rwatson [Mon, 12 Aug 2002 02:00:21 +0000 (02:00 +0000)]
Declare a module service "kernel_mac_support" when MAC support is
enabled and the kernel provides the MAC registration and entry point
service. Declare a dependency on that module service for any
MAC module registered using mac_policy.h. For now, hard code the
version as 1, but once we've come up with a versioning policy, we'll
move to a #define of some sort. In the mean time, this will prevent
loading a MAC module when 'options MAC' isn't present, which (due to
a bug in the kernel linker) can result if the MAC module is preloaded
via loader.conf.
This particular evil recommended by: peter
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI LAbs
rwatson [Mon, 12 Aug 2002 01:54:10 +0000 (01:54 +0000)]
Introduce IO_NOMACCHECK, a flag that will be passed to vn_rdwr() to
indicate that the calling code has already performed necessary MAC
checks (if any) for this operation. This flag will help resolve
layering problems that existing because vn_rdwr() is called both
on behalf of user processes directly (such as in system calls of
various sorts, during core dumps, etc), as well as deep in the file
system code on behalf of the file system (such as in UFS, ext2fs,
etc). Code that is acting on behalf of a kernel service rather
than explicitly on behalf of a user process will specify this flag.
By default, MAC checks will be performed (and generally should
be performed).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
rwatson [Mon, 12 Aug 2002 01:45:40 +0000 (01:45 +0000)]
Add necessary instrumentation to IBCS2 emulation support for mandatory
access control: as with SVR4, very few changes required since almost
all services are implemented by wrapping existing native FreeBSD
system calls. Only readdir() calls need additional instrumentation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
rwatson [Mon, 12 Aug 2002 01:42:21 +0000 (01:42 +0000)]
Enforce MAC policies for the locally implemented vnode services in
SVR4 emulation relating to readdir() and fd_revoke(). All other
services appear to be implemented by simply wrapping existing
FreeBSD native system call implementations, so don't require local
instrumentation in the emulator module.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
rwatson [Mon, 12 Aug 2002 01:24:26 +0000 (01:24 +0000)]
Another fix that wasn't pulled in from the MAC branch: the
struct mount is not cached as *mp at this point, so use
vp->v_mount directly, following the check that it's non-NULL.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
rwatson [Mon, 12 Aug 2002 01:16:55 +0000 (01:16 +0000)]
Teach the OSF/1 emulation layer a little more about mandatory access
control: perform checks during OSF/1 statfs()-related calls by
invoking mac_check_mount_stat().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
mjacob [Sun, 11 Aug 2002 23:34:20 +0000 (23:34 +0000)]
Add support for the LSI-Logic Fusion/MP architecture.
This is an architecture that present a thing message passing interface
to the OS. You can query as to how many ports and what kind are attached
and enable them and so on.
A less grand view is that this is just another way to package SCSI (SPI or
FC) and FC-IP into a one-driver interface set.
semenu [Sun, 11 Aug 2002 20:33:11 +0000 (20:33 +0000)]
Fix sendfile(), who was calling vn_rdwr() without aresid parameter and
thus hiting EIO at the end of file. This is believed to be a feature
(not a bug) of vn_rdwr(), so we turn it off by supplying aresid param.
dwmalone [Sun, 11 Aug 2002 18:37:25 +0000 (18:37 +0000)]
Fix a bug where you couldn't start top in a very small window. Now
you can start it in a small window, but it doesn't always display
anything sensible. Resizing the window does work though.
The patch is a slightly simpler one than Sheldon's in the PR.
hm [Sun, 11 Aug 2002 15:47:26 +0000 (15:47 +0000)]
add experimental support for Data over Voice (DoV) outgoing calls.
based on patches received from Guy Ellis (guy@traverse.com.au),
Chris Collins (xfire@xware.cx) and Phillip Musumeci (phillip@cs.jcu.edu.au).
jmallett [Sun, 11 Aug 2002 15:37:10 +0000 (15:37 +0000)]
Initialise disk->d_ufs so that in sblock.c it's always initialised
(unless someone tries to use libufs support functions without using
_fillout or _ctor to construct a uufsd.)
schweikh [Sun, 11 Aug 2002 13:05:30 +0000 (13:05 +0000)]
Fix typos; each file has at least one s/seperat/separat/
(I skipped those in contrib/, gnu/ and crypto/)
While I was at it, fixed a lot more found by ispell that I
could identify with certainty to be errors. All of these
were in comments or text, not in actual code.
mux [Sun, 11 Aug 2002 11:32:02 +0000 (11:32 +0000)]
The kldload() system call doesn't return 0 when it succeeded,
so compare the return value against -1 to see if it failed
instead of simply doing if (kldload("nfs")).
tjr [Sun, 11 Aug 2002 09:53:44 +0000 (09:53 +0000)]
Correct boundary condition error in `D' and `P' commands when the last
line of the pattern space is empty. Don't emit spurious newline when
EOF is reached with the `N' command.
imp [Sun, 11 Aug 2002 08:51:08 +0000 (08:51 +0000)]
Follow NetBSD's lead and use WI_PORTTYPE_HOSTAP instead of _AP, since
_AP might be used in the future for cards with firmware that does AP in
firmware.
jake [Sat, 10 Aug 2002 22:14:16 +0000 (22:14 +0000)]
Auto size available kernel virtual address space based on phsyical memory
size. This avoids blowing out kva in kmeminit() on large memory machines
(4 gigs or more).
mux [Sat, 10 Aug 2002 20:19:04 +0000 (20:19 +0000)]
- Introduce a new struct xvfsconf, the userland version of struct vfsconf.
- Make getvfsbyname() take a struct xvfsconf *.
- Convert several consumers of getvfsbyname() to use struct xvfsconf.
- Correct the getvfsbyname.3 manpage.
- Create a new vfs.conflist sysctl to dump all the struct xvfsconf in the
kernel, and rewrite getvfsbyname() to use this instead of the weird
existing API.
- Convert some {set,get,end}vfsent() consumers to use the new vfs.conflist
sysctl.
- Convert a vfsload() call in nfsiod.c to kldload() and remove the useless
vfsisloadable() and endvfsent() calls.
- Add a warning printf() in vfs_sysctl() to tell people they are using
an old userland.
After these changes, it's possible to modify struct vfsconf without
breaking the binary compatibility. Please note that these changes don't
break this compatibility either.
When bp will have updated mount_smbfs(8) with the patch I sent him, there
will be no more consumers of the {set,get,end}vfsent(), vfsisloadable()
and vfsload() API, and I will promptly delete it.
mux [Sat, 10 Aug 2002 19:56:45 +0000 (19:56 +0000)]
Introduce a new sysctl flag, CTLFLAG_SKIP, which will cause
sysctl_sysctl_next() to skip this sysctl. The sysctl is
still available, but doesn't appear in a "sysctl -a".
This is especially useful when you want to deprecate a sysctl,
and add a warning into it to warn users that they are using
an old interface. Without this flag, the warning would get
echoed when running "sysctl -a" (which happens at boot).
luigi [Sat, 10 Aug 2002 15:04:40 +0000 (15:04 +0000)]
Major revision of the ipfw manpage, trying to make it up-to-date
with ipfw2 extensions and give examples of use of the new features.
This is just a preliminary commit, where i simply added the basic
syntax for the extensions, and clean up the page (e.g. by listing
things in alphabetical rather than random order).
I would appreciate feedback and possible corrections/extensions
by interested parties.
Still missing are a more detailed description of stateful rules
(with keepalives), interaction with of stateful rules and natd (don't do
that!), examples of use with the recently introduced rule sets.
There is an issue related to the MFC: RELENG_4 still has ipfw as a
default, and ipfw2 is optional. We have two options here: MFC this
page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes,
or create a new ipfw2(8) manpage just for -stable users. I am all
for the first approach, but of course am listening to your comments.
imp [Sat, 10 Aug 2002 06:37:32 +0000 (06:37 +0000)]
When we allocate our bus address via the kludge that we have in the
code to do it when the bios doesn't do it for us, flag it. Then, when
we dealloc, do an equal kludge to get rid of the address. This should
address the can't get IRQ and panic bug in a more graceful way.
# really should write a dealloc routine and just call it instead, since
# this might not fix things in the kldunload case.
luigi [Sat, 10 Aug 2002 04:37:32 +0000 (04:37 +0000)]
One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.
The new feature (all this description will go in the manpage):
each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:
ipfw add 100 set 23 allow ip from any to any
If "set N" is not specified, the rule belongs to set 0.
Individual sets can be disabled, enabled, and deleted with the commands:
ipfw disable set N
ipfw enable set N
ipfw delete set N
Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.
All sets are enabled by default. The enable/disable status of the sets
can be shown with the command
ipfw show sets
Hopefully, this feature will make life easier to those who want to
have atomic ruleset addition/deletion/tests. Examples:
To add a set of rules atomically:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18
To delete a set of rules atomically
ipfw disable set 18
ipfw delete set 18
ipfw enable set 18
To test a ruleset and disable it and regain control if something
goes wrong:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18
here if everything goes well, you press control-C before
the "sleep" terminates, and your ruleset will be left
active. Otherwise, e.g. if you cannot access your box,
the ruleset will be disabled after the sleep terminates.
I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
peter [Sat, 10 Aug 2002 03:00:55 +0000 (03:00 +0000)]
Fix the broken "avoid unaligned data" fix. The problem is that the builtin
gcc memcpy "knows" about types that are supposed to be actually already
aligned and triggers alignment errors doing the memcpy itself.
"Fix" this by changing it to a bcopy(). In this case, we had:
struct timeval *tp;
struct timeval tv1;
memcpy(&tv1,tp,sizeof(tv1));
.. and since gcc *knows* that a pointer to a timeval is longword aligned
and that tv1 is longword aligned, then it can use an inline that assumes
alignment. The following works too:
cp = (char *)tp;
memcpy(&tv1,cp,sizeof(tv1));
Simply casting (char *)tp for the memcpy doesn't work. :-(
This affected different 64 bit platforms in different ways and depends
a lot on gcc as well. I've seen this on alpha and ia64 at least, although
alpha isn't doing it right now.
sos [Fri, 9 Aug 2002 20:54:06 +0000 (20:54 +0000)]
Add the ability to use ATAPI devices via CAM.
The CAM<>ATAPI layer was submitted by "Thomas Quinot <thomas@cuivre.fr.eu.org>"
changes form the version on the net by me (formatting, ability to be used
alone without the ATAPI native device driver, proper speed reporting...)
See /sys/conf/NOTES for usage.
Submitted by: Thomas Quinot <thomas@cuivre.fr.eu.org>
fanf [Fri, 9 Aug 2002 20:37:01 +0000 (20:37 +0000)]
Remove some Dijkstra quotes from fortunes that are duplicated in fortunes2.
Move the single remaining one across to fortunes2 to join its friends.
Spell his name consistently. Remove a couple of other duplicate fortunes.
tmm [Fri, 9 Aug 2002 15:47:43 +0000 (15:47 +0000)]
The boottime variable in sys/kern/kern_tc.c is a struct timeval, not a
time_t, so do not use the latter as type when retrieving the variable
via libkvm. This should fix vmstat on sparc64.
projects / FreeBSD / FreeBSD.git / log