NetBSD/sys/conf/std

60 lines
1.7 KiB
Plaintext
Raw Normal View History

2019-01-27 05:08:33 +03:00
# $NetBSD: std,v 1.23 2019/01/27 02:08:41 pgoyette Exp $
#
# standard MI 'options'
#
# this file is for options which can't be off-by-default for some reasons.
# "it's commonly used" is NOT a good reason to enable options here.
2005-09-17 18:39:11 +04:00
#
# Always include "kern" attribute (module). Other attributes don't need to
# depend on "kern".
#
select kern
# Always include the "vfs" attribute (module). Although all of the
# ufs/xxx file systems depend on the vfs attribute, it is not required
# that any file system actually be built-in to the kernel. (At least
# on some architectures, file system modules can be loaded at boot
# time.)
select vfs
select net # XXX Clean up dependency
2005-09-17 18:39:11 +04:00
# the following options are on-by-default to keep
# kernel config file compatibility.
options VMSWAP # Swap device/file support
options BUFQ_FCFS # First-come First-serve strategy
options BUFQ_DISKSORT # Traditional min seek sort strategy
options RFC2292 # Previous version of Adv. Sockets API for IPv6
options PTRACE # Include ptrace(2) syscall
options PTRACE_HOOKS # Include ptrace hooks
options COREDUMP # allow processes to coredump.
options AIO # POSIX asynchronous I/O
options MQUEUE # POSIX message queues
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
2019-01-27 05:08:33 +03:00
# Common compatibility functions. They happen to be needed even when
# no compatibility option is explicitly enabled.
#
options COMPAT_UTILS
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
#
# Security model.
#
2009-08-10 15:46:42 +04:00
options secmodel_bsd44 # Traditional 4.4BSD security model
#
# Scheduling algorithm
#
options SCHED_4BSD
pseudo-device cpuctl
#
# Kernel entropy pool and random-number generator pseudodevice.
# The pseudodevice might stop being "std" when the two are torn
# apart some day but the entropy pool itself never will (they are
# presently implemented in the same source file)
#
pseudo-device rnd