veriexec - something similar?

Hey guys,

Is there something similar to NetBSD veriexec(8) on FreeBSD?

I want to restrict execution in a jail to only certain system binaries (even limiting root). Setting the filesystem as 'exec' only on the standard directories `/usr/bin` and `/usr/sbin` and 'noexec' on the others does not solve my problem, since root can still place any binaries in those directories and run them. NetBSD has veriexec, where I can specify in a database the HASH of the binaries allowed to be executed. Does a similar tool exist, or would you recommend an alternative for FreeBSD?

Thanks
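As an added illustration of the hash-database idea the question describes (example code, not from this thread or from NetBSD/FreeBSD veriexec): a user-space manifest of SHA-256 fingerprints for the executables in a directory, checked before a binary is run. It is built on constructed files in a temporary directory so it runs offline; the `bin` directory, the `ls` script and the `rogue` file are all constructed for the demo. A check like this only reproduces the policy, not the enforcement: real veriexec applies the fingerprint check inside the kernel at exec time, which a userland script cannot do.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Fingerprint a file's contents (this is what the manifest records)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directories):
    """Record a fingerprint for every executable regular file in the given directories."""
    manifest = {}
    for d in directories:
        for entry in sorted(os.listdir(d)):
            p = os.path.join(d, entry)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                manifest[os.path.realpath(p)] = sha256_of(p)
    return manifest


def check_executable(path, manifest):
    """Return 'ok', 'unlisted' (not in the database) or 'modified' (hash mismatch)."""
    real = os.path.realpath(path)
    if real not in manifest:
        return "unlisted"
    if sha256_of(real) != manifest[real]:
        return "modified"
    return "ok"


def demo():
    """Constructed scenario: a trusted binary, then a dropped file and a tampered binary."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")  # stands in for /usr/bin
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        with open(ls, "w") as f:
            f.write("#!/bin/sh\necho ls\n")
        os.chmod(ls, 0o755)

        manifest = build_manifest([bindir])  # snapshot taken while the tree is trusted
        before = check_executable(ls, manifest)

        # Later, a new executable appears in the 'exec' directory: not in the database.
        rogue = os.path.join(bindir, "rogue")
        with open(rogue, "w") as f:
            f.write("#!/bin/sh\necho rogue\n")
        os.chmod(rogue, 0o755)

        # And an existing listed binary is overwritten: hash no longer matches.
        with open(ls, "w") as f:
            f.write("#!/bin/sh\necho replaced\n")

        return (before, check_executable(rogue, manifest), check_executable(ls, manifest))


if __name__ == "__main__":
    print(demo())  # ('ok', 'unlisted', 'modified')
```

The point of the demo is the second and third results: a directory mounted `exec` does nothing against a file that is dropped into it or overwritten, whereas a fingerprint database rejects both, which is exactly the gap the question is asking about.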
 
cracauer@

Thanks, maybe I’m mistaken, but it seems it’s not really the veriexec tool, but rather exclusively a kernel interface.
There are no tools to control the use of the veriexec device, such as veriexecctl.
In the FreeBSD man pages, there are entries about veriexec in FreeBSD 15, but nothing in the FreeBSD 14.3 man pages...

Maybe something in development?

I found: https://reviews.freebsd.org/rS335402 and https://reviews.freebsd.org/D8575
But it is confusing to determine the status of the module and its implementation...

I never used it. I agree that the status is a bit odd. The kernel module also doesn't seem to be installed by default.
 