Reviewed by: gbe
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52285
Add a new SECURITY CONSIDERATIONS section describing in details what the
new behavior is after commit 9da2fe96ff ("kern: fix setgroups(2) and
getgroups(2) to match other platforms"), what setgroups(2) does not
do anymore, and how programs using it are affected.
Fix the groups limit after commit 9da2fe96ff ("kern: fix setgroups(2)
and getgroups(2) to match other platforms").
Prefer a terminology referring to POSIX terms, i.e., use "effective
group list" instead of "group access list".
While here, fix some style.
Note for MFC to stable/14: The content will have to be revised as the
new behavior is not in place. The latter should still be mentioned as
upcoming in 15.
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52284
Bring up to date with NSS by substituting "file" with "database".
Describe more precisely which database is accessed, i.e., only the group
database, which value should be used and where it lands in the result.
Prefer a terminology referring to POSIX terms, i.e., use "effective
group list" instead of "group access list".
Reviewed by: gbe
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52283
After commit 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to
match other platforms"), initgroups() does not set the effective GID
anymore and uses all passed groups as the supplementary group list.
This effectively breaks backwards compatibility with programs/libraries
compiled on a FreeBSD 14 or earlier system.
Restore compatibility by creating a new version of the 'initgroups'
symbol that designates the current implementation and providing
a pre-FreeBSD-15-compatible version under the symbol's previously
exported version. The new version calls the new setgroups(2) system
call, while the compatible one calls the original one (called
freebsd14_setgroups()).
Update the manual page with some history and comparison with other
current open-source systems. Add a "SECURITY CONSIDERATIONS" section
highlighting some security properties of this approach and the reasons
we adopt it. While here, revamp the manual page, in particular to use
the exact POSIX terminology where possible.
Note for MFC to stable/14: Only the manual page update is to be MFCed,
and the text changed to reflect the old behavior and inform readers of
the new upcoming behavior in 15.
Reviewed by: kib
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52282
We must not return ENOMEM, but rather -1 with 'errno' set to ENOMEM, as
described in the manual page and as other implementations are doing.
A malloc() failure actually already sets ENOMEM for us. Add comments
indicating which function set 'errno' each time we return.
While here, improve style and remove useless headers.
Reviewed by: kib, emaste
Fixes: 54404cfb13 ("In preparation for raising NGROUPS and NGROUPS_MAX, ...")
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52580
An examination of the scripts under 'sys/tools/syscalls' indicates that
keeping STD as a type in the presence of COMPATxx does not make any
difference, and regenerating system call files with STD removed does
indeed not show any difference. Moreover, this practice is inconsistent
with the rest of the file.
Thus, remove the superfluous STD type for the two above-mentioned system
calls. While here, re-order the remaining types for getgroups() to be
consistent with other such occurrences (COMPATxx before CAPENABLED).
Reviewed by: kevans, emaste
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52499
It is in fact redundant with the previous one, as the set of
supplementary groups is expected to be empty.
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52281
No functional change (intended).
Go through conversion to a 'l_gid_t' before copying out in order to cope
with differing group types (except for not representable values, of
course). This is what is done, e.g., for getgroups() in 'linux_misc.c'.
As Linux's group type is the same as ours on all architectures, we could
as well just stop bothering and copy out our memory representation,
eliminating the loop here. Whatever the choice, though, it has to be
consistent here and there.
Introduce 'out' of type 'l_gid_t' to avoid performing "by hand" array
arithmetic when copying out.
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52280
For the size we know we will need in the end.
No functional change (intended).
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52279
This was missed in commit 838d985825 ("Rework the credential code to
support larger values of NGROUPS (...)").
No functional change (intended).
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52278
'ngroups_max' is the maximum number of supplementary groups the system
will accept, and this has not changed.
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52277
No functional change (intended).
While here, fix/improve style a bit and in setgroups().
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52276
Invert the initial test on whether the policy is in force so that, if
there are no restrictions, the function bails out early, allowing the
rest of the code to be de-indented and to finish with a non-zero (deny)
'return'.
No functional change (intended).
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52272
As 'cr_gid' was in fact stored in cr_groups[0],
rule_grant_supplementary_groups() would loop only on further elements of
cr_groups[]. Now that cr_groups[0] is not 'cr_gid' anymore, but some
supplementary group, take it into account.
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52271
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52270
Make it more straightforward for consumers. Also, recommend using
cr_sgroups[] for supplementary groups, as this can generally alleviate
index problems and will help us spot and change consumers if/when
'struct ucred' is evolved incompatibly (and cr_sgroups[] suppressed).
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52269
The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.
Fix these policies.
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52268
No functional change.
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52267
While here, fix style of some already-updated comments.
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52266
Remove the parts about the effective GID being stored as the first
element of the groups array, as this is generally not the case now after
commit be1f7435ef ("kern: start tracking cr_gid outside of
cr_groups[]") (some credentials export structures still have the old
layout, and need to do the 'ngroups_max + 1' computation, but given the
computation needed to obtain a size in bytes, this detail is not really
important here).
Remove the part about 32-bit machines, avoiding another modification
when support for them is removed.
No functional change.
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52265
This comment has been obsoleted by commit be1f7435ef ("kern: start
tracking cr_gid outside of cr_groups[].").
No functional change.
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52264
Due to the partial-only changes of commit 46c07316f9 ("kern: adopt the
cr_gid macro for cr_groups[0] more widely"), subsequent commit
be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
caused a mismatch between filling cr_groups[0] in 'reused_creds' in
fuse_interrupt_send() and reading 'cr_gid' from it in
fuse_setup_ihead(), with the consequence that the kernel would send
a FUSE_INTERRUPT message to the FUSE daemon with an uninitialized GID in
its header (which, besides being wrong, would disclose 4 bytes from its
stack).
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52255
cmcred_groups[0] in 'struct cmsgcred' must be the effective GID.
Note that the code in unp_addsockcred() filling up 'struct
sockcred'/'struct sockcred2' (LOCAL_CREDS/LOCAL_CREDS_PERSISTENT
options) was in fact "wrong" before 'cr_gid' was moved out of
cr_groups[], in the sense that it would transmit the effective GID
twice, both separately as 'sc_egid' and as the first element of
'sc_groups'. It is now exact, so is left unchanged, which causes
a difference in output (the effective GID is no longer in 'sc_groups',
unless it is also a supplementary group) that is unlikely to affect
applications in practice.
Reviewed by: glebius
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52262
In particular, fixes 'procstat -s -M' (for processes with more than 16
groups).
Reviewed by: kib
Fixes: be1f7435ef ("kern: start tracking cr_gid outside of cr_groups[]")
MFC after: 5 days
MFC to: stable/15
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52275
This change does the following 2 things:
- Makes the build more repeatable by isolating the environment. This
prevents bmake from leaking variables into gmake and makes the overall
process a bit more robust.
- Add debug printouts to make the process more straightforward to the
reader and whoever is doing the current vendor import.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D52420
If this tunable is enabled and vtnet receives a packet with
VIRTIO_NET_HDR_F_NEEDS_CSUM set, vtnet computes the TCP/UDP checksum
and writes it in the checksum field.
This was somewhat useful when vtnet pretended that such a packet has
a correct checksum and set the mbuf flag CSUM_DATA_VALID.
But this is not the case anymore.
Reviewed by: tuexen
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D52546
* Allow the congestion control modules CDG, CHD, HD, and vegas also
to be compiled into the kernel for IPv6 only kernel configs.
* Compile the helper module h_ertt for round trip time estimation only
into the kernel, if one of the congestion control modules using it
(one of CDG, CDH, HD, or vegas) is also compiled into the kernel.
Please note the second point implies that TCP TSO is done whenever
possible as long as none of the congestion control modules CDG, CHD,
HD, or vegas is loaded or compiled into the kernel.
Reviewed by: cc
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52547
Add metalog entries for various files. This is a bit incomplete as
pw(8) doesn't yet have support for emitting metalog entries, which we
need since it's used here to create an interactive user.
Reviewed by: emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52456
- Avoid mounting devfs just to list packages and fetch distfiles.
- Add metalog entries.
Reviewed by: cperciva, emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52455
- Add metalog entries.
- Remove a stray entry in the package list.
Reviewed by: cperciva, emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52454
- Avoid chrooting to uninstall pkg, as it will not be installed in the
first place when in non-root mode.
- Add metalog entries.
Reviewed by: cperciva
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52452
- Don't chroot to uninstall pkg since we don't install pkg in the first
place.
- Use pw -R instead of chrooting.
- Add metalog entries.
Reviewed by: cperciva, emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52451
When starting single-user mode, use the home directory from user root as
current directory and for the HOME environment variable. If the
directory does not exist, set HOME=/.
Also adjust /root/.profile to stop setting HOME, since it should always
have been set now.
This is intended to keep shell startup files working in single-user mode
after /.profile has been removed.
Reviewed by: emaste, ivy, kevans
MFC after: 1 week
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D52527
Create a new tests package set to hold the tests, which are not useful
to all users and don't belong in the base set.
Reviewed by: emaste, ivy
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52574
The FreeBSD-src package is the largest single pkgbase package at 158M
currently. Remove it and FreeBSD-src-sys (87M) from the base set as
they are not useful to all users.
Reviewed by: emaste, ivy
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52573
Provide variables, PKG_REPOS_DIR and PKG_REPO_NAME, to allow the user to
configure the source package repository. Configure pkg to emit added
files to a metalog which gets concatenated with the main metalog
immediately before we build the root filesystem.
Reviewed by: cperciva, emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D52453
so that we do not discard EtherIP packets (over IPv6 network) when
net.inet6.ip6.fw.deny_unknown_exthdrs is set to 1 (which is the default
value).
PR: 227450
Reviewed by: ae, #network
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52566
Currently it is impossible for a privileged, jailed process to set audit
session state. This can result in surprising audit event misattribution.
For example, suppose a user ssh'es into a jail and restarts a service;
normally, sshd sets audit state such that events generated by the SSH
session are attributed to the newly authenticated user, but in a jail,
the corresponding setaudit(2) call fails, so events are attributed to
the user who had started sshd in the jail (typically the user who had
started the jail itself by some means).
While this behaviour is reasonable, administrators might want to trust
the jailed sshd to reset audit state, such that the authenticated user
appears in audit logs. Add a jail knob to enable this. Add a simple
regression test.
This is a reapplication of commit 246d7e9fc2 following a revert.
The audit system calls must preserve the old behaviour of returning
ENOSYS if the system call is disallowed within a jail, as some
applications depend on that behaviour.
Reviewed by: kevans, jamie (previous version)
MFC after: 1 week
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51719
Differential Revision: https://reviews.freebsd.org/D52572
aarch64 and riscv are supported since 2023 so it should be safe to
enable it by default.
MFC after: 2 weeks
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52575
Changing audit system calls to return EPERM instead of ENOSYS when
invoked from a jail breaks some userspace applications. Revert for now
until a more complete change is reviewed.
This reverts commit 246d7e9fc2.
PR: 289645
Now that stat(1) can report whether a file is sparse, we no longer need
a helper program for our tests.
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52482
Add a new -h option that causes stat to print a list of holes for each
file argument.
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52481
Add PNP info so that the module can be matched by devmatch(8) and
automatically loaded. On non-x86 platforms it is not included in GENERIC.
Reviewed by: imp
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52557
x18 is overwritten with a temporary copy of the kernel stack pointer
when it is saved in the trapframe. This does not matter in terms of
function since nested exception return does not restore x18 from the
trapframe, but it does mean that examining x18 in a debugger in stack
frames above a nested fault outputs the wrong register value.
To fix, compute the value of the original stack pointer to save in x18
later after the trapframe has been constructed.
Reviewed by: jhb, andrew
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D52472
The first store-pair instruction in save_registers_head decrements the
stack pointer to create room for most of the trapframe (and the
redzone area for nested exceptions). However, the expression was a
bit non-intuitive as it was using an expression without a leading
negative sign to adjust the stack pointer. Rewrite the expression so
that it is more clearly a negative adjustment to the stack pointer.
Suggested by: andrew
Reviewed by: andrew
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D52514