system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons. When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.
- Create mac_copy_socket_label() entry point based on
mac_copy_pipe_label() entry point, intended to copy the socket
label into temporary storage that doesn't require a socket lock
to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize
entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
will now need editing except for spot checks.
Changed this buffer from a circular one to a linear one. This is more
useful for some cases and the sysctl that prints it doesn't support
circular buffers.
Fixed (output) formatting bugs in this sysctl. An off by 1 error caused
a garbage byte to be returned after annotation of large deltas, and
a race with the writer sometimes caused premature string termination.
o when compiling lint, undefine certain things and redefine them so that the
driver doesn't #error out. Since lint kernels aren't supposed to be
bootable, I'm no troubled by this breakage.
This fixes the tinderbox
Suggested by: rwatson
Approved by: bms
is possible for an error to occur while trying to log an error, and
this can result in infinite recursion (or at least until we run out
of stack).
Rather than this, we ignore requests to log an error while logging an
error.
PR: 51253
MFC after: 2 weeks
context of sockets, and document EINVAL as a possible failure mode
based on the object selected, not just the label provided.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
SO_PEERLABEL. This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application. Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().
Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions. Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.
NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
While we end up the same place, we end up with two different CS register
values after the jump and 0xf000 is compatible with the hardware reset
value.
This makes a difference if the BIOS does a near jump before a far jump.
Detective work and patch by: Adrian Steinmann <ast@marabu.ch>
a non-fsid unmount if the file system ID is all zeros. This is a
temporary workaround for warnings that occur in the vfs.usermount=1
case because non-root users get a zeroed filesystem ID. I have a
more complete fix in the works, but I won't get it done for 5.2.
- improve sysinfo(2) syscall;
- add dummy fadvise64(2) syscall;
- add dummy *xattr(2) family of syscalls;
- add protos for the syscalls 222-225, 238-249 and 253-267;
- add exit_group(2) syscall, which is currently just wired to exit(2).
Obtained from: OpenBSD
MFC after: 2 weeks
Its restoration in rev.1.102 was mistranslated to the equivalent of
setsofttty() in rev.1.105. This increased overheads by causing a
context switch to the SWI handler after almost every interrupt. The
increase was approx. 50% on a Celeron 366 (from 23 usec to 34 usec
per interrupt).
I'm having bad luck with different parts of the sys tree being checked
out at slightly different times. Back it out, noting it doesn't cause
harm in any case. Tinderbox also makes these things more fun.
of trying to directly create the snapshot itself. This change allows
users logged into the system as operator to run live dumps.
Note that dump no longer tries to create the snapshot in the root of
the filesystem, but rather in a .snap directory in the root of the
filesystem. The reason is that the operator is usually not permitted
to write into the root of the filesystem. The newfs command and
background fsck have both been modified to create a .snap directory
in the root of the filesystem, but if neither of these have been run,
then the .snap directory must be created manually by the superuser
before a live dump can be run. The .snap directory should be owned
by user root and group operator and set to mode 770.
of newfs, to signify the newfs operation has not yet completed. Re-
write the superblock with the correct magic number once all of the
cylinder groups have been created to show the operation has finished.
Sponsored by: St. Bernard Software
physical mapping.
- Move the sf_buf API to its own header file; make struct sf_buf's
definition machine dependent. In this commit, we remove an
unnecessary field from struct sf_buf on the alpha, amd64, and ia64.
Ultimately, we may eliminate struct sf_buf on those architecures
except as an opaque pointer that references a vm page.
dynamically linked. This has been a long time coming with the move of
critical libraries from /usr/lib to /lib. If you don't feel comfortable
with dynamically linked binaries in your root partition, now is the
time to define NO_DYNAMICROOT in your make.conf.
Approved by: re
mac_free(3), which is used only for variables of type mac_t in
the FreeBSD implementation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
sure to sooptcopyin() the (struct mac) so that the MAC Framework
knows which label types are being requested. This fixes process
queries of socket labels.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
opt_ddb.h. These changes expand green's work of including
opt_global.h to prefer opt files in the kernel directory. Further
refinement might be needed, but I think this is good.
Note: While this is a step on the path to moving the meta information
about modules into the config files, it doesn't actually do that. It
just pulls in the opt files in a way that allows one to build
'generic' modules outside the tree.
disposing fifo resources in fifo_cleanup() instead using of
"vp->v_usecount == 1". There may be other references to the vnode, for
instance by nullfs, at the time fifo_open() or fifo_close() is called,
which could cause a resource leak.
Don't bother grabbing the vnode interlock in fifo_cleanup() since it no
longer accesses v_usecount.
the nfsv4 files. It is intended to be a short-term bridge while
alfred deals with the problem in a better way (eg, don't hesitate to
back this out when the real fix comes along). I've not heard back
from alfred in a few hours and other people are hitting this problem.
Approved by: markm, rwatson, grog, murray