Commit Graph

58724 Commits

Author SHA1 Message Date
Alfred Perlstein
1375ed7eb7 convert if/panic -> KASSERT, explain what triggered the assertion 2001-04-13 10:15:53 +00:00
Mark Murray
c13d191de3 Make this more lint-friendly. This file seems to be invoked in just
about any .c file that includes a .h, and lint produces copious
whining because of the asm ...; stuff.
2001-04-13 09:46:54 +00:00
Murray Stokely
a4e6da691f Generate useful error messages. 2001-04-13 09:37:25 +00:00
Ruslan Ermilov
dc1e426492 mdoc(7) police: Fixed markup. 2001-04-13 09:33:03 +00:00
Mark Murray
f0b60d7560 Handle a rare but fatal race invoked sometimes when SIGSTOP is
invoked.
2001-04-13 09:29:34 +00:00
Ruslan Ermilov
488379bb11 mdoc(7) police: Fixed markup in rev.1.5. 2001-04-13 09:17:56 +00:00
Ruslan Ermilov
471b9c332c mdoc(7) police: Fixed typo and markup in rev.1.11. 2001-04-13 09:15:16 +00:00
Ruslan Ermilov
566f5a4859 mdoc(7) police: removed hard sentence breaks introduced in rev.1.10. 2001-04-13 08:49:52 +00:00
John Baldwin
7a9aa5d372 - Add a comment at the start of the spin locks list.
- The alpha SMP code uses an "ap boot" spinlock as well.
2001-04-13 08:31:38 +00:00
Ruslan Ermilov
8f00082cd6 Document /usr/include/fs/smbfs and /usr/include/netsmb.
Submitted by:	bp
2001-04-13 08:14:58 +00:00
Alfred Perlstein
7d26b6a450 Use a macro wrapper over printf along with KASSERT to reduce the amount
of code here.
2001-04-13 08:07:37 +00:00
Ruslan Ermilov
ebce6f8a5c People, please read the README file!!!
: These files use 4 space indentation, and other than in the header
: comments, should not contain any tabs.
2001-04-13 06:56:16 +00:00
Dima Dorfman
2306a12f75 Back out most of revision 1.28: lists of diagnostics must use -diag,
not -tag.  Instead, put a period after the error messages to aide
those using dumb terminals not capable of properly displaying markup.

Requested by:	ru
2001-04-13 06:54:05 +00:00
Ruslan Ermilov
506c373bc0 Update comment to match ipfw/ipfw.c,v 1.95. 2001-04-13 06:49:47 +00:00
Alfred Perlstein
7bbd138e2f Make SOMAXCONN a kernel option.
Submitted by: Terry Lambert <terry@lambert.org>
2001-04-13 03:50:37 +00:00
Robert Watson
44c3e09cdc o Disallow two "allow this" exceptions in p_cansignal() restricting
the ability of unprivileged processes to deliver arbitrary signals
  to daemons temporarily taking on unprivileged effective credentials
  when P_SUGID is not set on the target process:
  Removed:
     (p1->p_cred->cr_ruid != ps->p_cred->cr_uid)
     (p1->p_ucred->cr_uid != ps->p_cred->cr_uid)
o Replace two "allow this" exceptions in p_cansignal() restricting
  the ability of unprivileged processes to deliver arbitrary signals
  to daemons temporarily taking on unprivileged effective credentials
  when P_SUGID is set on the target process:
  Replaced:
     (p1->p_cred->p_ruid != p2->p_ucred->cr_uid)
     (p1->p_cred->cr_uid != p2->p_ucred->cr_uid)
  With:
     (p1->p_cred->p_ruid != p2->p_ucred->p_svuid)
     (p1->p_ucred->cr_uid != p2->p_ucred->p_svuid)
o These changes have the effect of making the uid-based handling of
  both P_SUGID and non-P_SUGID signal delivery consistent, following
  these four general cases:
     p1's ruid equals p2's ruid
     p1's euid equals p2's ruid
     p1's ruid equals p2's svuid
     p1's euid equals p2's svuid
  The P_SUGID and non-P_SUGID cases can now be largely collapsed,
  and I'll commit this in a few days if no immediate problems are
  encountered with this set of changes.
o These changes remove a number of warning cases identified by the
  proc_to_proc inter-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
  possible side effects on running code: they seem reasonable to me,
  but it's possible this change might have to be backed out if problems
  are experienced.

Submitted by:		src/tools/regression/security/proc_to_proc/testuid
Reviewed by:		tmm
Obtained from:	TrustedBSD Project
2001-04-13 03:06:22 +00:00
Peter Wemm
8966f5046e Remove the 'DO NOT EDIT THIS FILE' crud that we spit out with 'crontab -l'.
Otherwise, "crontab -l > file; vi file; crontab file" adds an extra set
of "DO NOT EDIT" markers each and every time which is a bit silly.
2001-04-13 01:45:22 +00:00
Gregory Neil Shapiro
584096c53e With the recent change to ip6fw, it is safe to return to using ${fw6cmd}
which may include the -q flag.
2001-04-13 01:40:27 +00:00
Gregory Neil Shapiro
3371e17cb6 Match ip6fw's command line options to those of ipfw (specifically, added
the ability to use a preprocessor, use the -q (quiet) flag when reading
from a file).  The source used is from ipfw.

Clean up exit codes while I am here.

KAME has been informed and plans on integrating these patches into their
own source as well.
2001-04-13 01:31:17 +00:00
Robert Watson
0489082737 o Disable two "allow this" exceptions in p_cansched()m retricting the
ability of unprivileged processes to modify the scheduling properties
  of daemons temporarily taking on unprivileged effective credentials.
  These cases (p1->p_cred->p_ruid == p2->p_ucred->cr_uid) and
  (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid), respectively permitting
  a subject process to influence the scheduling of a daemon if the subject
  process has the same real uid or effective uid as the daemon's effective
  uid.  This removes a number of the warning cases identified by the
  proc_to_proc iner-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
  possible side effects on running code: they seem reasonable to me,
  but it's possible this change might have to be backed out if problems
  are experienced.

Reported by:	src/tools/regression/security/proc_to_proc/testuid
Obtained from:	TrustedBSD Project
2001-04-12 22:46:07 +00:00
Alfred Perlstein
b28cb1ca07 remove truncated part from commment 2001-04-12 21:50:03 +00:00
Robert Watson
e386f9bda3 o Make kqueue's filt_procattach() function use the error value returned
by p_can(...P_CAN_SEE), rather than returning EACCES directly.  This
  brings the error code used here into line with similar arrangements
  elsewhere, and prevents the leakage of pid usage information.

Reviewed by:	jlemon
Obtained from:	TrustedBSD Project
2001-04-12 21:32:02 +00:00
Robert Watson
d34f8d3030 o Limit process information leakage by introducing a p_can(...P_CAN_SEE...)
in rtprio()'s RTP_LOOKIP implementation.

Obtained from:	TrustedBSD Project
2001-04-12 20:46:26 +00:00
Brian Somers
cdf6f0b1ae Correct some markup
Submitted by:	bde
2001-04-12 20:04:54 +00:00
Robert Watson
eb9e5c1d72 o Reduce information leakage into jails by adding invocations of
p_can(...P_CAN_SEE...) to getpgid(), getsid(), and setpgid(),
  blocking these operations on processes that should not be visible
  by the requesting process.  Required to reduce information leakage
  in MAC environments.

Obtained from:	TrustedBSD Project
2001-04-12 19:39:00 +00:00
Robert Watson
bacff58c0e o Expand inter-process authorization regression test to include
signalling with sigsegv as one of the tests.
o Teach errno_to_string() about ENOTSUPP.

Obtained from:  TrustedBSD Project
2001-04-12 17:46:20 +00:00
Andrey A. Chernov
7de69ff097 Activate backward-compatible prototypes 2001-04-12 17:18:46 +00:00
KATO Takenori
4dfe1d3b64 Merged from options.i386 revision 1.147. 2001-04-12 12:28:42 +00:00
KATO Takenori
a3758914a0 Merged from files.i386 revisions 1.359 and 1.360. 2001-04-12 12:26:40 +00:00
Nick Hibma
1470e6aaeb Regen. 2001-04-12 11:08:59 +00:00
Nick Hibma
47a9ad6b89 TDK ids
Submitted by:	Hidetoshi Shimokawa <simokawa@sat.t.u-tokyo.ac.jp>
2001-04-12 11:04:08 +00:00
Nick Hibma
426128e90b From NetBSD 2001-04-12 10:59:30 +00:00
Andrey A. Chernov
6055a95fee Back out history.3 link removing - conflict fixed in libreadline instead 2001-04-12 09:57:12 +00:00
Andrey A. Chernov
465ccb3095 Install history.3 as rlhistory.3 to not conflict with existing libedit function 2001-04-12 09:54:44 +00:00
Andrey A. Chernov
45b655df03 Comment out one of many editline.3 MLINKS conflicting with libreadline
(history.3)
2001-04-12 03:33:13 +00:00
Robert Watson
4c5eb9c397 o Replace p_cankill() with p_cansignal(), remove wrappage of p_can()
from signal authorization checking.
o p_cansignal() takes three arguments: subject process, object process,
  and signal number, unlike p_cankill(), which only took into account
  the processes and not the signal number, improving the abstraction
  such that CANSIGNAL() from kern_sig.c can now also be eliminated;
  previously CANSIGNAL() special-cased the handling of SIGCONT based
  on process session.  privused is now deprecated.
o The new p_cansignal() further limits the set of signals that may
  be delivered to processes with P_SUGID set, and restructures the
  access control check to allow it to be extended more easily.
o These changes take into account work done by the OpenBSD Project,
  as well as by Robert Watson and Thomas Moestl on the TrustedBSD
  Project.

Obtained from:  TrustedBSD Project
2001-04-12 02:38:08 +00:00
Warner Losh
a9304a4eb5 Fix minor typo in comment. 112x -> 12xx 2001-04-11 22:49:00 +00:00
Brian Somers
ff1b168b6e Introduce -osid and -otsid
Submitted by: dd
2001-04-11 22:42:54 +00:00
Chris D. Faulhaber
bbf2cf59fc Revamp acl_create_entry() so it actually works.
Obtained from:	TrustedBSD Project
2001-04-11 22:09:51 +00:00
Archie Cobbs
422c727634 Don't reference a node after we dropped a reference to it
(same as in previous checkin, but in a different function).
2001-04-11 22:04:47 +00:00
Boris Popov
cdcb16abd2 Pull constants from netsmb/smb.h. 2001-04-11 21:35:51 +00:00
Robert Watson
3ceef0c3d7 o Enable -DSETSUGID_SUPPORTED in inter-process authorization regression
test by default, as setugid() is now part of the base kernel (assuming
  (options REGRESSION) has been enabled for the running kernel).

Obtained from: TrustedBSD Project
2001-04-11 20:23:23 +00:00
Warner Losh
a17e1baffd Add IBM3765 to newcard's pcic pnp device list 2001-04-11 20:22:16 +00:00
Robert Watson
40829dd2dc o Regenerated following introduction of __setugid() system call for
"options REGRESSION".

Obtained from:	TrustedBSD Project
2001-04-11 20:21:37 +00:00
Robert Watson
130d0157d1 o Introduce a new system call, __setsugid(), which allows a process to
toggle the P_SUGID bit explicitly, rather than relying on it being
  set implicitly by other protection and credential logic.  This feature
  is introduced to support inter-process authorization regression testing
  by simplifying userland credential management allowing the easy
  isolation and reproduction of authorization events with specific
  security contexts.  This feature is enabled only by "options REGRESSION"
  and is not intended to be used by applications.  While the feature is
  not known to introduce security vulnerabilities, it does allow
  processes to enter previously inaccessible parts of the credential
  state machine, and is therefore disabled by default.  It may not
  constitute a risk, and therefore in the future pending further analysis
  (and appropriate need) may become a published interface.

Obtained from:	TrustedBSD Project
2001-04-11 20:20:40 +00:00
Warner Losh
e5eac10b13 Add #define for IBM3765.
Fix SWAMPBOX.  It had actiontec's ID.
Reorder pnpids so they are in alphabetical order.
2001-04-11 20:18:29 +00:00
Robert Watson
0b5438c6d1 o Introduce "options REGRESSION", a kernel option which enables
interfaces and functionality intended for use during correctness and
  regression testing.  Features enabled by "options REGRESSION" may
  in and of themselves introduce security or correctness problems if
  used improperly, and so are not intended for use in production
  systems, only in testing environments.

Obtained from:	TrustedBSD Project
2001-04-11 19:29:24 +00:00
John Baldwin
7b531e6037 Stick proc0 in the PID hash table. 2001-04-11 18:50:50 +00:00
Robert Watson
274f7445fd o First pass at an inter-process authorization regression testing suite.
This test utility attempts to evaluate the current kernel policy
  for authorization inter-process activities, currently ptrace(),
  kill(, SIGHUP), getpriority(), and setpriority().  The utility creates
  pairs of processes, initializes their credential sets to useful
  cases, and reports on whether the results are in keeping with hard-coded
  safety expectations.

o Currently, this utility relies on the availability of __setugid(),
  an uncomitted system call used for managing the P_SUGID bit.  Due to
  continuing discussion of optional regression testing kernel components
  ("options REGRESSION") I'll hold off on committing that until the
  discussion has reached its natural termination.

o A number of additional testing factors should be taken into account
  in the testing, including tests for different classes of signals,
  interactions with process session characteristics, I/O signalling,
  broadcast activities such as broadcast signalling, mass priority
  setting, and to take into group-related aspects of credentials.
  Additional operations should also be taken into account, such as ktrace,
  debugging attach using procfs, and so on.

o This testing suite is intended to prevent the introduction of bugs
  in the upcoming sets of authorization changes associated with the
  introduction of process capabilities and mandatory access control.

Obtained from: TrustedBSD Project
2001-04-11 17:21:14 +00:00
John Baldwin
2fea957dc5 Rename the IPI API from smp_ipi_* to ipi_* since the smp_ prefix is just
"redundant noise" and to match the IPI constant namespace (IPI_*).

Requested by:	bde
2001-04-11 17:06:02 +00:00