Sleep for one second after calling audit -t to give the audit daemon a
chance to actually terminate the audit service and exit. Otherwise, on
an rc.d/auditd restart, the new audit daemon instance may try to start
auditing while the previous session is still running. Likewise, this
ensures a chance for auditd to terminate the audit trail at system
shutdown.
Perhaps more ideally, the script would wait synchronously for auditd to
exit rather than for an arbitrary but short period of time.
MFC after: 3 days
Obtained from: TrustedBSD Project
- move steps describing how to gain ipdivert support to SYNOPSIS and
follow the style of other section 4 manual pages
- add ipfw(4) to SEE ALSO section
Rework the way errors are handled with respect to how audit records are
written to the audit trail file:
- audit_record_write() now returns void, and all file system specific
error handling occurs inside this function. This pushes error handling
complexity out of the record demux routine that hands off to both the
trail and audit pipes, and makes trail behavior more consistent with
pipes as a record destination.
- Rate limit kernel printfs associated with running low on space. Rate
limit audit triggers for low space. Rate limit printfs for fail stop
events. Rate limit audit worker write error printfs.
- Document in detail the types of limits and space checks we perform, and
combine common cases.
This improves the audit subsystems tolerance to low space conditions by
avoiding toasting the console with printfs are waking up the audit daemon
continuously.
MFC after: 3 days
Obtained from: TrustedBSD Project
add KTRACE hooks into kevent... This will help people debug their kqueue
programs to find out exactly which events were registered and which were
returned... This should be lower in kern_kevent, but that would require
special munging due to locks and the functions used to copyin/copyout
kevents...
If someone wants to teach ktrace how to output pretty kevents, I have a
kevent prety printer that can be used...
The goal was to sync with the OSSv4 API 4Front Technologies uses in their
proprietary OSS driver. This was successful as far as possible. The part
of the API which is stable is implemented, for the rest there are some
stubs already.
New system ioctls:
- SNDCTL_SYSINFO - obtain audio system info (version, # of audio/midi/
mixer devices, etc.)
- SNDCTL_AUDIOINFO - fetch details about a specific audio device
- SNDCTL_MIXERINFO - fetch details about a specific mixer device
New audio ioctls:
- Sync groups (SNDCTL_DSP_SYNCGROUP/SNDCTL_DSP_SYNCSTART) which allow
triggered playback/recording on multiple devices (even across processes
simultaneously).
- Peak meters (SNDCTL_DSP_GETIPEAKS/SNDCTL_DSP_GETOPEAKS) - can query
audio drivers for peak levels (needs driver support, disabled for now).
- Per channel playback/recording levels -
SNDCTL_DSP_{GET,SET}{PLAY,REC}VOL. Note that these are still in name
only, just wrapping around the AC97-style mixer at the moment. The next
step is to push them down to the drivers.
Audio ioctls still under development by 4Front (for which stubs may exist
in this commit):
- SNDCTL_GETNAME, SNDCTL_{GET,SET}{SONG,LABEL}
- SNDCTL_DSP_{GET,SET}_CHNORDER
- SNDCTL_MIX_ENUMINFO, SNDCTL_MIX_EXTINFO - (might be documented enough in
the OSS releases to work on this. These ioctls cover the cool "twiddle
any knob on your card" features.)
Missing:
- SNDCTL_DSP_COOKEDMODE -- this ioctl is used to give applications direct
access to a card's buffers, bypassing the feeder architecture. It's
a toughy -- "someone" needs to decide :
(a) if this is desireable, and (b) if it's reasonably feasible.
Updates for driver writers:
So far, only two routines to the channel class (in channel_if.m) are added.
One is for fetching a list of discrete supported playback/recording rates
of a channel, and the other is for fetching peak level info (useful for
drawing peak meters). Interested parties may want to help pushing down
SNDCTL_DSP_{GET,SET}{PLAY,REC}VOL into the drivers.
To use the new stuff you need to rebuild the sound drivers or your kernel
(depending on if you use modules or not) and to install soundcard.h (a
buildworld/installworld handles this).
Sponsored by: Google SoC 2006
Submitted by: ryanb
Many thanks to: 4Front Technologies for their cooperation, explanations
and the nice license of their soundcard.h.
now that we don't automagicly increase the MTU of host routes, when we copy
the loopback interface, copy it's mtu also.. This means that we again have
large mtu support for local ip addresses...
MFp4:
- Linux returns ENOPROTOOPT in a case of not supported opt to setsockopt.
- Return EISDIR in pread() when arg is a directory.
- Return EINVAL instead of EFAULT when namelen is not correct in accept().
- Return EINVAL instead of EACCESS if invalid access mode is entered in
access().
- Return EINVAL instead of EADDRNOTAVAIL in a case of bad salen param
to bind().
Submitted by: rdivacky
Tested with: LTP (vfork01 fails now, but it seems to be a race and
not caused by those changes)
MFC after: 1 week
Allow the ASF feature to be disabled via a tunable. On one of my systems,
bringing up the bge interface results in a complete system freeze when
this feature is enabled. Leave it enabled by default.
Always set the IP version in the TCP input path, to preserve
the header field for possible later IPSEC SPD lookup, even
when the kernel is built without 'options INET6'.
PR: kern/57760
MFC after: 1 week
Submitted by: Joachim Schueth
If /dev/tty gets opened after your controlling terminal has been revoked
you can't call tty_clone afterwords. OpenBSD and NetBSD both fail the
open call in that case, so we should do so as well. This can
be done in ctty_clone by returning with *dev==NULL. Admittedly this
causes open to return ENOENT, instead of ENXIO as on the other BSDs,
but this way requires the least touching of code.
Stop reloading %fs and %gs, since it causes the base address from
GDT to be loaded into FS.base and GS.base, these values of course
are not the values set by sysarch() with I386_SET_FSBASE and
I386_SET_GSBASE, the change fixed a crash for 32bit libthr after
signal handler returned and normal code is accessing thread pointer,
for example: movl %gs:8, %eax.
Add a -a argument to id(1), which causes id(1) to print out process
audit properties, including the audit user id. This can be quite
helpful in debugging audit problems.
Obtained from: TrustedBSD Project
MFC after: 3 days
Update the ipmi(4) driver:
- Split out the communication protocols into their own files and use
a couple of function pointers in the softc that the commuication
protocols setup in their own attach routine.
- Add support for the SSIF interface (talking to IPMI over SMBus).
- Add an ACPI attachment.
- Add a PCI attachment that attaches to devices with the IPMI interface
subclass.
- Split the ISA attachment out into its own file: ipmi_isa.c.
- Change the code to probe the SMBIOS table for an IPMI entry to just use
pmap_mapbios() to map the table in rather than trying to setup a fake
resource on an isa device and then activating the resource to map in the
table.
- Make bus attachments leaner by adding attach functions for each
communication interface (ipmi_kcs_attach(), ipmi_smic_attach(), etc.)
that setup per-interface data.
- Formalize the model used by the driver to handle requests by adding an
explicit struct ipmi_request object that holds the state of a given
request and reply for the entire lifetime of the request. By bundling
the request into an object, it is easier to add retry logic to the various
communication backends (as well as eventually support BT mode which uses
a slightly different message format than KCS, SMIC, and SSIF).
- Add a per-softc lock and remove D_NEEDGIANT as the driver is now MPSAFE.
- Add 32-bit compatibility ioctl shims so you can use a 32-bit ipmitool
on FreeBSD/amd64.
- Add ipmi(4) to i386 and amd64 NOTES.
Submitted by: ambrisko (large portions of 2 and 3)
Sponsored by: IronPort Systems, Yahoo!
MFC after: 6 days
Revert r1.80 as the ethernet header was inadvertently stripped from ARP
packets. Reimplement this correctly and use a sysctl that defaults to off so
the user doesnt get any suprises if ipfw blocks the ARP packet.
Be more GNU compatible:
don't be greedy on the GNU "::" extension when arg separated by whitespace
and POSIX_CORRECTLY is set. From POSIX point of view this is unclear
situation, so minimal assumption looks right.
Fix a case where socket I/O atomicity is violated due to not dropping
the entire record when a non-data mbuf is removed in the soreceive() path.
This only triggers a panic directly when compiled with INVARIANTS.
PR: 38495
Submitted by: James Juran
MFC after: 1 week
The sparc64/sparc64/pmap.c implementations of pmap_remove(),
pmap_protect(), and pmap_copy() have optimizations for regions
larger than PMAP_TSB_THRESH (which works out to 16MB). This
caused a panic in tsb_foreach for kernel mappings, since
pm->pm_tsb is NULL in that case. This fix teaches tsb_foreach
to use the kernel's tsb in that case.
Connect up a QUEUE FULL event with CAM and adjust openings.
Unfortunately, the QUEUE FULL event only tells you Bus && Target.
It doesn't tell you lun. In order for the XPT_REL_SIMQ action to
work, we have to have a real lun. But which one? For now, just
iterate over MPT_MAX_LUNS.
Practically speaking, this is only going to be happening for lower
quality SAS or SATA drives behind the SAS controller, which means
only lun 0, so it's not so bad.
Helpful Reminder Nagging from: John Baldwin, Fred Whiteside
andre [Thu, 21 Sep 2006 19:14:51 +0000 (19:14 +0000)]
Move the initialization of the hardware capabilities in em_init_locked()
before em_setup_transmit_structures() as it needs this information to
properly set up TSO parameters.
atomic_fetchadd_int is used by mb_free_ext(), but it
returns the previous value that the "add" effected (In
this case we are adding -1), afterwhich we compare it
to '0'... to see if we free the mbuf... we should
be comparing it to '1'... Note that this only effects
when there is contention since there is a first part
to the comparison that checks to see if its '1'. So
this bug would only crop up if two CPU's are trying
to free the same mbuf refcount at the same time. This
will happen in SCTP but I doubt can happen in TCP or
UDP.
PR: N/A
Submitted by: rrs
Reviewed by: gnn,sam
Approved by: gnn,sam
Vendor import of OpenBSM 1.0 alpha 11, with the following change history
notes since the last import:
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.
Replace system call thr_getscheduler, thr_setscheduler, thr_setschedparam
with rtprio_thread, while rtprio system call is for process only, the new
system call rtprio_thread is responsible for LWP.
Introduce a new method ipv6if which attemptes to figure out if an
interface is an IPv6 interface.
Use this method to decide if we should attempt to configure an interface
with an IPv6 address in pccard_ether. The mechanism pccard_ether uses
to do this is unsuited to the task because it assumes the list of
interfaces it is passed is the full list of IPv6 interfaces and makes
decissions based on that. This is at least a step in the right
direction and is probably about as much as we can MFC safely.
kan [Thu, 21 Sep 2006 01:37:02 +0000 (01:37 +0000)]
Use __builtin_va_start instead of __builtin_stdarg_start. GCC4 obsoletes
the former and __builtin_va_start was present in all GCC version 3.1 and
later.
In the spirit of nanoBSD and PicoBSD, add TinyBSD.
Submitted by jmeloatfreebsdbrasil,com-br
(Jean Milanez Melo)
As PicoBSD becomes slightly less useful, TinyBSD fills the gap below nanoBSD.
Based on The Open Group Base Specifications Issue 6 IEEE Std 1003.1, our
current implementation of df(1) is does not properly format the output under
certain conditions. Right now -kP and -Pk are not the same thing. Further,
when we set the BLOCKSIZE environment variable, we use "1k" instead of "1024",
making the header display incorrectly.
To quote the specification:
"When both the -k and -P options are specified, the following header line
shall be written (in the POSIX locale):
"Filesystem 1024-blocks Used Available Capacity Mounted on\n"
- If -P has been specified, check to make sure that -k has not already been
specified, if so, simply break instead of clobbering the previous blocksize
- Use 1024 instead of 1k to make the header POSIX compliant
Flushing all IPv4 routes when an interface is removed or unconfigured
makes no sense. Remove the undocumented removable_route_flush feature
from pccard_ether.
Add a new 'bce_mgmt_init_locked' function to enable the minimal parts
of the chip to let ASF/IPMI firmware to respond to IPMI after attaching
and when the chip is down. David looked at it but could really say
what they right minimal config. stuff would be. It's not documented.
I figured this out via trial and error.
Allow hw.mfi.event_locale/hw.mfi.event_class to be set via loader.
If an event doesn't match the criteria then don't print it. Some
events are not saved in the log (<0 class events).