Subject: securelevel support incomplete, 'sysctl' missing (#221 - part 3 of 5)
Index:	sys,bin,lib,usr.lib,usr.bin/many 2.11BSD

Description:
	The support for 'securelevel' is incomplete, part of it was added
	back in updates #197 thru 210 (when the 'chflags' syscall was
	implemented).  But without a means of setting the security level
	of the system the level was fixed at -1.

	There is no 'sysctl' system call present.  In addition to retrieving
	and setting the security level of the system the sysctl() call can
	be used to read many other kernel data structures without having
	to perform a nlist(3) on the kernel image.

	Also, there are present in the C library several obsolete (they
	were obsolete even when 2.11BSD was new) routines.

Repeat-By:
	Observation.  

	You may wish to refer to update #197 in which mention is made of
	the 'securelevel' feature.

	The manpages for sysctl(3) and sysctl(8) are in the shar file below.

Fix:
	sysctl() was borrowed from 4.4BSD-Lite.  Everything except the
	'networking' portion has been ported - that will be done in the
	future.  

	Initially only enough of sysctl() was going to be ported to
	manipulate the 'securelevel' of the system.  As the porting 
	effort got underway it became apparent that with not much extra
	effort the whole sysctl() call could be implemented.

	As a demonstration of how much faster sysctl() is than 'nlist()'
	a couple of the programs in the system have been converted to
	use sysctl() instead of nlist()+read() to fetch information from
	the kernel.  You may wish to save the 'w' and 'welcome' programs
	in order to compare the runtimes before and after being converted.

	As time goes on additional utilities will be switched over from
	nlist() to sysctl().

	This is part 3 of 5 (updates 219 thru 223).

	The contents of each part are as follows:

	    Part/Update#	Contents
	    ============	========
	    1 / 219		shar file of new files added to the system.
	    2 / 220		shell script to remove obsolete files
	    3 / 221		patch file 1
	    4 / 222		patch file 2
	    5 / 223		patch file 3

	The following files are modified by this part of the patch kit:

/usr/include/syscall.h
/usr/src/sys/conf/Make.unix
/usr/src/sys/conf/Make.nsunix
/usr/src/sys/conf/Make.sunix
/usr/src/sys/conf/Make.sys
/usr/src/sys/conf/param.c
/usr/src/sys/sys/ufs_fio.c
/usr/src/sys/sys/sys_inode.c
/usr/src/sys/sys/ufs_mount.c
/usr/src/sys/sys/init_main.c
/usr/src/sys/sys/kern_exec.c
/usr/src/sys/sys/init_sysent.c
/usr/src/sys/h/systm.h
/usr/src/sys/h/resource.h
/usr/src/sys/h/vmparam.h
/usr/src/sys/h/time.h
/usr/src/sys/h/vmsystm.h
/usr/src/sys/h/proc.h
/usr/src/sys/h/text.h
/usr/src/sys/h/file.h
/usr/src/sys/pdp/conf.c
/usr/src/sys/pdp/cpu.h
/usr/src/sys/OTHERS/bad144/bad144.c
/usr/src/sys/GENERIC/Makefile

	Instructions:

	1) Cut where indicated and save to a file (/tmp/foo)

	2) patch -p0 < /tmp/foo

	3) For all kernel directories in /sys copy the conf/Make.sys file:

 	   cd /sys
	   cp conf/Make.sys GENERIC/Make.sys
	   foreach i (YOURKERNEL  MYKERNEL PICKLE ...)
	     cp conf/Make.sys ${i}/Make.sys

	   If you do not do this the kern_sysctl.c file will not be compiled
	   when you recompile the kernel.

	4) You must edit the Makefile in each of the kernel directories in
	   /sys to add the 'kern_sysctl.o' file to an overlay.  Since this
	   module is rather large (almost 4kb) it will almost always go into
	   OV7.  See GENERIC/Makefile as an example.

	   Place kern_sysctl.o anywhere there is room (use the 'size' command
	   on /unix - overlays can be 8kb and the base segment can be 56kb).
	   It is _strongly_ recommended that kern_sysctl.o _NOT_ go into the
	   base segment (it won't fit most of the time anyhow).

	5) Caution:  If you have developed local drivers and have modified
	   pdp/conf.c then the patching might fail.  This will take manual
	   action to fix.

	DO NOT compile anything yet.  There will be a detailed, step-by-step
	checklist of what to compile in the last part of this kit (#223).

====================cut here===================
*** /usr/include/syscall.h.old	Fri Nov 25 22:23:07 1994
--- /usr/include/syscall.h	Fri Jan 13 20:38:45 1995
***************
*** 28,34 ****
  #define	SYS_getpid	20
  #define	SYS_mount	21
  #define	SYS_umount	22
! 				/* 23 is old: setuid */
  #define	SYS_getuid	24
  				/* 25 is old: stime */
  #define	SYS_ptrace	26
--- 28,34 ----
  #define	SYS_getpid	20
  #define	SYS_mount	21
  #define	SYS_umount	22
! #define	SYS___sysctl	23
  #define	SYS_getuid	24
  				/* 25 is old: stime */
  #define	SYS_ptrace	26
*** /usr/src/sys/conf/Make.unix.old	Sat Jan 22 16:38:43 1994
--- /usr/src/sys/conf/Make.unix	Sat Jan 14 00:44:11 1995
***************
*** 9,15 ****
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	%W% (Berkeley) %G%
  #
  #########################################################
  # Non-networking, non-separate I/D kernel		#
--- 9,15 ----
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	2.0 (2.11BSD GTE) 1/14/95
  #
  #########################################################
  # Non-networking, non-separate I/D kernel		#
***************
*** 61,67 ****
  	tty_conf.o tty_pty.o tty_subr.o tty_tb.o tty_tty.o ufs_alloc.o \
  	ufs_bio.o ufs_bmap.o ufs_dsort.o ufs_fio.o ufs_inode.o \
  	ufs_mount.o ufs_namei.o ufs_subr.o ufs_syscalls.o \
! 	vm_proc.o vm_sched.o vm_swap.o vm_swp.o vm_text.o xp.o subr_log.o
  OV1=	
  OV2=	
  
--- 61,69 ----
  	tty_conf.o tty_pty.o tty_subr.o tty_tb.o tty_tty.o ufs_alloc.o \
  	ufs_bio.o ufs_bmap.o ufs_dsort.o ufs_fio.o ufs_inode.o \
  	ufs_mount.o ufs_namei.o ufs_subr.o ufs_syscalls.o \
! 	vm_proc.o vm_sched.o vm_swap.o vm_swp.o vm_text.o xp.o subr_log.o \
! 	kern_sysctl.o
! 
  OV1=	
  OV2=	
  
*** /usr/src/sys/conf/Make.nsunix.old	Sat Jan 22 16:37:52 1994
--- /usr/src/sys/conf/Make.nsunix	Sat Jan 14 00:43:25 1995
***************
*** 9,15 ****
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	%W% (Berkeley) %G%
  #
  #########################################################
  # Networking, separate I/D kernel			#
--- 9,15 ----
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	2.0 (2.11BSD GTE) 1/14/95
  #
  #########################################################
  # Networking, separate I/D kernel			#
***************
*** 76,82 ****
  # OV6 gets the (hopefully) never used routines
  OV6=	clock.o dn.o init_main.o kern_pdp.o machdep2.o subr_prf.o syscalls.o \
  	subr_log.o toy.o
! OV7=	tmscp.o
  OV8=	mch_fpsim.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
--- 76,82 ----
  # OV6 gets the (hopefully) never used routines
  OV6=	clock.o dn.o init_main.o kern_pdp.o machdep2.o subr_prf.o syscalls.o \
  	subr_log.o toy.o
! OV7=	tmscp.o kern_sysctl.o
  OV8=	mch_fpsim.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
*** /usr/src/sys/conf/Make.sunix.old	Sat Jan 22 16:38:34 1994
--- /usr/src/sys/conf/Make.sunix	Sat Jan 14 00:43:45 1995
***************
*** 9,15 ****
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	%W% (Berkeley) %G%
  #
  #########################################################
  # Non-network, but separate I/D kernel			#
--- 9,15 ----
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	2.0 (2.11BSD GTE) 1/14/95
  #
  #########################################################
  # Non-network, but separate I/D kernel			#
***************
*** 61,67 ****
  OV4=	hk.o init_main.o kern_prot.o tty_pty.o quota_kern.o quota_subr.o \
  	quota_ufs.o subr_log.o vm_swp.o vm_swap.o vm_proc.o toy.o
  OV5=	ht.o tm.o ts.o
! OV6=	tmscp.o
  OV7=	mch_fpsim.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
--- 61,67 ----
  OV4=	hk.o init_main.o kern_prot.o tty_pty.o quota_kern.o quota_subr.o \
  	quota_ufs.o subr_log.o vm_swp.o vm_swap.o vm_proc.o toy.o
  OV5=	ht.o tm.o ts.o
! OV6=	tmscp.o kern_sysctl.o
  OV7=	mch_fpsim.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
*** /usr/src/sys/conf/Make.sys.old	Fri Mar 12 19:04:22 1993
--- /usr/src/sys/conf/Make.sys	Sat Jan 14 00:50:17 1995
***************
*** 9,15 ****
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	%W% (Berkeley) %G%
  #
  S=	../sys
  VPATH=	../sys
--- 9,15 ----
  # software without specific prior written permission. This software
  # is provided ``as is'' without express or implied warranty.
  #
! #	2.0 (2.11BSD GTE) 1/14/95
  #
  S=	../sys
  VPATH=	../sys
***************
*** 18,24 ****
  	${S}/kern_clock.c ${S}/kern_descrip.c ${S}/kern_exec.c		\
  	${S}/kern_exit.c ${S}/kern_fork.c ${S}/kern_mman.c		\
  	${S}/kern_proc.c ${S}/kern_prot.c ${S}/kern_resource.c		\
! 	${S}/kern_sig.c ${S}/kern_subr.c				\
  	${S}/kern_synch.c ${S}/kern_time.c ${S}/kern_xxx.c		\
  	${S}/quota_sys.c ${S}/quota_kern.c ${S}/quota_ufs.c		\
  	${S}/quota_subr.c ${S}/subr_log.c ${S}/subr_prf.c ${S}/subr_rmap.c \
--- 18,24 ----
  	${S}/kern_clock.c ${S}/kern_descrip.c ${S}/kern_exec.c		\
  	${S}/kern_exit.c ${S}/kern_fork.c ${S}/kern_mman.c		\
  	${S}/kern_proc.c ${S}/kern_prot.c ${S}/kern_resource.c		\
! 	${S}/kern_sig.c ${S}/kern_subr.c ${S}/kern_sysctl.c		\
  	${S}/kern_synch.c ${S}/kern_time.c ${S}/kern_xxx.c		\
  	${S}/quota_sys.c ${S}/quota_kern.c ${S}/quota_ufs.c		\
  	${S}/quota_subr.c ${S}/subr_log.c ${S}/subr_prf.c ${S}/subr_rmap.c \
***************
*** 33,39 ****
  	${S}/vm_sched.c ${S}/vm_swap.c ${S}/vm_swp.c ${S}/vm_text.c
  OBJS=	init_main.o init_sysent.o kern_acct.o kern_clock.o		\
  	kern_descrip.o kern_exec.o kern_exit.o kern_fork.o kern_mman.o	\
! 	kern_proc.o kern_prot.o kern_resource.o kern_sig.o		\
  	kern_subr.o kern_synch.o kern_time.o kern_xxx.o quota_sys.o	\
         quota_kern.o quota_ufs.o quota_subr.o subr_log.o subr_prf.o subr_rmap.o \
  	subr_xxx.o sys_generic.o sys_inode.o sys_kern.o			\
--- 33,39 ----
  	${S}/vm_sched.c ${S}/vm_swap.c ${S}/vm_swp.c ${S}/vm_text.c
  OBJS=	init_main.o init_sysent.o kern_acct.o kern_clock.o		\
  	kern_descrip.o kern_exec.o kern_exit.o kern_fork.o kern_mman.o	\
! 	kern_proc.o kern_prot.o kern_resource.o kern_sig.o kern_sysctl.o \
  	kern_subr.o kern_synch.o kern_time.o kern_xxx.o quota_sys.o	\
         quota_kern.o quota_ufs.o quota_subr.o subr_log.o subr_prf.o subr_rmap.o \
  	subr_xxx.o sys_generic.o sys_inode.o sys_kern.o			\
*** /usr/src/sys/conf/param.c.old	Thu Mar 11 20:03:37 1993
--- /usr/src/sys/conf/param.c	Wed Jan 18 19:54:06 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)param.c	2.0 (2.11BSD GTE) 3/11/93
   */
  
  #include "../h/param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)param.c	2.1 (2.11BSD GTE) 1/18/95
   */
  
  #include "../h/param.h"
***************
*** 69,74 ****
--- 69,84 ----
  struct	mount mount[NMOUNT];
  struct	buf buf[NBUF], bfreelist[BQUEUES];
  struct	bufhd bufhash[BUFHSZ];
+ 
+ /*
+  * Remove the ifdef/endif to run the kernel in unsecure mode even when in
+  * a multiuser state.  Normally 'init' raises the security level to 1 
+  * upon transitioning to multiuser.  Setting the securelevel to -1 prevents
+  * the secure level from being raised by init.
+ */
+ #ifdef	PERMANENTLY_INSECURE
+ int	securelevel = -1;
+ #endif
  
  #ifdef UCB_CLIST
  	u_int clstdesc = ((((btoc(NCLIST*sizeof(struct cblock)))-1) << 8) | RW);
*** /usr/src/sys/sys/ufs_fio.c.old	Thu Dec 15 20:10:01 1994
--- /usr/src/sys/sys/ufs_fio.c	Thu Dec 29 17:31:03 1994
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_fio.c	1.2 (2.11BSD GTE) 12/15/94
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_fio.c	1.3 (2.11BSD GTE) 12/29/94
   */
  
  #include "param.h"
***************
*** 10,22 ****
  #include "user.h"
  #include "fs.h"
  #include "inode.h"
  #include "namei.h"
  #include "systm.h"
  #include "acct.h"
  #include "stat.h"
  
- extern	int	securelevel;
- 
  /*
   * Check mode permission on inode pointer.
   * Mode is READ, WRITE or EXEC.
--- 10,21 ----
  #include "user.h"
  #include "fs.h"
  #include "inode.h"
+ #include "mount.h"
  #include "namei.h"
  #include "systm.h"
  #include "acct.h"
  #include "stat.h"
  
  /*
   * Check mode permission on inode pointer.
   * Mode is READ, WRITE or EXEC.
***************
*** 135,145 ****
  			return(u.u_error);
  		if	(u.u_uid == 0)
  			{
! #ifdef	not_quite_yet
! 			if	((ip->i_flags & (SF_IMMUTABLE|SF_APPEND))) &&
  					securelevel > 0)
  				return(EPERM);
- #endif
  			ip->i_flags = vap->va_flags;
  			}
  		else
--- 134,142 ----
  			return(u.u_error);
  		if	(u.u_uid == 0)
  			{
! 			if	((ip->i_flags & (SF_IMMUTABLE|SF_APPEND)) &&
  					securelevel > 0)
  				return(EPERM);
  			ip->i_flags = vap->va_flags;
  			}
  		else
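Review bot: The newly enabled superuser branch has no comment saying what the securelevel test protects, and the rule is easy to misread. As written, once an inode carries `SF_IMMUTABLE` or `SF_APPEND` and `securelevel > 0`, root gets `EPERM` for any flag change on that inode, not only for clearing the system flags; an inode with neither flag can still have them set. I would add above the test `/* securelevel > 0: flags are frozen once a system flag is set, even for root */`. The enclosing function starts and ends outside this hunk.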
***************
*** 186,190 ****
--- 183,202 ----
  		}
  	if	(vap->va_mode != (mode_t)VNOVAL)
  		return(chmod1(ip, vap->va_mode));
+ 	return(0);
+ 	}
+ 
+ ufs_mountedon(dev)
+ 	dev_t dev;
+ 	{
+ 	register struct mount *mp;
+ 
+ 	for	(mp = mount; mp < &mount[NMOUNT]; mp++)
+ 		{
+ 		if	(mp->m_inodp == NULL)
+ 			continue;
+ 		if	(mp->m_dev == dev)
+ 			return(EBUSY);
+ 		}
  	return(0);
  	}
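Review bot: `ufs_mountedon()` is added without a header comment, and its return convention is not obvious from the name: it returns the errno `EBUSY` for a mounted device and 0 otherwise, which `openi()` in sys_inode.c hands straight back to its caller. I would document that, e.g. `/* Return EBUSY if 'dev' has an active entry in mount[], else 0. */`, and give the function an explicit `int` return type. Entries with a NULL `m_inodp` are skipped, so the result depends on every mounted filesystem (root included) having that field set; the comment should say so.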
*** /usr/src/sys/sys/sys_inode.c.old	Thu Dec 15 19:59:30 1994
--- /usr/src/sys/sys/sys_inode.c	Fri Jan  6 23:36:24 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)sys_inode.c	1.2 (2.11BSD GTE) 12/8/94
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)sys_inode.c	1.3 (2.11BSD GTE) 1/6/95
   */
  
  #include "param.h"
***************
*** 602,610 ****
  /*
   * Openi called to allow handler of special files to initialize and
   * validate before actual IO.
-  *
-  * Eventually the check for 'securelevel' and the MNT_NODEV mount option
-  * will go here.
   */
  openi(ip, mode)
  	register struct inode *ip;
--- 602,607 ----
***************
*** 611,627 ****
--- 608,672 ----
  {
  	register dev_t dev = ip->i_rdev;
  	register int maj = major(dev);
+ 	dev_t bdev;
+ 	int error;
  
+ 	if (ip->i_fs->fs_flags & MNT_NODEV)
+ 		return(ENXIO);
+ 
  	switch (ip->i_mode&IFMT) {
  
  	case IFCHR:
  		if ((u_int)maj >= nchrdev)
  			return (ENXIO);
+ 		if (mode & FWRITE) {
+ 			/*
+ 			 * When running in very secure mode, do not allow
+ 			 * opens for writing of any disk character devices.
+ 			 */
+ 			if (securelevel >= 2 && isdisk(dev, IFCHR))
+ 				return(EPERM);
+ 			/*
+ 			 * When running in secure mode, do not allow opens
+ 			 * for writing of /dev/mem, /dev/kmem, or character
+ 			 * devices whose corresponding block devices are
+ 			 * currently mounted.
+ 			 */
+ 			if (securelevel >= 1) {
+ 				if ((bdev = chrtoblk(dev)) != NODEV &&
+ 					(error = ufs_mountedon(bdev)))
+ 						return(error);
+ 				if (iskmemdev(dev))
+ 					return(EPERM);
+ 			}
+ 		}
  		return ((*cdevsw[maj].d_open)(dev, mode));
  
  	case IFBLK:
  		if ((u_int)maj >= nblkdev)
  			return (ENXIO);
+ 		/*
+ 		 * When running in very secure mode, do not allow
+ 		 * opens for writing of any disk block devices.
+ 		 */
+ 		if (securelevel >= 2 && (mode & FWRITE) && isdisk(dev, IFBLK))
+ 			return(EPERM);
+ #ifdef	notyet
+ 		/*
+ 		 * Do not allow opens of block devices that are 
+ 		 * currently mounted.
+ 		 *
+ 		 * 2.11BSD must relax this restriction to allow 'fsck' to
+  		 * open the root filesystem (which is always mounted) during 
+ 		 * a reboot.  Once in secure or very secure mode the 
+ 		 * above restriction is fully effective.
+ 		 *
+ 		 * Also, 'df' on 2.11BSD opens the device - this check can
+ 		 * not be enabled until the 'statfs' capability is present.
+ 		 */
+ 		if (securelevel > 0 && (error = ufs_mountedon(dev)))
+ 			return(error);
+ #endif
  		return ((*bdevsw[maj].d_open)(dev, mode));
  	}
  	return (0);
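Review bot: The `MNT_NODEV` test sits ahead of the `switch`, so it applies to every inode type that reaches `openi()`, while the switch itself falls through to `return (0)` for anything that is not `IFCHR` or `IFBLK`. If `openi()` is also called for regular files and directories (its callers are not in this part of the kit), every open on a nodev-mounted filesystem would fail with `ENXIO`; moving the test into the two device cases avoids that. Separately, with the mounted-on check left under `#ifdef notyet`, a mounted block device can still be opened for writing at securelevel 1, which is weaker than the character-device path just above it. A write-only form, `if (securelevel > 0 && (mode & FWRITE) && (error = ufs_mountedon(dev))) return(error);`, would leave the read-only opens by `df` untouched and may be acceptable now; it needs checking against how `mount` and `fsck` open the device.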
*** /usr/src/sys/sys/ufs_mount.c.old	Sat Apr  7 18:07:25 1990
--- /usr/src/sys/sys/ufs_mount.c	Fri Jan  6 21:20:24 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_mount.c	1.2 (2.10BSD Berkeley) 1/29/90
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_mount.c	1.3 (2.11BSD GTE) 1/6/95
   */
  
  #include "param.h"
***************
*** 27,33 ****
  	register struct a {
  		char	*fspec;
  		char	*freg;
! 		int	ronly;
  	} *uap = (struct a *)u.u_ap;
  	dev_t dev;
  	register struct inode *ip;
--- 27,33 ----
  	register struct a {
  		char	*fspec;
  		char	*freg;
! 		int	flags;
  	} *uap = (struct a *)u.u_ap;
  	dev_t dev;
  	register struct inode *ip;
***************
*** 59,65 ****
  		u.u_error = EBUSY;
  		return;
  	}
! 	fs = mountfs(dev, uap->ronly, ip);
  	if (fs == 0)
  		return;
  	(void) copyinstr(uap->freg, fs->fs_fsmnt, sizeof(fs->fs_fsmnt)-1, &len);
--- 59,65 ----
  		u.u_error = EBUSY;
  		return;
  	}
! 	fs = mountfs(dev, uap->flags, ip);
  	if (fs == 0)
  		return;
  	(void) copyinstr(uap->freg, fs->fs_fsmnt, sizeof(fs->fs_fsmnt)-1, &len);
***************
*** 68,82 ****
  
  /* this routine has races if running twice */
  struct fs *
! mountfs(dev, ronly, ip)
  	dev_t dev;
! 	int ronly;
  	struct inode *ip;
  {
  	register struct mount *mp = 0;
  	struct buf *tp = 0;
  	register struct fs *fs;
! 	register error;
  	int needclose = 0;
  
  	error =
--- 68,83 ----
  
  /* this routine has races if running twice */
  struct fs *
! mountfs(dev, flags, ip)
  	dev_t dev;
! 	int flags;
  	struct inode *ip;
  {
  	register struct mount *mp = 0;
  	struct buf *tp = 0;
  	register struct fs *fs;
! 	register int error;
! 	int ronly = flags & MNT_RDONLY;
  	int needclose = 0;
  
  	error =
***************
*** 115,120 ****
--- 116,122 ----
  	fs->fs_flock = 0;
  	fs->fs_nbehind = 0;
  	fs->fs_lasti = 1;
+ 	fs->fs_flags = flags;
  	if (ip) {
  		ip->i_flag |= IMOUNT;
  		cacheinval(ip);
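Review bot: `fs->fs_flags = flags` stores the caller's third `mount` argument unfiltered, and `smount()` passes `uap->flags` straight through. Any bit a caller sets ends up in the in-core filesystem flags, including bits that have no defined `MNT_` meaning or that the kernel may want to reserve for itself. I would mask the value to the mount options that `mount(2)` accepts before storing it. Binaries built against the old interface pass a read-only boolean in this slot, so it is also worth confirming that `MNT_RDONLY` has the value those callers used. `mountfs()` begins before this hunk and continues after it.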
*** /usr/src/sys/sys/init_main.c.old	Thu Dec 15 19:57:55 1994
--- /usr/src/sys/sys/init_main.c	Fri Jan  6 21:58:25 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)init_main.c	1.6 (2.11BSD GTE) 12/15/94
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)init_main.c	1.7 (2.11BSD GTE) 1/6/95
   */
  
  #include "param.h"
***************
*** 30,36 ****
  
  int	netoff = 1;
  int	cmask = CMASK;
! int	securelevel = -1;
  
  extern	size_t physmem;
  extern	struct	mapent _coremap[];
--- 30,36 ----
  
  int	netoff = 1;
  int	cmask = CMASK;
! int	securelevel;
  
  extern	size_t physmem;
  extern	struct	mapent _coremap[];
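Review bot: Dropping the initializer from `securelevel` is deliberate and security-relevant, but nothing at the definition says so. The comment added to systm.h in this patch explains that an uninitialized variable lands in BSS, so its starting value cannot be patched in the kernel image on disk; a later cleanup that writes `= 0` here would undo that. I would add `/* must stay uninitialized, see h/systm.h */` on this line. Note also that conf/param.c now carries a second, initialized definition under `PERMANENTLY_INSECURE`, so the two files rely on the linker merging them.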
***************
*** 156,162 ****
  	nswap = swsize;
  	mfree(swapmap, --nswap, 1);
  
! 	fs = mountfs(rootdev, boothowto & RB_RDONLY, (struct inode *)0);
  	if (!fs)
  		panic("iinit");
  	mount[0].m_inodp = (struct inode *)1;	/* XXX */
--- 156,163 ----
  	nswap = swsize;
  	mfree(swapmap, --nswap, 1);
  
! 	fs = mountfs(rootdev, boothowto & RB_RDONLY ? MNT_RDONLY : 0,
! 			(struct inode *)0);
  	if (!fs)
  		panic("iinit");
  	mount[0].m_inodp = (struct inode *)1;	/* XXX */
*** /usr/src/sys/sys/kern_exec.c.old	Sat Nov 26 23:12:37 1994
--- /usr/src/sys/sys/kern_exec.c	Fri Jan 13 20:23:46 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)kern_exec.c	1.3 (2.11BSD GTE) 11/26/94
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)kern_exec.c	1.4 (2.11BSD GTE) 1/13/95
   */
  
  #include "param.h"
***************
*** 19,24 ****
--- 19,25 ----
  #include "acct.h"
  #include "namei.h"
  #include "fs.h"
+ #include "mount.h"
  #include "file.h"
  #include "text.h"
  
***************
*** 70,80 ****
  	indir = 0;
  	uid = u.u_uid;
  	gid = u.u_gid;
! 	if (ip->i_mode & ISUID)
! 		uid = ip->i_uid;
! 	if (ip->i_mode & ISGID)
! 		gid = ip->i_gid;
! 
    again:
  	if (access(ip, IEXEC))
  		goto bad;
--- 71,86 ----
  	indir = 0;
  	uid = u.u_uid;
  	gid = u.u_gid;
! 	if (ip->i_fs->fs_flags & MNT_NOEXEC) {
! 		u.u_error = EACCES;
! 		goto bad;
! 	}
! 	if ((ip->i_fs->fs_flags & MNT_NOSUID) == 0) {
! 		if (ip->i_mode & ISUID)
! 			uid = ip->i_uid;
! 		if (ip->i_mode & ISGID)
! 			gid = ip->i_gid;
! 	}
    again:
  	if (access(ip, IEXEC))
  		goto bad;
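Review bot: The `MNT_NOEXEC` test is placed above the `again:` label, so it runs once, for the inode that was looked up first. If the code further down re-enters at `again:` with a different inode (for example an interpreter named by a script; that part is outside this hunk), the second file's filesystem is never checked and the noexec restriction is not applied to it. Moving the `MNT_NOEXEC` block to just after `again:` would cover both passes. The `MNT_NOSUID` placement looks consistent with the existing uid/gid selection, which also happens once before the label.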
*** /usr/src/sys/sys/init_sysent.c.old	Sun Nov 27 00:09:12 1994
--- /usr/src/sys/sys/init_sysent.c	Sat Jan 14 00:42:01 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)init_sysent.c	1.6 (2.11BSD GTE) 11/26/94
   */
  
  /*
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)init_sysent.c	1.7 (2.11BSD GTE) 1/14/95
   */
  
  /*
***************
*** 47,53 ****
  
  /* 1.7 system operation support */
  int	umount(),smount();
! int	sync(),reboot(),sysacct();
  
  /* 2.1 generic operations */
  int	read(),write(),readv(),writev(),ioctl();
--- 47,53 ----
  
  /* 1.7 system operation support */
  int	umount(),smount();
! int	sync(),reboot(),sysacct(), __sysctl();
  
  /* 2.1 generic operations */
  int	read(),write(),readv(),writev(),ioctl();
***************
*** 128,134 ****
  	0, getpid,			/*  20 = getpid */
  	3, smount,			/*  21 = mount */
  	1, umount,			/*  22 = umount */
! 	0, nosys,			/*  23 = old setuid */
  	0, getuid,			/*  24 = getuid */
  	0, nosys,			/*  25 = old stime */
  	4, ptrace,			/*  26 = ptrace */
--- 128,134 ----
  	0, getpid,			/*  20 = getpid */
  	3, smount,			/*  21 = mount */
  	1, umount,			/*  22 = umount */
! 	6, __sysctl,			/*  23 = __sysctl */
  	0, getuid,			/*  24 = getuid */
  	0, nosys,			/*  25 = old stime */
  	4, ptrace,			/*  26 = ptrace */
*** /usr/src/sys/h/systm.h.old	Thu Dec 24 00:51:07 1992
--- /usr/src/sys/h/systm.h	Fri Jan 20 19:49:52 1995
***************
*** 3,17 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)systm.h	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  #ifndef SUPERVISOR
  /*
!  * Random set of variables
!  * used by more than one
!  * routine.
   */
  extern	char version[];		/* system version */
  
  /*
--- 3,42 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)systm.h	1.2 (2.11BSD GTE) 12/29/94
   */
  
  #ifndef SUPERVISOR
+ 
  /*
!  * The `securelevel' variable controls the security level of the system.
!  * It can only be decreased by process 1 (/sbin/init).
!  *
!  * Security levels are as follows:
!  *   -1	permannently insecure mode - always run system in level 0 mode.
!  *    0	insecure mode - immutable and append-only flags make be turned off.
!  *	All devices may be read or written subject to permission modes.
!  *    1	secure mode - immutable and append-only flags may not be changed;
!  *	raw disks of mounted filesystems, /dev/mem, and /dev/kmem are
!  *	read-only.
!  *    2	highly secure mode - same as (1) plus raw disks are always
!  *	read-only whether mounted or not. This level precludes tampering 
!  *	with filesystems by unmounting them, but also inhibits running
!  *	newfs while the system is secured.
!  *
!  * In normal operation, the system runs in level 0 mode while single user
!  * and in level 1 mode while multiuser. If level 2 mode is desired while
!  * running multiuser, it can be set in the multiuser startup script
!  * (/etc/rc.local) using sysctl(8). If it is desired to run the system
!  * in level 0 mode while multiuser, initialize the variable securelevel
!  * in /sys/kern/kern_sysctl.c to -1. Note that it is NOT initialized to
!  * zero as that would allow the vmunix binary to be patched to -1.
!  * Without initialization, securelevel loads in the BSS area which only
!  * comes into existence when the kernel is loaded and hence cannot be
!  * patched by a stalking hacker.
   */
+ extern int securelevel;		/* system security level */
+ 
  extern	char version[];		/* system version */
  
  /*
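Review bot: The new comment block describes a different source tree from the one this patch modifies. It tells the reader to initialize `securelevel` in `/sys/kern/kern_sysctl.c` and talks about patching the `vmunix` binary, whereas this kit puts the optional `-1` initializer in conf/param.c and its instructions refer to `/unix`. The text should name conf/param.c and `PERMANENTLY_INSECURE` so that an administrator who wants to confirm or change the boot-time level looks in the right place. Two typos in the level table are worth fixing at the same time: `permannently`, and `flags make be turned off`, which should read `may be`.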
*** /usr/src/sys/h/resource.h.old	Sun May 17 20:25:33 1987
--- /usr/src/sys/h/resource.h	Fri Jan 20 19:48:10 1995
***************
*** 3,11 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)resource.h	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  /*
   * Process priority specifications to get/setpriority.
   */
--- 3,14 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)resource.h	1.2 (2.11BSD GTE) 1/14/95
   */
  
+ #ifndef	_SYS_RESOURCE_H_
+ #define	_SYS_RESOURCE_H_
+ 
  /*
   * Process priority specifications to get/setpriority.
   */
***************
*** 79,81 ****
--- 82,91 ----
  	long	rlim_cur;		/* current (soft) limit */
  	long	rlim_max;		/* maximum value for rlim_cur */
  };
+ 
+ /* Load average structure. */
+ struct loadavg {
+ 	short ldavg[3];
+ 	int fscale;
+ };
+ #endif	/* !_SYS_RESOURCE_H_ */
*** /usr/src/sys/h/vmparam.h.old	Sun May 17 17:21:26 1987
--- /usr/src/sys/h/vmparam.h	Thu Jan 19 19:53:18 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)vmparam.h	7.1 (Berkeley) 6/4/86
   */
  
  /*
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)vmparam.h	7.1.1 (2.11BSD GTE) 1/14/95
   */
  
  /*
***************
*** 13,16 ****
--- 13,35 ----
  #include "../machine/vmparam.h"
  #else
  #include <machine/vmparam.h>
+ #endif
+ 
+ /*
+  * CTL_VM identifiers
+  */
+ #define	VM_METER	1		/* struct vmmeter */
+ #define	VM_LOADAVG	2		/* struct loadavg */
+ #define	VM_SWAPMAP	3		/* struct mapent _swapmap[] */
+ #define	VM_COREMAP	4		/* struct mapent _coremap[] */
+ #define	VM_MAXID	5		/* number of valid vm ids */
+ 
+ #ifndef	KERNEL
+ #define CTL_VM_NAMES { \
+ 	{ 0, 0 }, \
+ 	{ "vmmeter", CTLTYPE_STRUCT }, \
+ 	{ "loadavg", CTLTYPE_STRUCT }, \
+ 	{ "swapmap", CTLTYPE_STRUCT }, \
+ 	{ "coremap", CTLTYPE_STRUCT }, \
+ }
  #endif
*** /usr/src/sys/h/time.h.old	Sat May 16 11:29:24 1987
--- /usr/src/sys/h/time.h	Fri Jan 20 19:50:22 1995
***************
*** 3,11 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)time.h	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  /*
   * Structure returned by gettimeofday(2) system call,
   * and used in other calls.
--- 3,14 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)time.h	1.2 (2.11BSD GTE) 1/14/95
   */
  
+ #ifndef	_SYS_TIME_H_
+ #define	_SYS_TIME_H_
+ 
  /*
   * Structure returned by gettimeofday(2) system call,
   * and used in other calls.
***************
*** 59,61 ****
--- 62,75 ----
  #ifndef KERNEL
  #include <time.h>
  #endif
+ 
+ /*
+  * Getkerninfo clock information structure
+  */
+ struct clockinfo {
+ 	int	hz;		/* clock frequency */
+ 	int	tick;		/* micro-seconds per hz tick */
+ 	int	stathz;		/* statistics clock frequency */
+ 	int	profhz;		/* profiling clock frequency */
+ };
+ #endif	/* !_SYS_TIME_H_ */
*** /usr/src/sys/h/vmsystm.h.old	Wed Mar 10 20:26:20 1993
--- /usr/src/sys/h/vmsystm.h	Sun Jan 15 21:14:30 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)vmsystm.h	7.2 (2.11BSD GTE) 3/10/93
   */
  
  /*
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)vmsystm.h	7.2.1 (2.11BSD GTE) 1/15/95
   */
  
  /*
***************
*** 10,17 ****
   * Miscellaneous virtual memory subsystem variables and structures.
   */
  
- #if defined(KERNEL) && defined(UCB_METER) && !defined(SUPERVISOR)
  size_t	freemem;		/* remaining clicks of free memory */
  u_short	avefree;		/* moving average of remaining free clicks */
  u_short	avefree30;		/* 30 sec (avefree is 5 sec) moving average */
  
--- 10,18 ----
   * Miscellaneous virtual memory subsystem variables and structures.
   */
  
  size_t	freemem;		/* remaining clicks of free memory */
+ 
+ #if defined(KERNEL) && defined(UCB_METER) && !defined(SUPERVISOR)
  u_short	avefree;		/* moving average of remaining free clicks */
  u_short	avefree30;		/* 30 sec (avefree is 5 sec) moving average */
  
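Review bot: Moving `size_t freemem;` above the `#if` removes all three conditions from it, not just `UCB_METER`. The header now defines `freemem` in every file that includes it, including user programs and `SUPERVISOR` code, which previously did not see the symbol. If the intent is only to make it available to kernels built without `UCB_METER`, I would wrap it as `#if defined(KERNEL) && !defined(SUPERVISOR)` / `size_t freemem;` / `#endif`.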
*** /usr/src/sys/h/proc.h.old	Fri Mar 12 19:44:42 1993
--- /usr/src/sys/h/proc.h	Fri Jan 20 19:47:54 1995
***************
*** 3,11 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)proc.h	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  /*
   * One structure allocated per active
   * process. It contains all data needed
--- 3,14 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)proc.h	1.2 (2.11BSD GTE) 1/18/95
   */
  
+ #ifndef	_SYS_PROC_H_
+ #define	_SYS_PROC_H_
+ 
  /*
   * One structure allocated per active
   * process. It contains all data needed
***************
*** 126,128 ****
--- 129,133 ----
  
  #define	S_DATA	0		/* specified segment */
  #define	S_STACK	1
+ 
+ #endif	/* !_SYS_PROC_H_ */
*** /usr/src/sys/h/text.h.old	Thu Dec 24 00:45:47 1992
--- /usr/src/sys/h/text.h	Fri Jan 20 19:50:09 1995
***************
*** 3,11 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)text.h	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  /*
   * Text structure.			XXX REF COUNT should be short
   * One allocated per pure
--- 3,14 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)text.h	1.2 (2.11BSD GTE) 1/19/95
   */
  
+ #ifndef	_SYS_TEXT_H_
+ #define	_SYS_TEXT_H_
+ 
  /*
   * Text structure.			XXX REF COUNT should be short
   * One allocated per pure
***************
*** 58,60 ****
--- 61,64 ----
  	u_long	free_cache;		/*	placed in cache */
  	u_long	free_cacheswap;		/*	swapped out to place in cache */
  };
+ #endif /* _SYS_TEXT_H_ */
*** /usr/src/sys/h/file.h.old	Fri Nov 25 22:34:53 1994
--- /usr/src/sys/h/file.h	Fri Jan 20 19:47:13 1995
***************
*** 3,14 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)file.h	1.2 (2.11BSD GTE) 11/25/94
   */
  
  #include <fcntl.h>
  
! #ifdef KERNEL
  /*
   * Descriptor table entry.
   * One for each kernel object.
--- 3,16 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)file.h	1.3 (2.11BSD GTE) 1/19/95
   */
  
  #include <fcntl.h>
  
! #ifndef	_SYS_FILE_H_
! #define	_SYS_FILE_H_
! 
  /*
   * Descriptor table entry.
   * One for each kernel object.
***************
*** 25,30 ****
--- 27,33 ----
  	off_t	f_offset;
  };
  
+ #ifdef KERNEL
  struct	fileops {
  	int	(*fo_rw)();
  	int	(*fo_ioctl)();
***************
*** 70,72 ****
--- 73,76 ----
  #define	DTYPE_SOCKET	2	/* communications endpoint */
  #define	DTYPE_PIPE	3	/* I don't want to hear it, okay? */
  #endif
+ #endif	/* _SYS_FILE_H_ */
*** /usr/src/sys/pdp/conf.c.old	Wed Nov 30 20:02:46 1994
--- /usr/src/sys/pdp/conf.c	Thu Dec 29 17:41:18 1994
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)conf.c	2.2 (2.11BSD Berkeley) 11/29/94
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)conf.c	2.3 (2.11BSD Berkeley) 12/29/94
   */
  
  #include "param.h"
***************
*** 12,17 ****
--- 12,18 ----
  #include "time.h"
  #include "ioctl.h"
  #include "resource.h"
+ #include "inode.h"
  #include "proc.h"
  #include "clist.h"
  #include "tty.h"
***************
*** 441,443 ****
--- 442,542 ----
  };
  
  int	nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
+ 
+ /*
+  * Routine that identifies /dev/mem and /dev/kmem.
+  *
+  * A minimal stub routine can always return 0.
+  */
+ iskmemdev(dev)
+ 	register dev_t dev;
+ {
+ 
+ 	if (major(dev) == 1 && (minor(dev) == 0 || minor(dev) == 1))
+ 		return (1);
+ 	return (0);
+ }
+ 
+ /*
+  * Routine to determine if a device is a disk.
+  *
+  * A minimal stub routine can always return 0.
+  */
+ isdisk(dev, type)
+ 	dev_t dev;
+ 	register int type;
+ {
+ 
+ 	switch (major(dev)) {
+ 	case 3:			/* ram */
+ 	case 4:			/* hk */
+ 	case 5:			/* ra */
+ 	case 6:			/* rk */
+ 	case 7:			/* rl */
+ 	case 8:			/* rx */
+ 	case 9:			/* si */
+ 	case 10:		/* xp */
+ 	case 11:		/* br */
+ 		if (type == IFBLK)
+ 			return (1);
+ 		return (0);
+ 	case 13:		/* rhk */
+ 	case 14:		/* rra */
+ 	case 15:		/* rrk */
+ 	case 16:		/* rrl */
+ 	case 17:		/* rrx */
+ 	case 18:		/* rsi */
+ 	case 19:		/* rxp */
+ 	case 20:		/* rbr */
+ 		if (type == IFCHR)
+ 			return (1);
+ 		/* fall through */
+ 	default:
+ 		return (0);
+ 	}
+ 	/* NOTREACHED */
+ }
+ 
+ #define MAXDEV	25
+ static char chrtoblktbl[MAXDEV] =  {
+       /* CHR */      /* BLK */
+ 	/* 0 */		NODEV,
+ 	/* 1 */		NODEV,
+ 	/* 2 */		NODEV,
+ 	/* 3 */		NODEV,
+ 	/* 4 */		NODEV,
+ 	/* 5 */		NODEV,
+ 	/* 6 */		0,		/* ht */
+ 	/* 7 */		1,		/* tm */
+ 	/* 8 */		2,		/* ts */
+ 	/* 9 */		NODEV,
+ 	/* 10 */	NODEV,
+ 	/* 11 */	NODEV,
+ 	/* 12 */	NODEV,
+ 	/* 13 */	4,		/* hk */
+ 	/* 14 */	5,		/* ra */
+ 	/* 15 */	6,		/* rk */
+ 	/* 16 */	7,		/* rl */
+ 	/* 17 */	8,		/* rx */
+ 	/* 18 */	9,		/* si */
+ 	/* 19 */	10,		/* xp */
+ 	/* 20 */	11,		/* br */
+ 	/* 21 */	NODEV,
+ 	/* 22 */	NODEV,
+ 	/* 23 */	12,		/* tmscp */
+ 	/* 24 */	NODEV
+ };
+ /*
+  * Routine to convert from character to block device number.
+  *
+  * A minimal stub routine can always return NODEV.
+  */
+ chrtoblk(dev)
+ 	register dev_t dev;
+ {
+ 	register int blkmaj;
+ 
+ 	if (major(dev) >= MAXDEV || (blkmaj = chrtoblktbl[major(dev)]) == NODEV)
+ 		return (NODEV);
+ 	return (makedev(blkmaj, minor(dev)));
+ }
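Review bot: The major numbers hard-coded in `iskmemdev()`, `isdisk()` and `chrtoblktbl` duplicate the slot order of the device switch tables defined earlier in this file (only the tail of `cdevsw` is visible in this hunk), and nothing ties the two together. If these routines back the securelevel restrictions on memory and disk devices, which the update's subject suggests but the hunk does not show, a driver added or moved in the switch tables without a matching edit here would silently fall outside that protection. I would add a comment above `iskmemdev()` along the lines of `/* Major numbers below must match the bdevsw[]/cdevsw[] order above; update both together. */`, and extend each "minimal stub" remark to say that returning 0 turns the corresponding check off. Separately, `chrtoblktbl` is a `char` array holding `NODEV` (presumably -1 cast to `dev_t`), so the `== NODEV` test in `chrtoblk()` relies on plain `char` being signed on this machine; declaring the table `static short chrtoblktbl[MAXDEV]`, or a comment stating the assumption, would make that explicit.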
*** /usr/src/sys/pdp/cpu.h.old	Sat Dec 26 17:49:21 1992
--- /usr/src/sys/pdp/cpu.h	Sat Jan 14 01:07:04 1995
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)cpu.h	1.2 (2.11BSD GTE) 12/26/92
   */
  
  /*
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)cpu.h	1.3 (2.11BSD GTE) 1/14/95
   */
  
  /*
***************
*** 13,15 ****
--- 13,28 ----
   * between cpu types).
  */
  #define	PDP1170_LEAR	((physadr) 0177740)
+ 
+ /*
+  * CTL_MACHDEP definitions.
+  */
+ #define	CPU_CONSDEV		1	/* dev_t: console terminal device */
+ #define	CPU_MAXID		2	/* number of valid machdep ids */
+ 
+ #ifndef	KERNEL
+ #define CTL_MACHDEP_NAMES { \
+ 	{ 0, 0 }, \
+ 	{ "console_device", CTLTYPE_STRUCT }, \
+ }
+ #endif
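Review bot: `CTL_MACHDEP_NAMES` expands to `CTLTYPE_STRUCT`, which this header does not define and, as far as the visible hunks show, does not pull in, so any user program that expands the macro must already have included the sysctl definitions. A one-line comment above the macro, e.g. `/* CTLTYPE_* come from the sysctl header; include it before expanding this */`, would document that ordering requirement. The rest of cpu.h lies outside the hunk, so an include elsewhere in the file cannot be ruled out.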
*** /usr/src/sys/OTHERS/bad144/bad144.c.old	Mon Jan 10 21:34:57 1994
--- /usr/src/sys/OTHERS/bad144/bad144.c	Sat Jan 21 17:40:39 1995
***************
*** 9,15 ****
  "@(#) Copyright (c) 1980 Regents of the University of California.\n\
   All rights reserved.\n";
  
! static char sccsid[] = "@(#)bad144.c	5.4.1 (2.11BSD GTE) 12/31/93";
  #endif not lint
  
  /*
--- 9,15 ----
  "@(#) Copyright (c) 1980 Regents of the University of California.\n\
   All rights reserved.\n";
  
! static char sccsid[] = "@(#)bad144.c	5.4.2 (2.11BSD GTE) 1/21/95";
  #endif not lint
  
  /*
***************
*** 52,58 ****
  char	name[BUFSIZ];
  char	*malloc();
  off_t	lseek();
- off_t	tell();
  long	atol();
  
  main(argc, argv)
--- 52,57 ----
*** /usr/src/sys/GENERIC/Makefile.old	Tue Nov 29 23:30:06 1994
--- /usr/src/sys/GENERIC/Makefile	Sat Jan 14 00:36:30 1995
***************
*** 63,69 ****
  	quota_ufs.o subr_log.o vm_swp.o vm_swap.o vm_proc.o toy.o
  OV5=	ht.o tm.o ts.o mem.o
  OV6=	tmscp.o rl.o
! OV7=	mch_fpsim.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
  	${OV6} ${OV7} ${OV8} ${OV9} ${OV10} ${OV11} ${OV12} \
--- 63,69 ----
  	quota_ufs.o subr_log.o vm_swp.o vm_swap.o vm_proc.o toy.o
  OV5=	ht.o tm.o ts.o mem.o
  OV6=	tmscp.o rl.o
! OV7=	mch_fpsim.o kern_sysctl.o
  
  KERNOBJ=${CONF} ${BASE} ${OV1} ${OV2} ${OV3} ${OV4} ${OV5} \
  	${OV6} ${OV7} ${OV8} ${OV9} ${OV10} ${OV11} ${OV12} \
