Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]
Fix a buffer overflow in telnetd. [11:08]
Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]
Add sanity checking of service names in pam_start. [11:10]
Approved by: so (cperciva)
Approved by: re (bz)
Security: FreeBSD-SA-11:06.bind
Security: FreeBSD-SA-11:07.chroot
Security: FreeBSD-SA-11:08.telnetd
Security: FreeBSD-SA-11:09.pam_ssh
Security: FreeBSD-SA-11:10.pam
from scratch, copying needed functionality from the old implemenation
on demand, with a thorough review of all code. The main change is that
interface layer has been removed from the CARP. Now redundant addresses
are configured exactly on the interfaces, they run on.
The CARP configuration itself is, as before, configured and read via
SIOCSVH/SIOCGVH ioctls. A new prefix created with SIOCAIFADDR or
SIOCAIFADDR_IN6 may now be configured to a particular virtual host id,
which makes the prefix redundant.
ifconfig(8) semantics has been changed too: now one doesn't need
to clone carpXX interface, he/she should directly configure a vhid
on a Ethernet interface.
To supply vhid data from the kernel to an application the getifaddrs(8)
function had been changed to pass ifam_data with each address. [1]
The new implementation definitely closes all PRs related to carp(4)
being an interface, and may close several others. It also allows
to run a single redundant IP per interface.
Big thanks to Bjoern Zeeb for his help with inet6 part of patch, for
idea on using ifam_data and for several rounds of reviewing!
PR: kern/117000, kern/126945, kern/126714, kern/120130, kern/117448
Reviewed by: bz
Submitted by: bz [1]
yet (see LLVM PR 9788), and warns about it, rub it out for now. When
clang grows support for this attribute, I will revert this again.
MFC after: 1 week
conversion between enum desdir/desmode from include/rpc/des.h, and enum
desdir/desmode from include/rpcsvc/crypt.x. These are actually
different enums, with different value names, but by accident the integer
representation of the enum values happened to be the same.
MFC after: 1 week
warn about it. I guess this was originally done to silence a bogus
warning by an older version of gcc, but I could not reproduce it with
any version of gcc that I have access to.
MFC after: 1 week
__noreturn macro and modify the other exiting functions to use it.
The __noreturn macro, unlike __dead2, must be used BEFORE the function.
This is in line with the C and C++ specifications that place _Noreturn (c1x)
and [[noreturn]] (C++11) in front of the functions. As with __dead2, this
macro falls back to using the GCC attribute.
Unfortunately, clang currently sets the same value for the C version macro
in C99 and C1x modes, so these functions are hidden by default. At some
point before 10.0, I need to go through the headers and clean up the C1x /
C++11 visibility.
Reviewed by: brooks (mentor)
vs. the comment documented "If we are working with a privileged socket,
then take only one attempt". Make the code match.
Furthermore, critical privileged applications that [over] log a vast amount
can look like a DoS to this code. Given it's unlikely the single reattempted
send() will succeeded, avoid usurping the scheduler in a library API for a
single non-critical facility in critical applications.
Obtained from: Juniper Networks
Discussed with: glebius
than silently failing and returning success.
Without this, code calls pthread_once(), receives a return value of
success, and thinks that the passed function has been called.
Approved by: dim (mentor)
system calls to provide feed-forward clock management capabilities to
userspace processes. ffclock_getcounter() returns the current value of the
kernel's feed-forward clock counter. ffclock_getestimate() returns the current
feed-forward clock parameter estimates and ffclock_setestimate() updates the
feed-forward clock parameter estimates.
- Document the syscalls in the ffclock.2 man page.
- Regenerate the script-derived syscall related files.
Committed on behalf of Julien Ridoux and Darryl Veitch from the University of
Melbourne, Australia, as part of the FreeBSD Foundation funded "Feed-Forward
Clock Synchronization Algorithms" project.
For more information, see http://www.synclab.org/radclock/
Submitted by: Julien Ridoux (jridoux at unimelb edu au)
load of _l suffixed versions of various standard library functions that use
the global locale, making them take an explicit locale parameter. Also
adds support for per-thread locales. This work was funded by the FreeBSD
Foundation.
Please test any code you have that uses the C standard locale functions!
Reviewed by: das (gdtoa changes)
Approved by: dim (mentor)
change here is to ensure that when a process forks after arc4random
is seeded, the parent and child don't observe the same random sequence.
OpenBSD's fix introduces some additional overhead in the form of a
getpid() call. This could be improved upon, e.g., by setting a flag
in fork(), if it proves to be a problem.
This was discussed with secteam (simon, csjp, rwatson) in 2008, shortly
prior to my going out of town and forgetting all about it. The conclusion
was that the problem with forks is worrisome, but it doesn't appear to
have introduced an actual vulnerability for any known programs.
The only significant remaining difference between our arc4random and
OpenBSD's is in how we seed the generator in arc4_stir().
OpenBSD's version (r1.22). While some of our style changes were
indeed small improvements, being able to easily track functionality
changes in OpenBSD seems more useful.
Also fix style bugs in the FreeBSD-specific parts of this file.
No functional changes, as verified with md5.
The size passed to strlcat() must depend on the input length, not the
output length. Because the input and output buffers are equal in size,
the resulting binary does not change at all.
madvise(2) except that it operates on a file descriptor instead of a
memory region. It is currently only supported on regular files.
Just as with madvise(2), the advice given to posix_fadvise(2) can be
divided into two types. The first type provide hints about data access
patterns and are used in the file read and write routines to modify the
I/O flags passed down to VOP_READ() and VOP_WRITE(). These modes are
thus filesystem independent. Note that to ease implementation (and
since this API is only advisory anyway), only a single non-normal
range is allowed per file descriptor.
The second type of hints are used to hint to the OS that data will or
will not be used. These hints are implemented via a new VOP_ADVISE().
A default implementation is provided which does nothing for the WILLNEED
request and attempts to move any clean pages to the cache page queue for
the DONTNEED request. This latter case required two other changes.
First, a new V_CLEANONLY flag was added to vinvalbuf(). This requests
vinvalbuf() to only flush clean buffers for the vnode from the buffer
cache and to not remove any backing pages from the vnode. This is
used to ensure clean pages are not wired into the buffer cache before
attempting to move them to the cache page queue. The second change adds
a new vm_object_page_cache() method. This method is somewhat similar to
vm_object_page_remove() except that instead of freeing each page in the
specified range, it attempts to move clean pages to the cache queue if
possible.
To preserve the ABI of struct file, the f_cdevpriv pointer is now reused
in a union to point to the currently active advice region if one is
present for regular files.
Reviewed by: jilles, kib, arch@
Approved by: re (kib)
MFC after: 1 month
the word alignment, some versions of gcc do require 16-byte alignment.
Make sure the stack is 16-byte aligned before calling a subroutine.
Inspired by: PR amd64/162214
MFC after: 1 week
as it is required by amd64 ABI. Add a comment for the places were
the stack is accidentally properly aligned already.
PR: amd64/162214
Submitted by: yamayan <yamayan kbh biglobe ne jp>
MFC after: 1 week
When booting the system, truncate the utx.active file, but do write the
BOOT_TIME record into it afterwards. This allows one to obtain the boot
time of the system as follows:
struct utmpx u1 = { .ut_type = BOOT_TIME }, *u2;
setutxent();
u2 = getutxid(&u1);
Now, the boot time is stored in u2->ut_tv, just like on Linux and other
systems.
We don't open the utx.active file with O_EXLOCK. It's rather unlikely
that other applications use this database at the same time and I want to
prevent the possibility of deadlocks in init(8).
Discussed with: pluknet
working MI one. The MI one only needs to be overridden on machines
with non-IEEE754 arithmetic. (The last supported one was the VAX.)
It can also be overridden if someone comes up with a faster one that
actually passes the regression tests -- but this is harder than it sounds.
