when there is no memory available to do so. Use the uvnode's strategy
routine to retrieve data from the device, rather than always using pread().
Add a buffer header flag that specifies external management of the buffer's
data area.
All of this in support of a new cleaner, which is not included in this commit.
New features:
- Add a veriexec_report() routine to make most reporting consistent and
remove some common code.
- Add 'strict' mode that controls how veriexec behaves.
- Add sysctl knobs:
  o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
  o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
    documentation in sysctl(3) for details.
  o kern.veriexec.algorithms returns a string with a space separated
    list of supported hashing algorithms in veriexec.
- Updated documentation in man pages for sysctl(3) and sysctl(8).
Bug fixes:
- veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
correctly.
- exec_script(): Don't pass 0 as flag when executing a script; use the
defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
enforcement work.
- Fix some printing formats and types.
netmask value of 0xffffffff (INADDR_NONE). Fix by using inet_aton(3).
Note it was possible to specify the same mask as the dotted quad
255.255.255.255 because of a later call to gethostbyname(3).
[From FreeBSD]
from the default CIDR (host/mask) interpretation. As discussed on
tech-net.
* Use errx() in place of fprintf() and exit(). Make the error message
formats consistent.
denote that a flag was readable/writeable, but that is achieved by passing
a 0 as the flags.
Thanks to uwe@ for finding this out and explaining to me why it was wrong.
Use -I${.CURDIR} instead of -I. to support placement of objects elsewhere.
Make sure arguments to ctype functions are unsigned char by changing the
type of one function argument.
Fix "local declaration shadows global" warnings by renaming variables.
Fix printing of size_t variable to use %zu format instead of %u.
* We now use hash tables instead of a list to store the in-kernel
fingerprints.
* Fingerprint methods handling has been made more flexible; it is now
even simpler to add new methods.
* the loader no longer passes in magic numbers representing the
fingerprint method so veriexecctl is no longer kernel specific.
* fingerprint methods can be tailored out using options in the kernel
config file.
* more fingerprint methods added - rmd160, sha256/384/512
* veriexecctl can now report the fingerprint methods supported by the
running kernel.
* regularised the naming of some portions of veriexec.