From: Max Laier
Organization: FreeBSD
To: freebsd-stable@freebsd.org
Cc: Forrest Aldrich, csjp@freebsd.org
Date: Thu, 3 Apr 2008 13:49:41 +0200
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.

On Wednesday 02 April 2008 21:09:59 Forrest Aldrich wrote:
> Does FreeBSD have support for digitally signed binary checking, similar
> to what Linux has with bsign and DigSig, where system binaries are
> signed and this signature is verified before being run in the kernel?

There is mac_chkexec[1], but I'm not sure about its status.

> This would be very useful to have to further tighten-down the system.

[1] http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec&HIDEDEL=NO

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News