From owner-freebsd-chat@FreeBSD.ORG  Mon Jul 13 15:32:37 2009
Return-Path: <owner-freebsd-chat@FreeBSD.ORG>
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 821A01065674
	for <freebsd-chat@freebsd.org>; Mon, 13 Jul 2009 15:32:37 +0000 (UTC)
	(envelope-from jhb@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 54E298FC1E
	for <freebsd-chat@freebsd.org>; Mon, 13 Jul 2009 15:32:37 +0000 (UTC)
	(envelope-from jhb@freebsd.org)
Received: from bigwig.baldwin.cx (66.111.2.69.static.nyinternet.net
	[66.111.2.69])
	by cyrus.watson.org (Postfix) with ESMTPSA id 01E3F46B39;
	Mon, 13 Jul 2009 11:32:37 -0400 (EDT)
Received: from jhbbsd.hudson-trading.com (unknown [209.249.190.8])
	by bigwig.baldwin.cx (Postfix) with ESMTPA id CF07B8A096;
	Mon, 13 Jul 2009 11:32:35 -0400 (EDT)
From: John Baldwin <jhb@freebsd.org>
To: freebsd-chat@freebsd.org
Date: Mon, 13 Jul 2009 08:40:30 -0400
User-Agent: KMail/1.9.7
References: <4A5A5F8B.4030909@highperformance.net>
In-Reply-To: <4A5A5F8B.4030909@highperformance.net>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200907130840.30499.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1
	(bigwig.baldwin.cx); Mon, 13 Jul 2009 11:32:36 -0400 (EDT)
X-Virus-Scanned: clamav-milter 0.95.1 at bigwig.baldwin.cx
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.5 required=4.2 tests=AWL,BAYES_00,RDNS_NONE
	autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bigwig.baldwin.cx
Cc: "Jason C. Wells" <jcw@highperformance.net>
Subject: Re: Whitelist Before Execution
X-BeenThere: freebsd-chat@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Non technical items related to the community
	<freebsd-chat.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-chat>,
	<mailto:freebsd-chat-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-chat>
List-Post: <mailto:freebsd-chat@freebsd.org>
List-Help: <mailto:freebsd-chat-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-chat>,
	<mailto:freebsd-chat-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2009 15:32:37 -0000

On Sunday 12 July 2009 6:11:23 pm Jason C. Wells wrote:
> Is there a method by which we can check the consistency of an executable 
> or library prior to trusting it for execution?  For example, if the file 
> doesn't exist in the list of trusted files or the checksums do not match 
> then do not allow execution and write a warning message to the log.  I 
> could do this manually with existing features like mtree.  It would be 
> nice if the system could do it for me.

I believe csjp@ has a MAC module to store checksums of trusted executables in 
the kernel and to fail execve() if the executable is not a known trusted 
binary.

-- 
John Baldwin