tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: veriexec
2008/2/10, Elad Efrat <elad%netbsd.org@localhost>:
> Matthew Mondor wrote:
[...]
> > Also, I tend to constantly get these in kernel logs (a few examples
> > taken from dmesg | tail):
> >
> > Veriexec: Incorrect access type. [/bin/sh, pid=11314, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=11314, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=26712, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=26712, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=967, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=4750, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=17683, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=17683, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=18068, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=18068, uid=0,
> > gid=0]
> >
> > As the system continues to work fine, I guess that these are only
> > warnings, but what does "Incorrect access type" exactly mean in this
> > context?
> >
> > Although I also have a -current box I did not compare with veriexec
> > on it yet to see if this also occurs.
>
> It will always occur. :)
>
> First, a note: it works fine as long as the access type isn't enforced.
>
> The "access type" is "how the file should be accessed", as specified by
> /etc/signatures. For example, /bin/sh is probably used both as a shell
> (direct execution) and as a shell script interpreter (indirect
> execution), so it needs both of these flags.
>
> A while ago mjf@ wrote a patch for veriexecgen that tries to guess all
> of that stuff (see PR/34773) -- please test if you're interested; if you
> find it useful I'll just commit it.
>
> Thanks,
>
> -e
>
Since we are here...
In netbsd-4 branch, in veriexecctl(8) man page it says for the signatures file:
"If no options are specified, both direct and indirect execution are implied."
My experience showed that not both execution modes are set by default.
Can anyone please verify it ?
I have to get back in the camp of my unit and I won't be out for a
couple of days, otherwise I would have double checked it myself.
Thanks,
Stathis
Home |
Main Index |
Thread Index |
Old Index