|
Revision tags: release/14.0.0 |
|
| #
fa9896e0 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line nroff pattern
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
|
|
Revision tags: release/13.2.0, release/12.4.0 |
|
| #
287d467c |
| 18-Jul-2022 |
Mitchell Horne <mhorne@FreeBSD.org> |
mac: add new mac_ddb(4) policy
Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the sy
mac: add new mac_ddb(4) policy
Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the system state, including sensitive data such as
signing keys.
However, having some access to debugger functionality on production
systems may be useful in determining the cause of a panic or hang.
Therefore, it is desirable to have an optional policy which allows
limited use of ddb(4) while disabling the functionality which could
reveal system secrets.
This loadable MAC module allows for the use of some ddb(4) commands
while preventing the execution of others. The commands have been broadly
grouped into three categories:
- Those which are 'safe' and will not emit sensitive data (e.g. trace).
Generally, these commands are deterministic and don't accept
arguments.
- Those which are definitively unsafe (e.g. examine <addr>, search
<addr> <value>)
- Commands which may be safe to execute depending on the arguments
provided (e.g. show thread <addr>).
Safe commands have been flagged as such with the DB_CMD_MEMSAFE flag.
Commands requiring extra validation can provide a function to do so.
For example, 'show thread <addr>' can be used as long as addr can be
checked against the system's list of process structures.
The policy also prevents debugger backends other than ddb(4) from
executing, for example gdb(4).
Reviewed by: markj, pauamma_gundo.com (manpages)
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D35371
show more ...
|
|
Revision tags: release/13.1.0, release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0, release/11.2.0, release/10.4.0, release/11.1.0, release/11.0.1, release/11.0.0, release/10.3.0 |
|
| #
f94594b3 |
| 12-Sep-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Finish merging from head, messed up in previous attempt
|
| #
ab875b71 |
| 14-Aug-2015 |
Navdeep Parhar <np@FreeBSD.org> |
Catch up with head, primarily for the 1.14.4.0 firmware.
|
|
Revision tags: release/10.2.0 |
|
| #
5f78ec1c |
| 28-Jul-2015 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r285793 through r285923.
|
| #
208a8b95 |
| 25-Jul-2015 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Update Capsicum and Mandatory Access Control manual pages
to no longer claim they are experimental.
Reviewed by: rwatson@, wblock@
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential
Update Capsicum and Mandatory Access Control manual pages
to no longer claim they are experimental.
Reviewed by: rwatson@, wblock@
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D2985
show more ...
|
|
Revision tags: release/10.1.0, release/9.3.0, release/10.0.0, release/9.2.0, release/8.4.0, release/9.1.0, release/8.3.0_cvs, release/8.3.0, release/9.0.0, release/7.4.0_cvs, release/8.2.0_cvs, release/7.4.0, release/8.2.0, release/8.1.0_cvs, release/8.1.0 |
|
| #
a4bf5fb9 |
| 28-Apr-2010 |
Kirk McKusick <mckusick@FreeBSD.org> |
Update to current version of head.
|
| #
aa12cea2 |
| 14-Apr-2010 |
Ulrich Spörlein <uqs@FreeBSD.org> |
mdoc: order prologue macros consistently by Dd/Dt/Os
Although groff_mdoc(7) gives another impression, this is the ordering
most widely used and also required by mdocml/mandoc.
Reviewed by: ru
Appro
mdoc: order prologue macros consistently by Dd/Dt/Os
Although groff_mdoc(7) gives another impression, this is the ordering
most widely used and also required by mdocml/mandoc.
Reviewed by: ru
Approved by: philip, ed (mentors)
show more ...
|
|
Revision tags: release/7.3.0_cvs, release/7.3.0 |
|
| #
1a0fda2b |
| 04-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
IFH@204581
|
|
Revision tags: release/8.0.0_cvs, release/8.0.0 |
|
| #
874108ae |
| 12-Nov-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
MFC @199204
|
| #
fa3e572c |
| 22-Oct-2009 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Remove self-reference.
|
|
Revision tags: release/7.2.0_cvs, release/7.2.0, release/7.1.0_cvs, release/7.1.0, release/6.4.0_cvs, release/6.4.0, release/7.0.0_cvs, release/7.0.0, release/6.3.0_cvs, release/6.3.0, release/6.2.0_cvs, release/6.2.0, release/5.5.0_cvs, release/5.5.0, release/6.1.0_cvs, release/6.1.0, release/6.0.0_cvs, release/6.0.0, release/5.4.0_cvs, release/5.4.0, release/4.11.0_cvs, release/4.11.0 |
|
| #
da2fa159 |
| 12-Jan-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Scheduled mdoc(7) sweep.
|
|
Revision tags: release/5.3.0_cvs, release/5.3.0 |
|
| #
0bbfd990 |
| 16-Jul-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Update Biba and MLS man pages to take into account recent renaming of
the 'single' label element to 'effective.
|
| #
5203edcd |
| 03-Jul-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Mechanically kill hard sentence breaks and double whitespaces.
|
|
Revision tags: release/4.10.0_cvs, release/4.10.0, release/5.2.1_cvs, release/5.2.1, release/5.2.0_cvs, release/5.2.0, release/4.9.0_cvs, release/4.9.0 |
|
| #
a1de21c1 |
| 12-Sep-2003 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7): Fix common mistakes made in the SEE ALSO section.
|
|
Revision tags: release/5.1.0_cvs, release/5.1.0 |
|
| #
3cc3bf52 |
| 01-Jun-2003 |
Ruslan Ermilov <ru@FreeBSD.org> |
Assorted mdoc(7) fixes.
|
| #
149c7230 |
| 21-May-2003 |
Ruslan Ermilov <ru@FreeBSD.org> |
Kill whitespace at EOL.
Approved by: re (blanket)
|
|
Revision tags: release/4.8.0_cvs, release/4.8.0 |
|
| #
0c6e926f |
| 31-Mar-2003 |
Chris Costello <chris@FreeBSD.org> |
Document the new mac_portacl(4) policy.
Sponsored by: DARPA, Network Associates Laboratories
Obtained from: TrustedBSD Project
|
| #
83b0a95a |
| 17-Feb-2003 |
Chris Costello <chris@FreeBSD.org> |
o Add a note explaining the meaning of mls/equal beyond "equal to all
labels"
o Remove the ++ compartment range notation example as this has not yet
been merged into CVS.
o Include a "Runtime Con
o Add a note explaining the meaning of mls/equal beyond "equal to all
labels"
o Remove the ++ compartment range notation example as this has not yet
been merged into CVS.
o Include a "Runtime Configuration" section listing all of the relevant
sysctl knobs for this policy.
Sponsored by: DARPA, Network Associates Laboratories
Obtained from: TrustedBSD Project
show more ...
|
| #
daa1772e |
| 20-Jan-2003 |
Chris Costello <chris@FreeBSD.org> |
Properly mark up column lists. This does not affect output; I just had
the arguments to .Bl incorrect.
Sponsored by: DARPA, Network Associates Laboratories
|
|
Revision tags: release/5.0.0_cvs, release/5.0.0 |
|
| #
ccf09d7c |
| 15-Jan-2003 |
Chris Costello <chris@FreeBSD.org> |
Update cross-references to include mac(4).
Sponsored by: DARPA, Network Associates Laboratories
|
| #
5792da74 |
| 08-Jan-2003 |
Chris Costello <chris@FreeBSD.org> |
o Refer to "Network Associates Laboratories" instead of "NAI Labs" or
"Network Associates Labs" in the copyright notice.
o Remove clause #3 in the license terms.
o Remove the line break from my nam
o Refer to "Network Associates Laboratories" instead of "NAI Labs" or
"Network Associates Labs" in the copyright notice.
o Remove clause #3 in the license terms.
o Remove the line break from my name.
Sponsored by: DARPA, Network Associates Laboratories
show more ...
|
| #
9cad8863 |
| 08-Jan-2003 |
Chris Costello <chris@FreeBSD.org> |
Cross-reference mac_lomac.4
Sponsored by: DARPA, Network Associates Laboratories
|
| #
6f489bd9 |
| 20-Dec-2002 |
Chris Costello <chris@FreeBSD.org> |
o Change "accesses" to "access" (sounds better)
o Correct the range of compartments (1..256 instead of 0..255)
o Use the correct name for "Network Associates Laboratories"
MFC Candidate.
Sponsored
o Change "accesses" to "access" (sounds better)
o Correct the range of compartments (1..256 instead of 0..255)
o Use the correct name for "Network Associates Laboratories"
MFC Candidate.
Sponsored by: DARPA, Network Associates Laboratories
Reviewed by: Adam Migus <adam@migus.org>
show more ...
|
| #
4e9f9c6d |
| 12-Dec-2002 |
Chris Costello <chris@FreeBSD.org> |
Use the correct compartment notation in sample labels.
Sponsored by: DARPA, Network Associates Labs
Approved by: re (blanket)
|