This fixes a situation where GDB gives incorrect backtraces when a signal
handler is in the call chain.
Submitted by: Stu Grossman <grossman@juniper.net>
since the last import:
OpenBSM 1.0
- Fix bug in auditreduce(8) which resulted in a memory fault/crash when
the user specified an event name with -m.
- Remove AU_.* hard-coded audit class constants, as udit classes are now
entirely dynamically configured using /etc/security/audit_class.
MFC after: 3 days
Obtained from: TrustedBSD Project
following changes:
: 2007-10-02 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc-common, tmac/groff_doc.man: Add FreeBSD 6.2, document
: FreeBSD 5.5 and 7.0.
:
: * tmac/doc-syms: Give better names for System V releases.
: 2007-05-30 Werner LEMBERG <wl@gnu.org>
:
: * tmac/groff_mdoc.man: Convert `-' to `\-' where appropriate.
: Recommend `tbl' instead of `-column' lists for more complicated
: cases.
in *all* less_is_more cases, On the other hand, quit_if_one_screen
should apply iff less_is_more *and* -e.
This change revises the previous change further, which tried
to make less(1) not to send @ti:@te before and after view of
one file in more(1) mode, but affected less -e behavior by
accident.
This is essentially the same patch desichen@ has posted on
-current@. I have adjusted it a bit in order to minimize
difference between our version and the vendor branch.
Approved by: re (bmah, earlier logically equivalent version)
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
Approved by: re (kensmith, implicit)
history since the last import:
OpenBSM 1.0 alpha 15
- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of printing the string/text specified while
auditing arg32 tokens.
- Synchronized audit event list to Solaris, picking up the *at(2) system call
definitions, now required for FreeBSD and Linux. Added additional events
for *at(2) system calls not present in Solaris.
- Bugs in auditreduce(8) fixed allowing partial date strings to be used in
filtering events.
Approved by: re (hrs)
MFC after: 3 weeks
Obtained from: TrustedBSD Project
and deinit characters are not delivered.
Instead of hacking screen.c, we set no_init to implement the behavior.
Reported by: mnag
Approved by: re (hrs)
which caused the cursor not to return to the place
it should when -w is used with -e.
Note that this is a commit against -HEAD because
we already have the file off the vendor branch.
Reported by: Tom Uffner (on -current@)
Obtained from: http://www.greenwoodsoftware.com/less/less-405.tar.gz
header <term.h>, which is required by both tputs() and tgoto().
Without this header, nvi crashes with the call to tputs() at line 114.
This is because the first argument of tputs() is a pointer, and the
returned pointer from tgoto() is casted to an integer by compiler.
For some reasons, this only crashes on amd64+CURRENT. On 6.x system,
this does not happen.
PR: 101248
Reported by: yar, infofarmer, Roland Smith
Tested by: infofarmer, delphij, rafan
Approved by: delphij (mentor)
the correct symbol, thus causing a warning with GCC 4.2.0. Committed
into the vendor branch since this is already in the csup repository.
Reported by: kan (ages ago)
and show up with different names: first try to open provider using
remembered name and compare its ident, if equal, this is our provider,
if not equal or there is no provider with such name, find provider with
remembered ident and don't care about the name.
traceroute6(8) force -w flag (wait time) to be > 1 sec. Make it
possible to use 1 sec wait time.
PR: bin/110933
Submitted by: Dmitry Marakasov
Reviewed by: freebsd-net (silence)
MFC after: 1 month
@118370 Correct typo.
@118371 Integrate changes from vendor.
@118491 Show backtrace on unexpected code paths.
@118494 Integrate changes from vendor.
@118504 Fix sendfile(2). I had two ways of fixing it:
1. Fixing sendfile(2) itself to use VOP_GETPAGES() instead of
hacking around with vn_rdwr(UIO_NOCOPY), which was suggested
by ups.
2. Modify ZFS behaviour to handle this special case.
Although 1 is more correct, I've choosen 2, because hack from 1
have a side-effect of beeing faster - it reads ahead MAXBSIZE
bytes instead of reading page by page. This is not easy to implement
with VOP_GETPAGES(), at least not for me in this very moment.
Reported by: Andrey V. Elsukov <bu7cher@yandex.ru>
@118525 Reorganize the code to reduce diff.
@118526 This code path is expected. It is simply when file is opened with
O_FSYNC flag.
Reported by: kris
Reported by: Michal Suszko <dry@dry.pl>
history notes since the last import:
OpenBSM 1.0 alpha 14
- Fix endian issues when processing IPv6 addresses for extended subject
and process tokens.
- gcc41 warnings clean.
- Teach audit_submit(3) about getaudit_addr(2).
- Add support for zonename tokens.
OpenBSM 1.0 alpha 13
- compat/clock_gettime.h now provides a compatibility implementation of
clock_gettime(), which fixes building on Mac OS X.
- Countless man page improvements, markup fixes, content fixs, etc.
- XML printing support via "praudit -x".
- audit.log.5 expanded to include additional BSM token types.
- Added encoding and decoding routines for process64_ex, process32_ex,
subject32_ex, header64, and attr64 tokens.
- Additional audit event identifiers for listen, mlockall/munlockall,
getpath, POSIX message queues, and mandatory access control.
Approved by: re (bmah)
MFC after: 3 weeks
Obtained from: TrustedBSD Project
titles extracted from argv vector instead of the real executable names.
This is useful when you want to watch applications that set their status
information via setproctitle(3).
Approved by: alfred
MFC after: 2 weeks
------------------------------------------------------------------------
r380 | des | 2006-03-14 15:42:09 +0100 (Tue, 14 Mar 2006) | 1 line
Fix signedness mismatch, and use an explicit cast when calling ctype functions.
------------------------------------------------------------------------
ZFS file system was ported from OpenSolaris operating system. The code in under
CDDL license.
I'd like to thank all SUN developers that created this great piece of software.
Supported by: Wheel LTD (http://www.wheel.pl/)
Supported by: The FreeBSD Foundation (http://www.freebsdfoundation.org/)
Supported by: Sentex (http://www.sentex.net/)
- BIOCGDIRECTION and BIOCSDIRECTION get or set the setting determining
whether incoming, outgoing, or all packets on the interface should be
returned by BPF. Set to BPF_D_IN to see only incoming packets on the
interface. Set to BPF_D_INOUT to see packets originating locally and
remotely on the interface. Set to BPF_D_OUT to see only outgoing
packets on the interface. This setting is initialized to BPF_D_INOUT
by default. BIOCGSEESENT and BIOCSSEESENT are obsoleted by these but
kept for backward compatibility.
- BIOCFEEDBACK sets packet feedback mode. This allows injected packets
to be fed back as input to the interface when output via the interface is
successful. When BPF_D_INOUT direction is set, injected outgoing packet
is not returned by BPF to avoid duplication. This flag is initialized to
zero by default.
Note that libpcap has been modified to support BPF_D_OUT direction for
pcap_setdirection(3) and PCAP_D_OUT direction is functional now.
Reviewed by: rwatson
- New Darwin, FreeBSD, and NetBSD versions.
- DragonFly support including the new .Dx macro.
- New .St strings: -isoC-amd1, -isoC-tcor1, -isoC-tcor2, and -ieee1275-94.
contains a sigdec[] vector of structures, but the generated output is
missing braces around the initializer of each struct, which
triggers warnings in WARNS=3:
src/usr.bin/top/sigdesc.h:10: warning: missing braces around initializer
src/usr.bin/top/sigdesc.h:10: warning: (near initialization for `sigdesc[0]')
* Fix the sigconv.awk script to generate a header with initializers
which look better.
* Add rules to usr.bin/top/Makefile that rebuilds a new sigconv.h
header which matches the correct signal set from the build-time
version of `${DESTDIR}/usr/include/signal.h' (so sigconv.h doesn't
get stale once changes are made to the header).
* Remove the old sigconv.h header, now that it is autoupdated at
build time.
* Various Makefile style fixes (the committed Makefile was kindly
submitted by Ruslan):
- Reorder .PATH, PROG, SRCS and CFLAGS to match style.Makefile(5)
- Split off the generated sources (sigdesc.h top.local.h) in an
SRCS+= line of their own.
- Add entries to CLEANFILES near the rules that generate the
respective files.
- Move the explicit rule which builds top.1 after the implicit
rules which generate its dependencies.
Reviewed by: ru, bde
Submitted by: ru (Makefile)
MFC after: 2 weeks
fix servicecurve check; no point in checking the same sc three times, it
was obviously intended to check all three. has been wrong since the
beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>, Vasil
Dimov <vd@FreeBSD.org> mailed me then, ok mcbride
MFC after: 3 days
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list on 2 November):
Description:
Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches. A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.
Fix for version 9.3.2-P1 and lower:
Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and
RSAMD5 keys for all old keys using the old default exponent
and perform a key rollover to these new keys.
These versions also change the default RSA exponent to be
65537 which is not vulnerable to the attacks described in
CAN-2006-4339.
understand that non-local variables can never be collected, and when
it collected the static variable for mexitcount_libfunc, gcc aborted
on the next use of this variable.
This quick fix is to reinitialize the variable on every use and depend
on garbage collection recovering the small amount of memory wasted by
this, and not worry by the small amount of time wasted by this. It
would be better to initialize the variable together with most of the
other libfuncs in optabs.c and depend on whatever magic is there to
prevent its collection, but we initialize it here to avoid taking at
least 2 more files off the vendor branch.
the probe packet we sent and the packet quoted by the ICMP response.
Can be useful for spotting hops that change the packet in-flight
or have problems generating correct ICMP responses.
MFC after: 3 weeks
history notes since the last import:
OpenBSM 1.0 alpha 12
- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.
MFC after: 3 days
Obtained from: TrustedBSD Project
notes since the last import:
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.
Obtained from: TrustedBSD Project
- auditd now generates complete audit records for its events, as required for
application-submitted audit records in the the FreeBSD kernel audit
implementation.
This also restores contrib/openbsm/bsm/audit_record to the vendor version
after the build fixes previously committed; however, this file is not used
in the build.
Obtained from: TrustedBSD Project
contrib/openbsm/bsm and sys/bsm. This will help avoid triggering
problems due to an inconsistent include order between the base and
lib32 builds. We will continue to import these files on the vendor
branch. Files used purely in user space (audit_uevents.h) are not
removed.
Suggested by: ru
+ Add PAM and LOGIN_CAP support. Mostly from FreeBSD.
+ Implement option "-D", for running ftpd in standalone mode (daemon).
+ NLST should return 450 instead of 550 upon error, per RFC 959.
+ Add recvbufsize configuration option
+ Remove unreachable code (res could never be NULL here), Coverity CID 712.
+ Set file to NULL after calling fclose(), Coverity CID 2669.
+ Make sure that "su" is initialized before dereferencing it, Coverity CID 1075.
+ Cleanup utmp and utmpx support.
the build. The openbsm folks are free to fix it in any other way they
see fit once they resurface.
Basically, make everything always be const char **, even though const
char ** usually should be 'const char * const *' in most cases. This
makes the three different definitions consistant and allows world to
build.
notes since the last import:
OpenBSM 1.0 alpha 9
- Rename many OpenBSM-specific constants and API elements containing the
strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
APIs, pass in the audit filter daemon state pointer, which is then used by
the module using an audit_filter_{get,set}cookie() API. This will allow
future service APIs provided by the filter daemon to maintain their own
state -- for example, per-module preselection state.
OpenBSM 1.0 alpha 8
- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they
are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.
This is an MFC candidate to RELENG_6.
Obtained from: TrustedBSD Project
notes:
- Adopted Solaris-compatible format for subject32_ex and subject64_ex
tokens, which previously did not correctly implement variable length
address storage.
- Prefer inttypes.h to stdint.h; enhance queue.h detection to test for
TAILQ_FOREACH_SAFE(), which is present in recent BSD queue.h's, but not
older ones. OpenBSM now builds on some FreeBSD 4.x version.
- New event types for extended attributes, ACLs, and scheduling.
Obtained from: TrustedBSD Project
