When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)
Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.
Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53747
When running an rc command, if the target rc script defines
<command>_cmd, e.g., start_cmd=..., then the run_rc_command() executes
that instead of $command. In general it's a shell function, and
"cpuset -l <n> <shell function>" doesn't work.
Moreover, it doesn't really make sense to run cpuset for anything other
than start_cmd.
Other optional isolation mechanisms (e.g., <name>_fib,
<name>_chroot) are only used when invoking $command directly as part of
the "start" command. Make <name>_cpuset consistent with everything else
by removing these extraneous cpuset invocations.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53746
By default, setaudit(8) overwrites the whole audit session state. For
the purpose of overwriting only a single field, e.g., the audit user,
this is inconvenient. Add -U to accommodate this case: when specified,
setaudit(8) will first fetch the current session state block and then
will only overwrite those fields specified on the command line.
Reviewed by: csjp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53672
Unmodified sources from https://github.com/csjayp/setaudit at commit
aa4dd9dfa40b6437030d718834236f4eaeb18ccb.
Some follow-up changes will fix a few issues and make it easier to use
this utility in the rc framework.
Reviewed by: csjp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53669
Specifically, make this code fit in fewer columns:
- deindent cases to conform to the usual style,
- use a local variable to minimize duplication in each case.
No functional change intended.
Reviewed by: 0mp, netchild
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D53754
Recent changes to HPTS have broken an API that was somehow removed (used by user space programs for
time calculations). This commit will add back the inline function that was removed.
Differential Revision: https://reviews.freebsd.org/D53225
diff3's getopt.h included a function declaration without a prototype,
which produces a compiler warning. Just remove the bespoke getopt.h
and use the system header.
Reported by: Mark Millard
Reviewed by: fuz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53802
Opcode handling should not fall through to the LOOKUP_DSCP type.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53775
EFIAPI has to be defined correctly for amd64, or things won't boot
because it uses a different API than we normally use. Normally, this
only affects amd64, since all the other archs are basically nothing.
Tested on: amd64, aarch64 and armv7 (the first two by markj and I with
different test setups).
Fixes: 43b8edb320
Sponsored by: Netflix
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D53799
The packages for 15.0-RELEASE built without the bug fix needed to make
files created via @sample get properly listed in METALOG. Fix the
cloudware which contain @sample-using packages by adding the necessary
files to METALOG manually.
This should be reverted after the next full package build, and live on
only in releng/15.0.
Reviewed by: markj
MFC after: immediately (15.0-RC2)
Differential Revision: https://reviews.freebsd.org/D53797
We ship these in order to comply with GCE Marketplace rules about
providing source code and licenses for all the software we ship as
part of images.
Reviewed by: markj
MFC after: immediately (15.0-RC2)
Differential Revision: https://reviews.freebsd.org/D53796
These were forgotten during the METALOGization process earlier.
Reviewed by: markj
MFC after: immediately (for 15.0-RC2)
Differential Revision: https://reviews.freebsd.org/D53795
cfg80211_chandef_create() gets passed a pointer to a cfg80211_chan_def.
It seems that several users are passing in an uninitialized variable
from the stack and expect cfg80211_chandef_create() to initialize it.
Run memset() on the struct, which for all callers currently seems to do
the right thing, to avoid later accesses to uninitialized struct members
like "punctured".
Reported by: CI (gcc build)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
IFT_ENC has special behaviour in pf we don't desire, and this also ensures that
for all interface types there is N:1:1 correspondence between if_type:dlt:header len.
Requested by: glebius
MFC after: 1 week
The command
    sh -c 'sleep 3 | sleep 2 & sleep 3 & kill %1; wait %1'
crashes (with appropriate sanitization such as putting
MALLOC_CONF=abort:true,junk:true in the environment or compiling with
-fsanitize=address).
What happens here is that waitcmdloop() calls dowait() with a NULL job
pointer, instructing dowait() to freejob() if it's a non-interactive
shell and $! was not and cannot be referenced for it. However,
waitcmdloop() then uses fields possibly freed by freejob() and calls
freejob() again.
This only occurs if the job being waited for is identified via % syntax
($! has never been referenced for it), it is a pipeline with two or more
elements and another background job has been started before the wait
command. That seems special enough for a bug to remain. Test scripts
written by Jilles would almost always use $! and not % syntax.
We can instead make waitcmdloop() pass its job pointer to dowait(),
fixing up things for that (waitcmdloop() will have to call deljob() if
it does not call freejob()).
The crash from
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290330#c2 appears to
be the same bug.
PR: 290330
Reported by: bdrewery
Reviewed by: bdrewery
Differential Revision: https://reviews.freebsd.org/D53773
- also use new .St -ieee754-2008 request in *pi.3
Reviewed by: imp
Approved by: markj (mentor)
See also: D53784
Differential Revision: https://reviews.freebsd.org/D53783
This is needed to simplify the msun manpages {sin,cos,tan}pi.3
Approved by: markj (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D53784
Notable upstream pull request merges:
#17477 02fdd26e5 Add knob to disable slow io notifications
#17792 d0294aa75 Update dnode_next_offset_level to accept blkid instead
of offset
#17824 8c225ff1b Fix gang write late_arrival bug
#17861 -multiple Lift userspace definitions out of zfs_context.h
#17872 dcada084b Pass flags to more DMU write/hold functions
#17875 ec268cdf9 Fix caching of DDT log and BRT
#17875 ea125eeb5 BRT: Round bv_entcount up to BRT_BLOCKSIZE
#17877 6cfc3dba9 Cleanup ZIO_FLAG_IO_RETRY vs TRYHARD usage
#17885 e63d026b9 cmd/zpool cstyle issues
#17890 b4f073b5a Add BRT support to zpool prefetch command
#17903 baefe098e ZIO: Set minimum number of free issue threads to 32
#17906 6e12f0bd7 spa_misc: add an API for spa_namespace_lock
#17908 e26b9fc87 FreeBSD: Add support for _PC_CASE_INSENSITIVE
#17911 -multiple Update library ABI versions for v2.4.0
#17915 8aaed7dc4 BRT: Fix ranges to blocks conversion math
#17916 cc5cae547 BRT: Increase block size from 4KB to 8KB
#17921 72b2a9571 ZAP: Remove dmu_object_info_from_dnode() call
Obtained from: OpenZFS
OpenZFS commit: e63d026b91
If we fail to obtain a new source port (pf_get_sport()) while we've
created a udp_mapping (for 'endpoint independent nat') we must free the
udp_mapping in pf_get_sport(). Otherwise the calling function will call
pf_udp_mapping_release(). This will then attempt to remove the udp_mapping from
a list it's not in, and crash.
Actually free the udp_mapping in all failure cases. While here sprinkle in a few
more assertions to ensure we don't forget leak udp_mappings and add a test case
to provoke this problem.
Reviewed by: thj
MFC after: 1 week
See also: https://redmine.pfsense.org/issues/16517
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53737
Virtual Functions are considered untrusted and have no control
over VLAN filtering configuration in HW. To allow using
VLANs on VF interface driver has to assume that VLAN HW Filtering
is always enabled and pass requests for adding or removing VLAN
tags to Physical Function driver using Mailbox API.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka@intel.com>
Approved by: kbowling (mentor)
Reviewed by: erj (previous version)
Tested by: gowtham.kumar.ks_intel.com
MFC after: 1 week
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D53245
The deprecation notice should indicate that the driver or feature will
be removed in a future release, not one that's nearly EOL.
Sponsored by: The FreeBSD Foundation
Users report freebsd-update failing with "The update metadata index is
correctly signed, but failed an integrity check." Add a hint at which
of the cases is failing to help track down the issue.
PR: 264205
Reviewed by: dch
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52222
Make libsecureboot build, enabled when WITH_BEARSSL=y
WITH_LOADER_EFI_SECUREBOOT=y.
Copy EDK2 files related to secure boot to sys/contrib/edk2 and delete
duplicates under libsecureboot/efi/include.
Adjust efi_variables.c to build in the new environment.
Undefine MIN and MAX before including sys/param.h in libsecureboot.h. I'm
not sure that sys/param.h is needed here, but either the param.h or the
Base.h definitions are fine.
Fix include paths to reflect the new way.
Fixes: 43b8edb320
Sponsored by: Netflix
Update to include the right includes for the riscv protocol to get the
hypervisor details.
Note: I expanded the GUID inline rather than using a #define because
there was none. This is only listed in UefiCpuPkg/UefiCpuPkg.dec, so
include it here inline until we can automate using those files.
Fixes: 43b8edb320
Sponsored by: Netflix
Import UefiCpuPkg/Include/Protocol/RiscVBootProtocol.h to
Include/Protocol. This is another direct copy that needs to be carefully
considered in future imports. For now, it's easier to add this
incrementally here.
Sponsored by: Netflix
Now that we've moved to always using this, it turns out that the funky
thing we have for L'a' is everywhere. Removing this check until I can
sort it out. This breaks the build on armv7 otherwise.
Fixes: 43b8edb320
Sponsored by: Netflix
x86 doesn't use FDT things by default, but aarch64 does. I thought I'd
built the loader on aarch64 to test the EDK2 all the things series, but
apparently not. This fixes the aarch64 build.
Fixes: 43b8edb320
Sponsored by: Netflix
This one is from EmbeddedPkg/Include/Guid/Fdt.h, which is our first
EmbeddedPkg addition. For the moment, I'm doing this as an ad-hoc basis,
but in the next import may need to reconsider the strategy.
Sponsored by: Netflix
Floppies have been obsolete for over a decade. Add a deprecation note
now and plan to remove fdc(4) support in 16.
Reviewed by: ziaee
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41549
Remove the old EFI SDK files that we've been nursing along for too many
years. Replace them with files from EDK2 edk2-stable202502 and tweak the
interfaces we need to tweak. Mostly include different things or change
the names of the protocols that no longer have old-school compat names.
I gave up in the middle of env.c, too damn tedious to find all those new
GUIDs. Also, many of the guids were mystery meat, most likely from the
EDK2 sources, but just not the Include subdirectory. Need to investigate
those. And the memory info? Is it just an obsolete thing, or embedded
knowledge of EDK2.
Delete the now-redundant copies of things in Guid and Protocol. I
debated keeping ZeroGuid.h, but EDK2 has moved on from when I snagged it
years ago (or maybe I just invented it out of whole cloth: edk2 does
radically different things today and I didn't do the git deep-dive to
find out).
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D53655
Pull in more headers from edk2-stable202502 that will be needed as we
transition the building to using only EDK2 headers in the boot loader,
finally ditching our home-grown ones from a super-obsolete SDK from the
early days of EFI.
Note to future importers: My apologies if this not being a merge commit
causes problems. Except for ProcessorBind.h, all files should be exactly
as we got them from EDK2, and if that breaks the build on future
imports, we should adjust our code.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D53654
On x86 these trigger for 32-bit builds. We only ever (will) do that for
the 32-bit loader that starts a 64 bit kernel for ia32. For the moment,
take the training wheels off, though most likely some compile flags need
to be used to change the i386 ABI to force *int64_t alignment to 64
bits or some other horror as yet ill-conceived. Despite this assertion,
the ia32 to boot 64-bit kernels loaders seem to work.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D53653