Commit Graph

6478 Commits

Author SHA1 Message Date
Warner Losh
6dcff5b77c Move /etc/ to SRCTOP
Prefer ${SRCTOP}/ to ${.CURDIR}/../ and ${.CURDIR}/../../ as appropriate.

Differential Revision:  https://reviews.freebsd.org/D9932
Sponsored by:		Netflix
Silence On:		arch@ (twice)
2017-03-12 18:58:55 +00:00
Baptiste Daroussin
84e1ba258b Add the diff to the tests mtree
Reported by:	lwhsu
2017-03-11 06:27:06 +00:00
Baptiste Daroussin
d2baa3fdee texinfo is gone in r276551 remove the related directories
Reported by:	jbeich
2017-03-08 08:52:15 +00:00
Enji Cooper
d0d6d69788 Only install 900.tcpwrap if MK_INETD != "no" and MK_TCP_WRAPPERS != "no"
It relies on output from inetd that is triggered by MK_TCP_WRAPPERS=yes.

We need to check for both knobs being set -- otherwise the script doesn't
have much value.

PR:		217577
Submitted by:	Sergey <kpect@protonmail.com> (MK_TCP_WRAPPERS piece)
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-08 06:12:16 +00:00
Cy Schubert
05de3f339a Fix install due to incorrect placement of pwait dir in r314886.
Reported by:	Shawn Webb <shawn.webb@hardenedbsd.org>
MFC after:	2 weeks
X-MFC with:	r314886
2017-03-08 05:27:04 +00:00
Bryan Drewery
b06b52baac pwait: Add a -t flag to specify a timeout before exiting, and tests.
The exit status will be 124, as the timeout(1) utility uses.

Reviewed by:	jilles
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D9697
2017-03-07 22:16:55 +00:00
Enji Cooper
7d9ade5da1 Integrate indent tests added in r313544 into ATF/Kyua and the FreeBSD
test suite

This change does the following:

- Introduces symmetry in the test inputs/outputs by adding the exit
  code to the files. This simplified the test driver notably by
  requiring less filename/test name manipulation.
- Adds a test driver for the testcases added in r313544, patterned
  after bin/sh/tests/functional_test.sh . The driver calls indent as
  noted in r313544, with an exception: The $FreeBSD$ RCS keyword's
  expansion is reindented with indent, which means that the output
  differs from the expected output. Thus, all lines with $FreeBSD$
  in them are deleted on the fly, both in the input file and the
  output file.

  The test inputs/outputs are copied to the kyua sandbox before the
  test is run as the pathing in some of the files relies on pathing
  normalized to the current directory (copying the files is the
  easiest way to resolve the issue).

Approved by:	pstef (maintainer)
Reviewed by:	pstef
X-MFC with:	r313544
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D9682
2017-03-03 20:15:22 +00:00
Dimitry Andric
be64968040 Merge ^/head r314270 through r314419. 2017-02-28 21:30:26 +00:00
Gleb Smirnoff
efe3b0de14 Remove SVR4 (System V Release 4) binary compatibility support.
UNIX System V Release 4 is operating system released in 1988. It ceased
to exist in early 2000-s.
2017-02-28 05:14:42 +00:00
Alan Somers
7bcb2e63aa Update devd.conf for ports change 421360
Ports change 421360 changed the name and UID of the postgres user

Reviewed by:	trasz, imp, girgen
MFC after:	3 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D9746
2017-02-27 15:32:56 +00:00
Dimitry Andric
eedd67c033 Merge ^/head r314129 through r314177. 2017-02-23 19:32:25 +00:00
Yoshihiro Takahashi
041377941a The ct driver was removed by r312910. 2017-02-23 16:42:48 +00:00
Dimitry Andric
6ae9acde63 Merge ^/head r313896 through r314128. 2017-02-23 07:45:58 +00:00
Warner Losh
b8efe21815 Remove more stray EISA refernces: ahb was removed. Remove the cross
reference and replace, where appropiate, with ahd.4.
2017-02-22 20:47:25 +00:00
Enji Cooper
81e8601f58 Remove lib/libpam tests after they were removed from the source tree in r313975
X-MFC with:	r313975
Sponsored by:	Dell EMC Isilon
2017-02-20 01:45:12 +00:00
Allan Jude
85c15ab853 improve PBKDF2 performance
The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be

GELI's PBKDF2 uses a simple benchmark to determine a number of iterations
that will takes approximately 2 seconds. The security provided is actually
half what is expected, because an attacker could use the optimized
algorithm to brute force the key in half the expected time.

With this change, all newly generated GELI keys will be approximately 2x
as strong. Previously generated keys will talk half as long to calculate,
resulting in faster mounting of encrypted volumes. Users may choose to
rekey, to generate a new key with the larger default number of iterations
using the geli(8) setkey command.

Security of existing data is not compromised, as ~1 second per brute force
attempt is still a very high threshold.

PR:		202365
Original Research:	https://jbp.io/2015/08/11/pbkdf2-performance-matters/
Submitted by:	Joe Pixton <jpixton@gmail.com> (Original Version), jmg (Later Version)
Reviewed by:	ed, pjd, delphij
Approved by:	secteam, pjd (maintainer)
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D8236
2017-02-19 19:30:31 +00:00
Dimitry Andric
1a36faad54 Merge ^/head r313301 through r313643. 2017-02-11 14:04:18 +00:00
Enji Cooper
15df32b48d MFhead@r313360 2017-02-07 01:33:39 +00:00
Dimitry Andric
f9edb08480 Merge ^/head r313055 through r313300. 2017-02-05 20:03:05 +00:00
Enji Cooper
7664382295 Use kldload -n when loading if_deqna
This fixes if_deqna from being loaded by accident twice if it's already loaded
in the kernel.

MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-02-05 08:24:37 +00:00
Enji Cooper
9b3ece1c2e MFhead@r313243 2017-02-04 18:06:09 +00:00
Alan Somers
cb23468e75 Allow 999.local to run scripts in any language
If one of the scripts listed in (daily|weekly|monthly)_local is executable,
999.local should simply execute it. Only if the script isn't executable
should 999.local assume it needs /bin/sh.

Reviewed by:	brian
MFC after:	3 weeks
Sponsored by:	Spectra Logic Corp
2017-02-01 23:22:54 +00:00
Dimitry Andric
65575c1424 Merge ^/head r312894 through r312967. 2017-01-29 22:00:47 +00:00
Yoshihiro Takahashi
2b375b4edd Remove pc98 support completely.
I thank all developers and contributors for pc98.

Relnotes:	yes
2017-01-28 02:22:15 +00:00
Dimitry Andric
2004ce3f0d Merge ^/head r312624 through r312719. 2017-01-24 19:59:25 +00:00
Kevin Lo
a6bac5b604 Sort REALTEK section and remove duplicate entry for RTL8192CU. 2017-01-24 03:00:22 +00:00
Kevin Lo
60b9567d16 Add support for the Realtek RTL8192EU chipset.
Committed over the D-Link DWA-131 rev E1 on amd64 with WPA.

Reviewed by:	avos
2017-01-24 02:35:38 +00:00
Dimitry Andric
a4aa656aa5 Merge ^/head r312309 through r312623. 2017-01-22 16:05:13 +00:00
Ed Maste
6b02cd2c8f Remove obsolete /usr/lib/debug/usr/lib/private dir
Missed in r282420

Reported by:	dim
2017-01-20 03:14:18 +00:00
Enji Cooper
71164a14d0 Integrate .../contrib/netbsd-tests/usr.bin/uniq into the FreeBSD test
suite as .../usr.bin/uniq/tests

Sponsored by:	Dell EMC Isilon
2017-01-14 06:51:31 +00:00
Dimitry Andric
8a6fe8ce60 Merge ^/head r311812 through r311939. 2017-01-11 21:05:13 +00:00
Ian Lepore
6a4b451a11 Follow r311103: add "pool" to the keywords that rc.d/ntpdate examines to
find a server address in ntp.conf.

Submitted by:	Ronald Klop <ronald@klop.ws>
Pointy hat to:	ian
2017-01-11 00:14:47 +00:00
Alan Somers
cdb7a6fc42 Fix memory leaks during "tail -r" of an irregular file
* Rewrite r_buf to use standard tail queues instead of a hand-rolled
  circular linked list. Free dynamic allocations when done.
* Remove an optimization for the case where the file is a multiple of 128KB
  in size and there is a scarcity of memory.
* Add ATF tests for "tail -r" and its variants.

Reported by:	Valgrind
Reviewed by:	ngie
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D9067
2017-01-10 20:43:32 +00:00
Dimitry Andric
69415bc524 Merge ^/head r311546 through r311683. 2017-01-08 14:36:18 +00:00
Enji Cooper
3bc6f09c7b Move the mibII module up so uncommenting the bridge module works
Add a note about how module ordering and dependent modules

MFC after:	1 week
2017-01-07 09:03:40 +00:00
Dimitry Andric
2b532af829 Merge ^/head r311314 through r311459. 2017-01-05 20:50:44 +00:00
Dimitry Andric
53fe1d28fa Adjust version numbers for the clang library directory. 2017-01-05 18:32:18 +00:00
Alan Somers
0dbb4093ef Fix typo from r311349
Reported by:	lwhsu
Pointy-hat-to:	asomers
MFC after:	4 weeks
X-MFC-with:	311349
2017-01-05 15:07:04 +00:00
Alan Somers
371f86d244 tabs -> spaces in etc/mtree
MFC after:	4 weeks
2017-01-05 02:47:56 +00:00
Ian Lepore
9f5b5f5a4d Update ntp.conf to use the ntpd pool feature.
Our previous ntp.conf file configured 3 servers from freebsd.pool.ntp.org
using 3 separate 'server' config lines.  That is now replaced with a single
'pool' line which causes ntpd to add multiple servers from the pool.

More than just making the config smaller, the pool feature in ntpd has one
major advantage over configuring 3 separate servers from a pool: if a server
that was added using a 'pool' statement provides bad time (initially or at
some later date), ntpd automatically discards it and configures a new
different server from the pool without needing to be restarted.

These changes also add a 'tos' line to control how many pool servers get
added, a 'restrict source' line that is required to allow ntpd to add new
peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does
nothing and should never have been there (127.127.1.0 is not a valid IP
address, it's a refclock identifier).

Differential Revision:	https://reviews.freebsd.org/D9011
2017-01-02 15:19:22 +00:00
Enji Cooper
79030cf6d9 Provide some guidance when dealing with sections and variables contained
within them

For example, using variables designated for %usm requires uncommenting
%usm section header

MFC after:	1 month
2016-12-23 08:59:23 +00:00
Enji Cooper
62530c3f9e Don't hardcode $(securityModelUSM) (3) in the authPriv example under the %vacm
section

MFC after:	1 week
2016-12-23 08:54:44 +00:00
Enji Cooper
ad59cea045 Group all loadable modules in the %default section
This will allow new users to uncomment the modules and have things work
with less head scratching, in the event they decide to uncomment any
of the section separators, e.g. %usm or %vcm, as the module loading is
only effective in the %default section.

MFC after:	1 week
2016-12-23 06:56:48 +00:00
Enji Cooper
bedfa5f26a Clean up trailing whitespace
No functional change

MFC after:	3 days
2016-12-23 06:35:18 +00:00
Ed Schouten
1982624784 Add an example inetd(8) entry for the Prometheus sysctl exporter.
I went through the process of allocating a default port number for this
exporter, TCP 9124. This means that we can add an entry to the services
file as well.

List of Prometheus default port numbers:
https://github.com/prometheus/prometheus/wiki/Default-port-allocations
2016-12-21 08:32:20 +00:00
Dimitry Andric
3ffd353070 Merge ^/head r309817 through r310168. 2016-12-16 18:38:31 +00:00
Konrad Witaszczyk
480f31c214 Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.

A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.

dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable.  Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.

When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore

A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.

Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.

savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.

decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.

Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.

EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.

Designed by:	def, pjd
Reviewed by:	cem, oshogbo, pjd
Partial review:	delphij, emaste, jhb, kib
Approved by:	pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
Dimitry Andric
1bde3b7066 Merge ^/head r309519 through r309757. 2016-12-09 20:57:43 +00:00
Andriy Voskoboinyk
7d3a36a88e Do not try to recreate wlan(4) interface if it already exists.
This should fix error messages caused by devd(8) during startup:

Starting Network: lo0 wlan0.
...
Starting devd.
ifconfig: SIOCS80211: Device busy
wpa_supplicant already running?  (pid=323).

MFC after:	2 weeks
2016-12-04 15:58:34 +00:00
Dimitry Andric
4f9d94bf64 Merge ^/head r309263 through r309518. 2016-12-04 00:00:56 +00:00