From: Efstratios Karatzas
To: soc-status@freebsd.org
Date: Tue, 17 Jul 2012 17:00:24 +0300
Subject: Kernel Level File Integrity Checker report #8
List-Id: Summer of Code Status Reports and Discussion

During week #8:

* clean up the codebase
* midterm eval
* checksums are now produced in kernel land during VOP_READ() and checked against the ones from .pefs.checksum. If they don't match, we deny reading access to that vnode.

Next tasks on the TODO list:

* research/implement signing .pefs.checksum and verifying that signature during `/sbin/pefs verify` as well as during VFS_MOUNT().
* require that immutable flags are set for all files that require integrity checking. This should be checked both by /sbin/pefs and in kernel when a vnode is looked up in index tables to see if it requires integrity checking. Also, add an option to `/sbin/pefs addchecksum` to set immutable flags for all files in input list, in case they are not already set.

--
Efstratios "GPF" Karatzas
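
A userland C model of the read-time check described in the report, added here as an illustration and not taken from the PEFS code or from the author. The index record layout, the FNV-1a stand-in for the real digest, the flag constant and the errno values are all assumptions; the immutable-flag test models the planned TODO item.

```c
/* Userland model, not PEFS code: decide whether a read may proceed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_IMMUTABLE 0x1u  /* stand-in for the immutable file flag */

struct index_entry {         /* hypothetical index-table record */
    uint64_t file_id;        /* lookup key */
    uint64_t checksum;       /* expected checksum of the file data */
};

/* FNV-1a 64-bit: non-cryptographic stand-in for the real digest. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

/* Returns 0 to allow the read, or an errno value to deny it. */
static int read_gate(const struct index_entry *tbl, size_t n,
    uint64_t file_id, unsigned flags, const unsigned char *data, size_t len)
{
    const struct index_entry *e = NULL;

    for (size_t i = 0; i < n && e == NULL; i++)
        if (tbl[i].file_id == file_id)
            e = &tbl[i];
    if (e == NULL)
        return 0;            /* not in the index: no check required */
    if ((flags & FILE_IMMUTABLE) == 0)
        return EPERM;        /* listed files must be immutable */
    if (fnv1a64(data, len) != e->checksum)
        return EACCES;       /* checksum mismatch: deny the read */
    return 0;
}

int main(void)
{
    unsigned char data[] = "constructed file contents";
    struct index_entry tbl[] = { { 42, fnv1a64(data, sizeof(data)) } };

    printf("intact:   %d\n", read_gate(tbl, 1, 42, FILE_IMMUTABLE, data, sizeof(data)));
    data[0] ^= 1;            /* simulate on-disk tampering */
    printf("tampered: %d\n", read_gate(tbl, 1, 42, FILE_IMMUTABLE, data, sizeof(data)));
    return 0;
}
```

A file that is absent from the index is readable without any check in this model, which is why the report's other TODO item, signing .pefs.checksum, matters: an unsigned index can be edited to drop or replace entries.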