Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Aug 2012 10:42:20 +0300
From:      Efstratios Karatzas <gpf.kira@gmail.com>
To:        soc-status@freebsd.org
Subject:   Kernel Level File Integrity Checker report #11
Message-ID:  <CAHywV0gKD5iT9JfY0RfWgBt5sUShsOzwZ7nKi-86XDZgu=A3bQ@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
During week #11:

* sys/kern/kern_exec.c: Introduced a new sysctl var (vfs.pefs.exec.enable)
for use during development phase instead of using kern.securelevel. When it
is turned on, we check if schg is turned on for the executable file; if
not, we fail. In case of a shell script, only the interpreter executable is
checked instead. Next step involves moving this hack to a MAC hook as well
as introducing checks for dynamically loaded libraries.

* After a talk with my mentor, I changed some things about how
signing/verification of the .pefs.checksum file is done. Signature is now
kept within the .pefs.checksum file (at the beginning of the file). Also,
we now refrain from generating our own set of keys. /sbin/pefs asks for
user to supply both keys for DSA in PEM format files.

Next tasks on the TODO list:

- more work with schg & execution control

-- 

Efstratios "GPF" Karatzas



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHywV0gKD5iT9JfY0RfWgBt5sUShsOzwZ7nKi-86XDZgu=A3bQ>