5290493a20
The sysctl is kern.elf64.allow_wx and defaults to 1, allow W+X mappings. Reported by: alc
306 lines
11 KiB
Plaintext
306 lines
11 KiB
Plaintext
Release notes for FreeBSD 13.0.
|
|
|
|
This file describes new user-visible features, changes and updates relevant to
|
|
users of binary FreeBSD releases. Each entry should describe the change in no
|
|
more than several sentences and should reference manual pages where an
|
|
interested user can find more information. Entries should wrap after 80
|
|
columns. Each entry should begin with one or more commit IDs on one line,
|
|
specified as a comma separated list and/or range, followed by a colon and a
|
|
newline. Entries should be separated by a newline.
|
|
|
|
Changes to this file should not be MFCed.
|
|
|
|
074a91f746bd:
|
|
The aesni(4) and armv8crypto(4) devices are now included in
|
|
GENERIC on amd64, i386, and arm64.
|
|
|
|
2e1c94aa1fd5:
|
|
Add support for enforcing W^X mapping policy for user
|
|
processes. The policy is not enforced by default but can be
|
|
enabled by setting the kern.elf32.allow_wx and
|
|
kern.elf64.allow_wx sysctls to 0. Individual binaries can be
|
|
exempted from the policy by elfctl(1) via the wxneeded
|
|
feature.
|
|
|
|
4979620ece98:
|
|
Add AES-XTS support to armv8crypto(4) providing accelerated
|
|
software support for the default GELI cipher on arm64 systems.
|
|
|
|
r368667:
|
|
GDB 6.1.1 was removed. Users of crashinfo(8) should install the
|
|
gdb package or devel/gdb port.
|
|
|
|
r368559:
|
|
The hme(4) driver was removed.
|
|
|
|
r367660:
|
|
Fixes the case where gssd will not startup because /usr is a separate
|
|
local file system that is not yet mounted. It does not fix the case
|
|
where /usr is a separately mounted remote file system (such as NFS).
|
|
This latter case can be fixed by adding mountcritremote to the
|
|
REQUIRED line. Unfortunately doing so implies that all Kerberized
|
|
NFS mounts in /etc/fstab will need the "late" mount option.
|
|
This was not done, since the requirement for "late" would introduce
|
|
a POLA violation.
|
|
|
|
r367423:
|
|
This commit added a new startup scripts variable called
|
|
nfsv4_server_only which uses the -R option on mountd added by r367026.
|
|
When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
|
|
only handles NFSv4 and does not register with rpcbind. As such, rpcbind
|
|
does not need to be running. Useful for sites which consider rpcbind a
|
|
security issue.
|
|
|
|
r366267:
|
|
Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem
|
|
was split out from amd64 DMAR support and is now generic, i.e., it can
|
|
be used by all architectures.
|
|
|
|
r364896:
|
|
A series of commits ending with r364896 added NFS over TLS
|
|
to the kernel. This is believed to be compatible with
|
|
the Internet Draft titled "Towards Remote Procedure Call Encryption
|
|
By Default" (expected to soon become an RFC).
|
|
The mount_nfs(8) and exports(5) man pages describe the mount and
|
|
export option(s) related to NFS over TLS.
|
|
For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
|
|
{ server } must be running on a kernel built with "options KERN_TLS"
|
|
on an architecture where PMAP_HAS_DMAP != 0.
|
|
|
|
r364725:
|
|
Changes to one obscure devd event generated on resume need to
|
|
be documented. The old form will still be generated in 13, but not
|
|
in 14.
|
|
|
|
r363679:
|
|
Applications using regex(3), e.g. sed/grep, will no longer accept
|
|
redundant escapes for most ordinary characters.
|
|
|
|
r363253:
|
|
SCTP support has been removed from GENERIC kernel configurations.
|
|
The SCTP stack is now built as sctp.ko and can be dynamically loaded.
|
|
|
|
r363233:
|
|
Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.
|
|
|
|
r363180:
|
|
The safexcel(4) crypto offload driver has been added.
|
|
|
|
r363084:
|
|
nc(1) now implements SCTP mode, enabled by specifying the --sctp option.
|
|
|
|
r362681:
|
|
A new implementation of bc and dc has been imported. It offers
|
|
better standards compliance, performance, localization and comes
|
|
with extensive test cases that are optionally installed.
|
|
Use WITHOUT_GH_BC=yes to build and install the world with the
|
|
previous version instead of the new one, if required.
|
|
|
|
r362158, r362163:
|
|
struct export_args has changed so that the "user" specified for
|
|
the -maproot and -mapall exports(5) options may be in more than
|
|
16 groups.
|
|
|
|
r361884:
|
|
sed(1) has learned about hex escapes (e.g. \x27) and will now do the
|
|
right thing with them, removing the need for printf magic or obnoxious
|
|
escaping in many scenarios.
|
|
|
|
r361238, r361798, r361799:
|
|
ZFS will now unconditionally reject read(2) of a directory with EISDIR.
|
|
Additionally, read(2) of a directory is now rejected with EISDIR by
|
|
default and may be re-enabled for non-ZFS filesystems that allow it with
|
|
the sysctl(8) MIB 'security.bsd.allow_read_dir'.
|
|
|
|
Aliases for grep to default to '-d skip' may be desired if commonly
|
|
non-recursively grepping a list that includes directories and the
|
|
possibility of EISDIR errors in stderr is not tolerable. Example
|
|
aliases, commented out, have been installed in /root/.cshrc and
|
|
/root/.shrc.
|
|
|
|
r361066:
|
|
Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
|
|
exec.prepare runs before mounts, so can be used to populate new jails.
|
|
exec.release runs after unmounts, so can be used to remove ephemeral
|
|
jails.
|
|
|
|
r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
|
|
Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
|
|
MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
|
|
the kernel open cryptographic framework (OCF).
|
|
|
|
r360562:
|
|
Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
|
|
MD5-HMAC, and Skipjack algorithms from /dev/crypto.
|
|
|
|
r360557:
|
|
Remove support for DES, Triple DES, Blowfish, Cast, and
|
|
Camellia ciphers from IPsec(4). Remove support for MD5-HMAC,
|
|
Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).
|
|
|
|
r359945:
|
|
Remove support for Triple DES, Blowfish, and MD5 HMAC from
|
|
geli(4).
|
|
|
|
r359786-r359787:
|
|
Remove support for DES, Triple DES, and RC4 from in-kernel GSS
|
|
authentication.
|
|
|
|
r357627:
|
|
remove elf2aout.
|
|
|
|
r357560-r357565:
|
|
init(8), service(8), and cron(8) will now adopt user/class environment
|
|
variables (excluding PATH, by default, which will be overwritten) by
|
|
default. Notably, environment variables for all cron jobs and rc
|
|
services can now be set via login.conf(5).
|
|
|
|
r357455:
|
|
sparc64 has been removed from FreeBSD.
|
|
|
|
r355677:
|
|
Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
|
|
(RFC-8276) to the NFS client and server.
|
|
NFSv4.2 is comprised of several optional features that can be supported
|
|
in addition to NFSv4.1. This patch adds the following optional features:
|
|
- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
|
|
- posix_fallocate()
|
|
- intra server file range copying via the copy_file_range(2) syscall
|
|
--> Avoiding data tranfer over the wire to/from the NFS client.
|
|
- lseek(SEEK_DATA/SEEK_HOLE)
|
|
- Extended attribute syscalls for "user" namespace attributes as defined
|
|
by RFC-8276.
|
|
|
|
For the client, NFSv4.2 is only used if the mount command line option
|
|
minorversion=2 is specified.
|
|
For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
|
|
and vfs.nfsd.server_max_minorversion4 have been added that allow
|
|
sysadmins to limit the minor versions of NFSv4 supported by the nfsd
|
|
server.
|
|
Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2
|
|
on the server.
|
|
|
|
r356263:
|
|
armv5 support has been removed from FreeBSD.
|
|
|
|
r354517:
|
|
iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.
|
|
|
|
r354269:
|
|
sqlite3 is updated to sqlite3-3.30.1.
|
|
|
|
r352668:
|
|
cron(8) now supports the -n (suppress mail on succesful run) and -q
|
|
(suppress logging of command execution) options in the crontab format.
|
|
See the crontab(5) manpage for details.
|
|
|
|
r352304:
|
|
ntpd is no longer by default locked in memory. rlimit memlock 32
|
|
or rlimit memlock 0 can be used to restore this behaviour.
|
|
|
|
r351863:
|
|
rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously,
|
|
environment variables set by a user via ${name}_env were ignored
|
|
if the service defined a custom *_cmd variable to control the behavior
|
|
of the run_rc_command function, e.g., start_cmd, instead of relying on
|
|
the variables like command and command_args,
|
|
|
|
r351770,r352920,r352922,r352923:
|
|
dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
|
|
and iflag=fullblock flags, compatible with illumos and GNU.
|
|
|
|
r351522:
|
|
Add kernel-side support for in-kernel Transport Layer Security
|
|
(KTLS). KTLS permits using sendfile(2) over sockets using
|
|
TLS.
|
|
|
|
r351397:
|
|
WPA is updated from 2.8 to 2.9.
|
|
|
|
r351361:
|
|
Add probes for lockmgr(9) to the lockstat DTrace provider, add
|
|
corresponding lockstat(1) events, and document the new probes in
|
|
dtrace_lockstat.4.
|
|
|
|
r351356:
|
|
Intel RST is a new 'feature' that remaps NVMe devices from
|
|
their normal location to part of the AHCI bar space. This
|
|
will eliminate the need to set the BIOS SATA setting from RST
|
|
to AHCI causing the nvme drive to be erased before FreeBSD
|
|
will see the nvme drive. FreeBSD will now be able to see the
|
|
nvme drive now in the default config.
|
|
|
|
r351201, r351372:
|
|
Add a vop_stdioctl() call, so that file systems that do not support
|
|
holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
|
|
The algorithm appears to be compatible with the POSIX draft and
|
|
the implementation in Linux for the case of a file system that
|
|
does not support holes. Prior to this patch, lseek(2) would reply
|
|
-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
|
|
file systems that do not support holes.
|
|
r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
|
|
any other cases, such as a ENOTTY return from vn_bmap_seekhole().
|
|
|
|
r350665:
|
|
The fuse driver has been renamed to fusefs(5) and been substantially
|
|
rewritten. The new driver includes many bug fixes and performance
|
|
enhancements, as well as the following user-visible features:
|
|
* Optional kernel-side permissions checks (-o default_permissions)
|
|
* mknod(2), socket(2), and pipe(2) support
|
|
* server side locking with fcntl(2)
|
|
* FUSE operations are now interruptible when mounted with -o intr
|
|
* server side handling of UTIME_NOW during utimensat(2)
|
|
* mount options may be updated with "mount -u"
|
|
* fusefs file system may now be exported over NFS
|
|
* RLIMIT_FSIZE support
|
|
* support for fuse file systems using protocols as old as 7.4
|
|
|
|
FUSE file system developers should also take note of the following new
|
|
features:
|
|
* The protocol level has been raised from 7.8 to 7.23
|
|
* kqueue support on /dev/fuse
|
|
* server-initiated cache invalidation via FUSE_NOTIFY_REPLY
|
|
|
|
r350471:
|
|
gnop(8) can now configure a delay to be applied to read and write
|
|
request delays. See the -d, -q and -x parameters.
|
|
|
|
r350315, r350316:
|
|
Adds a Linux compatible copy_file_range(2) syscall.
|
|
|
|
r350307:
|
|
libcap_random(3) has been removed. Applications can use native
|
|
APIs to get random data in capability mode.
|
|
|
|
r349529,r349530:
|
|
Add support for using unmapped mbufs with sendfile(2).
|
|
|
|
r349352:
|
|
nand(4) and related components have been removed.
|
|
|
|
r349349:
|
|
The UEFI loader now supports HTTP boot.
|
|
|
|
r349335:
|
|
bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
|
|
guests to play to and record audio data from the host.
|
|
|
|
r349286:
|
|
swapon(8) can now erase a swap device immediately before enabling it,
|
|
similar to newfs(8)'s -E option. This behaviour can be specified by
|
|
adding -E to swapon(8)'s command-line parameters, or by adding the
|
|
"trimonce" option to a swap device's /etc/fstab entry.
|
|
|
|
r347908-r347923:
|
|
The following network drivers have been removed: bm(4), cs(4), de(4),
|
|
ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),
|
|
vx(4), wb(4), xe(4).
|
|
|
|
r347532:
|
|
Wired page accounting has been split into kernel wirings and user
|
|
wirings (e.g., by mlock(2)). Kernel wirings no long count towards
|
|
the global limit, which is renamed to vm.max_user_wired. bhyve -S
|
|
allocates user-wired memory and is now subject to that limit.
|
|
|
|
$FreeBSD$
|