Subject: various features
To: None <tech-kern@netbsd.org>
From: br1an <brian@ethernet.org>
List: tech-kern
Date: 10/31/2004 17:32:39

hi,

after talking a bit with brett lymn about netbsd's veriexec and new code
in vexec (from stephanie) we came to an agreement for importing some of
the code into the netbsd tree.

that's not a problem and as i understood it'll go in - if at all - to
the 2.1 release.

i'd like to get people's opinion on it, aside from several changes i've
already discussed with brett - mostly related to adding hooks in the VM
system for trusted data, or to be more correct, detecting untrusted data
for NFS transfers and a change in how dynamic libraries are supported.

other things i'd like to know:

  - i recall discussion in here (tech-kern@) about adding privacy hooks.
    what's the consensus about that? some of my work focuses on that
    aspect and includes changes to sysctl code to allow privacy across
    all sysctl-used code.

  - for a while i've been looking into 'converting' many of the live kvm
    uses to sysctl-based. the most interesting one is definitely
    netstat, and i'd like to know if anyone looked into that or has any
    ideas on how to implement it best.

    right now netstat uses kvm for data access which means a ton of k-u
    copies. one of the ideas me and some others initially thought of was
    to implement it using chunked copying + filtering passed as another
    sysctl level.

    the idea is to query from userland as to how much space is needed,
    allocate in userspace + slop space, allocate a kernel buffer
    (possibly from a pool? or whatever) and do a k-k copy to construct
    an augmented data-structure, and then copying it to the userspace
    allocated buffer.

i can supply and work on code for all that, some of it is ready, some
isn't, but the question is what the committers think..

thanks,

-b.

ps. for stephanie - http://ethernet.org/~brian/Stephanie/
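
The size-query, slop, and filtered-copy scheme sketched in the message, as an added example that is not part of the original post or of any NetBSD code. `mock_sysctl`, `struct conn_rec`, `fetch_conns` and the table contents are hypothetical stand-ins; the mock simplifies sysctl(2) by copying nothing when the buffer is too small, and the retry loop covers the case where the table grows between the size query and the fetch.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical flattened record the kernel would export (not a NetBSD struct). */
struct conn_rec { int proto; unsigned short lport, fport; };
/* Constructed stand-in for the kernel's live connection table. */
static struct conn_rec table[64] = {{6, 22, 50001}, {17, 53, 0}, {6, 80, 50002}};
static size_t table_len = 3;
static int grow_once = 0;   /* set to simulate a connection appearing between calls */

/* Simplified mock of sysctl(2) oldp/oldlenp semantics; 'proto' plays the extra filter level. */
static int mock_sysctl(int proto, void *oldp, size_t *oldlenp)
{
    struct conn_rec kbuf[64];   /* "kernel buffer": k-k copy of matching entries */
    size_t n = 0, need;
    if (oldp != NULL && grow_once) {
        grow_once = 0;
        table[table_len++] = (struct conn_rec){6, 443, 50003};
    }
    for (size_t i = 0; i < table_len; i++)
        if (proto == 0 || table[i].proto == proto)
            kbuf[n++] = table[i];
    need = n * sizeof(kbuf[0]);
    if (oldp == NULL) { *oldlenp = need; return 0; }    /* size query only */
    if (*oldlenp < need) { errno = ENOMEM; return -1; } /* never overrun the user buffer */
    memcpy(oldp, kbuf, need);   /* stands in for the single copy to userspace */
    *oldlenp = need; return 0;
}

/* Userland side: size query, allocate with slop, fetch, retry if the table grew. */
static struct conn_rec *fetch_conns(int proto, size_t slop, size_t *count, int *tries)
{
    for (*tries = 1; *tries <= 8; (*tries)++) {
        size_t len;
        if (mock_sysctl(proto, NULL, &len) == -1) return NULL;
        len += slop * sizeof(struct conn_rec);
        struct conn_rec *buf = malloc(len ? len : 1);
        if (buf == NULL) return NULL;
        if (mock_sysctl(proto, buf, &len) == 0) {
            *count = len / sizeof(*buf);   /* kernel reports bytes actually written */
            return buf;
        }
        int err = errno;
        free(buf);
        if (err != ENOMEM) return NULL;    /* only a too-small buffer is retried */
    }
    return NULL;
}
```

With no slop, a single new entry between the two calls forces a second round trip; one record of slop absorbs it.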