Source-Changes-HG archive
[src/trunk]: src/sbin/veriexecctl Sync with reality.
details: https://anonhg.NetBSD.org/src/rev/0bec85169383
branches: trunk
changeset: 583372:0bec85169383
user: elad <elad%NetBSD.org@localhost>
date: Tue Aug 02 18:06:14 2005 +0000
description:
Sync with reality.
- Verified Exec -> Veriexec
- pseudo-device is `veriexec'
- veriexec.conf -> signatures, and mention /etc/signatures as the default
location
- We use veriexec's strict level, not the system securelevel
- Mention the `direct' option
- Mention that the signatures file can have multiple options in a single
entry, comma-separated
- Mention that both `direct' and `indirect' access modes are implied
if no access modes are explicitly mentioned in the options
- Bump date
diffstat:
sbin/veriexecctl/veriexecctl.8 | 42 +++++++++++++++++++++++++-----------------
1 files changed, 25 insertions(+), 17 deletions(-)
diffs (100 lines):
diff -r 8ea3b1faf5da -r 0bec85169383 sbin/veriexecctl/veriexecctl.8
--- a/sbin/veriexecctl/veriexecctl.8 Tue Aug 02 16:14:10 2005 +0000
+++ b/sbin/veriexecctl/veriexecctl.8 Tue Aug 02 18:06:14 2005 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: veriexecctl.8,v 1.14 2005/06/13 13:07:56 wiz Exp $
+.\" $NetBSD: veriexecctl.8,v 1.15 2005/08/02 18:06:14 elad Exp $
.\"
.\" Copyright (c) 1999
.\" Brett Lymn - blymn%baea.com.au@localhost, brett_lymn%yahoo.com.au@localhost
@@ -29,38 +29,37 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: veriexecctl.8,v 1.14 2005/06/13 13:07:56 wiz Exp $
+.\" $Id: veriexecctl.8,v 1.15 2005/08/02 18:06:14 elad Exp $
.\"
-.Dd June 13, 2005
+.Dd August 2, 2005
.Dt VERIEXECCTL 8
.Os
.Sh NAME
.Nm veriexecctl
-.Nd load or report verified exec fingerprints
+.Nd load or report veriexec fingerprints
.Sh SYNOPSIS
.Nm
-.Cm load Ar veriexec.conf
+.Cm load Ar signatures
.Sh DESCRIPTION
The
.Nm
-command is used to manipulate the Verified Exec feature.
-Verified Exec must have been configured into the booted kernel for this
+command is used to manipulate the Veriexec feature.
+Veriexec must have been configured into the booted kernel for this
commaned to work.
.Sh COMMANDS
.Bl -tag -width 25n
-.It Cm load Ar veriexec.conf
+.It Cm load Ar signatures
Load the fingerprint entries contained in
-.Ar veriexec.conf
+.Ar signatures
into the in kernel tables.
-This operation is only available if kern.securelevel is less than or
-equal to zero.
+This operation is only available if kern.veriexec.strict is zero.
Once loaded the kernel can then validate executed programs
or files against the loaded fingerprints and report when fingerprints
do not match.
.El
-.Sh VERIEXEC.CONF
+.Sh SIGNATURES
The
-.Pa veriexec.conf
+.Pa signatures
file contains lines of fields (separated by one or more whitespace
characters) of the form:
.Pp
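Review bot: The context line "commaned to work." directly under the reworded "Veriexec must have been configured into the booted kernel for this" still carries the typo "commaned"; since this hunk already rewrites that sentence, change it to "command" here. In the load description, "into the in kernel tables" would read better as "in-kernel tables". The new condition "This operation is only available if kern.veriexec.strict is zero." replaces the securelevel wording without saying where the strict levels are defined; a pointer to the page that documents them would help a reader who needs to understand why load is refused at a nonzero level.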
@@ -79,9 +78,11 @@
The field
.Em options
contains the associated options for the file.
-Currently there are two valid options:
+Currently there are three valid options:
.Pp
.Bl -tag -width INDIRECT -compact
+.It Dv DIRECT
+Allow direct execution only.
.It Dv INDIRECT
If this option is set then the executable cannot be invoked directly, it
can only be used as an interpreter in shell scripts.
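Review bot: The DIRECT entry's wording "Allow direct execution only." conflicts with the rest of this change, which lets options be combined with a comma: an entry that lists both DIRECT and INDIRECT is not direct-only. Suggest stating what the option permits, for example "Allow the file to be executed directly.", in parallel with the INDIRECT entry. The hard-coded count in "Currently there are three valid options:" has to be edited every time an option is added; "The valid options are:" avoids that.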
@@ -99,10 +100,17 @@
Comments are indicated by the first character of a line being a
.Sq \&#
character.
+Multiple options can be combined using a
+.Sq \&,
+character.
+If no options are specified, both direct and indirect execution
+are implied.
.Sh FILES
-.Bl -tag -width /dev/veriexec -compact
+.Bl -tag -width /etc/signatures -compact
.It Pa /dev/veriexec
-verified executable device node
+veriexec device node
+.It Pa /etc/signatures
+default signatures file
.El
.Sh SEE ALSO
.Xr veriexec 4 ,
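Review bot: The added sentence "If no options are specified, both direct and indirect execution are implied." does not match the commit description, which says both modes are implied when no access modes are explicitly mentioned. As written, the page does not say what happens to an entry that has options but names neither DIRECT nor INDIRECT; "If neither DIRECT nor INDIRECT is specified" would cover that case. This matters because the default is the more permissive setting. The three lines on combining options also sit after the comment-syntax paragraph, away from the options list; moving them next to the option descriptions and showing the combined form once (DIRECT,INDIRECT) would make them easier to find.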
@@ -117,6 +125,6 @@
.Nm
requires the kernel to have been configured with the
.Dv VERIFIED_EXEC
-option and the verifiedexec pseudo-device.
+option and the veriexec pseudo-device.
.Sh BUGS
There must be no whitespace in the path field of a fingerprint entry.
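Review bot: After this change the requirement sentence pairs the old-style name in ".Dv VERIFIED_EXEC" with the renamed "veriexec pseudo-device". If the kernel option keeps that name, the line is fine as it stands, but the commit message should say so, since the other "Verified Exec" spellings visible in this diff are all replaced and a reader may take the remaining one for an oversight.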