Commit Graph

3300 Commits

Author SHA1 Message Date
Brooks Davis 8d26a9da0c amd64: assume the kernel supports RDFSBASE and RDGSBASE
There is no need to support pre-12.0 (and thus pre-ino64) kernels in a
15.x libc.

Continue to check if the CPU supports these features before using them
and fall back as required.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D50732
2025-08-08 18:15:21 +01:00
Lexi Winter 2fb03d6c11 gssd: Be consistent about Makefile conditionals
gssd itself is only built when both MK_GSSAPI and MK_KERBEROS_SUPPORT
are enabled, but the init script and OptionalObsoleteFiles entries
only checked MK_GSSAPI.  Check both variables everywhere.

Reviewed by:		des
Differential Revision:	https://reviews.freebsd.org/D51812
2025-08-08 14:16:06 +01:00
Brooks Davis e7e964cb2e syscalls: normalize _exit(2) declerations
exit(3) is implemented by the runtime and performs a number of shutdown
actions before ultimately calling _exit(2) to terminate the program.  We
historically named the syscall table entry `exit` rather than `_exit`,
but this requires special handling in libc/libsys to cause the `_exit`
symbol to exist while implementing `exit` in libc.

Declare the syscall as `_exit` and flow that through the system.

Because syscall(SYS_exit, code) is fairly widely used, allow a
configured extra line in syscall.h to define SYS_exit to SYS__exit.

I've found no external uses of __sys_exit() so I've not bothered to
create a compatability version of this private symbol.

Reviewed by:	imp, kib, emaste
Differential Revision:	https://reviews.freebsd.org/D51672
2025-08-08 10:30:16 +01:00
Brooks Davis fd4cdc438b rtld: fix dependencies for rtld-libc
Previously we (appropriately, but incorrectly) attempted to depend on
LIBC_NOSSP_PIC and LIBSYS_PIC for rtld_libc.a.  Unfortunately,
variables in dependency lists are expanded at parse time and those
variables are defined in bsd.libnames.mk which *must* be included by
bsd.{lib,prog}.mk.  As such, they were undefined and thus expanded to
the empty string resulting in no dependency with predictable and highly
confusing results.

Move the declaration of these dependencies to after the include of
bsd.prog.mk and add comments on both side in hopes of keeping any future
dependencies in sync.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D51790
2025-08-08 10:30:16 +01:00
Simon J. Gerraty 5c4d1c8584 Replace license with just SPDX BSD-2-Clause 2025-08-07 15:15:37 -07:00
Lexi Winter 7ed6b6b9d1 packages: move route(6)d to the rip package
These are deprecated, but in the mean time, move them to another
package.  routed in particularly doesn't need to be in -runtime.

Reviewed by:		manu
Differential Revision:	https://reviews.freebsd.org/D51783
2025-08-07 13:36:59 +01:00
Jessica Clarke 650bcf5b6b rtld-elf: Don't include duplicate semicolon in Obj_Entry
MD_OBJ_ENTRY is a list of members, possibly empty, to include in
Obj_Entry. By including the semicolon here, in the case that it's empty,
we end up with a duplicate semicolon. In the case that it's not empty,
whether there's a duplicate depends on each architecture's definition,
but they all in fact put a semicolon after every member, so there is
also a duplicate semicolon there. This is invalid C syntax, although
both GCC and Clang accept it, treating it only as a pedantic warning,
but there is no need for us to rely on that, and downstream it masked a
missing semicolon for an added field, but only on architectures where
MD_OBJ_ENTRY is empty, leading to conditional compilation failure for
something that should have been detected as an unconditional error.

Note that PCPU_MD_FIELDS, which this is based on, follows a different
style. There, every architecture defines at least one member, and there
is a semicolon after PCPU_MD_FIELDS in sys/sys/pcpu.h, but every
architecture makes sure to not put a semicolon after the final member in
its definition of the macro. This is not a pattern we can adhere to here
though given not all architectures add members.

Fixes:	06db20ffec ("rtld: Add MD_OBJ_ENTRY to extend Struct_Obj_Entry")
2025-08-07 01:10:18 +01:00
Dag-Erling Smørgrav ac641d55ea rc.subr: Drop duplicate SPDX tag in test script
I added a tag in the correct place in the previous commit, and somehow
managed to miss that there was already one in the wrong place.

Fixes:		7f04c09fe7
Sponsored by:	Klara, Inc.
Sponsored by:	NetApp, Inc.
2025-08-02 01:19:37 +02:00
Dag-Erling Smørgrav 7f04c09fe7 rc.subr: Fix wait_for_pids
It looks like this function was intended to loop and print an update
whenever at least one of the waited-for processes terminates.  However,
the default behavior of pwait is to block until none of the watched
processes exist.  Use pwait -o instead so it only blocks until at least
one process terminates, and add a test.

Sponsored by:	Klara, Inc.
Sponsored by:	NetApp, Inc.
Reviewed by:	siderop1_netapp.com, kevans
Differential Revision:	https://reviews.freebsd.org/D51691
2025-08-02 01:11:57 +02:00
Dag-Erling Smørgrav e40a2c4927 comsat: Don't return from the child
Fixes:		91629228e3
MFC after:	1 week
Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D51581
2025-07-28 17:28:59 +02:00
Dag-Erling Smørgrav 4a4338d944 comsat: Don't read arbitrary files
When processing a notification, instead of accepting any file name
that doesn't begin with a slash, accept only file names that don't
contain any slashes at all.  This makes it possible to notify a
user about a mailbox that doesn't bear their name, as long as they
are permitted to read it, but prevents comsat from reading files
outside the mail spool.

PR:		270404
MFC after:	1 week
Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D51580
2025-07-28 17:28:59 +02:00
Dag-Erling Smørgrav 23401aeb15 Replace last few remaining MAN[1-8] with MAN
Reviewed by:	ivy
Differential Revision:	https://reviews.freebsd.org/D51530
2025-07-26 12:00:02 +02:00
Dag-Erling Smørgrav a3d4ae7cf3 dma: Don't install dma.conf world-readable
While here, install auth.conf into /etc as well.

MFC after:	3 days
PR:		288409
Reviewed by:	ivy, bapt
Differential Revision:	https://reviews.freebsd.org/D51529
2025-07-26 11:59:53 +02:00
Lexi Winter 76446b5aa3 gssd: move to a new package
It's reasonable to want to install gssd without the Kerberos utilities
(e.g., if using security/krb5 from ports), so move gssd to its own
package to allow this.

Reviewed by:	manu, cy
Differential Revision:	https://reviews.freebsd.org/D51486
2025-07-25 18:31:27 +01:00
Kyle Evans 5138a20765 tftpd: explicitly set egid after dropping supplemental groups
tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid.  This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.

While we're here, FreeBSD's setgroups() has supported nominally clearing
all supplemental groups since 1997.  It still leaves the egid in our
cr_groups[0] because we don't have an out-of-band way to store the egid,
and on other systems it'll clear the supplemental group entirely as one
would want.

Reviewed by:	allanjude (previous version), des, olce
Differential Revision:	https://reviews.freebsd.org/D51149
2025-07-24 09:59:07 -05:00
Dag-Erling Smørgrav aa183bc7f9 rc.d: Fix mountd service script.
This script references variables beloning to the nfsd and zfs services,
therefore it needs to load their configurations.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D51473
2025-07-24 15:00:47 +02:00
Konstantin Belousov db9ef9d5f5 rtld: do not relocate tlsinit address twice
The addend for PT_TLS p_vaddr value should be obj' relocbase and not
mapbase. It does not matter for dso which is linked at the address
zero, but for executables in direct-exec mode with non-zero link
address mapbase is already at the link base.  Then, adding mapbase to
phtls->p_vaddr adds twice as much relocbase offset as needed.

PR:	288334
Reported by:	Jordan Gordeev <jgopensource@proton.me>
Reviewed by:	jrtc27
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D51448
2025-07-21 08:29:05 +03:00
Mark Johnston fa8db724ae random: Treat writes to /dev/random as separate from /entropy
RANDOM_CACHED is overloaded to refer both to entropy obtained from files
loaded by the boot loader, and entropy obtained via writes to
/dev/random.  Introduce a new source, RANDOM_RANDOMDEV, to refer to the
latter.  This is to enable treating RANDOM_CACHED as a special case in
the NIST health test implementation.

Update the default harvest_mask in rc.conf to include RANDOM_RANDOMDEV,
preserving the old behaviour of accepting writes to /dev/random.

Bump __FreeBSD_version for modules which register a pure source, since
all of their values have now shifted.

Reviewed by:	cem
MFC after:	3 months
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51155
2025-07-18 20:33:06 +00:00
Michael Proto 9e8c1f9576 /etc/rc.d/pf: Fix for multi-line pf_fallback_rules
Setting multiple pf_fallback_rules in /etc/rc.conf as per the
documentation produces invalid pf syntax due to the lack of echo
quoting $pf_fallback_rules in /etc/rc.d/pf. Adding quotes around
the $pf_fallback_rules echo maintains newlines needed for valid
pfctl syntax. Provided patch resolves the issue

Also updating rc.conf(5) to reflect that multi-line pf_fallback_rules
should not include a trailing backslash (\) as line breaks are
needed when passing rules to pfctl via stdin.

PR:		288197
Reviewed by:	kp
MFC after:	2 weeks
2025-07-15 15:06:27 +02:00
Mark Johnston da89500adb rc_subr_test: Bump some sleep timeouts
The test verifies that the rc framework will OOM-protect a process
spawned by rc.  It just wraps a 5-second /bin/sleep invocation as part
of this test.

The rc framework uses procctl to set the OOM-protect bit after the
process has started, i.e., it uses procctl -p.  So, with a 5 second
timeout, it's possible for the process to exit before procctl actually
runs, if the system is heavily loaded.  (I see this failure occasionally
with KMSAN configured and many tests running in parallel.)

Bump the timeout to reduce the risk of this happening.  The timeout
value is arbitrary since the test will stop the rc process, i.e., we
don't have to wait for 60 seconds to elapse before the test passes.

MFC after:	1 week
2025-07-13 18:24:36 +00:00
Mateusz Piotrowski 5d5258653b rc.subr: Fix a typo in check_jail()'s description
MFC after:	3 days
Event:		Berlin Hackathon 202507
2025-07-12 18:23:03 +02:00
Mateusz Piotrowski 46f18ecf8d rc: Use check_jail to check values of security.jail MIBs
PR:		282404
Reviewed by:	markj, netchild
Approved by:	markj (mentor)
MFC after:	2 weeks
Event:		Berlin Hackathon 202507
Differential Revision:	https://reviews.freebsd.org/D47329
2025-07-12 18:20:32 +02:00
Jessica Clarke 02d06043ba rtld-elf: Delete unused RELOC_ALIGNED_P copies
This was copied from arm to aarch64 to riscv, but only arm uses it.

MFC after:	1 week
2025-07-11 02:07:04 +01:00
Jessica Clarke a1d971ad3f rtld-elf: Track allocated TCBs internally and use for distribute_static_tls
Currently rtld delegates to libc or libthr to initialise the TCBs for
all existing threads when dlopen is called for a library that is using
static TLS. This creates an odd split where rtld manages all of TLS for
dynamically-linked executables except for this specific case, and is
unnecessarily complex, including having to reason about the locking due
to dropping the bind lock so libthr can take the thread list lock
without deadlocking if any of the code run whilst that lock is held ends
up calling back into rtld (such as for lazy PLT resolution).

The only real reason we call out into libc / libthr is that we don't
have a list of threads in rtld and that's how we find the currently used
TCBs to initialise (and at the same time do the copy in the callee
rather than adding overhead with some kind of callback that provides the
TCB to rtld. If we instead keep a list of allocated TCBs in rtld itself
then we no longer need to do this, and can just copy the data in rtld.
How these TCBs are mapped to threads is irrelevant, rtld can just treat
all TCBs equally and ensure that each TCB's static TLS data block
remains in sync with the current set of loaded modules, just as how
_rtld_allocate_tls creates a fresh TCB and associated data without any
embedded threading model assumptions.

As an implementation detail, to avoid a separate allocation for the list
entry and having to find that allocation from the TCB to remove and free
it on deallocation, we allocate a fake TLS offset for it and embed the
list entry there in each TLS block.

This will also make it easier to add a new TLS ABI downstream in
CheriBSD, especially in the presence of library compartmentalisation.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D50920
2025-07-10 20:00:28 +01:00
Jessica Clarke 4d2752925a rtld-elf: Extract part of allocate_tls_offset into allocate_tls_offset_common
This will be used to allocate additional space for a TAILQ_ENTRY by rtld
at a known offset from the TCB, as if it were TLS data.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D51068
2025-07-10 20:00:28 +01:00
Kyle Evans 3f0e109209 flua: fbsd: allow stdout to be captured for exec() processes
This allows us to do things like:

```
local fp = assert(fbsd.exec({"ls", "-l"}, true))
local fpout = assert(fp:stdout())

while true do
        local line = fpout:read("l")
        if not line then break end
        print("Read: " .. line)
end

fp:close()
```

The makeman lua rewrite will use it to capture `make showconfig` output
for processing.

Reviewed by:	bapt
Differential Revision:	https://reviews.freebsd.org/D50539
2025-07-09 00:12:32 -05:00
Kyle Evans 6a2c624b35 flua: fbsd: return a process handle to operate on when we exec()
This gives us some way to be able to write to stdin if we want to, or
as a future improvement, will allow us to extract stdout from the
process.  The handle is setup to close and waitpid() on close/gc so that
existing users wouldn't necessarily leak for the lifetime of the script
if they weren't adopted to the new model.

Reviewed by:	bapt
Differential Revision:	https://reviews.freebsd.org/D50538
2025-07-09 00:12:31 -05:00
Kyle Evans 0610ba6cdb flua: fbsd: avoid leaking stdin pipes on error
Additionally, there's no way to get to the end without a valid
stdin_pipe[1] at the moment, so don't check for it.  stdin_pipe[0] is
closed earlier, as the parent shouldn't need the read-side of the pipe.

While we're here, also free the file actions earlier and on error --
they're not necessary once posix_spawnp() has returned.

Reviewed by:	bapt
Differential Revision:	https://reviews.freebsd.org/D50537
2025-07-09 00:12:31 -05:00
Mark Johnston eda96744b4 lposix: Clean up the posix namespace definitions
The posix module is subdivided according to C headers; for instance,
posix.unistd contains routines available from unistd.h, such as
chown(2).

A quirk of our implementation is that each of the modules is a direct
entry in the global table.  That is, there is no "posix" table.
Instead, "posix.foo" and "posix.bar.baz" are both top-level tables.
This is surprising and goes against Lua's shorthand of using "." to
access keys in a table.  lua-posix also doesn't work this way.

Rework things so that "posix" and "posix.sys" are proper tables.
Existing flua code which uses require() to bind posix submodules to a
name will be unaffected.  Code which accesses them directly using
something like _G["posix.sys.utsname"].uname() will be broken, but I
don't think anything like that exists.  In particular, it is now
possible to call posix.sys.utsname.uname() without any require
statements.

Reviewed by:	imp, bapt
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D51158
2025-07-07 15:43:27 +00:00
Mark Johnston 667ef8875b nuageinit: Add wrappers for chmod and chown
In the wrappers, check for errors and abort if one is raised.  At some
point it may be useful to have a mechanism to ignore errors, but I'm not
sure yet how that should look.

For chmod, let the mode be specified as an octal number, otherwise it's
hard to understand what's happening.  Note that this must be specified
as a string, otherwise tonumber() will raise an error.

Reviewed by:	bapt
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D51159
2025-07-05 14:54:07 +00:00
Mark Johnston 88d94ead7f lposix: Use reentrant passwd and group lookup functions
The implementation of chown() in the posix module handles user and group
names as well as numeric IDs.  When resolving names, be sure to use
reentrant lookup functions rather than assuming it's safe to clobber the
internal buffers used by getpwnam() and getgrnam().

Fix some style nits while here.

Reviewed by:	imp, bapt
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D46555
2025-07-04 20:11:12 +00:00
Eugene Grosbein 24e8ed535f network.subr: correct return code in case of bad call to ifisup()
This is rather cosmetic correction.

PR:		287872
MFC-after:	2 weeks
X-MFC-With:	6d3bc576ab
2025-07-01 21:33:19 +07:00
Eugene Grosbein 6d3bc576ab libexec/rc: improve performance of pccard_ether script
Replace "ifconfig -ul" with "ifconfig -n" because netlink-enabled
/sbin/ifconfig utility has sub-optimal performance for listing.

Combined with the commit b1b17432aa,
these changes mostly eliminate performance regression of the command
"service devd start" for a system having hundreds of network interfaces
created before devd starts, after FreeBSD 14+ switched
/sbin/ifconfig to netlink(4)

PR:		287872
MFC-after:	2 weeks
2025-07-01 21:13:10 +07:00
Mark Johnston 9c014cc25c Revert "rc: Disable pathname expansion when calling run_rc_command()"
At least nuageinit is broken after this commit, breaking some downstream
CI systems.  It also disables globbing for rc.local scripts, which is
likely to break users in surprising ways.

This reverts commit 4deb9760a9.
2025-06-27 20:18:36 +00:00
Mark Johnston d783591a7d Revert "rc: Fix scripts that need pathname expansion"
The commit which motivated this is being reverted.

This reverts commit 7faddeb395.
2025-06-27 20:18:24 +00:00
Sebastien Baylocq 7ad574b3e3 nuageinit: fix log name 2025-06-27 16:35:55 +02:00
Baptiste Daroussin b56d2195f1 nuageinit: enhance sudo support
from the cloudinit specification sudo rules can be a string or an
array of string
2025-06-26 14:34:51 +02:00
Baptiste Daroussin 3969965c7f nuageinit: fix setting owner when only the user is set 2025-06-26 14:34:51 +02:00
Baptiste Daroussin d9a4c24df1 nuageinit: write_files fix typo breaking tests 2025-06-26 14:34:51 +02:00
joyu liaonull 0804e60df1 ftpd: Provide an option to turn off FTP anonymous usage
ftpd provides the -n option to disable anonymous FTP access, meaning the
username 'ftp' cannot log in to the FTP server without a password stored
in the password database. This feature helps prevent users who lack the
background knowledge of how this special username 'ftp' conventionally
works in FTP from mistakenly creating an account with the username
'ftp,' assuming it behaves like other usernames that require a password
to log in to the FTP server, which it does not.

Differential Revision:	https://reviews.freebsd.org/D46547
2025-06-26 14:10:14 +02:00
Baptiste Daroussin 19a7ea3cc4 nuageinit: implement write_files
write_files is a list of files that should be created at the first boot

each file content can be either plain text or encoded in base64 (note
that cloudinit specify that gzip is supported, but we do not support it
yet.)

All other specifier from cloudinit should work:
by default all files will juste overwrite exesiting files except if
"append" is set to true, permissions, ownership can be specified.
The files are create before packages are being installed and user
created.

if "defer" is set to true then the file is being created after packages
installation and package manupulation.

This feature is requested for KDE's CI.
2025-06-26 13:47:37 +02:00
Sebastien Baylocq dba00b1c6b nuageinit: launch post network script with postnet citype
Sponsored by:	OVHCloud
2025-06-26 09:26:11 +02:00
Baptiste Daroussin 40dafa08b2 nuageinit: use lyaml to parse yaml files
This fixes case where vendors or cloudinit consumers are using all
features from yaml.

KDE is using reference for its CI for example.
lima-vm uses syntax for which our previous yaml.lua has bug in the
parser (https://github.com/lima-vm/lima/issues/1508)
2025-06-26 09:24:15 +02:00
Baptiste Daroussin 2bc180ef04 lyaml: vendor import lua bindings for libyaml 2025-06-26 09:15:08 +02:00
Andrew Turner 28fd9bceba rtld-elf: Add Add AT_HWCAP3 and AT_HWCAP4
Add the AT_HWCAP3 and AT_HWCAP4 format strings to auxfmt.

Reviewed by:	brooks, kib
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D51007
2025-06-24 17:26:40 +01:00
Siva Mahadevan 7067bab893 nuageinit(7) tests: Fix extra space in test output expectation
This fixes the test case libexec.nuageinit.nuageinit.config2_userdata_packages

Signed-off-by: Siva Mahadevan <me@svmhdvn.name>

Event:		Kitchener-Waterloo Hackathon 202506
Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1734
2025-06-20 17:01:25 -04:00
Maxim Konovalov b78b7fa01f nuageinit.7: language and grammar improvements
Reviewed by:	bapt
2025-06-19 13:14:33 +00:00
Cy Schubert abd3c20a03 mountcritlocal: Check only first byte for comment
Check for a "#" at the start of the line regardless whether it is its
own token or not. We avoid unecessary calls to rc.d/zpool.

Suggested by:	ivy
Fixes:		b6e33f0cd5
2025-06-17 12:59:36 -07:00
Maxim Konovalov 1049c079c0 nuageinit.7: language and grammar fixes mostly 2025-06-17 07:59:57 +00:00
Baptiste Daroussin 5ec727ea1a nuageinit: write a documentation
Reviewed by:	imp, ziaee (both a previous version)
Differential Revision:	https://reviews.freebsd.org/D50878
2025-06-17 08:54:39 +02:00