The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information about them. It can also be used to dump the entire database.
VERIEXEC_LOAD
The dictionary passed contains the following elements:
Name        Type    Purpose
file        string  filename for this entry
entry-type  uint8   entry type (see below)
fp-type     string  fingerprint hashing algorithm
fp          data    the fingerprint
"entry-type" can be one or more (binary-OR'd) of the following:
Type                Effect
VERIEXEC_DIRECT     can execute directly
VERIEXEC_INDIRECT   can execute indirectly (interpreter, mmap(2))
VERIEXEC_FILE       can be opened
VERIEXEC_UNTRUSTED  located on untrusted storage
VERIEXEC_DELETE
The dictionary passed contains the following elements:
Name        Type    Purpose
file        string  filename or mount-point
VERIEXEC_DUMP
Only entries for which the filename is kept will be dumped. The returned array contains dictionaries with the following elements:
Name        Type    Purpose
file        string  filename
fp-type     string  fingerprint hashing algorithm
fp          data    the fingerprint
entry-type  uint8   entry type (see above)
VERIEXEC_FLUSH
This command has no parameters.
VERIEXEC_QUERY
The dictionary passed contains the following elements:
Name        Type    Purpose
file        string  filename
The dictionary returned contains the following elements:
Name        Type    Purpose
entry-type  uint8   entry type (see above)
status      uint8   entry status
fp-type     string  fingerprint hashing algorithm
fp          data    the fingerprint
"status" can be one of the following:
Status                Meaning
FINGERPRINT_NOTEVAL   not evaluated
FINGERPRINT_VALID     fingerprint match
FINGERPRINT_MISMATCH  fingerprint mismatch
Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0.
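The VERIEXEC_LOAD dictionary described above, built with NetBSD's proplib and sent with prop_dictionary_send_ioctl(3); this is an added example, not code from the manual page or the NetBSD source. The helper names vx_check_entry and vx_load_entry are hypothetical, the unknown-bit rejection is this example's own policy, and the flag values in the non-NetBSD branch are assumed so the checks build elsewhere.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#ifdef __NetBSD__
#include <sys/ioctl.h>
#include <sys/verified_exec.h>   /* VERIEXEC_LOAD and the entry-type flags */
#include <prop/proplib.h>
#else   /* assumed values so the checks build elsewhere; NetBSD uses its header */
#define VERIEXEC_DIRECT    0x01
#define VERIEXEC_INDIRECT  0x02
#define VERIEXEC_FILE      0x04
#define VERIEXEC_UNTRUSTED 0x10
#endif

/* Hypothetical helper: reject malformed requests before touching the device. */
int vx_check_entry(const char *file, uint8_t type, const char *fp_type,
                   const void *fp, size_t fplen)
{
    const uint8_t known = VERIEXEC_DIRECT | VERIEXEC_INDIRECT |
                          VERIEXEC_FILE | VERIEXEC_UNTRUSTED;
    if (file == NULL || *file == '\0' || fp_type == NULL || *fp_type == '\0' ||
        fp == NULL || fplen == 0 || (type & ~known) != 0)
        return EINVAL;
    return 0;
}

/* Hypothetical helper: send one VERIEXEC_LOAD dictionary on an open veriexec
 * device descriptor. Returns 0 on success or an errno value. */
int vx_load_entry(int fd, const char *file, uint8_t type, const char *fp_type,
                  const void *fp, size_t fplen)
{
    int error = vx_check_entry(file, type, fp_type, fp, fplen);
    if (error != 0) return error;
#ifdef __NetBSD__
    prop_dictionary_t d = prop_dictionary_create();
    prop_data_t data = prop_data_create_data(fp, fplen);
    if (d == NULL || data == NULL ||
        !prop_dictionary_set_cstring(d, "file", file) ||
        !prop_dictionary_set_uint8(d, "entry-type", type) ||
        !prop_dictionary_set_cstring(d, "fp-type", fp_type) ||
        !prop_dictionary_set(d, "fp", data))
        error = ENOMEM;
    else   /* fails once the strict level has been raised past 0 */
        error = prop_dictionary_send_ioctl(d, fd, VERIEXEC_LOAD);
    if (data != NULL) prop_object_release(data);
    if (d != NULL) prop_object_release(d);
    return error;
#else
    (void)fd; return ENOTSUP;   /* no veriexec device outside NetBSD */
#endif
}
```

On NetBSD, link with -lprop and pass a descriptor opened on the veriexec device.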