Date: Mon, 20 Aug 2012 16:08:43 +0000
From: gpf@FreeBSD.org
To: svn-soc-all@FreeBSD.org
Subject: socsvn commit: r240588 - soc2012/gpf/pefs_kmod/sbin/pefs
Message-ID: <20120820160843.1B86F1065675@hub.freebsd.org>
Author: gpf Date: Mon Aug 20 16:08:42 2012 New Revision: 240588 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240588 Log: - add man page entries for new /sbin/pefs actions. - also, change the letters used for some options so as to avoid conflict with pre-existing ones. Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 ============================================================================== --- soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 Mon Aug 20 15:34:06 2012 (r240587) +++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 Mon Aug 20 16:08:42 2012 (r240588) @@ -104,6 +104,25 @@ .Pp .Nm .Cm showalgs +.Pp +.Nm +.Cm addchecksum +.Op Fl s +.Op Fl a Ar alg +.Op Fl i Ar input_file +.Op Fl k Ar privatekey_file +.Op Fl d Ar dirpath +.Ar filesystem +.Nm +.Cm verify +.Op Fl u|n +.Op Fl k Ar publickey_file +.Ar checksum_file +.Ar filesystem +.Nm +.Cm nameid +.Op Fl u|n +.Ar filepath .Sh DESCRIPTION The .Nm 
@@ -227,6 +246,76 @@ Print all elements of the key chain staring with given parent key. .It Cm showalgs Print list of all supported algorithms. +.It Cm addchecksum Ar filesystem +Create +.Em .pefs.checksum +db file for +.Ar filesystem. +The algorithm that will be used as a hash function (sha256 by default) is +set by +.Fl a Ar alg . +The file that contains the private key in PEM format for the DSA signing +algorithm must be provided using +.Fl k Ar privatekey_file . +The list of files is read from stdin unless +.Fl i Ar input_file +is used. Files should be either regular files or symbolic links. Symlinks +are not traversed. +All files that need integrity checking must have the immutable flag (schg) set; +.Fl s +can be used to let +.Nm +turn it on for files that do not. +.Fl d Ar dirpath +can be used to specify under which directory the resulting +.Em .pefs.checksum +file should be placed. Otherwise, it is created under $PWD. +.It Cm verify Ar checksumpath filesystem +Verify the contents of a +.Em .pefs.checksum +file. This command scans the entire +.Ar filesystem +and checks that every entry in +.Em .pefs.checkum +is found and produces the same checksums. The command will try to produce +the same warning messages as +.Cm addchecksum +concerning hardlinks and symbolic links. It will also try to produce as many +warning messages as possible before failing. If +.Ar filesystem +is mounted but the key has not been supplied yet, +.Fl n +flag should be used. If the pefs +.Ar filesystem +is unmounted, the +.Fl u +flag should be used instead. By default, +.Nm +will assume that the filesystem is mounted and user has provided the +necessary key(s) using +.Cm addkey . +The file that contains the public key in PEM format must be provided using +.Fl k Ar privatekey_file . +.It Cm nameid Ar filepath +Print the identifier for an encrypted pefs filename where filename = +XBase64(checksum || E(tweak || filename)). The id is the name checksum, +meaning VMAC(E(tweak || filename)). 
This identifier is used as a primary key +when a filename is handled by +.Nm +for integrity checking purposes. Some warning messages produced by +.Nm +refer to files by their internal ID and not their decrypted fullpath; e.g. +when verifying an unmounted pefs filesystem. Therefore, this command can be +used to map fullpaths to internal IDs. If the pefs +.Ar filesystem +is unmounted, the +.Fl u +flag should be used instead. By default, +.Nm +will assume that the filesystem is mounted and user has provided the +necessary key(s) using +.Cm addkey . +Symlinks are not traversed. .El .Pp .Ss COMMAND OPTIONS @@ -248,11 +337,18 @@ .It Fl C Disables key chain lookup. By default if chain is found, keys it consists of are also used for operation. +.It Fl d Ar dirpath +specifies under which directory the resulting +.Em .pefs.checksum +file should be placed. .It Fl i Ar iterations Number of .Ar iterations to use with PKCS#5v2. -If this option is not specified default value of 50000 is used. +If this option is not specified default value of 50000 is used. In case of +.Cm addchecksum +, it may be used to specify the file that contains the list of full filenames +that require integrity checking. .It Fl I Ar iterations Specifies number of .Ar iterations @@ -270,9 +366,15 @@ Specifies a file which contains part of the key. If .Ar keyfile -is given as -, standard input will be used. +is given as -, standard input will be used. In case of integrity +checking actions, this specifies either the public or the private key +that is used by the signing algorithm. .It Fl K Ar keyfile Specifies a file which contains part of the secondary/child key. +.It Fl n +Specifies that the pefs +.Ar filesystem +is mounted but user has not provided the necessary key(s) yet. .It Fl o Ar options Mount options passed to .Xr mount 8 
@@ -281,10 +383,19 @@ Do not ask for passphrase. .It Fl P Do not ask for passphrase for secondary/child key. +.It Fl s +Is used to let +.Cm addchecksum +turn on the schg immutable flag for files that need integrity checking but +lack the schg flag. .It Fl t Test-only mode. Do not perform actual operation but check if it can be performed. Usable for scripting. +.It Fl u +Specifies that the pefs +.Ar filesystem +is unmounted. .It Fl v Verbose mode. .It Fl x @@ -369,6 +480,14 @@ before loading .Nm kernel module. +.It Va vfs.pefs.exec.enable +If this flag is set to 1, the system allows execution of code that derives +solely from files with the immutable flag (schg) set. This flag is temporary +as this functionality should be controlled by securelevel. +.It Va vfs.pefs.exec.enable.noscript +Same as the above except for when user is trying to execute a script. In +that case, only the interpreter will be checked for the schg flag, not the +script file. .El .Sh EXAMPLES Encrypting a directory: Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c ============================================================================== --- soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c Mon Aug 20 15:34:06 2012 (r240587) +++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c Mon Aug 20 16:08:42 2012 (r240588) @@ -1006,14 +1006,14 @@ /* * XXXgpf: Instead of a man page entry: * - * pefs addchecksum [-f] [-a algo] [-i inputfile] [-k pkey_file] [-p path] \ + * pefs addchecksum [-s] [-a alg] [-i inputfile] [-k pkey_file] [-d dirpath] \ * filesystem * * $command creates .pefs.checksum db file for filesystem. * This file will contain all checksums necessary to check integrity * of files upon access. * - * algo is the name of the algorithm to be used as a cryptographic + * alg is the name of the algorithm to be used as a cryptographic * hash function; supported algorithms: sha256, sha512. sha256 is * used by default. * 
@@ -1022,8 +1022,8 @@ * These files should be either regular files or symbolic links. * Symlinks are not traversed. * - * path defines where .pefs.checksum should be created. By default, - * .pefs.checksum is created under $PWD. path should be a directory, + * dirpath defines where .pefs.checksum should be created. By default, + * .pefs.checksum is created under $PWD. dirpath should be a directory, * outside of target pefs filesystem. * * pkey_file is the file that contains the private key that will be used @@ -1054,7 +1054,7 @@ /* by default create checksum file under $PWD */ snprintf(csm_path, sizeof(csm_path), "./%s", PEFS_FILE_CHECKSUM); - while ((i = getopt(argc, argv, "fa:i:k:p:")) != -1) + while ((i = getopt(argc, argv, "sa:i:k:d:")) != -1) switch(i) { case 'a': for (j=0; j < PEFS_SUPPORTED_DIGESTS; j++) @@ -1069,7 +1069,7 @@ goto out; } break; - case 'f': + case 's': flags|= PEFS_SETIMMUTABLE; break; case 'i': @@ -1088,7 +1088,7 @@ goto out; } break; - case 'p': + case 'd': if (stat(optarg, &sb) != 0) { warn("cannot stat file %s", optarg); error = PEFS_ERR_INVALID; @@ -1356,7 +1356,7 @@ " pefs randomchain [-fv] [-n min] [-N max] filesystem\n" " pefs showchains [-fp] [-i iterations] [-k keyfile] filesystem\n" " pefs showalgs\n" -" pefs addchecksum [-f] [-a algo] [-i inputfile] [-k pkey_file] [-p checksumpath] filesystem\n" +" pefs addchecksum [-s] [-a algo] [-i inputfile] [-k pkey_file] [-d dirpath] filesystem\n" " pefs verify [-n/u] [-k pkey_file] [checksumpath filesystem]\n" " pefs nameid [-u/-n] [filepath]" );
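Review bot: In the pefs.8 SYNOPSIS hunk (@@ -104,6 +104,25 @@), the new verify and nameid entries start with a bare ".Nm" and have no ".Pp" before them, unlike addchecksum and the existing showalgs entry, so the three commands will run together in the rendered synopsis. Add ".Pp" before each ".Nm". Also, ".Op Fl u|n" is a single word to mdoc and renders as "-u|n"; ".Op Fl u | Fl n" shows the two flags as alternatives.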
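Review bot: In the pefs.8 DESCRIPTION hunk (@@ -227,6 +246,76 @@), the verify entry says the public key file "must be provided using .Fl k Ar privatekey_file", which contradicts both the sentence itself and the synopsis (".Op Fl k Ar publickey_file"). For a signature check this matters: the text should not steer users toward handing the private key to verify. Use "Ar publickey_file" here. In the same hunk, ".pefs.checkum" is missing an "s", the entry header uses "checksumpath" where the synopsis uses "checksum_file", and ".Ar filesystem." needs the period as a separate argument (".Ar filesystem .").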
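Review bot: In the first COMMAND OPTIONS hunk (@@ -248,11 +337,18 @@), the addchecksum meaning of -i is appended to the ".It Fl i Ar iterations" entry, so the argument is still labelled "iterations" while the text describes an input file. The commit log says letters were changed to avoid conflicts, yet -i keeps two unrelated meanings in one entry; a separate ".It Fl i Ar input_file" item (or a different letter) would be clearer. The line that begins with "," after ".Cm addchecksum" will also render with a space before the comma; write ".Cm addchecksum ," instead.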
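Review bot: In the second COMMAND OPTIONS hunk (@@ -270,9 +366,15 @@), the new ".It Fl n" entry does not say which commands it applies to, while the usage text in pefs_ctl.c in this same commit shows "randomchain [-fv] [-n min]", so -n already has another meaning. State that this -n applies to verify and nameid, as the -s entry does for addchecksum. The same applies to the sentence added under -k: say which action takes the private key (addchecksum) and which takes the public key (verify), rather than "either the public or the private key".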
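Review bot: In the sysctl hunk (@@ -369,6 +480,14 @@), the entries for vfs.pefs.exec.enable and vfs.pefs.exec.enable.noscript give no default value and do not spell out the consequence of the noscript variant. As written, "only the interpreter will be checked for the schg flag, not the script file" means a script without the immutable flag can still run under a flagged interpreter; the man page should say so explicitly so an administrator knows which of the two settings actually restricts script content. "Same as the above except" should also be replaced with a self-contained description, since list order may change.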
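Review bot: In the first pefs_ctl.c hunk (@@ -1006,14 +1006,14 @@), the block comment still opens with "XXXgpf: Instead of a man page entry:" although this commit adds that entry to pefs.8. Keeping a second copy of the option list in the source invites drift (this commit already had to update both); drop the XXX marker and the duplicated synopsis, or reduce the comment to a pointer to pefs.8.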
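Review bot: In the usage-string hunk (@@ -1356,7 +1356,7 @@), the new addchecksum line still says "[-a algo]" while the man page and the source comment in this commit were renamed to "alg". The neighbouring context lines are inconsistent as well: verify shows "[-n/u]" and nameid shows "[-u/-n]", and both wrap their required operands in brackets ("[checksumpath filesystem]", "[filepath]") although pefs.8 lists them as mandatory. Align the usage text with the synopsis added in pefs.8.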