Michael Osipov [Tue, 3 Oct 2023 05:53:20 +0000 (07:53 +0200)]
libfetch: don't rely on ca_root_nss for certificate validation
Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.
We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.
With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.
syscalls: fix missing SIGSYS for several ENOSYS errors
In particular, when the syscall number is too large, or when syscall is
dynamic. For that, add nosys_sysent structure to pass fake sysent to
syscall top code.
Reviewed by: dchagin, markj
Discussed with: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D41976
Mark Johnston [Mon, 2 Oct 2023 20:55:26 +0000 (16:55 -0400)]
geli tests: Use shorter passphrases in setkey_passphrase
There is an undocumented limit on the length of a GELI passphrase, and
the test exceeded that. Most of the time it worked because a nul
terminator would appear early enough in the string.
Reported by: Jenkins
Fixes: 2b7b09ac9675 ("geli tests: Add a regression test for geli setkey -J")
They all call cgetstr(), which returns -2 on such conditions and already
sets errno to ENOMEM, arguably the appropriate value for these functions
as well.
No in-tree consumer currently checks for errno on error reported by
these functions, so this change has no other code impact.
Olivier Certner [Thu, 25 May 2023 07:10:27 +0000 (09:10 +0200)]
setusercontext(): Fix gap when setting a realtime-class priority
The login.conf's "priority" capability allows to set priorities in the
idle or realtime classes in addition to the classical nice values (-20
to 20), through a natural extension where values greater than 20 put the
processes in the idle class (with priority adjusted within RTP_PRIO_MIN
and RTP_PRIO_MAX, 21 being converted to 0, 22 to 1, etc.) and values
lower than -20 put the process in the realtime class (with priority
adjusted within RTP_PRIO_MIN and RTP_PRIO_MAX, -21 being converted to
RTP_PRIO_MAX (31), -22 to 30, etc.).
Before this fix, in the latter case (realtime class), -21 was converted
to 30, and RTP_PRIO_MAX (31) could never be specified.
While here, change the priority computation for the idle-class case to
be symmetrical and use RTP_PRIO_MIN (in practice, this changes nothing
at all, since RTP_PRIO_MIN is 0; but this is the correct theoretical
formula, which would work as well with other values of RTP_PRIO_MIN).
Applies only to bare-metal Zen2 processors. The system currently
automatically applies it to all of them.
Tunable/sysctl 'machdep.mitigations.zenbleed.enable' can be used to
forcibly enable or disable the mitigation at boot or run-time. Possible
values are:
0: Mitigation disabled
1: Mitigation enabled
2: Run the automatic determination.
Currently, value 2 is the default and has identical effect as value 1.
This might change in the future if we choose to take into account
microcode revisions in the automatic determination process.
The tunable/sysctl value is simply ignored on non-applicable CPU models,
which is useful to apply the same configuration on a set of machines
that do not all have Zen2 processors. Trying to set it to any integer
value not listed above is silently equivalent to setting it to value 2
(automatic determination).
The current mitigation state can be queried through sysctl
'machdep.mitigations.zenbleed.state', which returns "Not applicable",
"Mitigation enabled" or "Mitigation disabled". Note that this state is
not guaranteed to be accurate in case of intervening modifications of
the corresponding chicken bit directly via cpuctl(4) (this includes the
cpucontrol(8) utility). Resetting the desired policy through
'machdep.mitigations.zenbleed.enable' (possibly to its current value)
will reset the hardware state and ensure that the reported state is
again coherent with it.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41817
lib/libc/tests/string: expand memcmp test to bcmp, timingsafe_{b,mem}cmp
The four functions more or less perform the same operation.
Reuse the same unit test with slight changes so we can cover
them all. Constant-time operation is not verified for the
timingsafe_* functions.
Sponsored by: The FreeBSD Foundation
Approved by: ngie
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D41528
lib/libc/tests/string/memcmp_test.c: extend test to support custom memcmp function
Extend the tests to permit loading an external memcmp function
and testing it over using the libc version. This was added by the
example of other tests in the test suite doing the same thing and
helped tremendously in development.
This change was originally part of D41442 but was taken out to
permit separate review as extrapolated from @ngie's request in
D41349.
Sponsored by: FreeBSD Foundation
Approved by: ngie
Differential Revision: https://reviews.freebsd.org/D41528
Tom Cosgrove [Mon, 7 Feb 2022 14:44:56 +0000 (14:44 +0000)]
aarch64: fix branch target indications in arm64cpuid.pl and keccak1600
Add missing AARCH64_VALID_CALL_TARGET to armv8_rng_probe(). Also add
these to the functions defined by gen_random(), and note that this Perl
sub prints the assembler out directly, not going via the $code xlate
mechanism (and therefore coming before the include of arm_arch.h). So
fix this too.
In KeccakF1600_int, AARCH64_SIGN_LINK_REGISTER functions as
AARCH64_VALID_CALL_TARGET on BTI-only builds, so it needs to come before
the 'adr' line.
Russ Butler [Sat, 28 Aug 2021 18:57:09 +0000 (13:57 -0500)]
aarch64: support BTI and pointer authentication in assembly
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.
Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.
The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.
Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.
PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.
With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.
The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.
There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.
To enable generating code for PAuth compile with
-mbranch-protection=<mode>:
- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
(read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP
Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.
If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.
In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.
Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.
BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.
BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns-off BTI
for the whole binary or shared object.
The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.
To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.
When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.
Compiler support
----------------
Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:
This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.
Interaction with C code
-----------------------
Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.
Useful Links
------------
To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/
Additional materials:
"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en
Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest
Addional Notes
--------------
This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:
aarch64: support BTI and pointer authentication in assembly
Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024
David Sloan [Thu, 7 Sep 2023 16:22:21 +0000 (10:22 -0600)]
nvme: Fix memory leak in pt ioctl commands
When running nvme passthrough commands through the ioctl interface
memory is mapped with vmapbuf() but not unmapped. This results in leaked
memory whenever a process executes an nvme passthrough command with a
data buffer. This can be replicated with a simple c function (error
checks skipped for brevity):
Bjoern A. Zeeb [Mon, 2 Oct 2023 14:44:29 +0000 (14:44 +0000)]
net80211 / drivers: remove public use of ieee80211_node_incref()
ieee80211_node_incref() is the FreeBSD implementation of
ieee80211_ref_node(). Not being interested in the node returned
it was used as a shortcut in 3 drivers (ath, uath, wpi).
Replace the call with the public KPI of ieee80211_ref_node() and
ignore the result.
This leaves us with the single internal call going
ieee80211_ref_node() -> ieee80211_node_incref() and that should
help increasing portability but also limiting the places to trace
for node reference operations.
Sponsored by: The FreeBSD Foundation
MFC after: 4 weeks
Bjoern A. Zeeb [Mon, 2 Oct 2023 13:57:45 +0000 (13:57 +0000)]
net80211: make ieee80211_alloc_node() private
Looking through the allocation/free and reference cycle of nodes we have
a few (publicly) (almost) unused macros and functions.
Start making them private and reducing the amount of entry paths to the
same/similar functionality.
First is to make ieee80211_alloc_node() static as it is nowhere used
in the tree outside this file.
Bjoern A. Zeeb [Mon, 2 Oct 2023 13:53:33 +0000 (13:53 +0000)]
net80211: improve ddb output for sta and rate
Add more missing fields to the ddb output of sta (including spares so
people will notice if they use them to adjust ddb as well).
There are still more missing fields (some left as reminder in an
uncompiled __notyet__ block).
Add _db_show_rate() to print iv_rate as well optionally including
function pointers.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Mitchell Horne [Mon, 2 Oct 2023 13:40:18 +0000 (10:40 -0300)]
ofwdump: install dependent on MK_FDT
The utility depends on the presence of the openfirm(4) pseudo-device,
which is gated by the FDT kernel option. The MK_FDT knob is correctly
set to "yes" for FDT/OFW-enabled platforms (powerpc* included); use it
to install the utility and eliminate the arch-specific Makefile logic.
No functional change intended.
Reviewed by: emaste, pkubaj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41977
Mark Johnston [Mon, 2 Oct 2023 11:49:27 +0000 (07:49 -0400)]
swap_pager: Fix a race in swap_pager_swapoff_object()
When we disable swapping to a device, we scan the full VM object list
looking for objects with swap trie nodes that reference the device in
question. The pages corresponding to those nodes are paged in.
While paging in, we drop the VM object lock. Moreover, we do not hold a
reference for the object; swap_pager_swapoff_object() merely bumps the
paging-in-progress counter. vm_object_terminate() waits for this
counter to drain before proceeding and freeing pages.
However, swap_pager_swapoff_object() decrements the counter before
re-acquiring the VM object lock, which means that vm_object_terminate()
can race to acquire the lock and free the pages. Then,
swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
problem by acquiring the lock before waking up sleepers.
makefs/zfs: fix build with gcc 12 after b5a2bf512dbe
Due to integer promotion rules, dn_nlevels (uint8_t) gets promoted to a
plain int, resulting in -Werror warnings with gcc 12:
In file included from /workspace/src/usr.sbin/makefs/zfs.c:35:
/workspace/src/usr.sbin/makefs/zfs.c: In function '_dnode_cursor_flush':
/workspace/src/usr.sbin/makefs/zfs.c:684:23: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
684 | assert(levels <= c->dnode->dn_nlevels - 1);
| ^~
/workspace/src/usr.sbin/makefs/zfs.c:691:27: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
691 | if (level == c->dnode->dn_nlevels - 1) {
| ^~
/workspace/src/usr.sbin/makefs/zfs.c: In function 'dnode_cursor_next':
/workspace/src/usr.sbin/makefs/zfs.c:739:41: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
739 | for (levels = 0; levels < c->dnode->dn_nlevels - 1; levels++) {
| ^
Changing the order of cleanup in lkpi_ic_vap_delete() will avoid
firmware crashes or a direct panic as observed as ieee80211_vap_detach()
will do most cleanup for us and get us into the correct state.
The solution is not fully developed yet and one may not be able
to create a new vap (lkpi_ic_vap_create may fail with error 17)
afterwards. It is supposed to be a step towards more stability
for now.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
PR: 269842
Move the call to lkpi_disassoc() before the state change to
IEEE80211_STA_NOTEXIST which will remove the sta (from firmware).
Based on a comment it seems that originally we had to do it the
other way round.
iwlwifi(4) has a check and will silently not remove the sta from
the firmware when vif->cfg.assoc is still set (see iwl_mvm_sta_del()).
This leads to the LinuxKPI 802.11 code thinking the sta is gone as
downward state changes by the mac80211 op (*sta_state)() may not fail.
Once we try to assoc with a newly added station later, iwlwifi firmware
will run into an assert having two ap_sta set on the same vif.
We can observe that problem in iwlwifi(4) having __le32 sta_id = 1
instead of sta_id = 0 in iwl_mvm_sta_cfg_cmd{} on the HCMD.
This should fix one of the most seen problems with iwlwifi(4), e.g.,
when running service netif restart wlan0 or
service wpa_supplicant restart wlan0.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
If we bail out early from pf_test(6)() we still need to clean up/finish
SCTP multihome work, which requires the 'off' value to be set. Set it
early enough.
MFC after: 3 days
Sponsored by: Orange Business Services
Alexander Motin [Fri, 29 Sep 2023 15:22:46 +0000 (11:22 -0400)]
Restrict short block cloning requests
If we are copying only one block and it is smaller than recordsize
property, do not allow destination to grow beyond one block if it
is not there yet. Otherwise the destination will get stuck with
that block size forever, that can be as small as 512 bytes, no
matter how big the destination grow later.
Reviewed-by: Kay Pedersen <mail@mkwg.de> Reviewed-by: Rob Norris <rob.norris@klarasystems.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Alexander Motin <mav@FreeBSD.org>
Sponsored by: iXsystems, Inc.
Closes #15321
Brian Behlendorf [Fri, 29 Sep 2023 15:21:25 +0000 (08:21 -0700)]
Tweak rebuild in-flight hard limit
Vendor testing shows we should be able to get a little more
performance if we further relax the hard limit which we're hitting.
Authored-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Signed-off-by: Tony Hutter <hutter2@llnl.gov>
Closes #15324
Jose Luis Duran [Fri, 29 Sep 2023 13:24:32 +0000 (09:24 -0400)]
dtc: Ensure it is built in C++17 mode
Explicitly specify the C++ standard to be used in the Makefile.
This prevents macOS cross-builds from using the default gnu++98 and
fail. This syncs dtc with upstream commit 39a58cfaab7d55c7975ebf905d859ba91a369fa0.
ipfilter: Add sysctl flag CTLFLAG_TUN to loader tunable
The sysctl variable `net.inet.ipf.large_nat` is actually a loader
tunable. Add sysctl flag CTLFLAG_TUN to it so that `sysctl -T` will
report it correctly.
No functional change intended.
Reviewed by: cy (for #network)
Fixes: a805ffbcbce8 ipfilter: Make LARGE_NAT a tunable
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42005
Colin Percival [Sat, 9 Sep 2023 00:55:16 +0000 (17:55 -0700)]
EC2: Add experimental cloud-init images
Known issues:
1. The ec2-user user is created with a homedir of /usr/home/ec2-user
instead of /home/ec2-user; this appears to be a bug in cloud-init's
FreeBSD support.
2. Cloud-init configures IPv4 networking but not IPv6 networking.
Colin Percival [Sat, 9 Sep 2023 00:51:57 +0000 (17:51 -0700)]
EC2: Flavour existing AMIs as "base"
Using the recently-added "cloudware flavours" mechanism, turn the
existing EC2 AMIs into a new "base" flavour. The only user-visible
change is that AMI names now include the word "base".
Colin Percival [Sat, 9 Sep 2023 00:51:08 +0000 (17:51 -0700)]
release/Makefile.vm: Add support for CW flavours
There are two "Vagrant" images right now: "Vagrant Image for VirtualBox"
and "Vagrant Image for VMWare". Rather than listing these separately in
a CLOUDWARE list, place "VAGRANT" into a CLOUDWARE_TYPES list and then
use a VAGRANT_FLAVOURS variable to identify the two versions. Add make
logic to allow defaults (in this case, image format and filesystem) to
be specified once for VAGRANT and inherited by both flavours.
This will make future work to add flavoured EC2 images simpler.
Colin Percival [Sat, 9 Sep 2023 00:49:35 +0000 (17:49 -0700)]
release/Makefile.vm: Garbage collect unused bits
The cw*-package targets were introduced in February 2015 as part of
adding support for building GCE images; but GCE support was reworked
in June 2015 and the cw*-package targets were in fact never used.
Remove them.
The *_DISK variables were introduced in February 2015 as part of
adding the cloudware-install target; this was removed in May 2016 as
the cloudware images are published via the respective cloud systems
and not published as disk images via the FreeBSD FTP site. As such,
the *_DISK variables are not unused; remove them.
Akash B [Thu, 28 Sep 2023 21:10:07 +0000 (02:40 +0530)]
Fix ENOSPC for extended quota
When unlinking multiple files from a pool at 100% capacity, it
was possible for ENOSPC to be returned after the first few unlinks.
This issue was fixed previously by PR #13172 but then this was
again introduced by PR #13839.
This is resolved using the existing mechanism of returning ERESTART
when over quota as long as we know enough space will shortly be
available after processing the pending deferred frees.
Also, updated the existing testcase which reliably reproduced the
issue without this patch.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Reviewed-by: Dipak Ghosh <dipak.ghosh@hpe.com> Signed-off-by: Akash B <akash-b@hpe.com>
Closes #15312
John Hay [Thu, 28 Sep 2023 21:08:08 +0000 (14:08 -0700)]
x86: Properly align interrupt vectors for MSI
MSI (not MSI-X) interrupt vectors must be allocated in groups that are
powers of 2, and the block of IDT vectors must be aligned to the size
of the request.
The code in native_apic_alloc_vectors() does an alignment check in the loop:
if ((vector & (align - 1)) != 0)
continue;
first = vector;
But it adds APIC_IO_INTS to the value it returns:
return (first + APIC_IO_INTS);
The problem is that APIC_IO_INTS is not a multiple of 32. It is 48:
As a result, a request for 32 vectors (the max supported by MSI), was
not always aligned. To fix, check the alignment of
'vector + APIC_IO_INTS' in the loop.
Simon J. Gerraty [Thu, 28 Sep 2023 21:01:56 +0000 (14:01 -0700)]
Move the adding of CFLAGS_LAST to bsd.sys.mk
The point of CFLAGS_LAST is to be the last thing in CFLAGS
so add it last.
For DIRDEPS_BUILD this can best be done via local.dirdeps-build.mk
which is guaranteed to be the last makefile read, but that does nothing
for non-DIRDEPS_BUILD
Mark Johnston [Thu, 28 Sep 2023 20:16:17 +0000 (16:16 -0400)]
makefs/zfs: Ensure that the last block of a file has the right size
When copying a file's contents into the pool, a loop copies blocks of
the maximum size (128KB), allocating space from the vdev for each block.
The space allocator rounds up to the nearest block size, but for files
larger than the maximum size, this can result in the last block having a
smaller logical size than the rest of the blocks belonging to that
dnode. This violates some ZFS invariants when appending to that file.
Modify fs_populate_file() to use the same block size for the final
block.
Reported by: cperciva
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
* Like GNU split, turn autoextend back on if given -a0.
* Add a test case that verifies that -a<non-zero> turns autoextend off.
* Add a test case that verifies that -a0 turns autoextend back on.
* Whenever possible, use strtonum() to parse numeric arguments.
* Improve usefulness and consistency of error messages.
* While here, fix some type and style issues.
Previously, syslogd's daemon process would signal that it had finished
initialization using SIGALRM. In capability mode, signal delivery is not
allowed, so use a pipe to indicate that it is ready to accept messages.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41459
Setup consfile filed for logging while Initialized is false, but do not
bother opening the console. Close console/tty descriptors after parsing,
as well. The ttymsg() function will re-open these descriptors for us.
Also, remove references to the ctty global variable since it will always
be _PATH_CONSOLE.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41380
Use the SA_NOCLDWAIT sigaction() flag to disable the creation of
zombie processes. This leaves no reason to wait() on children, so
remove the reaping routine.
Previously, deadq entries were removed in reapchild(). Move deadq
removal into markit() after SIGKILL is sent.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41415
Prepare for program Capsicumization by storing process descriptors
instead of pids. Signal delivery is not permitted in capability mode,
so we can use pdkill(2) to terminate child processes.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41369
Add logging sockets directly to the socklist, unless parsing flags. The
peerlist is still needed to temporarily hold socket information until
the configuration flags have been parsed.
It is tempting to remove the entire peerlist, but addsock() can not
determine if syslogd is in secure mode unless the flags have been
parsed.
Also, call pidfile_open() right after flag parsing so we can terminate
if another syslogd instance is already running.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41364
Use kqueue(2) for socket I/O and signal notification. Previously,
select(2) and traditional signal handlers were being used.
This change centralizes all of the async notification delivery into a
single loop so future Capsicum sandboxing will be easier. It also
simplifies the code by removing boiler-plate cruft that comes with the
older interfaces.
Reviewed by: Slawa Olhovchenkov, markj, emaste
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41363
Move all configuration-file code outside of the initialization loop and
into its own set of functions. Create a readconfigfile() to open the
config and call parseconfigfile() to parse it.
The init() function no longer returns if there was a failure to open the
configuration file. Initialization will be finished, using the backup
logging rules: *.ERR to /dev/console and *.PANIC to all logged in users.
Reviewed by: markj, emaste
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41358
See previous commit that made cr_canseeothergids() use the new
realgroupmember() function, taking into account real group IDs instead
of effective ones.
Olivier Certner [Thu, 17 Aug 2023 23:54:45 +0000 (01:54 +0200)]
cr_canseeothergids(): Use real instead of effective group membership
Using the effective group and not the real one when testing membership
has the consequence that unprivileged processes cannot see setuid
commands they launch until these have relinquished their privileges.
This is also in contradiction with how the similar cr_canseeotheruids()
works, i.e., by taking into account real user IDs.
Fix this by substituting groupmember() with realgroupmember(). While
here, simplify the code.
Olivier Certner [Thu, 17 Aug 2023 23:54:44 +0000 (01:54 +0200)]
groupmember(): Extract the supplementary group search in a separate function
This is in preparation for the introduction of the new realgroupmember()
function, which does the same search into supplementary groups as
groupmember().
Mention cr_bsd_visible(9). Remove references to cr_canseeothergids(9)
and cr_canseeotheruids(9), as well as indirect references not
immediately useful.
Fix description of credentials checks to match reality.