Subject: Re: kern/30817
To: None <erh@swapsimple.com>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 10/14/2005 00:19:13
Hello Eric.

erh@swapsimple.com wrote:

> 	So how I am supposed to know this?  Given that the veriexec man page
> mentions NOTHING about how to turn it on (a mysterious reference to
> sysctl, especially just after a reference to kern.securelevel, doesn't
> count), 

Veriexec does not care about securelevel:

phyre:work {13} man 4 veriexec | col -b | grep -i securelevel
phyre:work {14} man 8 veriexecctl | col -b | grep -i securelevel
phyre:work {15}

If there is a man-page in the ``SEE ALSO'' part of the man-page, then
you might have a look. sysctl(8) lists the entire hierarchy of the
sysctl tree, and sysctl(3) gives a description for each element.

veriexec(4) describes the veriexec pseudo-device and what ioctls
it accepts. veriexecctl(8) describes the program used to load
signatures.

> I think either this bug, or 30818, should still be open until
> the man page is updated a little.

With what? duplicate text from sysctl(3)?

> 	The solution of "man 3 sysctl" that you mention in 30818 is bs, since
> just knowing that there is a veriexec sysctl setting is only marginally
> helpful when you don't know what changing it does.

Ah -- but you failed to read that man-page. Let me paste:

VERIEXEC_STRICT
	Controls the strict level of Verified Exec.  The strict
	level defines how Verified Exec will treat various
	situations.  In strict level 0, the system is in learning
	mode and will only warn about fingerprint mismatches, as
	well as allow removal of fingerprinted files.  It is the only
	level where fingerprints can be loaded.  In strict level
	1, the system is in IDS mode.  It will deny access to
	files with mismatched fingerprints.  In strict level 2,
	the system is in IPS mode.  It has all effects of strict
	level 1, plus it will deny write access to monitored
	files, prevent their removal, and enforce access type
	(direct, indirect, file).  Strict level 3 operates as
	lockdown mode.  It will have all effects of strict level
	2, but it will also prevent access to non-monitored
	files.  Furthermore, it will prevent addition of new
	files to the system, and allow writing only to files
	opened before the strict level was raised.

There is also an entire chapter in the NetBSD guide dedicated to
Veriexec:

http://netbsd.org/guide/en/chap-veriexec.html

And here's the part talking about strict levels:

http://netbsd.org/guide/en/chap-veriexec.html#chap-veriexec-strict


Please take a moment to read veriexecctl(8), veriexec(4),
and relevant parts from sysctl(3). If you are still not sure about
what each knob does or how to use Veriexec, and the online chapter
in the NetBSD guide does not help you, *then* open a PR.

-e.

-- 
Elad Efrat
PGP Key ID: 0x666EB914