Subject: Re: veriexec strictness
To: None <tech-kern@netbsd.org>
From: Nino Dehne <ndehne@gmail.com>
List: tech-kern
Date: 06/15/2005 01:48:35
> That is a bug, Thanks for reporting. Revision 1.25 of
> sys/kern/kern_verifiedexec.c fixes it.

Thanks for the quick fix! I incorporated it into my local netbsd-3
sources for now.

However, some more issues arose.

First, when the strict level is set to 1, just querying the strict
level results in a

# sysctl kern.veriexec.strict
sysctl: kern.veriexec.strict: sysctl() failed with Operation not permitted

Then, in order to set the strict level, I used /etc/sysctl.conf. The
problem is that /etc/rc.d/sysctl gets called before /etc/rc.d/veriexec
by default. This "locks up" veriexec before any fingerprints are
loaded, which is obviously fatal. A quick hack of mine was to change
"BEFORE: securelevel" to "BEFORE: securelevel sysctl" in
/etc/rc.d/veriexec which somehow worked. I'm not sure though if there
is not a better way to do this.

Several things come to mind:

1) Make the strict level an rcvar specific to veriexec. Not sure if
this belongs there.
2) Somehow prevent veriexec from raising strictness if there is no
fingerprint loaded. Not desirable IMHO.
3) Properly reorder the rc.d script. My best guess.
4) Something else.

I also noticed that the veriexecctl(8) man page is out of sync. That's
it for now.

Bye,

ND
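
Added example, not part of the original message: a small check that the rc.d ordering keywords actually force the veriexec script (which loads the fingerprints) to run before the sysctl script (which raises the strict level). The header contents are constructed, simplified samples rather than copies from a NetBSD tree, and the function names are hypothetical.

```python
import re

# Constructed, simplified rc.d headers (assumptions, not the real NetBSD files).
ROOT = "# PROVIDE: root\n"
SECURELEVEL = "# PROVIDE: securelevel\n# REQUIRE: root\n"
SYSCTL = "# PROVIDE: sysctl\n# REQUIRE: root\n# BEFORE: securelevel\n"
VERIEXEC_DEFAULT = "# PROVIDE: veriexec\n# REQUIRE: root\n# BEFORE: securelevel\n"
VERIEXEC_PATCHED = "# PROVIDE: veriexec\n# REQUIRE: root\n# BEFORE: securelevel sysctl\n"


def parse(text):
    """Return {keyword: [names]} for the ordering keywords in one script."""
    out = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for m in re.finditer(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", text, re.M):
        out[m.group(1)].extend(m.group(2).split())
    return out


def edges(scripts):
    """Map each provided name to the set of names that must run after it."""
    after = {}
    for text in scripts:
        kw = parse(text)
        for name in kw["PROVIDE"]:
            after.setdefault(name, set()).update(kw["BEFORE"])
            for req in kw["REQUIRE"]:
                after.setdefault(req, set()).add(name)
    return after


def forced_before(scripts, first, second):
    """True only if the constraints guarantee that first runs before second.

    False means the relative order is left to the ordering tool, which is
    the situation where the strict level can be raised with no fingerprints.
    """
    after = edges(scripts)
    seen, stack = set(), [first]
    while stack:
        node = stack.pop()
        for nxt in after.get(node, ()):
            if nxt == second:
                return True
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False
```

With only "BEFORE: securelevel" nothing ties veriexec to sysctl in either direction; adding sysctl to the BEFORE line creates the edge that guarantees fingerprints are loaded first.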