Re: veriexecctl doesn't load fingerprints after a flush

["Stathis Kamperis" <ekamperi%gmail.com@localhost>]

2008/10/6, Eric Haszlakiewicz <erh%nimenees.com@localhost>:
> On Sat, Oct 04, 2008 at 11:02:57AM +0300, Stathis Kamperis wrote:
>  > 2008/10/3 Stathis Kamperis <ekamperi%gmail.com@localhost>:
>  > > Greetings everyone.
>  > >
>  > > I am experiencing some weird problems with veriexecctl.
>  > > [...]
>  >
>  > Elad was kind enough to explain me that this is not a bug,
>  > but a feature. Next time I'll be reading the man pages more
>  > carefully.
>  >
>  > Take care & sorry for the noise.
>
>
> Not being able to load entries after flushing is a feature?
>  How so?  And where in the man pages does it say that?
>
>
>  eric
>

Hi Eric.

You must pass -k to `veriexecctl load' when loading the fingerprint
entries or else the filenames aren't kept. If this happens, `dump'
won't print anything, just like the veriexecctl(8) man page states.

stathis# veriexecctl dump | wc -l
    820
stathis# veriexecctl flush
stathis# veriexecctl dump | wc -l
      0
stathis# veriexecctl -k load
stathis# veriexecctl dump | wc -l
    820
stathis#

It's useless to get a list of hashes if you don't know to which files
they refer to.
I messed around a bit with the kern_verifiedexec.c and made it use the
"not kept" string for entries with no filename. Here is what I get:

stathis# veriexecctl flush
stathis# veriexecctl dump | wc -l
      0
stathis# veriexecctl load
stathis# veriexecctl dump | wc -l
    820
stathis# veriexecctl dump | head -n5
not\ kept SHA256
c38d8fbc8e34b352fa53d9b4e12b586df430f7970d59731c0f74cef54b37a405
direct
not\ kept SHA256
862c882c728720ef3d4519dd07e6a8cf0b41873950a6d609e731fddb910041c4
direct
not\ kept SHA256
4f6950586830d487fb9d6b7b923d744f55f24b702f30b73c1e9d242599f957bb
direct
not\ kept SHA256
ccaa31eeb5007b93389a5afe279cfe347e873b0730014255617a65bfaca60ee5
indirect, file
not\ kept SHA256
04ccd02a589741b5a495336d11e31dcf2d9971e34fcf34205a4338d81da65ba4
direct
stathis#

Best regards,
Stathis Kamperis