Now
netbsd-8 commitmail json YAML
Pull up following revision(s) (requested by kamil in ticket #713):
sys/secmodel/extensions/secmodel_extensions.c: 1.8
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs
Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.
Allow to read unconditionally Debug Registers (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with context of registers. Reading them should have
no security concerns.
Add a paranoid MI switch that prohibits by default setting these registers
by a regular user (non-superuser). Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.
Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.
Reviewed by <christos>
Sponsored by <The NetBSD Foundation>
sys/secmodel/extensions/secmodel_extensions.c: 1.8
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs
Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.
Allow to read unconditionally Debug Registers (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with context of registers. Reading them should have
no security concerns.
Add a paranoid MI switch that prohibits by default setting these registers
by a regular user (non-superuser). Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.
Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.
Reviewed by <christos>
Sponsored by <The NetBSD Foundation>