From 97d75abb70a730a75afe7f475c017d0b99da85bf Mon Sep 17 00:00:00 2001
From: elad <elad@NetBSD.org>
Date: Fri, 17 Jun 2005 22:39:08 +0000
Subject: [PATCH] Oops. Don't allow file delete even if it's not monitored if
 we're in lockdown mode (strict level 3).

---
 sys/kern/kern_verifiedexec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_verifiedexec.c b/sys/kern/kern_verifiedexec.c
index 02daa88648a7..606a938c5332 100644
--- a/sys/kern/kern_verifiedexec.c
+++ b/sys/kern/kern_verifiedexec.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $	*/
+/*	$NetBSD: kern_verifiedexec.c,v 1.27 2005/06/17 22:39:08 elad Exp $	*/
 
 /*-
  * Copyright 2005 Elad Efrat <elad@bsd.org.il>
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.26 2005/06/17 17:46:18 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_verifiedexec.c,v 1.27 2005/06/17 22:39:08 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/mount.h>
@@ -467,8 +467,13 @@ veriexec_removechk(struct proc *p, struct vnode *vp, const char *pathbuf)
 		return (error);
 
 	vhe = veriexec_lookup(va.va_fsid, va.va_fileid);
-	if (vhe == NULL)
+	if (vhe == NULL) {
+		/* Lockdown mode: Deny access to non-monitored files. */
+		if (veriexec_strict >= 3)
+			return (EPERM);
+
 		return (0);
+	}
 
 	veriexec_report("Remove request.", pathbuf, &va, p,
 			REPORT_NOVERBOSE, REPORT_ALARM, REPORT_NOPANIC);