Veriexec is a file-signing scheme for the NetBSD operating system.
It introduces a special device node (/dev/veriexec) through which a
signature list can be loaded into the
kernel. The list contains
file paths, together with
hashes and an expected file type ("DIRECT" for executables, "INDIRECT" for scripts and "FILE" for
shared libraries and regular files). The kernel then verifies the contents of the signed files against their hashes just before they are opened in an exec()
or open()
system call.
When Veriexec is enabled at level 0, the kernel will simply warn about signature mismatches. At level 1, it will prevent access to mismatched files. At level 2, it prevents signed files from being overwritten or deleted. At the highest, level 3, the kernel will not allow unsigned files to be accessed at all.