HardenedBSD/sbin/veriexec/veriexec.8

.\"-
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright (c) 2018-2024, Juniper Networks, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 1, 2024
.Dt VERIEXEC 8
.Os
.Sh NAME
.Nm veriexec
.Nd manipulate state of mac_veriexec
.Sh SYNOPSIS
.Nm
.Op Fl v
.Op Fl C Ar directory
.Op Fl S
.Pa manifest
.Nm
.Fl z Ar state
.Nm
.Fl i Ar state
.Nm
.Fl l
.Ar file ...
.Nm
.Fl x
.Ar file ...
.Sh DESCRIPTION
.Nm
is a utility to query or manipulate the state of
.Xr mac_veriexec 4 .
.Pp
The first form is for loading a
.Pa manifest .
.Nm
first verifies a digital signature of the
.Ar manifest
and if successful, parses it and feeds its content to kernel.
The
.Fl S
flag indicates that certificate validity should be checked.
Without this, a valid signature with an expired certificate
will still be accepted.
.Pp
The second form with
.Fl z
is used to modify the
.Ar state ,
and with
.Fl i
to query the current
.Ar state .
.Pp
With
.Fl l
.Nm
will report any labels associated with the remaining arguments
assumed to be files.
If only a single file argument is given, the bare label (if any)
will be reported, otherwise the pathname followed by label.
.Pp
The final form with
.Fl x
is used to test whether
.Ar file
is verified or not.
This requires
.Xr mac_veriexec 4
to be in the
.Ql active
or
.Ql enforce
state.
.Pp
The possible states
are:
.Bl -tag -width enforce
.It Ar loaded
set automatically when the first
.Pa manifest
has been loaded.
.It Ar active
.Xr mac_veriexec 4
will begin checking files.
This state can only be entered from the
.Ar loaded
state.
.It Ar enforce
.Xr mac_veriexec 4
will fail attempts to
.Xr exec 2
or
.Xr open 2
files with
.Dv O_VERIFY
unless verified.
.It Ar locked
prevent loading of any more manifests.
.El
.Pp
When setting or querying the state, it is sufficient to provide
a unique prefix of the desired state.
So
.Fl i
.Ar a
or
.Fl z
.Ar e
are sufficient, but
.Fl i
.Ar loc
is the minimum required to avoid confusion with
.Ar loaded .
.Sh MANIFESTS
The manifest contains a mapping of relative pathnames to fingerprints
with optional flags.
For example:
.Bd -literal -offset indent
sbin/veriexec sha256=f22136...c0ff71 no_ptrace trusted
usr/bin/python sha256=5944d9...876525 indirect
sbin/somedaemon sha256=77fc2f...63f5687 label=mod1/val1,mod2/val2
.Ed
.Pp
The supported flags are:
.Bl -tag -width indirect
.It Ql indirect
the executable cannot be run directly,
but can be used as an interpreter for example via:
.Bd -literal -offset indent
#!/usr/bin/python
.Ed
.It Ql no_fips
If the system has a notion of running in FIPS mode,
a file marked with this flag will not be allowed to
exec.
.It Ql no_ptrace
do not allow running executable under a debugger.
Useful for any application critical to the security state of system.
.It Ql trusted
this flag is required for a process to use
.Xr veriexec 4
to interact with
.Xr mac_veriexec 4 .
Generally only
.Nm
should need this flag.
Implies
.Ql no_ptrace .

.El
.Pp
The
.Ql label
argument allows associating a
.Xr maclabel 7
with a file.
Neither
.Nm
nor
.Xr mac_veriexec 4
(if it supports labels)
pay any attention to the content of the label
they are provided for the use of other
.Xr mac 4
modules or indeed other applications.
.Sh EXAMPLES
Load the manifest for a
.Xr tarfs 5
package mounted on
.Pa /mnt
and be strict about enforcing certificate validity:
.Bd -literal -offset indent
# veriexec -S -C /mnt /mnt/manifest

.Ed
.Nm
will look for a detatched signature that it recognizes, such as
.Pa manifest.asc
(OpenPGP) or
.Pa manifest.*sig
(X.509).
In the case of an X.509 signature we also need a matching certificate chain
.Pa manifest.*certs .
In either case there needs to be a suitable trust anchor in the trust store.
.Pp
We can now activate:
.Bd -literal -offset indent
# veriexec -z active

.Ed
Any user can check if
.Xr mac_veriexec 4
is
.Ql active :
.Bd -literal -offset indent
$ veriexec -i active

.Ed
Any user can check that
.Pa /mnt/bin/app
is verified:
.Bd -literal -offset indent
$ veriexec -x /mnt/bin/app

.Ed
If it is not, we will get an Authentiaction error,
but unless
.Xr mac_veriexec 4
is enforcing we would still be able to run it.
.Sh NOTES
It is only safe to set
.Xr mac_veriexec 4
to
.Ql enforce
state, if sufficient manifests have been loaded
to cover all the applications that might need to be run.
.Sh HISTORY
The Verified Exec system first appeared in
.Nx .
This utility derives from the one found in Junos,
which requires that manifest files be digitally signed.