Commit Graph

1937 Commits

Author SHA1 Message Date
Kyle Evans
69112cca60 getlogin_r: fix the type of len
getlogin_r is specified by POSIX to to take a size_t len, not int. Fix our
version to do the same, bump the symbol version due to ABI change and
provide compat.

This was reported to break compilation of Ruby 2.8.

Some discussion about the necessity of the ABI compat did take place in the
review. While many 64-bit platforms would likely be passing it in a 64-bit
register and zero-extended and thus, not notice ABI breakage, some do
sign-extend (e.g. mips).

PR:		247102
Submitted by:	Bertram Scharpf <software@bertram-scharpf.de> (original)
Submitted by:	cem (ABI compat)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D26335
2020-09-09 18:07:13 +00:00
Mark Johnston
847ab36bf2 Include the psind in data returned by mincore(2).
Currently we use a single bit to indicate whether the virtual page is
part of a superpage.  To support a forthcoming implementation of
non-transparent 1GB superpages, it is useful to provide more detailed
information about large page sizes.

The change converts MINCORE_SUPER into a mask for MINCORE_PSIND(psind)
values, indicating a mapping of size psind, where psind is an index into
the pagesizes array returned by getpagesizes(3), which in turn comes
from the hw.pagesizes sysctl.  MINCORE_PSIND(1) is equal to the old
value of MINCORE_SUPER.

For now, two bits are used to record the page size, permitting values
of MAXPAGESIZES up to 4.

Reviewed by:	alc, kib
Sponsored by:	Juniper Networks, Inc.
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D26238
2020-09-02 18:16:43 +00:00
Alan Somers
e3f1731aec [skip ci] document close_range(2) as async-signal-safe
Reviewed by:	bcr (manpages)
MFC after:	2 weeks
Sponsored by:	Axcient
Differential Revision:	https://reviews.freebsd.org/D25513
2020-07-21 16:46:40 +00:00
Gordon Bergling
e7677232d6 lseek(2): Document the seek behavior better and update the POSIX compliance
In certain situations lseek(2) will return successful although if no seek
was performed. This can happen when operating on devices that don't support
seeking (older tape drives) or when operating on changeable media devices
(such as DVD or Blu-ray devices) without a medium inserted.

Document this within the man page and update the POSIX compliance while here.

PR:		162765
Submitted by:	arundel@
Reported by:	arundel@
Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D25646
2020-07-13 15:52:57 +00:00
Allan Jude
0e3972bc19 procctl(2): consistently refer to the last agrument as 'data'
Some older references called it 'arg'

Also fix a syntax error that was underlining an entire sentence.

PR:		247386
Reported by:	Paul Floyd <paulf@free.fr>, PauAmma (research)
MFC after:	2 weeks
Sponsored by:	Klara Inc.
2020-07-11 18:04:09 +00:00
Kyle Evans
423a033ba7 memfd_create: turn on SHM_GROW_ON_WRITE
memfd_create fds will no longer require an ftruncate(2) to set the size;
they'll grow (to the extent that it's possible) upon write(2)-like syscalls.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D25502
2020-07-10 00:45:16 +00:00
Mark Johnston
fe59cb6ba2 Apply the logic from r363051 to semctl(2) and __sem_base field.
Reported by:	Jeffball <jeffball@grimm-co.com>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25600
2020-07-09 18:34:54 +00:00
Mark Johnston
f4f16af1d3 Avoid copying out kernel pointers from msgctl(IPC_STAT).
While this behaviour is harmless, it is really just an artifact of the
fact that the msgctl(2) implementation uses a user-visible structure as
part of the internal implementation, so it is not deliberate and these
pointers are not useful to userspace.  Thus, NULL them out before
copying out, and remove references to them from the manual page.

Reported by:	Jeffball <jeffball@grimm-co.com>
Reviewed by:	emaste, kib
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25600
2020-07-09 17:26:49 +00:00
Warner Losh
f045cfb816 Chroot actually appeared in 7th Edition Unix.
Chroot appeared during the development of 7th edition Unix. The FreeBSD jail
documents, incorrectly, that Bill Joy added this to 4.2BSD on 18 March
1982. That was when Bill Joy converted from a statically coded system call glue
to dynamically generated assembler. Chroot was present in 32V, 3BSD, 4.0BSD, 4.1BSD
and 4.1cBSD well in advance of this. Kirk McKusick agrees with this analysis.

See also:
	V7: https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/src/libc/sys/chroot.s
	32V: https://minnie.tuhs.org/cgi-bin/utree.pl?file=32V/usr/src/libc/sys/chroot.s
	3BSD: https://minnie.tuhs.org/cgi-bin/utree.pl?file=3BSD/usr/src/libc/sys/chroot.s
	4BSD: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4BSD/usr/src/libc/sys/chroot.s
	4.1cBSD: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/usr/src/libc/sys/chroot.s

The 6th and earlier editions do not have this system call, nor do they have
anything named chroot in the trees available from TUHS.

Reviewed by: allanjude@
Differential Revision: https://reviews.freebsd.org/D25475
2020-06-26 22:05:23 +00:00
Pawel Biernacki
eb8a06388c man page of select(2) should mention pselect(2)
Reviewed by:	bcr (manpages), kib, trasz
Approved by:	kib (mentor)
MFC after:	7 days
Sponsored by:	Mysterious Code Ltd.
Differential Revision:	https://reviews.freebsd.org/D25169
2020-06-25 12:31:05 +00:00
Mateusz Piotrowski
3b3e9cfb1b Fix a typo in cpuset_getdomain.2
PR:		247385
Reported by:	Paul Floyd <paulf free.fr>
MFC after:	1 week
2020-06-18 19:03:20 +00:00
Gordon Bergling
421f325efc libcasper(3): Document HISTORY within the manpages
Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
MFC after:		7 days
Differential Revision:	https://reviews.freebsd.org/D24695
2020-06-16 16:48:52 +00:00
Gordon Bergling
e0f7c06de2 libc manpages: various improvements from NetBSD
- Add STANDARDS and HISTORY sections within the appropriate manpages
- Mention two USENIX papers within kqueue(2) and strlcpy(3)

Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
Obtained from:	NetBSD
MFC after:	7 days
Differential Revision: https://reviews.freebsd.org/D24650
2020-06-14 05:59:30 +00:00
Konstantin Belousov
6cf8fba381 procctl(2): document PROC_KPTI
Reviewed by:	bcr
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D25258
2020-06-13 18:19:42 +00:00
Konstantin Belousov
7e54fea1d1 procctl(2): consistently refer to the data pointer as 'data'.
Reviewed by:	bcr
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D25258
2020-06-13 18:18:34 +00:00
Kyle Evans
63619b6dba vfs: add restrictions to read(2) of a directory [2/2]
This commit adds the priv(9) that waters down the sysctl to make it only
allow read(2) of a dirfd by the system root. Jailed root is not allowed, but
jail policy and superuser policy will abstain from allowing/denying it so
that a MAC module can fully control the policy.

Such a MAC module has been written, and can be found at:
https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz

It is expected that the MAC module won't be needed by many, as most only
need to do such diagnostics that require this behavior as system root
anyways. Interested parties are welcome to grab the MAC module above and
create a port or locally integrate it, and with enough support it could see
introduction to base. As noted in mac_read_dir.c, it is released under the
BSD 2 clause license and allows the restrictions to be lifted for only
jailed root or for all unprivileged users.

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:17:25 +00:00
Kyle Evans
dcef4f65ae vfs: add restrictions to read(2) of a directory [1/2]
Historically, we've allowed read() of a directory and some filesystems will
accommodate (e.g. ufs/ffs, msdosfs). From the history department staffed by
Warner: <<EOF

pdp-7 unix seemed to allow reading directories, but they were weird, special
things there so I'm unsure (my pdp-7 assembler sucks).

1st Edition's sources are lost, mostly. The kernel allows it. The
reconstructed sources from 2nd or 3rd edition read it though.

V6 to V7 changed the filesystem format, and should have been a warning, but
reading directories weren't materially changed.

4.1b BSD introduced readdir because of UFS. UFS broke all directory reading
programs in 1983. ls, du, find, etc all had to be rewritten. readdir() and
friends were introduced here.

SysVr3 picked up readdir() in 1987 for the AT&T fork of Unix. SysVr4 updated
all the directory reading programs in 1988 because different filesystem
types were introduced.

In the 90s, these interfaces became completely ubiquitous as PDP-11s running
V7 faded from view and all the folks that initially started on V7 upgraded
to SysV. Linux never supported this (though I've not done the software
archeology to check) because it has always had a pathological diversity of
filesystems.
EOF

Disallowing read(2) on a directory has the side-effect of masking
application bugs from relying on other implementation's behavior
(e.g. Linux) of rejecting these with EISDIR across the board, but allowing
it has been a vector for at least one stack disclosure bug in the past[0].

By POSIX, this is implementation-defined whether read() handles directories
or not. Popular implementations have chosen to reject them, and this seems
sensible: the data you're reading from a directory is not structured in some
unified way across filesystem implementations like with readdir(2), so it is
impossible for applications to portably rely on this.

With this patch, we will reject most read(2) of a dirfd with EISDIR. Users
that know what they're doing can conscientiously set
bsd.security.allow_read_dir=1 to allow read(2) of directories, as it has
proven useful for debugging or recovery. A future commit will further limit
the sysctl to allow only the system root to read(2) directories, to make it
at least relatively safe to leave on for longer periods of time.

While we're adding logic pertaining to directory vnodes to vn_io_fault, an
additional assertion has also been added to ensure that we're not reaching
vn_io_fault with any write request on a directory vnode. Such request would
be a logical error in the kernel, and must be debugged rather than allowing
it to potentially silently error out.

Commented out shell aliases have been placed in root's chsrc/shrc to promote
awareness that grep may become noisy after this change, depending on your
usage.

A tentative MFC plan has been put together to try and make it as trivial as
possible to identify issues and collect reports; note that this will be
strongly re-evaluated. Tentatively, I will MFC this knob with the default as
it is in HEAD to improve our odds of actually getting reports. The future
priv(9) to further restrict the sysctl WILL NOT BE MERGED BACK, so the knob
will be a faithful reversion on stable/12. We will go into the merge
acknowledging that the sysctl default may be flipped back to restore
historical behavior at *any* point if it's warranted.

[0] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
MFC after:	1 month (note the MFC plan mentioned above)
Relnotes:	absolutely, but will amend previous RELNOTES entry
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:09:55 +00:00
Ed Maste
3f65edb369 mmap.2: correct prot argument terminology
One of the error descriptions referred to permissions; in context the
meaning was probably clear, but the prot values are properly called
protections.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2020-06-03 20:42:52 +00:00
John Baldwin
ae84ff9c47 Document SO_NO_OFFLOADS and SO_NO_DDP.
Reviewed by:	bcr, np
MFC after:	1 week
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25043
2020-06-03 18:59:31 +00:00
Rick Macklem
6f05ed08c2 Add an entry to Symbol.map for the rpctls_syscall added by r361599.
Reviewed by:	brooks
Differential Revision:	https://reviews.freebsd.org/D24949
2020-05-28 21:26:26 +00:00
Kyle Evans
880ff10ba9 procctl(2): correct a minor cut-n-pasto
This is clearly describing PROC_PROTMAX_FORCE_DISABLE, rather than
PROC_ASL_FORCE_DISABLE.

Submitted by:	sigsys@gmail.com
2020-05-16 04:52:29 +00:00
Benedict Reuschling
6a7016194d Add HISTORY sections to document when this
functionality first appeared in FreeBSD.

Submitted by:	Gordon Bergling gbergling_gmail.com
Approved by:	bcr
Differential Revision:	https://reviews.freebsd.org/D24677
2020-05-05 19:31:47 +00:00
Mark Johnston
bea2668321 Document handling of connection-mode sockets by sendto(2).
sendto(2), sendmsg(2) and sendmmsg(2) return ENOTCONN if a destination
address is specified and the socket is not connected and the socket
protocol does not automatically connect ("implied connect").  Document
that.  Also document the fact that the destination address is ignored
for connection-mode sockets if the socket is already connected.

PR:		245817
Submitted by:	Erik Inge Bolsø <knan-bfo@modirum.com>
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24530
2020-04-27 16:12:32 +00:00
Mark Johnston
569eb766c5 Fix handling of EV_EOF for named pipes.
Contrary to the kevent man page, EV_EOF on a fifo is not cleared by
EV_CLEAR.  Modify the read and write filters to clear EV_EOF when the
fifo's PIPE_EOF flag is clear, and update the man page to document the
new behaviour.

Modify the write filter to return the amount of buffer space available
even if no readers are present.  This matches the behaviour for sockets.

When reading from a pipe, only call pipeselwakeup() if some data was
actually read.  This prevents the continuous re-triggering of a
EVFILT_READ event on EOF when in edge-triggered mode.

PR:		203366, 224615
Submitted by:	Jan Kokemüller <jan.kokemueller@gmail.com>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24528
2020-04-27 15:59:19 +00:00
Conrad Meyer
1e72c52e23 libc: partially revert r326576
In r326576 ("use @@@ instead of @@ in __sym_default"), an earlier version of
the phabricator-discussed patch was inadvertently committed.  The commit
message claims that @@@ means that weak is not needed, but that was due to a
misunderstanding of the use of weak symbols in this context by the submitted
in the first draft of the patch; the description text was not updated to
match the discussion.  As discussed in phabricator, weak is needed for
symbol interposing because of the behavior of our rtld, and is widely used
elsewhere in libc.

This partial revert restores the approved version of the patch and permits
symbol interposing for openat.

Reported by:	Raymond Ramsden <rramsden AT isilon.com>
Reviewed by:	dim, emaste, kib (2017)
Discussed with:	kib (2020)
Differential Revision:	https://reviews.freebsd.org/D11653
2020-04-25 14:24:54 +00:00
Mateusz Piotrowski
5dcf0083fc Fix a typo
Reported by:	pstef
MFC after:	2 days
2020-04-24 22:04:14 +00:00
Kyle Evans
a269a14ff0 kqueue(2): de-vandalize the random sentence in the middle
A last minute change appears to have inadvertently vandalized unrelated
parts of the manpage with the date. =-(

Reported by:	rpokala
2020-04-22 04:05:02 +00:00
Kyle Evans
00b0f94c58 kqueue(2): add a note about EV_RECEIPT
In the below-referenced PR, a case is attached of a simple reproducer that
exhibits suboptimal behavior: EVFILT_READ and EVFILT_WRITE being set in the
same kevent(2) call will only honor the first one. This is, in-fact, how
it's supposed to work.

A read of the manpage leads me to believe we could be more clear about this;
right now there's a logical leap to make in the relevant statement: "When
passed as input, it forces EV_ERROR to always be returned." -- the logical
leap being that this indicates the caller should have allocated space for
the change to be returned with EV_ERROR indicated in the events, or
subsequent filters will get dropped on the floor.

Another possible workaround that accomplishes similar effect without needing
space for all events is just setting EV_RECEIPT on the final change being
passed in; if any errored before it, the kqueue would not be drained. If we
made it to the final change with EV_RECEIPT set, then we would return that
one with EV_ERROR and still not drain the kqueue. This would seem to not be
all that advisable.

PR:		229741
MFC after:	1 week
2020-04-22 03:45:52 +00:00
Kyle Evans
7851fb8ecb closefrom: clamp lowfd to >= 0; close_range's parameters are unsigned.
Pointy hat:	kevans
Reported by:	CI (lwhsu)
2020-04-14 23:24:24 +00:00
Kyle Evans
7d03e08112 Mark closefrom(2) COMPAT12, reimplement in libc to wrap close_range
Include a temporarily compatibility shim as well for kernels predating
close_range, since closefrom is used in some critical areas.

Reviewed by:	markj (previous version), kib
Differential Revision:	https://reviews.freebsd.org/D24399
2020-04-14 18:07:42 +00:00
Jonathan T. Looney
fb401f1bba Make sonewconn() overflow messages have per-socket rate-limits and values.
sonewconn() emits debug-level messages when a listen socket's queue
overflows. Currently, sonewconn() tracks overflows on a global basis. It
will only log one message every 60 seconds, regardless of how many sockets
experience overflows. And, when it next logs at the end of the 60 seconds,
it records a single message referencing a single PCB with the total number
of overflows across all sockets.

This commit changes to per-socket overflow tracking. The code will now
log one message every 60 seconds per socket. And, the code will provide
per-socket queue length and overflow counts. It also provides a way to
change the period between log messages using a sysctl.

Reviewed by:	jhb (previous version), bcr (manpages)
MFC after:	2 weeks
Sponsored by:	Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D24316
2020-04-14 15:38:18 +00:00
Kyle Evans
7c5e60c72e libc: remove shm_open(2)'s compat fallback
This had been introduced to ease any pain for using slightly older kernels
with a newer libc, e.g., for bisecting a kernel across the introduction of
shm_open2(2). 6 months has passed, retire the fallback and let shm_open()
unconditionally call shm_open2().

Stale includes are removed as well.
2020-04-13 15:59:15 +00:00
Kyle Evans
472ced39ef Implement a close_range(2) syscall
close_range(min, max, flags) allows for a range of descriptors to be
closed. The Python folk have indicated that they would much prefer this
interface to closefrom(2), as the case may be that they/someone have special
fds dup'd to higher in the range and they can't necessarily closefrom(min)
because they don't want to hit the upper range, but relocating them to lower
isn't necessarily feasible.

sys_closefrom has been rewritten to use kern_close_range() using ~0U to
indicate closing to the end of the range. This was chosen rather than
requiring callers of kern_close_range() to hold FILEDESC_SLOCK across the
call to kern_close_range for simplicity.

The flags argument of close_range(2) is currently unused, so any flags set
is currently EINVAL. It was added to the interface in Linux so that future
flags could be added for, e.g., "halt on first error" and things of this
nature.

This patch is based on a syscall of the same design that is expected to be
merged into Linux.

Reviewed by:	kib, markj, vangyzen (all slightly earlier revisions)
Differential Revision:	https://reviews.freebsd.org/D21627
2020-04-12 21:23:19 +00:00
Konstantin Belousov
09bae0a023 libc: Fix possible overflow in binuptime().
This is an application of the kernel overflow fix from r357948 to
userspace, based on the algorithm developed by Bruce Evans. To keep
the ABI of the vds_timekeep stable, instead of adding the large_delta
member, MSB of both multipliers are added to quickly estimate the overflow.

Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
2020-04-09 23:22:35 +00:00
John Baldwin
da8c654e99 Trim some duplicate EIO descriptions.
While here, drop an extra conjunction from the list of error
conditions for the remaining EIO description in symlink(2).

Discussed with:	mckusick (trimming duplicates)
MFC after:	2 weeks
2020-03-30 21:48:47 +00:00
John Baldwin
e42b096439 Document EINTEGRITY errors for many system calls.
EINTEGRITY was previously documented as a UFS-specific error for
mount(2).  This documents EINTEGRITY as a filesystem-independent error
that may be reported by the backing store of a filesystem.

While here, document EIO as a filesystem-independent error for both
mount(2) and posix_fadvise(2).  EIO was previously only documented for
UFS for mount(2).

Reviewed by:	mckusick
Suggested by:	mckusick
MFC after:	2 weeks
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24168
2020-03-30 21:44:00 +00:00
Warner Losh
56c995d658 exec{l,v}{e,p} arrived in 7th Edition research Unix to support the Bourne Shell
which introduced environment variables. Document that here. Verified by
consulting the TUHS archive.
2020-03-24 19:33:21 +00:00
Michael Tuexen
db4493f7b6 sendfile() does currently not support SCTP sockets.
Therefore, fail the call.

Reviewed by:		markj@
MFC after:		1 week
Differential Revision:	https://reviews.freebsd.org/D24059
2020-03-13 18:38:28 +00:00
Kirk McKusick
95ca762da8 When mounting a UFS filesystem, return EINTEGRITY rather than EIO
when a superblock check-hash error is detected. This change clarifies
a mount that failed due to media hardware failures (EIO) from a mount
that failed due to media errors (EINTEGRITY) that can be corrected by
running fsck(8).

Sponsored by: Netflix
2020-03-11 21:00:40 +00:00
Ed Maste
0a052459e6 umtx_op.2: correct typo
PR:		244611
Submitted by:	John F. Carr <jfc@mit.edu>
MFC after:	3 days
2020-03-05 15:51:44 +00:00
Mateusz Piotrowski
a81c96922d thr_self.2: Fix some typos in the thread identifier range
Reported by:	kaktus
Approved by:	bcr (mentor)
Differential Revision:	https://reviews.freebsd.org/D23936
2020-03-03 09:51:53 +00:00
Ed Maste
acb8858f05 Return ENOTSUP for mmap/mprotect if prot not subset of prot_max
From POSIX,

[ENOTSUP]
    The implementation does not support the combination of accesses
    requested in the prot argument.

This fits the case that prot contains permissions which are not a subset
of prot_max.

Reviewed by:	brooks, cem
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D23843
2020-02-26 20:03:43 +00:00
Warner Losh
a5b6c2960d Remove sparc64 specific parts of libc.
Also update comments for which architectures use 128 bit long doubles,
as appropriate.

The softfloat specialization routines weren't updated since they
appear to be from an upstream source which we may want to update in
the future to get a more favorable license.

Reviewed by: emaste@
Differential Revision:  https://reviews.freebsd.org/D23658
2020-02-26 18:55:09 +00:00
Ed Maste
5c6d07fb9c mprotect.2: sort errors alphabetically
Reported by:	brooks
MFC after:	3 days
2020-02-26 18:46:41 +00:00
Eric van Gyzen
3ae8839afe truncate(2): extending the file is required by POSIX 2008
Update the man page to mention that extending a file with truncate(2)
is required by POSIX as of 2008.

Reviewed by:	bcr
MFC after:	2 weeks
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D23354
2020-02-20 23:47:09 +00:00
Konstantin Belousov
146fc63fce Add a way to manage thread signal mask using shared word, instead of syscall.
A new syscall sigfastblock(2) is added which registers a uint32_t
variable as containing the count of blocks for signal delivery.  Its
content is read by kernel on each syscall entry and on AST processing,
non-zero count of blocks is interpreted same as the signal mask
blocking all signals.

The biggest downside of the feature that I see is that memory
corruption that affects the registered fast sigblock location, would
cause quite strange application misbehavior. For instance, the process
would be immune to ^C (but killable by SIGKILL).

With consumers (rtld and libthr added), benchmarks do not show a
slow-down of the syscalls in micro-measurements, and macro benchmarks
like buildworld do not demonstrate a difference. Part of the reason is
that buildworld time is dominated by compiler, and clang already links
to libthr. On the other hand, small utilities typically used by shell
scripts have the total number of syscalls cut by half.

The syscall is not exported from the stable libc version namespace on
purpose.  It is intended to be used only by our C runtime
implementation internals.

Tested by:	pho
Disscussed with:	cem, emaste, jilles
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D12773
2020-02-09 11:53:12 +00:00
Kyle Evans
6a5abb1ee5 Provide O_SEARCH
O_SEARCH is defined by POSIX [0] to open a directory for searching, skipping
permissions checks on the directory itself after the initial open(). This is
close to the semantics we've historically applied for O_EXEC on a directory,
which is UB according to POSIX. Conveniently, O_SEARCH on a file is also
explicitly undefined behavior according to POSIX, so O_EXEC would be a fine
choice. The spec goes on to state that O_SEARCH and O_EXEC need not be
distinct values, but they're not defined to be the same value.

This was pointed out as an incompatibility with other systems that had made
its way into libarchive, which had assumed that O_EXEC was an alias for
O_SEARCH.

This defines compatibility O_SEARCH/FSEARCH (equivalent to O_EXEC and FEXEC
respectively) and expands our UB for O_EXEC on a directory. O_EXEC on a
directory is checked in vn_open_vnode already, so for completeness we add a
NOEXECCHECK when O_SEARCH has been specified on the top-level fd and do not
re-check that when descending in namei.

[0] https://pubs.opengroup.org/onlinepubs/9699919799/

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D23247
2020-02-02 16:34:57 +00:00
Mateusz Guzik
d3cc535474 vfs: provide F_ISUNIONSTACK as a kludge for libc
Prior to introduction of this op libc's readdir would call fstatfs(2), in
effect unnecessarily copying kilobytes of data just to check fs name and a
mount flag.

Reviewed by:	kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D23162
2020-01-17 14:42:25 +00:00
Conrad Meyer
86def3dcd6 getrandom(2): Add Linux GRND_INSECURE API flag
Treat it as a synonym for GRND_NONBLOCK.  The reasoning is this:

We have two choices for handling Linux's GRND_INSECURE API flag.

1. We could ignore it completely (like GRND_RANDOM).  However, this might
produce the surprising result of GRND_INSECURE requests blocking, when the
Linux API does not block.

2. Alternatively, we could treat GRND_INSECURE requests as requests for
GRND_NONBLOCk.  Here, the surprising result for Linux programs is that
invocations with unseeded random(4) will produce EAGAIN, rather than
garbage.

Honoring the flag in the way Linux does seems fraught.  If we actually use
the output of a random(4) implementation prior to seeding, we leak some
entropy (in an information theory and also practical sense) from what will
be the initial seed to attackers (or allow attackers to arbitrary DoS
initial seeding, if we don't leak).  This seems unacceptable -- it defeats
the purpose of blocking on initial seeding.

Secondary to that concern, before seeding we may have arbitrarily little
entropy collected; producing output from zero or a handful of entropy bits
does not seem particularly useful to userspace.

If userspace can accept garbage, insecure, non-random bytes, they can create
their own insecure garbage with srandom(time(NULL)) or similar.  Any program
which would be satisfied with a 3-bit key CTR stream has no need for CSPRNG
bytes.  So asking the kernel to produce such an output from the secure
getrandom(2) API seems inane.

For now, we've elected to emulate GRND_INSECURE as an alternative spelling
of GRND_NONBLOCK (2).  Consider this API not-quite stable for now.  We
guarantee it will never block.  But we will attempt to monitor actual port
uptake of this bizarre API and may revise our plans for the unseeded
behavior (prior stable/13 branching).

Approved by:	csprng(markm), manpages(bcr)
See also:	https://lwn.net/ml/linux-kernel/cover.1577088521.git.luto@kernel.org/
See also:	https://lwn.net/ml/linux-kernel/20200107204400.GH3619@mit.edu/
Differential Revision:	https://reviews.freebsd.org/D23130
2020-01-12 20:47:38 +00:00
Kyle Evans
2856d85ecb posix_fallocate: push vnop implementation into the fileop layer
This opens the door for other descriptor types to implement
posix_fallocate(2) as needed.

Reviewed by:	kib, bcr (manpages)
Differential Revision:	https://reviews.freebsd.org/D23042
2020-01-08 19:05:32 +00:00