On systems where mac_veriexec is enforced, init should run its scripts in verified mode.
This relies on the verify shell option introduced by D30464. init will detect if the shell
is /bin/sh, and in which case, add the verify option to the argument vector.
The verify option propagates to all files sourced by the shell, ensuring a better
protection than if the script was tested against an open(O_VERIFY) before running it.
This security can be bypassed with the kenv which overloads the shell to use.
However we feel confident that on systems running with mac_veriexec, this kenv will be blocked somehow.
Also, the verify option has no effect on systems where mac_veriexec is not loaded nor enforced.
Differential revision: https://reviews.freebsd.org/D34622
Reviewed by: sjg, wma
When calling shutdown, shutdown sends a signal to init and exits. This
causes a race condition for the waitpid function. If the signal wins the
race, wpid will be set to -1 and init calls death_single. If shutdown
wins the race, wpid will be set to the pid of the shutdown process and
the requested_transition will be ignored.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D36356
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Add boottrace annotations to record events in init(8), shutdown(8), and
reboot(8).
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #23
Differential Revision: https://reviews.freebsd.org/D31928
This can be useful for, e.g., unmounting filesystems that were needed
for shutdown.
Reviewed by: kib
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #63
Differential Revision: https://reviews.freebsd.org/D31230
Xen VMs get a simulated serial device meant for use as a console. Often
an xterm or other advanced terminal is used, so use xterm as the type.
Depending on configuration, FreeBSD on Xen for amd64 may instead use an
emulated serial port, but the virtual console may also be available.
Submitted by: Elliott Mitchell <ehem+freebsd@m5p.com>
Reviewed by: imp (slightly earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D29873
The tty lists were already pretty similar and there hadn't been any real
need for them to remain distinct for some time. As such, merge to a
single file.
The RISC-V console is preserved. For systems where it doesn't exist, its
presence in /etc/ttys is harmless. The uncommented version of the
ttyv8/XDM line from ttys.amd64 was the one chosen.
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30256
Back in the day, we used to have a number of entries that were either
'on' or 'off' directly, rather than conditionally on 'onifexists'
etc. Back then, we tried to line up the 'secure' columns by using the
construct 'on secure' or 'off secure' (one space or two). Now that these
have all moved to a conditional construct, remove the second space on
the ttys that still have it. This reduces diffs between the different
ttys and is no functional change. i386 and amd64 did this a long time
ago, and those are the only ones that affected external users (who used
to sed 's/on /off /' the entires as part of the automation).
MFC After: 3 days
Sponsored by: Netflix
This is a nop in practice, because it cannot be proven that this
particular bzero() is not significant. Make it explicit anyways, rather
than relying on an implementation detail of how the password is
collected.
Discussed with: Andrew Gierth <andrew tao146 riddles org uk>
The badsys() handler for SIGSYS was added as a transtion aid for kernels
lacking sysctl() in 1993. It is unsafe and unsound so remove it rather
than running the risk of a privilege-dropping system call being silently
omitted.
This partially reverts SCCSID 6.12 (Berkeley) 03/03/93 "add code to
change the system security level".
Reviewed by: mckusick, imp, kevans
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D26289
Specifically, when running /etc/rc. This allows one to specify via
login.conf(5) an environment that should be used when running services to
ease, e.g., setting up env vars for an HTTP proxy consistently across cron
and services alike.
Future changes will extend cron(8)/service(8) to use environment vars
pecified in login.conf(5) as well to promote a more cohesive experience.
This is a part of D21481.
Submitted by: Andrew Gierth <andrew_tao173.riddles.org.uk>
'shutdown -c' is supposed to power cycle the system rather than doing a normal
reboot. However, when that fails, it halts the system. This is not quite right
since the intent isn't to halt the system but to restart. Make the default init
behavior be to restart the system. The halt(8) interface can be used if you'd
like to powercycle or halt.
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org/D23129
This change allows to specify a watchdog(9) timeout for a system
shutdown. The timeout is activated when the watchdogd daemon is
stopped. The idea is to a prevent any indefinite hang during late
stages of the shutdown. The feature is implemented in rc.d/watchdogd,
it builds upon watchdogd -x option.
Note that the shutdown timeout is not actiavted when the watchdogd
service is individually stopped by an operator. It is also not
activated for the 'shutdown' to the single-user mode. In those cases it
is assumed that the operator knows what they are doing and they have
means to recover the system should it hang.
Significant subchanges and implementation details:
- the argument to rc.shutdown, completely unused before, is assigned to
rc_shutdown variable that can be inspected by rc scripts
- init(8) passes "single" or "reboot" as the argument, this is not
changed
- the argument is not mandatory and if it is not set then rc_shutdown is
set to "unspecified"
- however, the default jail management scripts and jail configuration
examples have been updated to pass "jail" to rc.shutdown, just in case
- the new timeout can be set via watchdogd_shutdown_timeout rc option
- for consistency, the regular timeout can now be set via
watchdogd_timeout rc option
- watchdogd_shutdown_timeout and watchdogd_timeout override timeout
specifications in watchdogd_flags
- existing configurations, where the new rc options are not set, should
keep working as before
I am not particularly wed to any of the implementation specifics.
I am open to changing or removing any of them as long as the provided
functionality is the same (or very close) to the proposed one.
For example, I think it can be implemented without using watchdogd -x,
by means of watchdog(1) alone. In that case there would be a small
window between stopping watchdogd and running watchdog, but I think that
that is acceptable.
Reviewed by: bcr (man page changes)
MFC after: 5 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D21221
Direct /etc/rc exec was introduced in r337321, with a fallback to
passing it to sh if direct exec fails. "Can't exec" is slightly
misleading in this case (the script is still executed, just not
directly).
The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.
Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)
After r273201 it is supported "/{udp,tcp,proto}" suffix into
$firewall_myservices, and in the rc.conf the information is outdated.
Reviewed by: bcr, rgrimes
Approved by: re (gjb), doc (bcr), src (rgrimes)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D17338
mips64 supports COMPAT_FREEBSD32 (for o32 binaries), so run the 32-bit
compat ldconfig on it as well.
Reported by: brooks
Reviewed by: brooks, kib
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D17342
Since r154114 which introduced ldconfig_local32_dirs, ldconfig -32 was
called with -m. This means that ld-elf32.so.hints paths set is not
cleared for compat32 on boot, unlike ld,so,hints. Same -m was used in
r294295 for ld-elf-soft.so.hints on arm. The patch fixes the
asymmetry.
Noted by: Andreas Longwitz <longwitz@incore.de>
Reviewed by: brooks, emaste, imp
Discussed with: bdrewery
Sponsored by: The FreeBSD Foundation
Approved by: re (gjb)
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D17331
And simplify this a little by flattening the directory structure.
Approved by: re (gjb), will (mentor)
Differential Revision: https://reviews.freebsd.org/D16955
devmatch_blacklist is a space separated list of modules (w/o the .ko
or full path) to exclude from devmatch's processing.
Differential Revision: https://reviews.freebsd.org/D16735
Use devctl freeze / thaw to allow us to laod multiple modules before
doing the probe/attach so they all get a bite at the apple.
Differential Revision: https://reviews.freebsd.org/D16735
after opening the console, replacing init as PID 1.
From the user point of view, it makes it possible to run eg the
shell as PID 1, using 'set init_exec=/bin/sh' at the loader(8)
prompt.
Reviewed by: kib
MFC after: 2 weeks
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16625
The main dhclient process is Capsicumized but also chroots to
restrict filesystem access. With r322369, pidfile(3) maintains a
directory descriptor for the pidfile, which can cause the chroot
to fail in certain cases. To minimize the problem, only chroot
if we fail to enter capability mode, and store dhclient pidfiles
in a subdirectory of /var/run, thus restricting access via
pidfile(3)'s directory descriptor.
PR: 223327
Reviewed by: cem, oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D16584
scripts. This means one should be able to eg rewrite their /etc/rc
in Python.
Reviewed by: kib
MFC after: 2 weeks
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16565
from being installed in the correct directory.
Resurrect a few rc.d scripts that were prematurely deleted from the
Makefile by r336845.
Reviewed by: brd
This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.
Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466
nothing - it was checking for ENXIO, which, with devfs, is no longer
returned - and was badly placed anyway, and replaces it with similar
one that works, and is done just before starting getty, instead of being
done when rereading ttys(5).
From the practical point of view, this makes init(8) handle disappearing
terminals (eg /dev/ttyU*) gracefully, without unneccessary getty restarts
and resulting error messages.
Reviewed by: imp@
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D14307
Mainly focus on files that use BSD 3-Clause license.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
In r231994, an attempt was made to fix crypt(3) failure returns (NULL).
However, instead of treating crypt(3) failure as authentication failure,
some of the changes treated crypt(3) failure as authentication success.
This is wrong.
r324225 fixed this for ppp, which also inspired this review. The other
changes in the 231994 revision were audited for correctness and look ok.
Reviewed by: jhb
Security: yes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12571
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
shell, ensure that we do sleep for at least the specified time, in
presence of signals.
Interrupted sleep(3) is followed by _exit(), which might cause 'Going
nowhere without my init' panic if init(8) exits before the reboot(2)
really started, or before SIGTSTP stopped init(8) (both events are
initiated by the parallel reboot(8) operation).
I do not see other calls to sleep(STALL_TIMEOUT) as having the same
disasterous consequences and kept them as is until the similar change
is proven required.
Reported and tested by: Andy Farkas <chuzzwassa@gmail.com>
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks
it via kern.proc.pathname sysctl(2). In some cases - booting from NFS
or rerooting after replacing the init binary with a new one - the sysctl
would fail. In other cases - after upgrading, which moves the old init
to /sbin/init.bak - it would return /sbin/init.bak, which is the actual
path of the running init, instead of /sbin/init.
Reported by: Melissa Jenkins <melissa-freebsd at littlebluecar.co.uk>, jilles@
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
this by myself, but apparently it sometimes happens when rerooting from
single user mode.
Reported by: jilles@
MFC after: 1 month
Sponsored by: The FreeBSD Foundation