Date:      Sat, 21 May 2005 18:28:27 GMT
From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 77256 for review
Message-ID:  <200505211828.j4LISRbE069124@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=77256

Change 77256 by csjp@csjp_xor on 2005/05/21 18:27:43

	Add some documentation for some additional sysctl variables

Affected files ...

.. //depot/projects/trustedbsd/mac/share/man/man4/mac_chkexec.4#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/share/man/man4/mac_chkexec.4#2 (text+ko) ====

@@ -83,8 +83,14 @@
 The following sysctls may be used to tweak the behavior of
 .Nm :
 .Bl -tag -width indent
+.It Va security.mac.chkexec.enable
+Set to zero or one to toggle the policy off or on.
 .It Va security.mac.chkexec.enforce
-Set to zero or one to toggle the policy off or on.
+Toggle the enforcement of the security policy. While the policy is loaded but
+not enforced, the system is in learning mode. This means that each time an
+objected is executed, the system calculates and stores the checksums for the
+object. This allows system administrators to create their "baseline database"
+of trusted binaries simply by letting the system run in regular operation.
 .It Va security.mac.chkexec.cache.objmax
 Adjust the cache size.
 This should be increased as more system objects
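
Review bot: In the added text under security.mac.chkexec.enforce, "objected is executed" should read "object is executed". The "Set to zero or one" wording moved to the new enable entry, so the enforce entry no longer says which values it accepts or which is the default; state both. Because the text says checksums are calculated and stored for every object executed while enforcement is off, it is worth adding that the baseline should only be built on a system known to be clean, since anything run in learning mode ends up in the trusted set. mdoc source convention is also to start each sentence on its own line instead of continuing after the period.
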
@@ -92,8 +98,18 @@
 Note that this value should be similar to
 .Dq 1024
 during the
-.Fx
+.Dx
 buildworld process.
+.It Va security.mac.chkexec.algo
+Specify which hashing algorithm to use. Currently md5 and sha1 are
+supported. By default sha1 is used.
+.It Va security.mac.chkexec.cache.enable
+Enable or disable the use of the object cache. Disabling the cache results
+in system execution and run-time linking performance being degraded.
+.It Va security.mac.chkexec.ignore_untagged
+Specify whether or not un-registered binaries should be exempt. This allows users
+to execute newly created binaries. It is highly recommended that this option
+NOT be enabled.
 .El
 .Sh SEE ALSO
 .Xr mac 4 ,
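
Review bot: The `.Fx` to `.Dx` change just before "buildworld process." looks unintended: it is unrelated to the sysctl documentation the change description mentions, and in mdoc `.Dx` is the DragonFly macro while `.Fx` is the FreeBSD one. Please drop it or explain it. In the new entries, security.mac.chkexec.ignore_untagged is described with "un-registered" while the variable name says untagged; pick one term, and give the accepted values and the default the way the algo entry does. The "NOT be enabled" recommendation would be stronger with its reason stated: with the option on, binaries that have no stored checksum are exempt from the policy.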


