Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.
- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.
- Fix memory leak in rename handling when overwriting a monitored
file.
- Fix table deletion logic.
- Don't prevent query requests if not in learning mode.
KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.
- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.
- veriexec_report() was removed, it is now internal.
- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.
- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.
New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.
- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:
# veriexecctl dump > /etc/signatures
Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.
Idea from Brett Lymn.
- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:
# veriexecctl flush
- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.
- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.
Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.
- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.
- Some of the messages Veriexec prints were improved.
- Various documentation fixes.
All relevant man-pages were updated to reflect the above changes.
Binary compatibility with existing veriexecctl binaries is maintained.
This should avoid occasional problems with syncing or unmounting
filesystems on machines which use the automounter. Tested
successfully under NetBSD-i386 3.1_STABLE and 4.0_BETA2.
by killing the parent process. The parent's PID is saved in $RC_PID.
* In all rc.d/* scripts that previously tried to stop the boot,
replace in-line code with "stop_boot".
* Document this.
This should fix PR 29822.
examples in the wscons.conf). Now, you have to specify wscons
control device and put variable name and parameter on separate
fields.
NB: changes ARE NOT backward compatible and config file must be
checked (but default config doesn't utilizing setvar).
can't find the el-torito boot image with the old syntax. This can be
fixed by removed the leading "i386/" from the -b argument, but then
the mkisofs from the current cdrtools-2.01 package won't find the boot image.
Change the graf-point specifications so that a trailing / terminates
the grafted directories. This way both versions of mkisofs can find the
boot loader.
instead of one by one using mknod. This is much faster (speed
increases of up to 20 times have been observed, but 3 to 5 times is
more common).
* One "-M" flag will create the mfs file system but not redirect output
to a temporary console; "-M -M" will also redirect output.
* Change the way we accumulate options to pass to MAKEDEV.local.
so that it can be loaded by the machine's firmware. Put the resulting
image inside the 'installation/instkernel' release subdirectory, as the
installation instructions explain.
Fixes port-shark/35563.
Since I managed to commit my alternate scheme for zeropad, delete
the commented out lines and replace the only other use.
I've not deleted the function itself though.
relies on mkisofs to create bootable ISO image. macppc should also be there,
but it seems the code to make an iso bootable never got added in etc.macppc/
GENERIC kernels. If ACPI is an issue on your hardware, 'boot -c' and
'disable acpi' should be a workaround. ACPI-enabled kernels works fine
on pre-acpi hardware.
for amd64:
- add ACPI to INSTALL and GENERIC, remove the *_ACPI config files.
- get rid of the bootfloppy-big.fs boot image, and got to a 3-floppy boot
image
for i386:
- introduce INSTALL_LARGE which has ACPI and some devices with big firmware
- move some devices from INSTALL to INSTALL_LARGE
- Boot floppies still use INSTALL, and bootfloppy-big.fs is still there
(for thoses who want to build el-torito floppy emulation boot CD) and use
INSTALL.
For both, drop the 'iso-image' code in etc/ to make the iso bootable, we'll
use something else to build bootable CDs.
human procedures) breaking because they assume it's enough to copy
MAKEDEV fom one place to another.
Let MAKEDEV return after defining shell functions but before doing any
real work, if MAKEDEV_AS_LIBRARY is set.
Let MAKEDEV.local load MAKEDEV as a function library via
"MAKEDEV_AS_LIBRARY=1 . MAKEDEV".
filesystem and then populate it.
Determine the actual number of inodes that will be needed and add 10%.
Use "mount_mfs -o union" to save us having to copy MADEDEV (in case
anyone wishes to see it.
tsutsui