---
- branch: netbsd-8
  date: Thu Apr 12 20:09:38 UTC 2018
  files:
    - new: 1.7.10.1
      old: '1.7'
      path: src/sys/secmodel/extensions/secmodel_extensions.c
      pathrev: src/sys/secmodel/extensions/secmodel_extensions.c@1.7.10.1
      type: modified
  id: 20180412T200938Z.6e06a7a6abad8a35231b160c65c5b6eda250b0b6
  log: "Pull up following revision(s) (requested by kamil in ticket #713):\n\tsys/secmodel/extensions/secmodel_extensions.c: 1.8\nAdd new sysctl(3) entry: security.models.extensions.user_set_dbregs\nModel this new sysctl(3) entry after \"user_set_cpu_affinity\" in the same\nlevel of sysctl(3) switches.\nAllow to read unconditionally Debug Registers (no change here). This is\nconvenient as even if a user of a debugger does not use hardware assisted\nwatchpoints/breakpoints, a debugger can still prompt these values to store\nin an internal cache with context of registers. Reading them should have\nno security concerns.\nAdd a paranoid MI switch that prohibits by default setting these registers\nby a regular user (non-superuser). Make this switch disabled by default.\nThere are enough reserved bits out there to allow using them\nunconditionally on hardened hosts.\nFeatures shipped with Debug Registers are optional features in debuggers.\nThere is no reduction in elementary functionality.\nReviewed by \nSponsored by \n"
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/secmodel/extensions'
  unixtime: '1523563778'
  user: snj