Commit Graph

204 Commits

Author SHA1 Message Date
elad 1c8d298b89 move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@. 2006-07-14 21:55:19 +00:00
elad b5d09ef065 okay, since there was no way to divide this to two commits, here it goes..
introduce fileassoc(9), a kernel interface for associating meta-data with
files using in-kernel memory. this is very similar to what we had in
veriexec till now, only abstracted so it can be used more easily by more
consumers.

this also prompted the redesign of the interface, making it work on vnodes
and mounts and not directly on devices and inodes. internally, we still
use file-id but that's gonna change soon... the interface will remain
consistent.

as a result, veriexec went under some heavy changes to conform to the new
interface. since we no longer use device numbers to identify file-systems,
the veriexec sysctl stuff changed too: kern.veriexec.count.dev_N is now
kern.veriexec.tableN.* where 'N' is NOT the device number but rather a
way to distinguish several mounts.

also worth noting is the plugging of unmount/delete operations
wrt/fileassoc and veriexec.

tons of input from yamt@, wrstuden@, martin@, and christos@.
2006-07-14 18:41:40 +00:00
liamjfoy 27f99986a6 bump date (.Dd) 2006-05-29 19:35:31 +00:00
liamjfoy 10f12d58af document Common Address Redundancy Protocol sysctls, aka CARP
ok joerg@
2006-05-29 19:11:16 +00:00
elad 04d63f90b5 Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

	http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

	http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
2006-05-16 00:08:24 +00:00
jnemeth 7b95c00460 Coverity CID 2784: Add more checks for value==NULL. 2006-03-30 08:02:40 +00:00
christos fbe98ede0f Coverity CID 2763: Add more checks for value==NULL. 2006-03-26 23:12:48 +00:00
christos 48ce3c5d75 Coverity CID 2764: Avoid null reference 2006-03-26 23:10:26 +00:00
christos 86bc6ef985 Coverity CID 786: Avoid NULL dereference. 2006-03-22 02:25:44 +00:00
christos 421a9c133c add the 3 opencrypto sysctls. 2006-03-06 00:51:48 +00:00
christos 238f1027f9 detect integer overflow differently. previous change broke negative sysctl
values.
2006-02-08 18:13:56 +00:00
christos 404831da9c PR/17441: John F. Woods: integer sysctl does not accept numbers > 0x7fffffff
Use unsigned int in the range comparison, and use strerror() instead of
home brewed error strings.
2006-02-05 22:42:55 +00:00
wiz e1a202b1cb Bump date for security.* 2006-02-04 18:37:58 +00:00
elad 81ed970f39 - make use of the recently added mode_bits for security.setid_core.mode;
- document setid_core variables.
2006-02-02 18:00:07 +00:00
elad 202872db03 add support for parsing file mode bits.
when printed, you'll see something like "0600 (rw-------)", like the
ls output. when reading input you can either specify octal mode (0600)
or chmod-like (u=rw).

ideas from atatat@ and kjk@; okay and lots of help from atatat@.
2006-02-02 16:23:25 +00:00
elad 48c362c085 add some more to kern. 2006-01-14 11:52:20 +00:00
elad 0fd32b39ab remove dup cnmagic. 2006-01-14 11:11:08 +00:00
elad 8ff7a54798 Sync and sort ddb, hw, kern, vm. 2006-01-14 10:33:11 +00:00
elad 3b0d736d23 oops - this should not have been commited. remove sugid_coredump line. 2006-01-13 21:10:34 +00:00
elad 6aa189f3fb grrr... another space -> tab... 2006-01-13 18:45:47 +00:00
elad 7ddc0d80bd space -> tab 2006-01-13 18:44:51 +00:00
elad 0e7647e2dd Sync net.{inet,inet6,key} 2006-01-13 18:37:06 +00:00
yamt a71fb9d9ab add vm.inactivepct. 2005-12-21 12:21:06 +00:00
yamt a83111c7d8 add vm.idlezero. noted by Hubert Feyrer. 2005-12-13 10:07:21 +00:00
yamt f00c1d8ace bump date for the previous. 2005-11-27 13:12:32 +00:00
yamt 0ae701e533 add ddb.commandonenter. 2005-11-27 13:12:03 +00:00
xtraeme eda099ea39 Mention "kern.bufq.strategies", bump date. 2005-10-15 23:05:45 +00:00
wiz 1638f02bd8 Add missing comma. 2005-10-06 11:17:38 +00:00
elad 8358410265 Document security level for sysctl and security.curtain.
Hi Hubert! :)
2005-10-03 22:22:10 +00:00
rpaulo 6f844bf524 Document kern.hardclock_ticks. Pointed out by Hubert. 2005-09-24 12:05:45 +00:00
wiz e904ea2e97 Drop trailing whitespace. 2005-09-23 19:58:28 +00:00
xtraeme b11450ab76 Mention vfs.sync.*, bump date. 2005-09-21 19:08:44 +00:00
rpaulo dcc35c7ff8 Handle net.inet.tcp.debug, net.inet.tcp.debx, net.ns.spp.debug and
net.ns.spp.debx. Bump man page date.
2005-09-06 03:22:58 +00:00
rpaulo a49638942e net.inet?.*.stats are viewable with netstat(1). 2005-08-28 16:18:04 +00:00
rpaulo 92c6f16501 Added net.bpf.peers and net.bpf.stats and bumped the date. 2005-08-04 20:10:24 +00:00
rpaulo 78d05017af Inform the user that net.bpf.stats and net.bpf.peers are viewable with
netstat(1).
2005-08-04 19:44:18 +00:00
christos 2c6eadc9ce Move WARNS=3 to the Makefile.inc, and add a little const to the remaining
programs that did not compile before.
2005-06-27 01:00:04 +00:00
christos 29a6465002 Add code to handle cp_id. From atatat. 2005-06-16 14:56:36 +00:00
wiz e45ea581c3 Bump date for previous. <> -> \*[Lt]\*[Gt]. 2005-05-24 16:00:11 +00:00
elad 6755bac719 Add man-page bits about the 'count' node. 2005-05-24 15:47:46 +00:00
elad cd0c4134f1 Remove common code for returning supported fingerprints. This is done now
via sysctl(8) using kern.veriexec.algorithms.

Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in
the last commit.
2005-05-20 19:52:52 +00:00
elad 5888b16eef Some changes in veriexec.
New features:

  - Add a veriexec_report() routine to make most reporting consistent and
    remove some common code.
  - Add 'strict' mode that controls how veriexec behaves.
  - Add sysctl knobs:
     o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
     o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
       documentation in sysctl(3) for details.
     o kern.veriexec.algorithms returns a string with a space separated
       list of supported hashing algorithms in veriexec.
  - Updated documentation in man pages for sysctl(3) and sysctl(8).

Bug fixes:

  - veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
    correctly.
  - exec_script(): Don't pass 0 as flag when executing a script; use the
    defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
    enforcement work.
  - Fix some printing formats and types..
2005-05-19 20:16:19 +00:00
christos ad6c31cee3 PPR/29909: Manuel Bouyer: sysctl dumps core if kern.consdev returns unknown
device.  If we cannot determine the device name of the console, print the
console dev_t in hex.
2005-04-06 21:13:03 +00:00
christos 7a221682eb make sysctl -n print the real console tty name and -nn print the numeric
value.
XXX: -n means don't print name, not numeric. We should stop overloading
it and use a different flag.
2005-03-28 04:03:13 +00:00
atatat 0f48b53686 If a "create" or "destroy" operation succeeds, mark the cached tree as
"stale" so that the next time we try to read or write to it, we can
purge (and refresh) it.

Addresses PR 29222.
2005-03-23 03:45:25 +00:00
atatat 160438234d Fix possible segmentation fault when retrieving descriptions. Thought
I committed this a while ago.  I guess the fact that no one filed a pr
meant no one else found it.  :)
2005-03-19 23:19:17 +00:00
atatat 64dd54edba Use regexes instead of static lists of annoying numbers to recognize
sysctl nodes that have "helpers".  This is more concise, imho more
easy to understand, and has the added bonus of making it *possible* to
assign helpers to dynamically numbered nodes.
2005-03-18 04:52:24 +00:00
atatat 6472d0c335 Make requestors of kern.file2 be referred to pstat (the same as
kern.file) and add EINVAL to the list of errno values which are
silently ignored when walking the tree.
2005-03-15 13:59:35 +00:00
christos 4eb7659c2c PR/28782: OBATA Akio: Document that kern.rtc_offset is writable. 2004-12-26 16:57:09 +00:00
atatat 2971543eb5 Pass dynamic buffer pointer to display_string(), not static buffer
pointer.  Causes...misfunction if the kernel says the buffer needs to
be too much larger.
2004-12-17 05:03:03 +00:00