This checkin adds support in ufs/ffs for the FS_NEEDSFSCK flag.
It is described in ufs/ffs/fs.h as follows:
/*
* Filesystem flags.
*
* Note that the FS_NEEDSFSCK flag is set and cleared only by the
* fsck utility. It is set when background fsck finds an unexpected
* inconsistency which requires a traditional foreground fsck to be
* run. Such inconsistencies should only be found after an uncorrectable
* disk error. A foreground fsck will clear the FS_NEEDSFSCK flag when
* it has successfully cleaned up the filesystem. The kernel uses this
* flag to enforce that inconsistent filesystems be mounted read-only.
*/
#define FS_UNCLEAN 0x01 /* filesystem not clean at mount */
#define FS_DOSOFTDEP 0x02 /* filesystem using soft dependencies */
#define FS_NEEDSFSCK 0x04 /* filesystem needs sync fsck before mount */
Do not allow the soft updates flag to be set if the filesystem is dirty.
Because the kernel will allow the mounting of unclean filesystems when
the soft updates flag is set, it is important that only soft updates
style inconsistencies (missing blocks and inodes) be present. Otherwise
a panic may ensue. It is also important that the filesystem be in a clean
state when the soft updates flag is set because the background fsck uses
the fact that the flag is set to indicate that it is safe to run. If
background fsck encounters non-soft updates style inconsistencies, it
will exit with unexpected inconsistencies.
Convert getfacl to the ACL editing library functions. getfacl should
now compile/work on any POSIX.1e-compliant implementation (also tested
against the current Linux patches).
o Since uid checks in p_cansignal() are now identical between P_SUGID
and non-P_SUGID cases, simplify p_cansignal() logic so that the
P_SUGID masking of possible signals is independent from uid checks,
removing redundant code and generally improving readability.
Make this more lint-friendly. This file seems to be invoked in just
about any .c file that includes a .h, and lint produces copious
whining because of the asm ...; stuff.
Back out most of revision 1.28: lists of diagnostics must use -diag,
not -tag. Instead, put a period after the error messages to aide
those using dumb terminals not capable of properly displaying markup.
o Disallow two "allow this" exceptions in p_cansignal() restricting
the ability of unprivileged processes to deliver arbitrary signals
to daemons temporarily taking on unprivileged effective credentials
when P_SUGID is not set on the target process:
Removed:
(p1->p_cred->cr_ruid != ps->p_cred->cr_uid)
(p1->p_ucred->cr_uid != ps->p_cred->cr_uid)
o Replace two "allow this" exceptions in p_cansignal() restricting
the ability of unprivileged processes to deliver arbitrary signals
to daemons temporarily taking on unprivileged effective credentials
when P_SUGID is set on the target process:
Replaced:
(p1->p_cred->p_ruid != p2->p_ucred->cr_uid)
(p1->p_cred->cr_uid != p2->p_ucred->cr_uid)
With:
(p1->p_cred->p_ruid != p2->p_ucred->p_svuid)
(p1->p_ucred->cr_uid != p2->p_ucred->p_svuid)
o These changes have the effect of making the uid-based handling of
both P_SUGID and non-P_SUGID signal delivery consistent, following
these four general cases:
p1's ruid equals p2's ruid
p1's euid equals p2's ruid
p1's ruid equals p2's svuid
p1's euid equals p2's svuid
The P_SUGID and non-P_SUGID cases can now be largely collapsed,
and I'll commit this in a few days if no immediate problems are
encountered with this set of changes.
o These changes remove a number of warning cases identified by the
proc_to_proc inter-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
possible side effects on running code: they seem reasonable to me,
but it's possible this change might have to be backed out if problems
are experienced.
peter [Fri, 13 Apr 2001 01:45:22 +0000 (01:45 +0000)]
Remove the 'DO NOT EDIT THIS FILE' crud that we spit out with 'crontab -l'.
Otherwise, "crontab -l > file; vi file; crontab file" adds an extra set
of "DO NOT EDIT" markers each and every time which is a bit silly.
Match ip6fw's command line options to those of ipfw (specifically, added
the ability to use a preprocessor, use the -q (quiet) flag when reading
from a file). The source used is from ipfw.
Clean up exit codes while I am here.
KAME has been informed and plans on integrating these patches into their
own source as well.
o Disable two "allow this" exceptions in p_cansched()m retricting the
ability of unprivileged processes to modify the scheduling properties
of daemons temporarily taking on unprivileged effective credentials.
These cases (p1->p_cred->p_ruid == p2->p_ucred->cr_uid) and
(p1->p_ucred->cr_uid == p2->p_ucred->cr_uid), respectively permitting
a subject process to influence the scheduling of a daemon if the subject
process has the same real uid or effective uid as the daemon's effective
uid. This removes a number of the warning cases identified by the
proc_to_proc iner-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
possible side effects on running code: they seem reasonable to me,
but it's possible this change might have to be backed out if problems
are experienced.
o Make kqueue's filt_procattach() function use the error value returned
by p_can(...P_CAN_SEE), rather than returning EACCES directly. This
brings the error code used here into line with similar arrangements
elsewhere, and prevents the leakage of pid usage information.
o Reduce information leakage into jails by adding invocations of
p_can(...P_CAN_SEE...) to getpgid(), getsid(), and setpgid(),
blocking these operations on processes that should not be visible
by the requesting process. Required to reduce information leakage
in MAC environments.
o Replace p_cankill() with p_cansignal(), remove wrappage of p_can()
from signal authorization checking.
o p_cansignal() takes three arguments: subject process, object process,
and signal number, unlike p_cankill(), which only took into account
the processes and not the signal number, improving the abstraction
such that CANSIGNAL() from kern_sig.c can now also be eliminated;
previously CANSIGNAL() special-cased the handling of SIGCONT based
on process session. privused is now deprecated.
o The new p_cansignal() further limits the set of signals that may
be delivered to processes with P_SUGID set, and restructures the
access control check to allow it to be extended more easily.
o These changes take into account work done by the OpenBSD Project,
as well as by Robert Watson and Thomas Moestl on the TrustedBSD
Project.
o Enable -DSETSUGID_SUPPORTED in inter-process authorization regression
test by default, as setugid() is now part of the base kernel (assuming
(options REGRESSION) has been enabled for the running kernel).
o Introduce a new system call, __setsugid(), which allows a process to
toggle the P_SUGID bit explicitly, rather than relying on it being
set implicitly by other protection and credential logic. This feature
is introduced to support inter-process authorization regression testing
by simplifying userland credential management allowing the easy
isolation and reproduction of authorization events with specific
security contexts. This feature is enabled only by "options REGRESSION"
and is not intended to be used by applications. While the feature is
not known to introduce security vulnerabilities, it does allow
processes to enter previously inaccessible parts of the credential
state machine, and is therefore disabled by default. It may not
constitute a risk, and therefore in the future pending further analysis
(and appropriate need) may become a published interface.
o Introduce "options REGRESSION", a kernel option which enables
interfaces and functionality intended for use during correctness and
regression testing. Features enabled by "options REGRESSION" may
in and of themselves introduce security or correctness problems if
used improperly, and so are not intended for use in production
systems, only in testing environments.
o First pass at an inter-process authorization regression testing suite.
This test utility attempts to evaluate the current kernel policy
for authorization inter-process activities, currently ptrace(),
kill(, SIGHUP), getpriority(), and setpriority(). The utility creates
pairs of processes, initializes their credential sets to useful
cases, and reports on whether the results are in keeping with hard-coded
safety expectations.
o Currently, this utility relies on the availability of __setugid(),
an uncomitted system call used for managing the P_SUGID bit. Due to
continuing discussion of optional regression testing kernel components
("options REGRESSION") I'll hold off on committing that until the
discussion has reached its natural termination.
o A number of additional testing factors should be taken into account
in the testing, including tests for different classes of signals,
interactions with process session characteristics, I/O signalling,
broadcast activities such as broadcast signalling, mass priority
setting, and to take into group-related aspects of credentials.
Additional operations should also be taken into account, such as ktrace,
debugging attach using procfs, and so on.
o This testing suite is intended to prevent the introduction of bugs
in the upcoming sets of authorization changes associated with the
introduction of process capabilities and mandatory access control.
Parse the various argument registers in the printtrap() function so that
one doesn't have to go grab a reference manual to decode them by hand every
time the alpha kernel falls over.
peter [Wed, 11 Apr 2001 00:39:20 +0000 (00:39 +0000)]
Create debug.hashstat.[raw]nchash and debug.hashstat.[raw]nfsnode to
enable easy access to the hash chain stats. The raw prefixed versions
dump an integer array to userland with the chain lengths. This cheats
and calls it an array of 'struct int' rather than 'int' or sysctl -a
faithfully dumps out the 128K array on an average machine. The non-raw
versions return 4 integers: count, number of chains used, maximum chain
length, and percentage utilization (fixed point, multiplied by 100).
The raw forms are more useful for analyzing the hash distribution, while
the other form can be read easily by humans and stats loggers.
Fix a typo relating to the "-U" (force UDP for mount protocol)
option. When specified, make sure to use the correct netid for the
getnetconfigent() call, and also in error messages.
brian [Tue, 10 Apr 2001 23:16:55 +0000 (23:16 +0000)]
o The -s limit is ARG_MAX - 4K, not ARG_MAX - 2K.
o Mention that the current environment is part of the -s calculation.
o Add a BUGS section that warns against executing a program that increases
the size of the argument list or the size of the environment.
I have wondered for a while what the difference is between
get a big list | xargs sudo command
which fails and
get a big list | sudo xargs command
which succeeds. The answer is that in the first case, sudo expands
the environment and pushes the amount of data passed into execve over
the E2BIG threshold.
projects / FreeBSD / FreeBSD.git / log