My understanding is that Veriexec isn't enabled by default - the manpage says only that "[s]ome kernels already enable Veriexec by default." If you have this enabled, how do you upgrade binaries? The manpage says that in strict mode 1, write access to monitored binaries is allowed but then access is denied. So I assume that after file modification, root then runs veriexecgen and veriexecctl load as mentioned in the manual to update the signatures list. So it seems that strict level 1 isn't functionally different from a read-only /usr or even just root-owned binaries. In either case, you just need root to update targeted binaries. Surely I'm missing something and would appreciate some insight.
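To make the "regenerate the fingerprints after an upgrade" step concrete, here is an added example (my own, not from the thread, the NetBSD manpages, or veriexecgen itself) that writes and checks a fingerprint list in the one-entry-per-line text layout that veriexec(5) documents ("path algorithm fingerprint flags"). It assumes sha256sum or openssl is on the host, so it runs on any POSIX system, and it stands in for the two halves of the workflow: building the list the way veriexecgen(8) would, and the mismatch check that the kernel performs on access. The NetBSD commands in the comments are the real ones; the shell functions are the illustration.

```shell
#!/bin/sh
# Added example: mimic the veriexec(5) fingerprint list and the access-time
# check, so the "root must regenerate signatures after modifying a binary"
# point can be seen on any POSIX system.
#
# On a real NetBSD box the equivalent steps (from the manpages) are:
#   veriexecgen -o /etc/signatures     # regenerate fingerprints as root
#   veriexecctl load /etc/signatures   # (re)load them into the kernel
# Those are deliberately not run here.

# Hash one file with SHA256 using whichever tool exists.
# Assumption: sha256sum (GNU/Linux) or openssl is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# gen_signatures OUTFILE FILE...
# Writes one "path SHA256 fingerprint DIRECT" line per file, the same
# shape veriexecgen(8) emits for directly executed binaries.
gen_signatures() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        printf '%s SHA256 %s DIRECT\n' "$f" "$(sha256_of "$f")" >> "$out"
    done
}

# check_signature DBFILE FILE
# Exit status: 0 = fingerprint matches, 1 = file was modified since the
# list was generated, 2 = file is not in the list at all.
check_signature() {
    db=$1
    f=$2
    expected=$(awk -v p="$f" '$1 == p && $2 == "SHA256" {print $3; exit}' "$db")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$f")" = "$expected" ] || return 1
    return 0
}
```

Run `gen_signatures sigs /path/to/bin1 /path/to/bin2`, then `check_signature sigs /path/to/bin1`; edit the binary and the check returns 1 until the list is regenerated, which is exactly the "modify, then run veriexecgen and veriexecctl load as root" loop the post describes. What the script cannot show is the part the strict levels add on top: with the kernel enforcing, the regenerate-and-reload step itself is what a higher strict level refuses to let root do without a reboot.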
At a glance as an outsider, stricter modes appear somewhat functionally similar to "chflags schg" on BSD systems, where more work is needed to get around restrictions. In the case of schg, you have to reboot into single user mode, remove the schg flag, then modify the binary, and continue booting into multi-user mode. You could do this as a remote attacker (as in not having console access) depending on what boot files are or aren't protected with schg, but modifying all the necessary files can be a source of new problems.
I'm not familiar enough to know if this is particularly well adopted with NetBSD, but the obvious way to do it that I could see is A/B roots, where the active system can only update the inactive root.
I suspect the actual most likely case is that it's meant for appliances where the running system doesn't update itself, and updates are accomplished via actions like "go physically replace the SD card with the new one".
> In either case, you just need root to update targeted binaries.
My understanding is that the difference is you would need to boot with a kernel with veriexec disabled to replace binaries and regenerate hashes. Root alone isn't sufficient, and you can't disable veriexec as root in strict mode.
I assume but don't know for sure that this refers to Veriexec in NetBSD, and I'm not sure what in HardenedBSD. Anyone know?
https://man.netbsd.org/veriexec.8