Commit Graph

200 Commits

Author SHA1 Message Date
joerg
1c3412fa2f Use .In for header files instead of .Ar Pa and variations. 2010-03-22 19:30:53 +00:00
elad
6780ec6543 CTLFLAG_READONLY[12] are long gone. 2009-09-26 04:43:48 +00:00
alc
3831d4ed46 Bump date. 2009-07-22 22:54:15 +00:00
alc
2f42139c8e Constify the fourth argument of sysctlbyname(3) (ie. `newp', the pointer to
the new value).

This change syncs the sysctl(3) and sysctlbyname(3) prototypes.

No objection on <tech-userlevel>
2009-07-22 22:53:41 +00:00
christos
461a86f9bd merge christos-time_t 2009-01-11 02:45:45 +00:00
reed
a4bfac4a14 Reference secmodel_securelevel(9) manual page. 2008-11-11 00:09:36 +00:00
christos
6f1e299202 From Ilya Dogolazky: Fix return value doc. 2008-09-17 22:08:52 +00:00
wiz
5021afa87b Sort error descriptions. 2006-12-18 00:09:59 +00:00
pavel
edab74570a Move the description of sysctl MIBs from sysctl.3 to a new manual page
sysctl.7. Remove the list of MIBs from sysctl.8 so we don't have to
maintain duplicate information, as proposed by YAMAMOTO Takashi on
tech-userlevel. Also remove references to header files from sysctl.8.

The numeric constants remain documented; they are still needed in some
cases. See the discussion on tech-userlevel. ("mib list in sysctl.8")

OK by YAMAMOTO Takashi.
2006-12-04 08:59:13 +00:00
elad
174436830e Adapt to recent Veriexec sysctl(9) changes. 2006-11-27 17:55:12 +00:00
christos
df031f1edc PR/34837: Mindaguas: Add SysV SHM dynamic reallocation and locking to the
physical memory
2006-11-25 21:40:04 +00:00
elad
3dc874e6b2 Add note about Segvguard interface/implementation being experimental and
with the potential to change in future releases.
2006-11-23 17:24:36 +00:00
elad
a84fee7faf Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).
2006-11-22 02:02:51 +00:00
yamt
355bbc5cdf document tcp.abc. 2006-10-19 11:48:02 +00:00
wiz
22b0689a70 Bump date for previous. 2006-10-13 21:12:51 +00:00
rpaulo
f3330397f0 Modular (I tried ;-) TCP congestion control API. Whenever certain conditions
happen in the TCP stack, this interface calls the specified callback to
handle the situation according to the currently selected congestion
control algorithm.
A new sysctl node was created: net.inet.tcp.congctl.{available,selected}
with obvious meanings.
The old net.inet.tcp.newreno MIB was removed.
The API is discussed in tcp_congctl(9).

In the near future, it will be possible to select a congestion control
algorithm on a per-socket basis.

Discussed on tech-net and reviewed by <yamt>.
2006-10-09 16:27:07 +00:00
elad
e18b1bdd1d PR/27233: Arto Selonen: 'options BUFCACHE' vs. 'sysctl vm.bufcache'
documentation differs
2006-10-08 15:56:50 +00:00
elad
5c38108d28 Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.
2006-09-26 14:48:40 +00:00
wiz
9934420870 Only mark up one word, not the whole sentence. 2006-09-06 18:59:21 +00:00
liamjfoy
ecc29b2222 document net.inet.ip.maxflows. bump date. 2006-09-06 18:56:21 +00:00
rpaulo
2fb2ae3251 Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.
2006-09-05 00:29:35 +00:00
liamjfoy
36661dd3cb Update for carp(4). Bump date.
from openbsd
2006-09-04 23:16:22 +00:00
christos
ce0ef6cfc4 Pretending to be Elad's keyboard:
fileassoc.diff adds a fileassoc_table_run() routine that allows you to
pass a callback to be called with every entry on a given mount.

veriexec.diff adds some raw device access policies: if raw disk is
opened at strict level 1, all fingerprints on this disk will be
invalidated as a safety measure. level 2 will not allow opening disk
for raw writing if we monitor it, and prevent raw writes to memory.
level 3 will not allow opening any disk for raw writing.

both update all relevant documentation.

veriexec concept is okay blymn@.
2006-08-11 19:17:47 +00:00
wiz
ac9fed958d Remove superfluous word, add comma to make it easier to parse. 2006-07-24 21:48:13 +00:00
elad
5e3617ba81 blymn made ips mode prevent execution of non-monitored files; document
that.
2006-07-24 21:44:52 +00:00
elad
51f96c232c ugh.. forgot to document no removal in ids mode. 2006-07-24 21:43:46 +00:00
elad
a5307a7c24 "verified exec" -> "veriexec" + some minor tweaks. 2006-07-22 10:47:53 +00:00
wiz
6dd1c5d067 Punctuation nits. 2006-07-14 22:04:42 +00:00
elad
1c8d298b89 move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@. 2006-07-14 21:55:19 +00:00
elad
b5d09ef065 okay, since there was no way to divide this to two commits, here it goes..
introduce fileassoc(9), a kernel interface for associating meta-data with
files using in-kernel memory. this is very similar to what we had in
veriexec till now, only abstracted so it can be used more easily by more
consumers.

this also prompted the redesign of the interface, making it work on vnodes
and mounts and not directly on devices and inodes. internally, we still
use file-id but that's gonna change soon... the interface will remain
consistent.

as a result, veriexec went under some heavy changes to conform to the new
interface. since we no longer use device numbers to identify file-systems,
the veriexec sysctl stuff changed too: kern.veriexec.count.dev_N is now
kern.veriexec.tableN.* where 'N' is NOT the device number but rather a
way to distinguish several mounts.

also worth noting is the plugging of unmount/delete operations
wrt/fileassoc and veriexec.

tons of input from yamt@, wrstuden@, martin@, and christos@.
2006-07-14 18:41:40 +00:00
elad
04d63f90b5 Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

	http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

	http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
2006-05-16 00:08:24 +00:00
wiz
7cde219c2b Bump date for previous, uppercase I/O, serial comma, remove trailing space. 2006-04-26 20:41:30 +00:00
blymn
434398553a Change DISKSTATS to IOSTATS, document new i/o stats sysctl. 2006-04-25 11:56:25 +00:00
wiz
db6c428e48 Bump date for previous. 2006-02-24 22:05:09 +00:00
drochner
39222faf50 complete constification of the sysctl() user side 2006-02-24 19:33:09 +00:00
elad
e25c3ef7af document knobs for security.setid_core.
while i'm here... catch up with reality: no more SECURITY_CURTAIN;
now we have security.curtain. (no constant)
2006-02-02 19:56:32 +00:00
wiz
3b03818912 Replace statfs(2) with statvfs(2). 2006-01-14 15:40:49 +00:00
elad
ef8e209a99 sync & sort kern. 2006-01-14 15:36:38 +00:00
elad
aa14ddaccd sort vm. 2006-01-14 11:18:45 +00:00
elad
455a40402f sync & sort hw. 2006-01-14 11:14:00 +00:00
elad
742866cafe Sync net.{inet,inet6}. 2006-01-13 21:09:55 +00:00
wiz
db45f13c8a Bump date for previous. Remove trailing whitespace. 2005-12-01 18:08:10 +00:00
elad
310e19f394 Change the entry from "foobar" to "not applicable" in the "Changeable"
field of kern.veriexec.count.. no idea how that went unnoticed. :)
2005-12-01 14:45:31 +00:00
simonb
9e2441db78 Add a full-stop to the end of a sentence. 2005-10-06 13:45:12 +00:00
wiz
77a08e3909 Fix typo. Add some commas. Improve markup. 2005-10-06 11:17:11 +00:00
elad
8358410265 Document security level for sysctl and security.curtain.
Hi Hubert! :)
2005-10-03 22:22:10 +00:00
rpaulo
6f844bf524 Document kern.hardclock_ticks. Pointed out by Hubert. 2005-09-24 12:05:45 +00:00
isaki
e70e55fa02 Correct a typo. 2005-07-17 05:06:57 +00:00
elad
0e4dfe1792 - Use more calls to veriexec_report() where possible.
- Change #ifdef VERIFIED_EXEC_VERBOSE to another verbose level, 2. Add
  sysctl(3) bits.

- Simplify access type conflict handling during load. This depends on
  the values of access type defines to be ordered from least to most
  'strict'.
2005-06-20 15:06:18 +00:00
wiz
f076596bae New sentence, new line. 2005-06-17 18:19:39 +00:00