Source-Changes-HG archive
[src/netbsd-3]: src/sys/dev Pull up revision 1.15 (requested by elad in ticke...
details: https://anonhg.NetBSD.org/src/rev/7a9b485a8067
branches: netbsd-3
changeset: 576372:7a9b485a8067
user: tron <tron%NetBSD.org@localhost>
date: Sat Jul 02 15:51:20 2005 +0000
description:
Pull up revision 1.15 (requested by elad in ticket #487):
More veriexec changes:
- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
    resulted in 'access denied' or similar in a higher strict level.
  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.
  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.
  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.
- Update sysctl(3) man-page with above. (date bumped too :)
- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
  longer needed.
- Simplify veriexec_removechk() in light of new strict level policies.
- Eliminate use of 'securelevel'; veriexec now behaves according to
  its strict level only.
diffstat:
sys/dev/verified_exec.c | 15 ++++++---------
1 files changed, 6 insertions(+), 9 deletions(-)
diffs (37 lines):
diff -r c05847ae4a5f -r 7a9b485a8067 sys/dev/verified_exec.c
--- a/sys/dev/verified_exec.c Sat Jul 02 15:51:13 2005 +0000
+++ b/sys/dev/verified_exec.c Sat Jul 02 15:51:20 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: verified_exec.c,v 1.5.2.8 2005/07/02 15:50:08 tron Exp $ */
+/* $NetBSD: verified_exec.c,v 1.5.2.9 2005/07/02 15:51:20 tron Exp $ */
/*-
* Copyright 2005 Elad Efrat <elad%bsd.org.il@localhost>
@@ -31,9 +31,9 @@
#include <sys/cdefs.h>
#if defined(__NetBSD__)
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.5.2.8 2005/07/02 15:50:08 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.5.2.9 2005/07/02 15:51:20 tron Exp $");
#else
-__RCSID("$Id: verified_exec.c,v 1.5.2.8 2005/07/02 15:50:08 tron Exp $\n$NetBSD: verified_exec.c,v 1.5.2.8 2005/07/02 15:50:08 tron Exp $");
+__RCSID("$Id: verified_exec.c,v 1.5.2.9 2005/07/02 15:51:20 tron Exp $\n$NetBSD: verified_exec.c,v 1.5.2.9 2005/07/02 15:51:20 tron Exp $");
#endif
#include <sys/param.h>
@@ -158,12 +158,9 @@
int error = 0;
u_long hashmask;
- /*
- * Don't allow updates in multi-user mode.
- */
- if ((securelevel > 0) || (veriexec_strict > 0)) {
- printf("Veriexec: veriexecioctl: Securelevel or strict "
- "mode, modifying veriexec tables is not permitted.\n");
+ if (veriexec_strict > 0) {
+ printf("Veriexec: veriexecioctl: Strict mode, modifying "
+ "veriexec tables is not permitted.\n");
return (EPERM);
}
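Review bot: with the check reduced to `if (veriexec_strict > 0)`, a table modification at strict level 0 now goes through with no output at all, yet the description above says learning mode should warn about anything that a higher strict level would deny; consider adding a printf on the fall-through path (veriexec_strict == 0) noting that the veriexec table update would be refused at strict level 1 and above, so learning mode leaves the audit trail the policy promises. Dropping the old `Don't allow updates in multi-user mode.` comment is right now that securelevel is gone, but a one-line comment stating the strict-level rule in its place would keep the intent of the check visible.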