Commit Graph

117 Commits

Author SHA1 Message Date
elad
5c38108d28 Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.
2006-09-26 14:48:40 +00:00
rpaulo
2fb2ae3251 Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.
2006-09-05 00:29:35 +00:00
liamjfoy
2e60755ac8 add net.inet.ip.maxflows. Bump date. 2006-09-04 23:40:18 +00:00
wiz
4a3dddea24 Bump date for previous. 2006-08-08 22:11:42 +00:00
kardel
64e74c80df document timecounter sysctls 2006-08-08 19:47:44 +00:00
elad
1c8d298b89 move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@. 2006-07-14 21:55:19 +00:00
elad
b5d09ef065 okay, since there was no way to divide this to two commits, here it goes..
introduce fileassoc(9), a kernel interface for associating meta-data with
files using in-kernel memory. this is very similar to what we had in
veriexec till now, only abstracted so it can be used more easily by more
consumers.

this also prompted the redesign of the interface, making it work on vnodes
and mounts and not directly on devices and inodes. internally, we still
use file-id but that's gonna change soon... the interface will remain
consistent.

as a result, veriexec went under some heavy changes to conform to the new
interface. since we no longer use device numbers to identify file-systems,
the veriexec sysctl stuff changed too: kern.veriexec.count.dev_N is now
kern.veriexec.tableN.* where 'N' is NOT the device number but rather a
way to distinguish several mounts.

also worth noting is the plugging of unmount/delete operations
wrt/fileassoc and veriexec.

tons of input from yamt@, wrstuden@, martin@, and christos@.
2006-07-14 18:41:40 +00:00
liamjfoy
27f99986a6 bump date (.Dd) 2006-05-29 19:35:31 +00:00
liamjfoy
10f12d58af document Common Address Redundancy Protocol sysctls, aka CARP
ok joerg@
2006-05-29 19:11:16 +00:00
elad
04d63f90b5 Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

	http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

	http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
2006-05-16 00:08:24 +00:00
christos
421a9c133c add the 3 opencrypto sysctls. 2006-03-06 00:51:48 +00:00
wiz
e1a202b1cb Bump date for security.* 2006-02-04 18:37:58 +00:00
elad
81ed970f39 - make use of the recently added mode_bits for security.setid_core.mode;
- document setid_core variables.
2006-02-02 18:00:07 +00:00
elad
48c362c085 add some more to kern. 2006-01-14 11:52:20 +00:00
elad
0fd32b39ab remove dup cnmagic. 2006-01-14 11:11:08 +00:00
elad
8ff7a54798 Sync and sort ddb, hw, kern, vm. 2006-01-14 10:33:11 +00:00
elad
3b0d736d23 oops - this should not have been committed. remove sugid_coredump line. 2006-01-13 21:10:34 +00:00
elad
6aa189f3fb grrr... another space -> tab... 2006-01-13 18:45:47 +00:00
elad
7ddc0d80bd space -> tab 2006-01-13 18:44:51 +00:00
elad
0e7647e2dd Sync net.{inet,inet6,key} 2006-01-13 18:37:06 +00:00
yamt
a71fb9d9ab add vm.inactivepct. 2005-12-21 12:21:06 +00:00
yamt
a83111c7d8 add vm.idlezero. noted by Hubert Feyrer. 2005-12-13 10:07:21 +00:00
yamt
f00c1d8ace bump date for the previous. 2005-11-27 13:12:32 +00:00
yamt
0ae701e533 add ddb.commandonenter. 2005-11-27 13:12:03 +00:00
xtraeme
eda099ea39 Mention "kern.bufq.strategies", bump date. 2005-10-15 23:05:45 +00:00
wiz
1638f02bd8 Add missing comma. 2005-10-06 11:17:38 +00:00
elad
8358410265 Document security level for sysctl and security.curtain.
Hi Hubert! :)
2005-10-03 22:22:10 +00:00
rpaulo
6f844bf524 Document kern.hardclock_ticks. Pointed out by Hubert. 2005-09-24 12:05:45 +00:00
wiz
e904ea2e97 Drop trailing whitespace. 2005-09-23 19:58:28 +00:00
xtraeme
b11450ab76 Mention vfs.sync.*, bump date. 2005-09-21 19:08:44 +00:00
rpaulo
dcc35c7ff8 Handle net.inet.tcp.debug, net.inet.tcp.debx, net.ns.spp.debug and
net.ns.spp.debx. Bump man page date.
2005-09-06 03:22:58 +00:00
rpaulo
92c6f16501 Added net.bpf.peers and net.bpf.stats and bumped the date. 2005-08-04 20:10:24 +00:00
wiz
e45ea581c3 Bump date for previous. <> -> \*[Lt]\*[Gt]. 2005-05-24 16:00:11 +00:00
elad
6755bac719 Add man-page bits about the 'count' node. 2005-05-24 15:47:46 +00:00
elad
cd0c4134f1 Remove common code for returning supported fingerprints. This is done now
via sysctl(8) using kern.veriexec.algorithms.

Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in
the last commit.
2005-05-20 19:52:52 +00:00
elad
5888b16eef Some changes in veriexec.
New features:

  - Add a veriexec_report() routine to make most reporting consistent and
    remove some common code.
  - Add 'strict' mode that controls how veriexec behaves.
  - Add sysctl knobs:
     o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
     o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
       documentation in sysctl(3) for details.
     o kern.veriexec.algorithms returns a string with a space separated
       list of supported hashing algorithms in veriexec.
  - Updated documentation in man pages for sysctl(3) and sysctl(8).

Bug fixes:

  - veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
    correctly.
  - exec_script(): Don't pass 0 as flag when executing a script; use the
    defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
    enforcement work.
  - Fix some printing formats and types..
2005-05-19 20:16:19 +00:00
christos
4eb7659c2c PR/28782: OBATA Akio: Document that kern.rtc_offset is writable. 2004-12-26 16:57:09 +00:00
jdolecek
a9ebca7170 add vfs.cd9660.utf8_joliet, and couple other vfs.* entries while here
bump date and add TNF copyright
2004-11-21 22:18:10 +00:00
daniel
84a34aedec Add vm.bufcache, vm.bufmem, vm.bufmem_lowater, m.bufmem_hiwater (PR misc/27247, misc/27233). 2004-10-15 08:47:16 +00:00
wiz
484705032c Bump date for removal of net.key.random_int. 2004-08-27 14:35:11 +00:00
itojun
8ba8c58e74 remove net.key.random_int 2004-08-27 04:58:10 +00:00
snj
7c289c6773 Bump date for last. 2004-04-28 20:28:39 +00:00
ragge
e79327fe4a Note net.inet.arp.* entries. 2004-04-28 14:15:10 +00:00
wiz
bb06082698 Remove duplicate and superfluous words. 2004-03-24 23:49:13 +00:00
snj
463ea56ee8 Bump date for last. 2004-03-24 19:11:06 +00:00
atatat
4723bb21ba Bring sysctl man pages up to date (wrt new query interface, the
versioning, and descriptions).
2004-03-24 18:22:30 +00:00
wiz
5b067ce441 Bump date for previous. 2004-01-22 07:31:53 +00:00
jonathan
7fde685464 Document net.bpf.maxbufsize in sysctl(8).
NB: bpf isn't a PF_, so where to list it in sysctl(3)?
2004-01-22 03:50:18 +00:00
atatat
bc0bdd10f7 Used to say "type=", but now says "size=" since that's what it's
supposed to say.
2004-01-08 03:44:48 +00:00
wiz
a96b21c57d Simplify Oo/Oc to Op, since it has only one simple short argument. 2003-12-31 01:21:49 +00:00