Subject: CVS commit: [netbsd-3] src/sys/dev
To: None <source-changes@NetBSD.org>
From: Matthias Scheler <tron@netbsd.org>
List: source-changes
Date: 07/02/2005 15:51:20
Module Name: src
Committed By: tron
Date: Sat Jul 2 15:51:20 UTC 2005
Modified Files:
src/sys/dev [netbsd-3]: verified_exec.c
Log Message:
Pull up revision 1.15 (requested by elad in ticket #487):
More veriexec changes:
- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
    resulted in 'access denied' or similar in a higher strict level.
  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.
  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.
  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.
- Update sysctl(3) man-page with above. (date bumped too :)
- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
  longer needed.
- Simplify veriexec_removechk() in light of new strict level policies.
- Eliminate use of 'securelevel'; veriexec now behaves according to
  its strict level only.
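The four strict levels above are cumulative: each level denies everything the level below it denies, and level 0 only warns about what a higher level would deny. The following C model, written for this page and not taken from src/sys/dev/verified_exec.c, encodes that policy as a single decision function so the per-level behaviour can be checked. The event names (EV_*), the verdict enum and veriexec_decide() are assumptions of this example; the only things taken from the commit message are the level numbers and what each level denies.

```c
#include <stdio.h>

/* Strict levels as listed in the commit message. */
enum strict_level {
    STRICT_LEARNING = 0,  /* warn only */
    STRICT_IDS      = 1,  /* detect: deny on mismatch, protect tables */
    STRICT_IPS      = 2,  /* prevent: also protect monitored files */
    STRICT_LOCKDOWN = 3   /* also block new files and unmonitored access */
};

/* Events the model decides on (hypothetical names for this example). */
enum ve_event {
    EV_EXEC_FP_MISMATCH,      /* monitored file run, fingerprint mismatch */
    EV_TABLE_MODIFY,          /* attempt to modify the veriexec tables */
    EV_WRITE_MONITORED,       /* write access to a monitored file */
    EV_REMOVE_MONITORED,      /* removal of a monitored file */
    EV_ACCESS_TYPE_VIOLATION, /* wrong access type: direct/indirect/file */
    EV_CREATE_FILE,           /* creation of a new file */
    EV_ACCESS_UNMONITORED     /* access to a file not in the tables */
};

enum ve_verdict { VE_ALLOW, VE_WARN, VE_DENY };

/* Lowest strict level at which an event is denied; levels above it
 * inherit the denial ("all implications of strict level N-1"). */
static int deny_at_level(enum ve_event ev)
{
    switch (ev) {
    case EV_EXEC_FP_MISMATCH:
    case EV_TABLE_MODIFY:
        return STRICT_IDS;
    case EV_WRITE_MONITORED:
    case EV_REMOVE_MONITORED:
    case EV_ACCESS_TYPE_VIOLATION:
        return STRICT_IPS;
    case EV_CREATE_FILE:
    case EV_ACCESS_UNMONITORED:
        return STRICT_LOCKDOWN;
    }
    return STRICT_LOCKDOWN + 1; /* unknown event: never denied here */
}

/* Decide an event under a given strict level. Model assumption: below the
 * denying level, level 0 warns and levels 1..3 allow silently. */
enum ve_verdict veriexec_decide(int strict, enum ve_event ev)
{
    if (strict >= deny_at_level(ev))
        return VE_DENY;
    if (strict == STRICT_LEARNING)
        return VE_WARN; /* learning mode: report what a higher level denies */
    return VE_ALLOW;
}

const char *verdict_name(enum ve_verdict v)
{
    return v == VE_DENY ? "deny" : v == VE_WARN ? "warn" : "allow";
}

int main(void)
{
    static const char *names[] = {
        "fp-mismatch", "table-modify", "write-monitored", "remove-monitored",
        "access-type", "create-file", "access-unmonitored"
    };
    /* Print the full level x event matrix. */
    for (int lvl = STRICT_LEARNING; lvl <= STRICT_LOCKDOWN; lvl++) {
        printf("strict=%d:", lvl);
        for (int ev = EV_EXEC_FP_MISMATCH; ev <= EV_ACCESS_UNMONITORED; ev++)
            printf(" %s=%s", names[ev],
                   verdict_name(veriexec_decide(lvl, (enum ve_event)ev)));
        printf("\n");
    }
    return 0;
}
```

Running the program prints one row per strict level; reading down a column shows the point at which a given operation flips from warn (level 0) through allow to deny, which is the property a defender wants to confirm before raising the level on a production host.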
To generate a diff of this commit:
cvs rdiff -r1.5.2.8 -r1.5.2.9 src/sys/dev/verified_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.