This may be done either by embedding newlines in the value,
or by using semicolons to represent line breaks (but not both at once).
* Allow shell quoting inside $ifconfig_xxN variables or /etc/ifconfig.xxN
files. This allows something like ifconfig_wi0="ssid 'my network'; dhcp"
MAKEVERBOSE MKATF MKGCCCMDS MKINET6 MKISCSI MKLDAP MKNVI
MKPCC MKPCCCMDS MKPIE MKPUFFS MKSTATICLIB MKX11 MKXORG
USE_HESIOD USE_INET6 USE_JEMALLOC USE_KERBEROS USE_LDAP
USE_PAM USE_SKEY USE_SSP USE_YP
Part of PR 29233
We really need one place to document this stuff, or at least the
canonical "installed" reference. Currently we have:
src/share/mk/bsd.README
src/doc/BUILDING.mdoc (for src/BUILDING)
src/share/man/man5/mk.conf.5 (for mk.conf(5))
into the kernel. Based on a patch by jmcneill@, with many fixes and
improvements by me.
- Put MEMORY_DISK_DYNAMIC and MODULAR into the GENERIC kernels, so that
you can load miniroot.kmod from the boot blocks and boot into the
installer!
btuartd(8) should be named btattach(8) for consistency
with other parts of NetBSD
make btattach(8) a single-use tool for less complexity
device specific initialisation (from btuart(4)) is carried
out prior to activating the line discipline (in btattach(8)),
which simplifies the API somewhat and means that the user
tool and the kernel do not need to be kept in sync.
btuart(4) driver is much reduced; naming is made consistent
and all tsleep() and delay() are removed to userland
/etc/mtree/special not just add new entries.
Explain that check_mtree_follow_symlinks will give reports of links not
being links (notably /etc/localtime)
- Document the signatures file format in a veriexec(5) man-page,
- Document the strict levels and a general Veriexec intro in veriexec(8)
instead of security(8).
Okay blymn@.
will be extended to other appropriate ports in future. Note as such in the
bugs section.
This is an MI man page, so should not be flagged as i386 in the header.
This allows easy configuration of banner text, console device and timeout
as well as allowing menus of commands to be displayed. If /boot.cfg
is not present, then the existing behaviour does not change.
The sections in the boot loader source are surrounded by #ifdef SMALL
allowing this functionality to be removed if space is at a premium.
Thank you, wiz, for the few mandoc suggestions.
I slightly reworded part of the description and removed the
advertising clause from the version I posted to tech-userlevel.
Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.
- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.
- Fix memory leak in rename handling when overwriting a monitored
file.
- Fix table deletion logic.
- Don't prevent query requests if not in learning mode.
KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.
- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.
- veriexec_report() was removed, it is now internal.
- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.
- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.
New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.
- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:
# veriexecctl dump > /etc/signatures
Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.
Idea from Brett Lymn.
- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:
# veriexecctl flush
- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generated from running 'veriexecgen' with no arguments), this will
use an additional 32kb of kernel memory on average.
- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.
Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.
- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.
- Some of the messages Veriexec prints were improved.
- Various documentation fixes.
All relevant man-pages were updated to reflect the above changes.
Binary compatibility with existing veriexecctl binaries is maintained.