's attached to this mail. :)
>>
>> On Mon, Dec 15, 2008 at 2:41 AM, Cem Kayali <cemkayali%eticaret.com.tr@localhost> wrote:
>>
>>> Hi,
>>>
>>> - The machine has already been up and I enabled veriexec by '/etc/rc.d/veriexec start' just after inserting veriexec=yes into rc.conf.
>>>
>>> - I edited the veriexec sysctl parameters and they are as:
>>>
>>>   kern.veriexec.verbose = 1
>>>   kern.veriexec.strict = 2
>>>   kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
>>>
>>> - I did the following operations:
>>>
>>>   localhost# cd /usr/pkg/bin
>>>   localhost# cp kasteroids kasteroids.org
>>>   localhost# rm -rf kasteroids
>>>   localhost# cp katomic kasteroids
>>>
>>> - I tried to run ./kasteroids and it launched (it actually started katomic!)
>>>
>>> - Signature file:
>>>
>>>   localhost# grep kasteroids /etc/signatures
>>>   /usr/pkg/bin/kasteroids SHA512 3ca3929b49cff9eafdb2d644..................
>>>
>>> - Original checksum:
>>>
>>>   localhost# cksum -a sha512 /usr/pkg/bin/kasteroids
>>>   SHA512 (/usr/pkg/bin/kasteroids) = e2073b3f71885530cab84865f..............
>>>
>>> - /var/log/messages does not contain any error message.
>>>
>>> I'm really surprised nobody until now has noticed the problem, if there is a problem really. This is a 4.99.7X amd64 machine. Maybe the problem is within 64-bit systems.
>>
>> My tests are done on amd64 as well, so that is not the issue. Perhaps your signatures file isn't loaded properly? Can you try running
>>
>>   veriexecctl query /usr/pkg/bin/kasteroids
>>
>> and show me the output? If it indicates the fingerprint mismatches, and you are able to overwrite/delete/run it, then we have a problem!
>>
>> Thanks,
>>
>> -e.
>
> Hi,
>
> localhost#
> localhost#
> localhost# grep kasteroids /etc/signatures
> /usr/pkg/bin/kasteroids SHA512 3ca3929b49cff9eafdb2d644c6e52................
> localhost#
> localhost#
> localhost# veriexecctl query /usr/pkg/bin/kasteroids
> veriexecctl: No Veriexec entry for `/usr/pkg/bin/kasteroids'
> localhost#
> localhost#
>
> Well, you are right, it looks like it does not load some or all of the signatures... It is about a 453 KB file.
>
> Thanks,
> Cem

Additional information:

localhost# veriexecctl query /usr/pkg/bin/kasteroids
Filename: /usr/pkg/bin/kasteroids
Mount: /usr
Entry flags: direct
Entry status: not evaluated
Fingerprint algorithm: SHA512
Fingerprint: 3ca3929b49cff9eafdb2d644c6e52e9f7094679b..........

The only difference is that I modified the sysctl.conf entries and rebooted the machine (note: I rebooted the machine in the previous step and it didn't work).

From:
kern.veriexec.strict=1
kern.veriexec.verbose=1

To:
kern.veriexec.strict=0
kern.veriexec.verbose=0

And then, after boot is complete:

localhost# sysctl -w kern.veriexec.verbose=1
kern.veriexec.verbose: 0 -> 1
localhost# sysctl -w kern.veriexec.strict=1
kern.veriexec.strict: 0 -> 1

And running '/usr/pkg/bin/kasteroids' does produce an error message:

Dec 15 03:25:12 localhost /netbsd: Veriexec: Mismatch. [/usr/pkg/bin/kasteroids]

Regards,
Cem

It looks like sysctl.conf modifies the strict value before veriexec loads the signature file, and there is no way to update/load the signature file after kern.veriexec.strict > 0.

    load [file]
        Load the fingerprint entries contained in file, if specified, or the
        default signatures file otherwise. This operation is only allowed in
        learning mode (strict level zero).

This is confusing; it is hard to guess such an order.

Regards,
Cem
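As an added example (not part of this thread and not NetBSD's own veriexec code), the following Python script does in userland what Cem did by hand with grep and cksum: it parses a signatures file in the `path algorithm fingerprint [flags...]` form, recomputes each file's digest with hashlib and reports MATCH, MISMATCH or MISSING per entry. Assumptions: trailing flags are kept as opaque tokens rather than interpreted; RMD160 can only be checked when the local OpenSSL build still provides ripemd160 (otherwise the entry is reported UNSUPPORTED); the scenario in demo() is constructed from temporary files, not /usr/pkg/bin. Such a cross-check only compares what is on disk with what the signatures file says; it cannot tell whether the kernel actually loaded the entry, which is the question `veriexecctl query` answers in the thread above.

```python
import hashlib
import os
import tempfile

# Algorithm names as they appear in a veriexec signatures file, mapped to
# hashlib names.  RMD160 depends on OpenSSL still exposing ripemd160.
ALGORITHMS = {
    "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
    "SHA384": "sha384", "SHA512": "sha512", "RMD160": "ripemd160",
}


def parse_signatures(text):
    """Parse '<path> <algorithm> <fingerprint> [flags...]' lines.

    Blank lines and '#' comments are skipped.  Flags are stored as opaque
    upper-cased tokens (assumption: not interpreted here)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed entry: %r" % raw)
        path, algo, fp = fields[0], fields[1].upper(), fields[2].lower()
        if algo not in ALGORITHMS:
            raise ValueError("unknown algorithm %s for %s" % (algo, path))
        entries.append({"path": path, "algo": algo, "fingerprint": fp,
                        "flags": [f.upper() for f in fields[3:]]})
    return entries


def fingerprint(path, algo):
    """Hex digest of the file at path using the named veriexec algorithm."""
    h = hashlib.new(ALGORITHMS[algo])   # raises ValueError if unsupported
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_entries(entries):
    """Return {path: status}, status in MATCH, MISMATCH, MISSING, UNSUPPORTED."""
    results = {}
    for e in entries:
        if not os.path.isfile(e["path"]):
            results[e["path"]] = "MISSING"
            continue
        try:
            actual = fingerprint(e["path"], e["algo"])
        except ValueError:
            # hashlib.new() rejects digests the local OpenSSL lacks (ripemd160 on OpenSSL 3)
            results[e["path"]] = "UNSUPPORTED"
            continue
        results[e["path"]] = "MATCH" if actual == e["fingerprint"] else "MISMATCH"
    return results


def demo():
    """Constructed scenario mirroring the report: record fingerprints, then
    overwrite 'kasteroids' with the contents of 'katomic' (cp katomic kasteroids).
    Returns statuses keyed by basename."""
    d = tempfile.mkdtemp()
    kast = os.path.join(d, "kasteroids")
    katomic = os.path.join(d, "katomic")
    gone = os.path.join(d, "gone")          # listed in signatures but never created
    with open(kast, "wb") as f:
        f.write(b"kasteroids original contents\n")
    with open(katomic, "wb") as f:
        f.write(b"katomic contents\n")
    sigs = "# constructed signatures file\n"
    sigs += "%s SHA512 %s DIRECT\n" % (kast, fingerprint(kast, "SHA512"))
    sigs += "%s SHA256 %s DIRECT\n" % (katomic, fingerprint(katomic, "SHA256"))
    sigs += "%s SHA1 %s\n" % (gone, "0" * 40)
    # simulate the overwrite from the report
    with open(katomic, "rb") as src, open(kast, "wb") as dst:
        dst.write(src.read())
    statuses = check_entries(parse_signatures(sigs))
    return {os.path.basename(p): s for p, s in statuses.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(status, name)
```

Run against a real system, `check_entries(parse_signatures(open("/etc/signatures").read()))` lists every entry whose on-disk digest no longer agrees with the file, independent of whether the kernel is in learning mode; a MISMATCH here combined with a clean `veriexecctl query` result is exactly the symptom of entries that were never loaded.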