We can no longer use sizeof() to get the path buffer's size. Apply
a straightforward fix for now with the aim of MFCing soon.
PR: 233633
Submitted by: Katsuyuki Miyoshi <katsu@miyoshi.matsuyama.ehime.jp>
MFC after: 3 days
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.
The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).
As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.
Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.
Submitted by: Shawn Webb <lattera at gmail.com>
Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes: yes
Sponsored by: HardenedBSD and G2, Inc
Differential Revision: https://reviews.freebsd.org/D18319
from setting the volume serial number. This unbreaks older boot blocks
that don't support serial numbers, and allows boot0cfg to set the serial
number itself if requested by the user.
Submitted by: lev@, yuripv@
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D17386
to avoid buffer accessed out of bounds, also switch to snprintf(3).
PR: 200859
Submitted by: Caglar <caglar@10ur.org>
Obtained from: https://github.com/mist64/xhyve/pull/24
MFC after: 4 weeks
Sponsored by: iXsystems Inc.
option, we pass -1 down to listen, which causes it to use the
kern.ipc.soacceptqueue sysctl.
Approved by: mav
MFC after: 2 weeks
Sponsored by: iXsystems Inc
- Adding a note to UPDATING
- Adding a note to the history section of the manpage ctm.1
- Adding a message printed to STDERR to the ctm program
This version is meant for release in FreeBSD-12.0 and should remain in
FreeBSD-12 over its life-time.
A follow-up commit will remove ctm from -CURRENT after the MFC to 12
has happened.
Approved by: imp, rgrimes, bcr (man-page)
MFC after: 3 days
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D17969
Every µcode-updater must open the cpucontrol devfs node RDWR, open a
firmware file, validate the FW file has a positive length, mmap it, etc.
De-duplicate that identical logic between every individual platform.
Also, constify references to the readonly-mapped firmware files while here.
Sponsored by: Dell EMC Isilon
Exit with a zero status when Postfix reports "Mail queue is empty" so this
section won't appear in the report at all when daily_show_success="NO".
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
of jails. Jails have their own user/group databases and this script
can produce multiple false warnings, not to mention significant extra
load in case of large jailed subtrees. Leave this check for jailed
invocations of the same script.
MFC after: 1 month
a list of configured non-wildcard jails with their parameters,
no matter running or not.
The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.
MFC after: 1 month
The new default config will only include files from the following
directories which end with '.conf' and do not beginning with a '.'
character:
- /etc/newsyslog.conf.d/
- /usr/local/etc/newsyslog.conf.d/
This matches the syslog.conf(5) functionality, and also prevents '.sample' or
'.pkgnew' files being included. This is important for ports which install files
in /usr/local/etc/newsyslog.conf.d/ and also for pkgbase.
Approved by: eadler
Approved by: bapt
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D17086
Also switch from int to size_t to keep portability.
Reviewed by: brooks
Sponsored by: iXsystems Inc.
Differential Revision: https://reviews.freebsd.org/D17795
Factorize code by using struct sockaddr_storage to handle both ipv6 and ipv4
Discussed with: rmacklem
Reviewed by: manu
MFC after: 1 month
Sponsored by: Gandi.net
Differential Revision: https://reviews.freebsd.org/D13223
Having the flag named "6" can possibly be a problem for configurations
where parsing strings and numbers can produce ambivalent results.
Rename the "6" flag to the "S"ix (or Silence-IPv4) flag.
This fixes signed IOCTL value warnings in uhsoctl().
MFC after: 1 week
Submitted by: Marcin Cieslak <saper@saper.info>
Sponsored by: Mellanox Technologies
This change defines the RA "6" (IPv6-Only) flag which routers
may advertise, kernel logic to check if all routers on a link
have the flag set and accordingly update a per-interface flag.
If all routers agree that it is an IPv6-only link, ether_output_frame(),
based on the interface flag, will filter out all ETHERTYPE_IP/ARP
frames, drop them, and return EAFNOSUPPORT to upper layers.
The change also updates ndp to show the "6" flag, ifconfig to
display the IPV6_ONLY nd6 flag if set, and rtadvd to allow
announcing the flag.
Further changes to tcpdump (contrib code) are availble and will
be upstreamed.
Tested the code (slightly earlier version) with 2 FreeBSD
IPv6 routers, a FreeBSD laptop on ethernet as well as wifi,
and with Win10 and OSX clients (which did not fall over with
the "6" flag set but not understood).
We may also want to (a) implement and RX filter, and (b) over
time enahnce user space to, say, stop dhclient from running
when the interface flag is set. Also we might want to start
IPv6 before IPv4 in the future.
All the code is hidden under the EXPERIMENTAL option and not
compiled by default as the draft is a work-in-progress and
we cannot rely on the fact that IANA will assign the bits
as requested by the draft and hence they may change.
Dear 6man, you have running code.
Discussed with: Bob Hinden, Brian E Carpenter
dialog will conditionally ignore the --hline option if not enough space
was available to accomodate for the text width. Traditionally the width
of the widget had to be 10 wider than the text. Recent updates to dialog
have changed the requirement to be at least 12 wider than the hline text
else the hline text is not rendered at the bottom of the widget.
Sponsored by: Smule, Inc.
