socsvn commit: r240588 - soc2012/gpf/pefs_kmod/sbin/pefs
gpf at FreeBSD.org
Mon Aug 20 16:08:45 UTC 2012
Author: gpf
Date: Mon Aug 20 16:08:42 2012
New Revision: 240588
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240588
Log:
- add man page entries for new /sbin/pefs actions.
- also, change the letters used for some options so as to avoid conflict
with pre-existing ones.
Modified:
soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8
soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c
Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8
==============================================================================
--- soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 Mon Aug 20 15:34:06 2012 (r240587)
+++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs.8 Mon Aug 20 16:08:42 2012 (r240588)
@@ -104,6 +104,25 @@
.Pp
.Nm
.Cm showalgs
+.Pp
+.Nm
+.Cm addchecksum
+.Op Fl s
+.Op Fl a Ar alg
+.Op Fl i Ar input_file
+.Op Fl k Ar privatekey_file
+.Op Fl d Ar dirpath
+.Ar filesystem
+.Nm
+.Cm verify
+.Op Fl u|n
+.Op Fl k Ar publickey_file
+.Ar checksum_file
+.Ar filesystem
+.Nm
+.Cm nameid
+.Op Fl u|n
+.Ar filepath
.Sh DESCRIPTION
The
.Nm
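Review bot: in the SYNOPSIS additions, the `verify` and `nameid` entries begin with `.Nm` but have no `.Pp` before them, unlike `addchecksum` and the existing `showalgs` entry, so they will not be set off as separate synopsis lines; add `.Pp` before each. `.Op Fl u|n` is also better written as `.Op Fl u | n` so both letters are rendered as flags.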
@@ -227,6 +246,76 @@
Print all elements of the key chain staring with given parent key.
.It Cm showalgs
Print list of all supported algorithms.
+.It Cm addchecksum Ar filesystem
+Create
+.Em .pefs.checksum
+db file for
+.Ar filesystem.
+The algorithm that will be used as a hash function (sha256 by default) is
+set by
+.Fl a Ar alg .
+The file that contains the private key in PEM format for the DSA signing
+algorithm must be provided using
+.Fl k Ar privatekey_file .
+The list of files is read from stdin unless
+.Fl i Ar input_file
+is used. Files should be either regular files or symbolic links. Symlinks
+are not traversed.
+All files that need integrity checking must have the immutable flag (schg) set;
+.Fl s
+can be used to let
+.Nm
+turn it on for files that do not.
+.Fl d Ar dirpath
+can be used to specify under which directory the resulting
+.Em .pefs.checksum
+file should be placed. Otherwise, it is created under $PWD.
+.It Cm verify Ar checksumpath filesystem
+Verify the contents of a
+.Em .pefs.checksum
+file. This command scans the entire
+.Ar filesystem
+and checks that every entry in
+.Em .pefs.checkum
+is found and produces the same checksums. The command will try to produce
+the same warning messages as
+.Cm addchecksum
+concerning hardlinks and symbolic links. It will also try to produce as many
+warning messages as possible before failing. If
+.Ar filesystem
+is mounted but the key has not been supplied yet,
+.Fl n
+flag should be used. If the pefs
+.Ar filesystem
+is unmounted, the
+.Fl u
+flag should be used instead. By default,
+.Nm
+will assume that the filesystem is mounted and user has provided the
+necessary key(s) using
+.Cm addkey .
+The file that contains the public key in PEM format must be provided using
+.Fl k Ar privatekey_file .
+.It Cm nameid Ar filepath
+Print the identifier for an encrypted pefs filename where filename =
+XBase64(checksum || E(tweak || filename)). The id is the name checksum,
+meaning VMAC(E(tweak || filename)). This identifier is used as a primary key
+when a filename is handled by
+.Nm
+for integrity checking purposes. Some warning messages produced by
+.Nm
+refer to files by their internal ID and not their decrypted fullpath; e.g.
+when verifying an unmounted pefs filesystem. Therefore, this command can be
+used to map fullpaths to internal IDs. If the pefs
+.Ar filesystem
+is unmounted, the
+.Fl u
+flag should be used instead. By default,
+.Nm
+will assume that the filesystem is mounted and user has provided the
+necessary key(s) using
+.Cm addkey .
+Symlinks are not traversed.
.El
.Pp
.Ss COMMAND OPTIONS
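Review bot: the last sentence of the `verify` description says the public key must be provided using `.Fl k Ar privatekey_file`, which contradicts both the sentence itself and the synopsis (`.Op Fl k Ar publickey_file`); change the argument name to `publickey_file` so readers are not led to hand the signing key to the verification step. In the same hunk, `.Em .pefs.checkum` is misspelled, `.Ar filesystem.` needs the period as a separate argument (`.Ar filesystem .`), the item header uses `checksumpath` where the synopsis uses `checksum_file`, and the `nameid` text documents `-u` only although the synopsis offers `-u|n`.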
@@ -248,11 +337,18 @@
.It Fl C
Disables key chain lookup.
By default if chain is found, keys it consists of are also used for operation.
+.It Fl d Ar dirpath
+specifies under which directory the resulting
+.Em .pefs.checksum
+file should be placed.
.It Fl i Ar iterations
Number of
.Ar iterations
to use with PKCS#5v2.
-If this option is not specified default value of 50000 is used.
+If this option is not specified default value of 50000 is used. In case of
+.Cm addchecksum
+, it may be used to specify the file that contains the list of full filenames
+that require integrity checking.
.It Fl I Ar iterations
Specifies number of
.Ar iterations
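Review bot: the `-i` entry now documents two unrelated meanings under `.It Fl i Ar iterations`, so a reader looking for the `addchecksum` input file finds it only as a trailing sentence about PKCS#5v2 iterations. Give it its own item (`.It Fl i Ar input_file`), or pick a letter that does not collide, which is what the log message says this change is for. Also, `.Cm addchecksum` followed by a line starting with `,` renders a stray space before the comma; write `.Cm addchecksum ,`. The new `.It Fl d` text should start with a capital like the neighbouring entries.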
@@ -270,9 +366,15 @@
Specifies a file which contains part of the key.
If
.Ar keyfile
-is given as -, standard input will be used.
+is given as -, standard input will be used. In case of integrity
+checking actions, this specifies either the public or the private key
+that is used by the signing algorithm.
.It Fl K Ar keyfile
Specifies a file which contains part of the secondary/child key.
+.It Fl n
+Specifies that the pefs
+.Ar filesystem
+is mounted but user has not provided the necessary key(s) yet.
.It Fl o Ar options
Mount options passed to
.Xr mount 8
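Review bot: the new `.It Fl n` entry gives `-n` a single meaning (mounted, key not yet supplied), but the usage string in pefs_ctl.c still lists `pefs randomchain [-fv] [-n min]`, so the letter has two meanings; name the commands this entry applies to (`verify`, `nameid`), or choose another letter. The `-k` addition has the same problem: "either the public or the private key" does not say which command takes which, and should state that `addchecksum` takes the private key and `verify` the public key.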
@@ -281,10 +383,19 @@
Do not ask for passphrase.
.It Fl P
Do not ask for passphrase for secondary/child key.
+.It Fl s
+Is used to let
+.Cm addchecksum
+turn on the schg immutable flag for files that need integrity checking but
+lack the schg flag.
.It Fl t
Test-only mode.
Do not perform actual operation but check if it can be performed.
Usable for scripting.
+.It Fl u
+Specifies that the pefs
+.Ar filesystem
+is unmounted.
.It Fl v
Verbose mode.
.It Fl x
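Review bot: the `.It Fl u` entry does not say which commands accept it, unlike the `-s` entry above it, which names `addchecksum`; per the synopsis it applies to `verify` and `nameid`, and the entry should say so. The `-s` text also reads better in the imperative style of the surrounding entries, e.g. "Let addchecksum set the schg flag on listed files that lack it."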
@@ -369,6 +480,14 @@
before loading
.Nm
kernel module.
+.It Va vfs.pefs.exec.enable
+If this flag is set to 1, the system allows execution of code that derives
+solely from files with the immutable flag (schg) set. This flag is temporary
+as this functionality should be controlled by securelevel.
+.It Va vfs.pefs.exec.enable.noscript
+Same as the above except for when user is trying to execute a script. In
+that case, only the interpreter will be checked for the schg flag, not the
+script file.
.El
.Sh EXAMPLES
Encrypting a directory:
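Review bot: the `vfs.pefs.exec.enable.noscript` entry says only the interpreter is checked for schg, not the script file, but does not spell out the consequence: with this knob set, script content that is neither immutable nor covered by the check still gets executed. State that explicitly, and replace "Same as the above" with a sentence saying whether the two sysctls are independent or whether `noscript` only has effect when `vfs.pefs.exec.enable` is 1. The "This flag is temporary" remark would be more useful with the intended securelevel behaviour described.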
Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c Mon Aug 20 15:34:06 2012 (r240587)
+++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c Mon Aug 20 16:08:42 2012 (r240588)
@@ -1006,14 +1006,14 @@
/*
* XXXgpf: Instead of a man page entry:
*
- * pefs addchecksum [-f] [-a algo] [-i inputfile] [-k pkey_file] [-p path] \
+ * pefs addchecksum [-s] [-a alg] [-i inputfile] [-k pkey_file] [-d dirpath] \
* filesystem
*
* $command creates .pefs.checksum db file for filesystem.
* This file will contain all checksums necessary to check integrity
* of files upon access.
*
- * algo is the name of the algorithm to be used as a cryptographic
+ * alg is the name of the algorithm to be used as a cryptographic
* hash function; supported algorithms: sha256, sha512. sha256 is
* used by default.
*
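Review bot: this comment block is still headed "XXXgpf: Instead of a man page entry", yet the same commit adds the real entry to pefs.8. Keeping both means every future option change has to be made in two places (this hunk already does that for `-s`, `alg` and `-d`); consider dropping the comment or reducing it to a pointer to pefs(8).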
@@ -1022,8 +1022,8 @@
* These files should be either regular files or symbolic links.
* Symlinks are not traversed.
*
- * path defines where .pefs.checksum should be created. By default,
- * .pefs.checksum is created under $PWD. path should be a directory,
+ * dirpath defines where .pefs.checksum should be created. By default,
+ * .pefs.checksum is created under $PWD. dirpath should be a directory,
* outside of target pefs filesystem.
*
* pkey_file is the file that contains the private key that will be used
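Review bot: the comment states that dirpath "should be a directory, outside of target pefs filesystem", but the `-d` text added to pefs.8 in this commit only says where the file is placed and omits that restriction. Since it determines where the signed checksum database lives relative to the data it protects, carry the sentence over to the man page.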
@@ -1054,7 +1054,7 @@
/* by default create checksum file under $PWD */
snprintf(csm_path, sizeof(csm_path), "./%s", PEFS_FILE_CHECKSUM);
- while ((i = getopt(argc, argv, "fa:i:k:p:")) != -1)
+ while ((i = getopt(argc, argv, "sa:i:k:d:")) != -1)
switch(i) {
case 'a':
for (j=0; j < PEFS_SUPPORTED_DIGESTS; j++)
@@ -1069,7 +1069,7 @@
goto out;
}
break;
- case 'f':
+ case 's':
flags|= PEFS_SETIMMUTABLE;
break;
case 'i':
@@ -1088,7 +1088,7 @@
goto out;
}
break;
- case 'p':
+ case 'd':
if (stat(optarg, &sb) != 0) {
warn("cannot stat file %s", optarg);
error = PEFS_ERR_INVALID;
@@ -1356,7 +1356,7 @@
" pefs randomchain [-fv] [-n min] [-N max] filesystem\n"
" pefs showchains [-fp] [-i iterations] [-k keyfile] filesystem\n"
" pefs showalgs\n"
-" pefs addchecksum [-f] [-a algo] [-i inputfile] [-k pkey_file] [-p checksumpath] filesystem\n"
+" pefs addchecksum [-s] [-a algo] [-i inputfile] [-k pkey_file] [-d dirpath] filesystem\n"
" pefs verify [-n/u] [-k pkey_file] [checksumpath filesystem]\n"
" pefs nameid [-u/-n] [filepath]"
);
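Review bot: the updated `addchecksum` usage line still says `[-a algo]` although the comment and pefs.8 were renamed to `alg` in this same commit; use one spelling. The two lines below it are also inconsistent with each other and with the man page: `[-n/u]` versus `[-u/-n]`, and `[checksumpath filesystem]` and `[filepath]` are bracketed as optional while the synopsis in pefs.8 lists them as required arguments.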