From: Efstratios Karatzas
To: soc-status@freebsd.org
Date: Tue, 7 Aug 2012 10:42:20 +0300
Subject: Kernel Level File Integrity Checker report #11
List-Id: Summer of Code Status Reports and Discussion

During week #11:

* sys/kern/kern_exec.c: Introduced a new sysctl var (vfs.pefs.exec.enable) for use during the development phase instead of using kern.securelevel. When it is turned on, we check if schg is turned on for the executable file; if not, we fail. In case of a shell script, only the interpreter executable is checked instead. The next step involves moving this hack to a MAC hook as well as introducing checks for dynamically loaded libraries.

* After a talk with my mentor, I changed some things about how signing/verification of the .pefs.checksum file is done. The signature is now kept within the .pefs.checksum file (at the beginning of the file). Also, we now refrain from generating our own set of keys. /sbin/pefs asks the user to supply both keys for DSA in PEM format files.

Next tasks on the TODO list:

- more work with schg & execution control

--
Efstratios "GPF" Karatzas
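
A userland model of the exec check described in the report above, added here as an example; it is not part of the original message and not the project's kernel code. It can be used to audit which files such a policy would refuse; the function names and the 4096-byte read limit for the `#!` line are assumptions.

```python
import os
import stat
import sys


def exec_target(path):
    """Return the file the schg check applies to.

    For a '#!' script that is the interpreter, as the report describes;
    for anything else it is the file itself.
    """
    with open(path, "rb") as f:
        first = f.readline(4096)  # assumed limit, not taken from the kernel
    if not first.startswith(b"#!"):
        return path
    fields = first[2:].split()
    if not fields:
        raise ValueError(f"{path}: '#!' line names no interpreter")
    return os.fsdecode(fields[0])


def has_schg(path):
    """True if the system immutable flag (schg, SF_IMMUTABLE) is set on path."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # a missing or unreadable target cannot pass the check
    # st_flags exists on FreeBSD; on other systems treat the flag as unset.
    return bool(getattr(st, "st_flags", 0) & stat.SF_IMMUTABLE)


def exec_permitted(path, flag_check=has_schg):
    """Model of the decision: allow only if the checked file carries schg."""
    return flag_check(exec_target(path))


def audit(paths, flag_check=has_schg):
    """Return (path, checked_file) pairs for every path that would be refused."""
    refused = []
    for p in paths:
        target = exec_target(p)
        if not flag_check(target):
            refused.append((p, target))
    return refused


if __name__ == "__main__":
    # Usage: python3 audit_schg.py /bin/ls /usr/local/bin/some-script ...
    for p, target in audit(sys.argv[1:]):
        print(f"{p}: would be refused ({target} lacks schg)")
```

Note that under this model a script's own contents are never checked, only its interpreter, which matches the behaviour the report states for shell scripts.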