tech-kern archive


Re: veriexec



2008/2/10, Elad Efrat <elad%netbsd.org@localhost>:
> Matthew Mondor wrote:
[...]
> > Also, I tend to constantly get these in kernel logs (a few examples
> > taken from dmesg | tail):
> >
> > Veriexec: Incorrect access type. [/bin/sh, pid=11314, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=11314, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=26712, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=26712, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=967, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=4750, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=17683, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=17683, uid=0,
> > gid=0]
> > Veriexec: Incorrect access type. [/bin/sh, pid=18068, uid=0, gid=0]
> > Veriexec: Incorrect access type. [/usr/bin/true, pid=18068, uid=0,
> > gid=0]
> >
> > As the system continues to work fine, I guess that these are only
> > warnings, but what does "Incorrect access type" exactly mean in this
> > context?
> >
> > Although I also have a -current box I did not compare with veriexec
> > on it yet to see if this also occurs.
>
> It will always occur. :)
>
> First, a note: it works fine as long as the access type isn't enforced.
>
> The "access type" is "how the file should be accessed", as specified by
> /etc/signatures. For example, /bin/sh is probably used both as a shell
> (direct execution) and as a shell script interpreter (indirect
> execution), so it needs both of these flags.
>
> A while ago mjf@ wrote a patch for veriexecgen that tries to guess all
> of that stuff (see PR/34773) -- please test if you're interested; if you
> find it useful I'll just commit it.
>
> Thanks,
>
> -e
>

Since we are here...

In the netbsd-4 branch, the veriexecctl(8) man page says for the signatures file:
"If no options are specified, both direct and indirect execution are implied."

My experience showed that not both execution modes are set by default.
Can anyone please verify it?

I have to get back in the camp of my unit and I won't be out for a
couple of days, otherwise I would have double checked it myself.

Thanks,
Stathis
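
An added example, not part of the original thread and not NetBSD code: it groups the "Incorrect access type" messages quoted above by path and checks each path's signatures entry for the `direct` and `indirect` options, flagging entries that write no options at all and so depend on the default questioned in this message. The entry layout (path, algorithm, fingerprint, comma-separated options), the option keywords, and all sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the thread's message format; one message is wrapped as in the mail.
SAMPLE_DMESG = """\
Veriexec: Incorrect access type. [/bin/sh, pid=11314, uid=0, gid=0]
Veriexec: Incorrect access type. [/usr/bin/true, pid=11314, uid=0,
gid=0]
Veriexec: Incorrect access type. [/bin/sh, pid=26712, uid=0, gid=0]
"""
# Constructed entries. Assumed layout: path, algorithm, fingerprint, options.
SAMPLE_SIGNATURES = """\
/bin/sh SHA256 FINGERPRINT_PLACEHOLDER direct
/usr/bin/true SHA256 FINGERPRINT_PLACEHOLDER
/bin/ls SHA256 FINGERPRINT_PLACEHOLDER direct,indirect
"""
LOG_RE = re.compile(r"Veriexec: Incorrect access type\. "
                    r"\[([^,\]]+),\s*pid=\d+,\s*uid=\d+,\s*gid=\d+\]")

def warned_paths(log_text):
    """Count 'Incorrect access type' messages per path."""
    return Counter(m.group(1) for m in LOG_RE.finditer(log_text))

def parse_signatures(text):
    """Map path -> set of options; an empty set means none were written."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue  # blank or malformed line
        opts = fields[3] if len(fields) == 4 else ""
        entries[fields[0]] = {o.strip().lower() for o in opts.split(",") if o.strip()}
    return entries

def review(log_text, sig_text):
    """For each warned path, report (message count, state of its entry)."""
    sigs, report = parse_signatures(sig_text), {}
    for path, count in warned_paths(log_text).items():
        if path not in sigs:
            status = "no entry"
        elif not sigs[path]:
            status = "no options written, relies on the default"
        else:
            missing = {"direct", "indirect"} - sigs[path]
            status = "missing " + ",".join(sorted(missing)) if missing else "both set"
        report[path] = (count, status)
    return report

if __name__ == "__main__":
    print(review(SAMPLE_DMESG, SAMPLE_SIGNATURES))
```
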

