Designate a file or filesystem as trusted, or see if it is
Syntax:
Mark a file or filesystem as trusted:
pathtrust [!]file... [lockdown]
Test to see if a file is trusted:
pathtrust [-q] -t file...
Options:
- -q
  Be quiet; use only the return code to indicate whether or not the file is trusted.
- -t
  Test to see if the file is trusted.
  If you haven't also specified the -q option, pathtrust reports the results on standard output.
- [!]file
  The item to test or mark as trusted.
  If you're marking an item (i.e., you haven't specified the -t option):
  - If you specify a leading exclamation mark, the given file is designated as trusted.
  - If you don't specify the exclamation mark, the underlying filesystem is designated as trusted.
- lockdown
  Prevent any other files or filesystems from being marked as trusted.
  To unlock this, reboot your system.
  If you want to mark or test a file that's called lockdown, specify it as a path (e.g., ./lockdown).
Description:
The pathtrust utility sends messages to procnto to mark the given files and filesystems as trusted.
If you don't mark any files or filesystems as trusted, all are trusted.
If a process with any privileged abilities enabled
attempts to mark a region of memory as PROT_EXEC,
any memory-mapped files in the region must be trusted or be from a trusted filesystem.
For more information about abilities, see procmgr_ability() in the QNX Neutrino C Library Reference.
Note:
The trusted designations—like the effects of the lockdown command—disappear
when you reboot your system.
To make the designations persist, run pathtrust from a boot script,
a universal profile, or a similar startup mechanism.
Exit status:
- 0
  Successful completion; the file or filesystem is trusted.
- 1
  The file or filesystem isn't trusted.
- 2
  An error occurred.
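
The boot-script use mentioned in the note, combined with the exit statuses above, as an added example that is not part of the QNX documentation. The function names trust_and_lock and audit_trust and the sample paths in the comments are assumptions; lockdown is passed in the same invocation as the items, as in the syntax line.

```sh
#!/bin/sh
# Added example (not QNX's own code). Paths supplied by the caller are
# site-specific assumptions.

# Mark items as trusted and lock the list in one invocation, following
# the documented syntax: pathtrust [!]file... [lockdown]
# Pass a filesystem as a plain path, a single file as '!/path' (quoted).
trust_and_lock() {
    [ "$#" -gt 0 ] || { echo "trust_and_lock: no items given" >&2; return 2; }
    pathtrust "$@" lockdown
}

# Test each file with "pathtrust -q -t" and map the documented exit
# statuses: 0 = trusted, 1 = not trusted, 2 = error.
# Returns the worst status seen, so a boot script can fail closed.
audit_trust() {
    worst=0
    for f in "$@"; do
        # A bare name such as "lockdown" must be given as a path.
        case $f in
            */*) ;;
            *) f=./$f ;;
        esac
        rc=0
        pathtrust -q -t "$f" || rc=$?
        case $rc in
            0) ;;
            1) echo "UNTRUSTED: $f" >&2
               if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            *) echo "ERROR testing: $f" >&2
               worst=2 ;;
        esac
    done
    return "$worst"
}

# Typical boot-script use (sample paths are assumptions):
#   trust_and_lock /proc/boot '!/data/bin/updater' || exit 1
#   audit_trust /proc/boot/procnto /data/bin/updater || exit 1
```

Because lockdown can only be undone by a reboot, run the audit right after it in the same script so that a missing designation is reported during startup.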