Warner Losh [Tue, 6 Feb 2024 23:11:38 +0000 (16:11 -0700)]
leapseconds: Update to the canonical place.
IERS is the source of truth for leap seconds. Their leapsecond file is
updated most quickly and is always right (unlike the IANA one which
often lags). IERS operates this public service for the express purpose
of random people downloading it. Their terms of service are compatible
with open source (we could include this in our release). Rather than
fighting with questions around this because the IANA one changed
locations or the auto update script broken, just use this.
This is in preference to the NIST ftp copy. NIST is in the process of
retiring their FTP services.
Check for privilege PRIV_SCHED_SETPOLICY instead of PRIV_SCHED_SET, to
at least make it coherent with what is done at thread creation when
a realtime policy is requested, and have users authorized by
mac_priority(4) pass it.
This change is good enough in practice since it only allows 'root' (as
before) and mac_priority(4)'s authorized users in (the point of this
change), without other side effects. More changes in this area, to
generally ensure that all privilege checks are consistent, are going to
come as olce's priority revamp project lands.
Alan Somers [Thu, 25 Jan 2024 15:19:37 +0000 (08:19 -0700)]
fusefs: fix invalid value for st_birthtime.tv_nsec
If a file system's on-disk format does not support st_birthtime, it
isn't clear what value it should return in stat(2). Neither our man
page nor the OpenGroup specifies. But our convention for UFS and
msdosfs is to return { .tv_sec = -1, .tv_nsec = 0 }. fusefs is
different. It returns { .tv_sec = -1, .tv_nsec = -1 }. It's done that
ever since the initial import in SVN r241519.
Most software apparently handles this just fine. It must, because we've
had no complaints. But the Rust standard library will panic when
reading such a timestamp during std::fs::metadata, even if the caller
doesn't care about that particular value. That's a separate bug, and
should be fixed.
Change our invalid value to match msdosfs and ufs, pacifying the Rust
standard library.
Mark Johnston [Wed, 7 Feb 2024 14:43:25 +0000 (09:43 -0500)]
inpcb: Restore some NULL checks of credential pointers
At least one out-of-tree port (net-mgmt/ng_ipacct) depends on being able
to call in_pcblookup_local() with cred == NULL, so the MFC of commit ac1750dd143e ("inpcb: Remove NULL checks of credential references")
broke compatibility.
Restore a subset of the NULL checks to avoid breaking the module in the
13.3 release. This is a direct commit to stable/13.
Kyle Evans [Tue, 16 Jan 2024 02:55:58 +0000 (20:55 -0600)]
kern: tty: fix ttyinq_read_uio assertion
It's clear from later context that `rlen` was always expected to include
`flen`, as we'll trim `flen` bytes from the end of the read. Relax our
initial assertion to only require the total size less trimmed bytes to
lie within the out buffer size.
While we're here, I note that if we have to read more than one block and
we're trimming from the end then we'll do the wrong thing and omit
`flen` bytes from every block, rather than just the end. Add an
assertion to make sure we're not doing that, but the only caller that
specifies a non-zero `flen` today will only really be doing so if rlen
is entirely within a single buffer.
Olivier Certner [Thu, 25 Jan 2024 22:25:10 +0000 (23:25 +0100)]
login_cap.h: Remove LOGIN_DEFPRI
This is an implementation detail which is likely to become irrelevant in
the future, as we move to not resetting the priority if the
corresponding capability is not present in the configuration file
('/etc/login.conf').
GitHub's code search and Google show no use of this public constant, and
it doesn't exist in OpenBSD and NetBSD.
So, remove this definition and its sole use in-tree.
PR: 276570 (exp-run)
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43609
Olivier Certner [Thu, 25 Jan 2024 22:10:40 +0000 (23:10 +0100)]
login_cap.h: Remove LOGIN_DEFUMASK
This public constant has not been used in-tree since 1997 (this was
noticed while working on previous commit "setusercontext(): umask: Set
it only once (in the common case)").
Since it was an implementation detail and GitHub's code search and
Google show no use of this symbol today, simply remove it.
PR: 276570 (exp-run)
Reviewed by: emaste, kib (earlier version, then part of D40344)
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43608
Olivier Certner [Tue, 30 May 2023 15:14:50 +0000 (17:14 +0200)]
setusercontext(): Set priority from '~/.login_conf' as well
Setting the process priority is done only when the current process'
effective UID corresponds to that for which context is to be set.
Consequently, setting priority is done with appropriate credentials and
will fail if the target user tries to raise it unduly via his
'~/.login_conf'.
PR: 271751
Reviewed by: kib, Andrew Gierth <andrew_tao173.riddles.org.uk>
Approved by: emaste (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40352
Olivier Certner [Wed, 21 Jun 2023 08:53:37 +0000 (10:53 +0200)]
setclasspriority(): New possible value 'inherit'
It indicates to the login.conf machinery (setusercontext() /
setclasscontext()) to leave priority alone, effectively inheriting it
from the parent process.
Olivier Certner [Wed, 21 Jun 2023 08:39:15 +0000 (10:39 +0200)]
login.conf(5): Document priority's default and possible values
Priority is reset to 0 if not explicitly specified.
While here, be more explicit about what "Initial priority (nice) level"
means and document that it is possible to set real-time or idle class'
priorities with this capability.
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40689
Olivier Certner [Mon, 29 May 2023 16:39:04 +0000 (18:39 +0200)]
setusercontext(): Better error messages when priority is not set correctly
Polish the syslog messages to contain readily useful information.
Behavior of capability 'priority' is inconsistent with what is done for
all other contexts: 'umask', 'cpumask', resource limits, etc., where an
absence of capability means to inherit the value. It is currently
preserved for compatibility, but is subject to change on a future major
release.
Olivier Certner [Thu, 25 May 2023 12:18:45 +0000 (14:18 +0200)]
setusercontext(): umask: Set it only once (in the common case)
Simplify the code and make it more coherent (umask was the only context
setting not modified by setlogincontext() directly).
Preserve the current behavior of not changing the umask if none is
specified in the login class capabilities database, but without the
superfluous umask() dance. (The only exception to this is that
a special value no user is likely to input in the database now stands
for no specification.)
If some user has a 'umask' override in its '~/.login_conf', the umask
will still be set twice as before (as is the case for all other context
settings overriden in '~/.login_conf').
Log a warning in case of an invalid umask specification.
This change makes it apparent that the value of LOGIN_DEFUMASK doesn't
matter. It will be removed in a subsequent commit.
Mike Karels [Sat, 27 Jan 2024 15:40:07 +0000 (09:40 -0600)]
inet(3): clarify syntax accepted by inet_pton
The section INTERNET ADDRESSES describes the acceptance of dotted
values with varying number of parts in multiple bases. This applies
to inet_aton and inet_addr, but not to inet_pton. Clarify this
section by listing the functions to which this applies. Move the
description of what inet_pton accepts into this section from STANDARDS,
where it is easily missed. Rename the section to clarify that it
applies only to IPv4. (inet_pton also works with IPv6.)
Mike Karels [Fri, 5 Jan 2024 19:41:24 +0000 (13:41 -0600)]
arm64/RPI: enable powerd by default on arm64-aarch64-RPI images
Most 64-bit Raspberry Pi models have a variable processor clock
speed that defaults to a slow speed (e.g. 600 MHz for a nominal
1.5 GHz clock). This results in everything running slowly unless
or until powerd is started, and FreeBSD is then thought to be slow.
Enable powerd by default in /etc/rc.conf on the arm64-aarch64-RPI
images. Tested on Raspberry Pi 3B+ and 4B so far.
Dimitry Andric [Sat, 27 Jan 2024 21:51:08 +0000 (22:51 +0100)]
Add libllvm and liblldb source files to enable WITH_ASAN build
This is another part of fixing the WITH_ASAN build. Some additional
source files had to be added to libllvm and liblldb, since the ASan
instrumentation causes symbols in those files to be referenced.
Dimitry Andric [Sat, 27 Jan 2024 21:24:38 +0000 (22:24 +0100)]
msun: remove fabs from Symbol.map, and adjust comment
We have s_fabs.c, but fabs(3) is already provided by libc due to
historical reasons, so it is not compiled into libm. When the linker
does not use --undefined-version, this leads to a complaint about the
symbol being nonexistent, so remove it from Symbol.map.
While here, adjust the comment about some functions being supplied by
libc: while it is true that all these are indeed in libc, libm still
includes its own versions of frexp(3), isnan(3), isnanf(3), and
isnanl(3).
Reported by: Steve Kargl <sgk@troutmask.apl.washington.edu>
MFC after: 3 days
a freebsd dev member reported a symbol conflict and intercepting this
had little value anyway.
This is one part of fixing the WITH_ASAN build. Some executables in the
base system define their own hexdump() symbol, which would otherwise
conflict with the ASan-intercepted one.
Kyle Evans [Tue, 16 Jan 2024 02:55:59 +0000 (20:55 -0600)]
kern: tty: recanonicalize the buffer on ICANON/VEOF/VEOL changes
Before this change, we would canonicalize any partial input if the new
local mode is not ICANON, but that's about it. If we were switching
from -ICANON -> ICANON, or if VEOF/VEOL changes, then our internal canon
accounting would be wrong.
The main consequence of this is that in ICANON mode, we would
potentially hang a read(2) longer if the new VEOF/VEOL appears later in
the buffer, and FIONREAD would be similarly wrong as a result.
Kyle Evans [Tue, 16 Jan 2024 02:55:59 +0000 (20:55 -0600)]
kern: pts: do not special case closed slave side
This would previously return 1 if the slave side of the pts was closed
to force an application to read() from it and observe the EOF, but it's
not clear why and this is inconsistent both with how we handle devices
with similar mechanics (like pipes) and also with other kernels, such as
OpenBSD/NetBSD and Linux.
Kyle Evans [Tue, 16 Jan 2024 02:55:58 +0000 (20:55 -0600)]
kern: tty: fix EOF handling for canonical reads
If the read(2) buffer is one byte short of an EOF, then we'll end up
reading the line into the buffer, then re-entering and seeing an EOF at
the beginning of the inq, assuming it's a zero-length line.
Fix this corner-case by searching one more byte than we have available
for an EOF. If we found it, then we'll trim it here; otherwise, we'll
limit our read to just the space we have in the out buffer and the next
read(2) will (potentially) read the remainder of the line.
Fix FIONREAD while we're here to match what an application can expect
read(2) to return -- scan for the first break character in the part of
the input that's been canonicalized, we'll never return more than that.
Michael Osipov [Fri, 24 Nov 2023 09:26:41 +0000 (10:26 +0100)]
periodic: Make daily diff(1) output as small is possible
Make, by default, daily diff(1) ignore whitespace changes and the unified output
a context of zero (0) lines. This reduces output of unrelated lines in e-mails
delivered to root.
Michael Osipov [Fri, 24 Nov 2023 09:26:41 +0000 (10:26 +0100)]
periodic: Make security diff(1) output as small is possible
Make, by default, security diff(1) produce a unified output with a context of
zero (0) lines. This reduces output of unrelated lines in e-mails delivered
to root.
Xin LI [Sat, 27 Jan 2024 03:09:39 +0000 (19:09 -0800)]
releng-gce: Advertise the availability of UEFI support in GCE images.
The amd64 and arm64 images supported UEFI, mark it as so users can take
advantage of UEFI boot on GCE. This is already done on FreeBSD
14.0-RELEASE but never codified into the release tools (and should).
Aaron LI [Mon, 22 Jan 2024 16:18:56 +0000 (10:18 -0600)]
wg: detach bpf upon destroy as well
bpfattach() is called in wg_clone_create(), but the bpfdetach() is
missing from wg_close_destroy(). Add the missing bpfdetach() to avoid
leaking both the associated bpf bits as well as the ifnet that bpf will
hold a reference to.
Aaron LI [Wed, 17 Jan 2024 23:29:23 +0000 (23:29 +0000)]
if_wg: fix access to noise_local->l_has_identity and l_private
These members are protected by the identity lock, so rlock it in
noise_remote_alloc() and then assert that we have it held to some extent
in noise_precompute_ss().
Aaron LI [Wed, 17 Jan 2024 23:29:23 +0000 (23:29 +0000)]
if_wg: fix erroneous calculation in calculate_padding() for p_mtu == 0
In practice this is harmless; only keepalive packets may realistically have
p_mtu == 0, and they'll also have no payload so the math works out the same
either way. Still, let's prefer technical accuracy and calculate the amount
of padding needed rather than the padded length...
Mark Johnston [Mon, 15 Jan 2024 17:29:02 +0000 (12:29 -0500)]
condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled
When a thread wakes up after sleeping on a CV, it must not dereference
the CV structure, as it may already have been freed. At least ZFS
relies on this invariant, see commit c636f94bd2ff15be5b904939872b4bce31456c18 for example.
Thus, when logging context-switch events, copy the wmesg into a stack
buffer while it is still safe to do so, and log that after waking up.
While here, move the initial ktrcsw() call later, after assertions and
the SCHEDULER_STOPPED_TD() condition are checked.
Mark Johnston [Mon, 15 Jan 2024 17:27:11 +0000 (12:27 -0500)]
condvar: Clean up condvar.h a bit
- Remove a typedef that has been unused for a long time.
- Remove a LOCORE guard. MI headers like condvar.h don't need such a
guard in general.
- Move a forward declaration into the _KERNEL block.
- Add a types.h include to make the file self-contained.
Cy Schubert [Sat, 20 Jan 2024 13:52:35 +0000 (05:52 -0800)]
rc.d/kdc: Support start of MIT krb5kdc
Some users wishing to use the MIT krb5kdc have discovered the
kdc script workaround applied to the MIT krb5 ports is insufficient.
Let's build into this rc script the smarts to determine whether
base or ports Hiemdal kdc is being invoked or the MIT krb5kdc.
While at it, remove kdc_start_precmd(). This will simplify a future
jail patch.
Chuck Tuffli [Thu, 12 Oct 2023 22:04:17 +0000 (15:04 -0700)]
bhyve nvme: Add NQN value
Add a NVMe Qualified Name (NQN) to the Controller Data structure using
the "first format" (i.e., "... used by any organization that owns a
domain name" Section 7.9 NVM-Express 1.4c 2021.06.28 Ratified).
This avoids a Linux kernel warning about a missing or invalid NQN.
Olivier Certner [Thu, 4 Jan 2024 17:45:52 +0000 (18:45 +0100)]
pthread_attr_get_np(): Use malloc(), report ENOMEM, don't tamper on error
Similarly as in the previous commit, using calloc() instead of malloc()
is useless here in the regular case since the subsequent call to
cpuset_getaffinify() is going to completely fill the allocated memory.
However, there is an additional complication. This function tries to
allocate memory to hold the cpuset if it previously wasn't, and does so
before the thread lock is acquired, which can fail on a bad thread ID.
In this case, it is necessary to deallocate the memory allocated in this
function so that the attributes object appears unmodified to the caller
when an error is returned. Without this, a subsequent call to
pthread_attr_getaffinity_np() would expose uninitialized memory (not
a security problem per se, since it comes from the same process) instead
of returning a full mask as it would before the failing call to
pthread_attr_get_np(). So the caller would be able to notice a change
in the state of the attributes object even if pthread_attr_get_np()
reported failure, which would be quite surprising. A similar problem
that could occur on failure of cpuset_setaffinity() has been fixed.
Finally, we shall always report memory allocation failure. This already
goes for pthread_attr_init(), so, if for nothing else, just be
consistent.
Reviewed by: emaste, kib
Approved by: emaste (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43329
Olivier Certner [Thu, 4 Jan 2024 15:10:40 +0000 (16:10 +0100)]
libthr: thr_attr.c: More style and clarity fixes
The change of argument for sizeof() (from a type to an object) is to be
consistent with the change done for the malloc() code just above in the
preceding commit touching this file.
Consider bit flags as integers and test whether they are set with an
explicit comparison with 0.
Use an explicit flag value (PTHREAD_SCOPE_SYSTEM) in place of a variable
that has this value at point of substitution.