NAME
  veriexec -- Veriexec pseudo-device

SYNOPSIS
  pseudo-device veriexec

DESCRIPTION
  Veriexec verifies the integrity of specified executables and files before
  they are run or read. This makes it much more difficult to insert a trojan
  horse into the system and also makes it more difficult to run binaries that
  are not supposed to be running, for example, packet sniffers, DDoS clients
  and so on.

  The veriexec pseudo-device is used to load and delete entries to and from
  the in-kernel Veriexec databases, as well as query information about them.
  It can also be used to dump the entire database.
  Kernel-userland interaction

  Veriexec uses proplib(3) for communication between the kernel and userland.
  The following requests are supported:

  VERIEXEC_LOAD
    Load an entry for a file to be monitored by Veriexec.

    The dictionary passed contains the following elements:

      | Name       | Type   | Purpose                        |
      | file       | string | filename for this entry        |
      | entry-type | uint8  | entry type (see below)         |
      | fp-type    | string | fingerprint hashing algorithm  |
      | fp         | data   | the fingerprint                |

    "entry-type" can be one or more (binary-OR'd) of the following:

      | Type               | Effect                                           |
      | VERIEXEC_DIRECT    | can execute directly                             |
      | VERIEXEC_INDIRECT  | can execute indirectly (interpreter, mmap(2))    |
      | VERIEXEC_FILE      | can be opened                                    |
      | VERIEXEC_UNTRUSTED | located on untrusted storage                     |

  VERIEXEC_DELETE
    Removes either an entry for a single file or entries for an entire mount
    from Veriexec.

    The dictionary passed contains the following elements:

      | Name | Type   | Purpose                 |
      | file | string | filename or mount-point |

  VERIEXEC_DUMP
    Dump the Veriexec monitored files database from the kernel.

    Only files for which the filename is kept will be dumped. The returned
    array contains dictionaries with the following elements:

      | Name       | Type   | Purpose                        |
      | file       | string | filename                       |
      | fp-type    | string | fingerprint hashing algorithm  |
      | fp         | data   | the fingerprint                |
      | entry-type | uint8  | entry type (see above)         |

  VERIEXEC_FLUSH
    Flush the Veriexec database, removing all entries.

    This command has no parameters.

  VERIEXEC_QUERY
    Queries Veriexec about a file, returning information that may be useful
    about it.

    The dictionary passed contains the following elements:

      | Name | Type   | Purpose  |
      | file | string | filename |

    The dictionary returned contains the following elements:

      | Name       | Type   | Purpose                        |
      | entry-type | uint8  | entry type (see above)         |
      | status     | uint8  | entry status                   |
      | fp-type    | string | fingerprint hashing algorithm  |
      | fp         | data   | the fingerprint                |

    "status" can be one of the following:

      | Status               | Meaning              |
      | FINGERPRINT_NOTEVAL  | not evaluated        |
      | FINGERPRINT_VALID    | fingerprint match    |
      | FINGERPRINT_MISMATCH | fingerprint mismatch |
  Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH
  are not permitted once the strict level has been raised past 0.
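  The userland side of a VERIEXEC_LOAD request, as an added example that is
  not code from NetBSD or veriexecctl(8): it builds a dictionary with the
  element names and types from the table above, externalizes it, and then
  re-checks a stored fingerprint the way the kernel's FINGERPRINT_VALID and
  FINGERPRINT_MISMATCH statuses distinguish. It assumes that proplib accepts
  an Apple-style XML plist (plistlib's output) and that the fingerprint is the
  digest of the whole file; the entry-type bit values are placeholders.

```python
import hashlib
import hmac
import os
import plistlib
import tempfile

# Placeholder bit assignments for the entry-type flags named on this page;
# the real values must be taken from the kernel's verified_exec header.
ENTRY_TYPE_BITS = {"VERIEXEC_DIRECT": 1 << 0, "VERIEXEC_INDIRECT": 1 << 1,
                   "VERIEXEC_FILE": 1 << 2, "VERIEXEC_UNTRUSTED": 1 << 3}


def fingerprint(path, fp_type):
    """Digest the whole file with the named algorithm (e.g. "SHA256")."""
    h = hashlib.new(fp_type.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def build_load_dict(path, flags, fp_type="SHA256"):
    """VERIEXEC_LOAD dictionary: file, entry-type (uint8), fp-type, fp."""
    entry_type = 0
    for name in flags:                  # flags are binary-OR'd together
        entry_type |= ENTRY_TYPE_BITS[name]
    if not 0 <= entry_type <= 0xFF:
        raise ValueError("entry-type must fit in a uint8")
    return {"file": path, "entry-type": entry_type,
            "fp-type": fp_type, "fp": fingerprint(path, fp_type)}


def externalize(d):
    """XML form of the dictionary (assumption: proplib-compatible plist)."""
    return plistlib.dumps(d, fmt=plistlib.FMT_XML)


def check_entry(xml_bytes):
    """Validate an externalized entry and recompute its fingerprint.

    True mirrors FINGERPRINT_VALID, False mirrors FINGERPRINT_MISMATCH."""
    d = plistlib.loads(xml_bytes)
    expected = {"file": str, "entry-type": int, "fp-type": str, "fp": bytes}
    for key, typ in expected.items():
        if not isinstance(d.get(key), typ):
            raise ValueError("element %r missing or of wrong type" % key)
    return hmac.compare_digest(fingerprint(d["file"], d["fp-type"]), d["fp"])


def demo():
    """Constructed sample: fingerprint a temp script, then modify it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"#!/bin/sh\necho hello\n")
        os.close(fd)
        xml = externalize(build_load_dict(path, ["VERIEXEC_DIRECT"]))
        before = check_entry(xml)
        with open(path, "ab") as f:
            f.write(b"echo extra\n")    # any change invalidates the fingerprint
        after = check_entry(xml)
    finally:
        os.unlink(path)
    return before, after                # (True, False)
```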
SEE ALSO
  proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8),
  veriexecgen(8), veriexec(9)

NOTES
  veriexec is part of the default configuration on the following
  architectures: amd64, i386, prep, sparc64.

AUTHORS
  Brett Lymn <blymn@NetBSD.org>
  Elad Efrat <elad@NetBSD.org>