Subject: Re: Veriexec broken on amd64?
To: Scott Ellis <scotte@warped.com>
From: Elad Efrat <elad@NetBSD.org>
List: current-users
Date: 02/09/2007 12:04:33

Scott Ellis wrote:
> I'm having a problem with using Veriexec on -current for amd64.  Back on
> December 20th -current, everything worked fine.  I updated -current on
> Feb 4th, and found that I get the following shortly after going
> multiuser (yes, that bad formatting really is how it looks on boot!):

the veriexec warnings you get (you really shouldn't get them on console
since we no longer use printf) are because you have not properly
configured it. /bin/sh is accessed both directly and indirectly, so I'm
guessing you need to add the 'indirect' flag to your config file.

other errors are problems with other stuff; in strict level 0, other
than printing, veriexec doesn't really do anything.

> Clearing /tmp.
> Loading fingerprints... done.
> kern.veriexec.strict: 0 -> 0
> kern.veriexec.verbose: 0 -> 0
> Checking quotas: done.
> Setting securelevel: kern.securelevel: 0 -> 1
> Starting virecover.
> Feb  4 19:59:34 intrepid /netbsd: Veriexec: Incorrect access type.
> [/bin/sh, pid=980, uid=0, gid=0]
> Feb  4 19:59:34 intrepid /netbsd: Veriexec: Incorrect access type.
> [/usr/libexec/virecover, pid=980, uid=0, gid=0]
> Starting dhcpd.
> Linking /var/tmp -> /tmp
> starting local daemons:estd saslauthd spamd Feb  4 19:59:34 intrepid
> /netbsd: Veriexec: Incorrect access type. [/bin/sh, pid=100, uid=0, gid=0]
> Starting spamd
> Feb  4 19:59:34 intrepid /netbsd: Veriexec: Incorrect access type.
> [/software/perl-5.9.3/bin/perl, pid=103, uid=0, gid=0]
> exim FreePOP Feb  4 19:59:36 exim[109]: 2007-02-04 19:59:36 Start queue
> run: pid=109
> Feb  4 19:59:36 exim[109]: 2007-02-04 19:59:36 End queue run: pid=109
> apache Feb  4 19:59:36 intrepid /netbsd: Veriexec: Incorrect access
> type. [/bin/sh, pid=113, uid=0, gid=0]
> Feb  4 19:59:37 httpd[115]: [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> samba Feb  4 19:59:37 httpd[1108]: [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> ClamAV SlimServer Feb  4 19:59:37 intrepid /netbsd: Veriexec: Incorrect
> access type. [/software/perl-5.9.3/bin/perl, pid=1239, uid=0, gid=0]
> SELCD dovecot Cleaning tmp .
> Starting lpd.
> Updating motd.
> Starting ntpd.
> Starting powerd.
> Starting sshd.
> Restoring mixer settings: mixer0fatal protection fault in supervisor mode
> trap type 4 code 0 rip ffffffff80268827 cs 8 rflags 10246 cr2
> 7f7fffffddb0 cpl 0 rsp ffff800047f98a60
> panic: trap
> syncing disks...
> 
> Thinking maybe it was a transient problem, and seeing some fileassoc
> checkins, I tried again today, and get the same results.  The full dmesg
> is attached to this email, as is the kernel config.

the only fileassoc change prior to feb 4 that could have affected
anything is from dec 23. other than that, the stuff I changed in
fileassoc is feb 6. for veriexec, more or less the same: last
meaningful change in dec 30, other than that, feb 6.

> Ideas?  This is 100% repeatable.  Turning veriexec off in rc.conf lets
> the system operate just fine (albeit without the veriexec protection!).

phyre:elad {1} uname -pmr
4.99.9 amd64 x86_64
phyre:elad {2} sysctl kern.veriexec
kern.veriexec.verbose = 1
kern.veriexec.strict = 1
kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 148
kern.veriexec.count.table1.mntpt = /usr
kern.veriexec.count.table1.fstype = ffs
kern.veriexec.count.table1.nentries = 880
phyre:elad {3}

so I'm not sure how broken it is on amd64. what's interesting is that
the fault is in mixerctl rather. how are you building? what are the
relevant file versions in the kernel you're using?

-e.
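
Added example, not part of the original message or of NetBSD: a small triage script that pulls the "Incorrect access type" warnings out of boot output like that quoted above (wrapped and interleaved lines included) and shows the flags each reported path currently has in the signatures file. The signatures layout (path, algorithm, fingerprint, comma-separated flags), the sample data and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted boot output: one warning wrapped
# after "type.", one interleaved with rc output, one wrapped mid-phrase.
SAMPLE_LOG = """\
Feb  4 19:59:34 intrepid /netbsd: Veriexec: Incorrect access type.
[/bin/sh, pid=980, uid=0, gid=0]
starting local daemons:estd saslauthd spamd Feb  4 19:59:34 intrepid
/netbsd: Veriexec: Incorrect access type. [/bin/sh, pid=100, uid=0, gid=0]
apache Feb  4 19:59:36 intrepid /netbsd: Veriexec: Incorrect access
type. [/software/perl-5.9.3/bin/perl, pid=103, uid=0, gid=0]
"""

# Constructed signatures entries; assumed layout: path algorithm fingerprint flags.
# Fingerprints are placeholders, not real digests.
SAMPLE_SIGNATURES = """\
/bin/sh SHA256 <placeholder-fingerprint> direct
/software/perl-5.9.3/bin/perl SHA256 <placeholder-fingerprint> direct, indirect
"""

WARNING = re.compile(r"Veriexec:\s+Incorrect\s+access\s+type\.\s*\[([^,\]]+),\s*pid=(\d+)")

def flagged_paths(log_text):
    """Count 'Incorrect access type' warnings per path, tolerating line wraps."""
    unquoted = re.sub(r"^(?:>\s?)+", "", log_text, flags=re.M)  # drop mail quoting
    flat = " ".join(unquoted.split())  # undo wrapping so one regex sees each warning
    return Counter(m.group(1) for m in WARNING.finditer(flat))

def configured_flags(signatures_text):
    """Map each path in the signatures text to its set of flags."""
    entries = {}
    for line in signatures_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        flags = fields[3] if len(fields) > 3 else ""
        entries[fields[0]] = {f.strip() for f in flags.split(",") if f.strip()}
    return entries

def review_list(log_text, signatures_text):
    """Return (path, warning count, flags or None if unlisted), most frequent first."""
    entries = configured_flags(signatures_text)
    return [(p, n, entries.get(p)) for p, n in flagged_paths(log_text).most_common()]

if __name__ == "__main__":
    for path, count, flags in review_list(SAMPLE_LOG, SAMPLE_SIGNATURES):
        print(path, count, sorted(flags) if flags is not None else "no entry")
```

The output is a review list only: each reported path still has to be checked against how it is actually accessed on the system before its flags are changed.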