HardenedBSD/etc/devd.conf
Hiroki Sato 0321b694c7 - Add support for a "!" character in regex matching in devd(8). It inverts
the logic (true/false) of the matching.

- Add "!usbus[0-9]+" to IFNET ATTACH notification handler in the default
  devd.conf to prevent rc.d/netif from running when usbus[0-9]+ is attached.

Reviewed by:	imp
2011-10-26 02:11:28 +00:00

327 lines
9.5 KiB
Plaintext

# $FreeBSD$
#
# Refer to devd.conf(5) and devd(8) man pages for the details on how to
# run and configure devd.
#
# NB: All regular expressions have an implicit ^$ around them.
# NB: device-name is shorthand for 'match device-name'
options {
# Each "directory" directive adds a directory to the list of
# directories that we scan for files. Files are loaded in the order
# that they are returned from readdir(3). The rule-sets are combined
# to create a DFA that's used to match events to actions.
directory "/etc/devd";
directory "/usr/local/etc/devd";
pid-file "/var/run/devd.pid";
# Setup some shorthand for regex that we use later in the file.
#XXX Yes, these are gross -- imp
set scsi-controller-regex
"(aac|adv|adw|aha|ahb|ahc|ahd|aic|amd|amr|asr|bt|ciss|ct|dpt|\
esp|ida|iir|ips|isp|mlx|mly|mpt|ncr|ncv|nsp|stg|sym|trm|wds)\
[0-9]+";
};
# Note that the attach/detach with the highest value wins, so that one can
# override these general rules.
#
# Configure the interface on attach. Due to a historical accident, this
# script is called pccard_ether.
#
# NB: DETACH events are ignored; the kernel should handle all cleanup
# (routes, arp cache). Beware of races against immediate create
# of a device with the same name; e.g.
# ifconfig bridge0 destroy; ifconfig bridge0 create
#
notify 0 {
match "system" "IFNET";
match "subsystem" "!usbus[0-9]+";
match "type" "ATTACH";
action "/etc/pccard_ether $subsystem start";
};
#
# Try to start dhclient on Ethernet-like interfaces when the link comes
# up. Only devices that are configured to support DHCP will actually
# run it. No link down rule exists because dhclient automatically exits
# when the link goes down.
#
notify 0 {
match "system" "IFNET";
match "type" "LINK_UP";
media-type "ethernet";
action "/etc/rc.d/dhclient quietstart $subsystem";
};
#
# Like Ethernet devices, but separate because
# they have a different media type. We may want
# to exploit this later.
#
detach 0 {
media-type "802.11";
action "/etc/pccard_ether $device-name stop";
};
attach 0 {
media-type "802.11";
action "/etc/pccard_ether $device-name start";
};
notify 0 {
match "system" "IFNET";
match "type" "LINK_UP";
media-type "802.11";
action "/etc/rc.d/dhclient quietstart $subsystem";
};
# An entry like this might be in a different file, but is included here
# as an example of how to override things. Normally 'ed50' would match
# the above attach/detach stuff, but the value of 100 makes it
# hard wired to 1.2.3.4.
attach 100 {
device-name "ed50";
action "ifconfig $device-name inet 1.2.3.4 netmask 0xffff0000";
};
detach 100 {
device-name "ed50";
};
# When a USB Bluetooth dongle appears, activate it
attach 100 {
device-name "ubt[0-9]+";
action "/etc/rc.d/bluetooth quietstart $device-name";
};
detach 100 {
device-name "ubt[0-9]+";
action "/etc/rc.d/bluetooth quietstop $device-name";
};
# Firmware downloader for Atheros AR3011 based USB Bluetooth devices
#attach 100 {
# match "vendor" "0x0cf3";
# match "product" "0x3000";
# action "sleep 2 && /usr/sbin/ath3kfw -d $device-name -f /usr/local/etc/ath3k-1.fw";
#};
# When a USB keyboard arrives, attach it as the console keyboard.
attach 100 {
device-name "ukbd0";
action "/etc/rc.d/syscons setkeyboard /dev/ukbd0";
};
detach 100 {
device-name "ukbd0";
action "/etc/rc.d/syscons setkeyboard /dev/kbd0";
};
attach 100 {
device-name "ums[0-9]+";
action "/etc/rc.d/moused quietstart $device-name";
};
detach 100 {
device-name "ums[0-9]+";
action "/etc/rc.d/moused stop $device-name";
};
# Firmware download into the ActiveWire board. After the firmware download is
# done, the device detaches and reappears as something new and shiny
# automatically.
attach 100 {
match "vendor" "0x0854";
match "product" "0x0100";
match "release" "0x0000";
action "/usr/local/bin/ezdownload -f /usr/local/share/usb/firmware/0854.0100.0_01.hex $device-name";
};
# Firmware download for Entrega Serial DB25 adapter.
attach 100 {
match "vendor" "0x1645";
match "product" "0x8001";
match "release" "0x0101";
action "if ! kldstat -n usio > /dev/null 2>&1 ; then kldload usio; fi; /usr/sbin/ezdownload -v -f /usr/share/usb/firmware/1645.8001.0101 /dev/$device-name";
};
# This entry starts the ColdSync tool in daemon mode. Make sure you have an up
# to date /usr/local/etc/palms. We override the 'listen' settings for port and
# type in /usr/local/etc/coldsync.conf.
notify 100 {
match "system" "USB";
match "subsystem" "DEVICE";
match "type" "ATTACH";
match "vendor" "0x082d";
match "product" "0x0100";
match "release" "0x0100";
action "/usr/local/bin/coldsync -md -p /dev/$cdev -t usb";
};
#
# Rescan scsi device-names on attach, but not detach. However, it is
# disabled by default due to reports of problems.
#
attach 0 {
device-name "$scsi-controller-regex";
// action "camcontrol rescan all";
};
# Don't even try to second guess what to do about drivers that don't
# match here. Instead, pass it off to syslog. Commented out for the
# moment, as the pnpinfo variable isn't set in devd yet. Individual
# variables within the bus supplied pnpinfo are set.
nomatch 0 {
# action "logger Unknown device: $pnpinfo $location $bus";
};
# Various logging of unknown devices.
nomatch 10 {
match "bus" "uhub[0-9]+";
action "logger Unknown USB device: vendor $vendor product $product \
bus $bus";
};
# Some PC-CARDs don't offer numerical manufacturer/product IDs, just
# show the CIS info there.
nomatch 20 {
match "bus" "pccard[0-9]+";
match "manufacturer" "0xffffffff";
match "product" "0xffffffff";
action "logger Unknown PCCARD device: CISproduct $cisproduct \
CIS-vendor $cisvendor bus $bus";
};
nomatch 10 {
match "bus" "pccard[0-9]+";
action "logger Unknown PCCARD device: manufacturer $manufacturer \
product $product CISproduct $cisproduct CIS-vendor \
$cisvendor bus $bus";
};
nomatch 10 {
match "bus" "cardbus[0-9]+";
action "logger Unknown Cardbus device: device $device class $class \
vendor $vendor bus $bus";
};
# Switch power profiles when the AC line state changes.
notify 10 {
match "system" "ACPI";
match "subsystem" "ACAD";
action "/etc/rc.d/power_profile $notify";
};
# Notify all users before beginning emergency shutdown when we get
# a _CRT or _HOT thermal event and we're going to power down the system
# very soon.
notify 10 {
match "system" "ACPI";
match "subsystem" "Thermal";
match "notify" "0xcc";
action "logger -p kern.emerg 'WARNING: system temperature too high, shutting down soon!'";
};
# Sample ZFS problem reports handling.
notify 10 {
match "system" "ZFS";
match "type" "zpool";
action "logger -p kern.err 'ZFS: failed to load zpool $pool'";
};
notify 10 {
match "system" "ZFS";
match "type" "vdev";
action "logger -p kern.err 'ZFS: vdev failure, zpool=$pool type=$type'";
};
notify 10 {
match "system" "ZFS";
match "type" "data";
action "logger -p kern.warn 'ZFS: zpool I/O failure, zpool=$pool error=$zio_err'";
};
notify 10 {
match "system" "ZFS";
match "type" "io";
action "logger -p kern.warn 'ZFS: vdev I/O failure, zpool=$pool path=$vdev_path offset=$zio_offset size=$zio_size error=$zio_err'";
};
notify 10 {
match "system" "ZFS";
match "type" "checksum";
action "logger -p kern.warn 'ZFS: checksum mismatch, zpool=$pool path=$vdev_path offset=$zio_offset size=$zio_size'";
};
# User requested suspend, so perform preparation steps and then execute
# the actual suspend process.
notify 10 {
match "system" "ACPI";
match "subsystem" "Suspend";
action "/etc/rc.suspend acpi $notify";
};
notify 10 {
match "system" "ACPI";
match "subsystem" "Resume";
action "/etc/rc.resume acpi $notify";
};
/* EXAMPLES TO END OF FILE
# An example of something that a vendor might install if you were to
# add their device. This might reside in /usr/local/etc/devd/deqna.conf.
# A deqna is, in this hypothetical example, a pccard ethernet-like device.
# Students of history may know other devices by this name, and will get
# the in-jokes in this entry.
nomatch 10 {
match "bus" "pccard[0-9]+";
match "manufacturer" "0x1234";
match "product" "0x2323";
action "kldload if_deqna";
};
attach 10 {
device-name "deqna[0-9]+";
action "/etc/pccard_ether $device-name start";
};
detach 10 {
device-name "deqna[0-9]+";
action "/etc/pccard_ether $device-name stop";
};
# Examples of notify hooks. A notify is a generic way for a kernel
# subsystem to send event notification to userland.
# Here are some examples of ACPI notify handlers. ACPI subsystems that
# generate notifies include the AC adapter, power/sleep buttons,
# control method batteries, lid switch, and thermal zones.
#
# Information returned is not always the same as the ACPI notify
# events. See the ACPI specification for more information about
# notifies. Here is the information returned for each subsystem:
#
# ACAD: AC line state (0 is offline, 1 is online)
# Button: Button pressed (0 for power, 1 for sleep)
# CMBAT: ACPI battery events
# Lid: Lid state (0 is closed, 1 is open)
# RCTL: Resource limits
# Suspend, Resume: Suspend and resume notification
# Thermal: ACPI thermal zone events
#
# This example calls a script when the AC state changes, passing the
# notify value as the first argument. If the state is 0x00, it might
# call some sysctls to implement economy mode. If 0x01, it might set
# the mode to performance.
notify 10 {
match "system" "ACPI";
match "subsystem" "ACAD";
action "/etc/acpi_ac $notify";
};
# This example works around a memory leak in PostgreSQL, restarting
# it when the "user:pgsql:swap:devctl=1G" rctl(8) rule gets triggered.
notify 0 {
match "system" "RCTL";
match "rule" "user:70:swap:.*";
action "/usr/local/etc/rc.d/postgresql restart"
};
*/