The goal of saving entropy in Fortuna is two-fold: (1) to provide early
availability of the random device (unblocking) on next boot; and (2), to
have known, high-quality entropy available for that initial seed. We know
it is high quality because it's output taken from Fortuna.
The FS&K paper makes it clear that Fortuna unblocks when enough bits have
been input that the output //may// be safely seeded. But they emphasize
that the quality of various entropy sources is unknown, and a saved entropy
file is essential for both availability and ensuring initial
unpredictability.
In FreeBSD we persist entropy using two mechanisms:
1. The /etc/rc.d/random shutdown() function, which is used for ordinary
shutdowns and reboots; and,
2. A cron job that runs every dozen minutes or so to persist new entropy, in
case the system suffers from power loss or a crash (bypassing the
ordinary shutdown path).
Filesystems are free to cache dirty data indefinitely, with arbitrary flush
policy. Fsync must be used to ensure the data is persisted, especially for
the cron job save-entropy, whose entire goal is power loss and crash safe
entropy persistence.
Ordinary shutdown may not need the fsync because unmount should flush out
the dirty entropy file shortly afterwards. But it is always possible power
loss or crash occurs during the short window after rc.d/random shutdown runs
and before the filesystem is unmounted, so the additional fsync there seems
harmless.
PR: 230876
Reviewed by: delphij, markj, markm
Approved by: secteam (delphij)
Differential Revision: https://reviews.freebsd.org/D19742
If dso uses initial exec TLS mode, rtld tries to allocate TLS in
static space. If there is no space left, the dlopen(3) fails. If space
if allocated, initial content from PT_TLS segment is distributed to
all threads' pcbs, which was missed and caused un-initialized TLS
segment for such dso after dlopen(3).
The mode is auto-detected either due to the relocation used, or if the
DF_STATIC_TLS dynamic flag is set. In the later case, the TLS segment
is tried to allocate earlier, which increases chance of the dlopen(3)
to succeed. LLD was recently fixed to properly emit the flag, ld.bdf
did it always.
Initial test by: dumbbell
Tested by: emaste (amd64), ian (arm)
Tested by: Gerald Aryeetey <aryeeteygerald_rogers.com> (arm64)
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D19072
allocate_tls_offset returns true on success. The same issue existed
on arm and was fixed in r345693.
PR: 236880
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
allocate_tls_offset returns true on success. This still needs more
testing and review, but this change is consistent with other archs.
PR: 236880
Reported by: Andrew Gierth <andrew@tao11.riddles.org.uk>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
r345620 by kib@ fixed the rtld issue that caused a crash at startup
during resolution of libc's ifuncs with BIND_NOW.
PR: 233333
Sponsored by: The FreeBSD Foundation
modules by declaring corresponding variables in rc.conf. Also document
them in rc.conf(5).
Submitted by: Dries Michiels
Differential Revision: https://reviews.freebsd.org/D19673
It seems my subconcious plan in r345088 to not only prefer IPv6 autoconf
but to also slowly deteriorate legacy IP auto-configuration was uncovered
way too early.
In case IPv6 is a thing yet ipv6_autoconfif was not true, we would not
bring up the interface yet tell the follow-up DHCPv4 configuration in
ifconfig_up() that we did. So unless you were doing SYNCDHCP or IPv6
you would not get legacy-IP DHCPv4 configuration.
I see multiple problems here: (a) people not yet using IPv6 (obviously a
problem), and (b) the dhclient startup script not running dhclient in
that case despite configured to do so (needs to be investigated seperately).
Reported by: Pawel Biernacki (pawel.biernacki gmail.com)
Tested by: Pawel Biernacki
Differential Revision: https://reviews.freebsd.org/D19488
Pointyhat to: bz (not sure if it is for breaking or
for letting them notice it so easily)
Before this change we would only run rtsol on an interface which was
set to accept_rtadv and did not have rtsold enabled. This change
removes the latter condition and always runs rtsol (rather than the
deferred rtsold) to reduce the delay until we send the first RS.
This change will also handle the accept_rtadv before dhcp hence
starting IPv6 auto-configuration before IPV4 DHCP.
This change is intended for FreeBSD 13 and later only and will not be MFCed.
Reviewed by: hrs
Differential Revision: https://reviews.freebsd.org/D19488
FreeBSD removed the default /etc/pf.conf file in previous releases, but
the documentation kept mentioning it like any other file present in the
system. Change pf.conf(5) to mention in the description of the default
ruleset location that this file needs to be created manually. Also, the
default rc.conf file had it's comment extended a bit to let people know
that this file does not exist by default.
PR: 231977
Submitted by: koobs@
Reviewed by: kp@, 0mp@
Approved by: kp@
MFC after: 10 days
Differential Revision: https://reviews.freebsd.org/D19530
is specified.
When WITHOUT_IPFILTER is specified, delete-old-files fails to delete
the optional rc.d files from above. Fix this.
WITHOUT_IPFILTER fails to delete the ipfilter.5 optional file during
delete-old-files. Fix this.
Reported by: Dmitry Luhtionov <dmitryluhtionov@gmail.com>
MFC after: 1 week
When piping to awk, it's almost always an anti-pattern to use 'grep'
first.
When not in a pipeline, sometimes it is faster to use tail, as awk
must process all the lines in the input stream, and won't 'seek'.
In a pipeline, both grep and awk must process all lines, so we might
as well skip the extra process creation for tail and just use awk
for all the processing.
Reviewed by: jilles
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D19441
Specifically, this allows (via "-V vhostname") telling nfsd what principal
to use, instead of the hostname. This is used at iXsystems for fail-over in
HA systems.
Reviewed by: macklem
Sponsored by: iXsystems Inc.
Differential Revision: https://reviews.freebsd.org/D19191
Building binaries as PIE allows the executable itself to be loaded at a
random address when ASLR is enabled (not just its shared libraries).
With this change PIE objects have a .pieo extension and INTERNALLIB
libraries libXXX_pie.a.
MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
they explicitly reference .a libraries in their Makefiles. These can
be addressed on an individual basis later. MK_PIE is also disabled for
rtld-elf because it is already position-independent using bespoke
Makefile rules.
Currently only dynamically linked binaries will be built as PIE.
Discussed with: dim
Reviewed by: kib
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18423
There are many cases which this code does not handle (e.g. ZFS mirrors)
but the code can handle the single-disk case -- so it's enough to take
care of the "disk image which gets booted into a VM with a larger than
expected disk" case for which this firstboot script was created.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D19095
This allows to reuse the allocator in other environments that get
malloc(3) and related functions from libc or interposer.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D18988
They will stop it automatically ('Interface wlan0 is down,
dhclient exiting'); use /etc/rc.d/dhclient stop command only when
none of them is used.
MFC after: 5 days
removed as part of r341441.
This call to reloc_non_plt() may crash if ifunc resolvers use the
needed libraries symbols since the pass over the needed libs
relocation is not yet done. The change in r341441 ensures the right
relocation order otherwise.
Submitted by: theraven
MFC after: 1 week
Discussed in: https://reviews.freebsd.org/D17529
The buffer allocated in read_chat() could be 1 element too short, if the
chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b").
The allocation of the pointer array does not account for the terminating
NULL pointer in that case.
Overlapping source and destination strings are undefined in strcpy().
Instead of moving a string to the left by one character just increment the
char pointer before it is assigned to the results array.
MFC after: 2 weeks
Summary: reloc_jmpslot function parameter 'defobj' is not used when using ELFv2
ABI
Submitted by: alfredo.junior_eldorado.org.br
Reviewed By: kib, git_bdragon.rtk0.net, emaste, jhibbits
Differential Revision: https://reviews.freebsd.org/D18808
Originally intended as 'in case in needs to be re-invoked', but it was later
decided (by myself) that 're-invoke itself' makes it more clear that the
script is expected to use this in a way.
Reported by: Jose Luis Duran (jlduran @ github)
X-MFC-With: r342792
Some rc scripts in ports (e.g. uwsgi, apache, openvpn) allow for
'application profiles' that usually require the rc script to be invoked
again for each active profile. Because there's no consistent way to
determine the path because it differs between manual/service(8) invocations
and /etc/rc invocations, this leads to patterns like these:
- www/uwsgi hardcodes the script path
- security/openvpn guesses either $_file or $0 based on $0 = /etc/rc
Instead of forcing rc scripts to guess, provide an rc_service variable to
the scripts that gets set appropriately both for direct execution or when a
script is being executed via run_rc_script (e.g. /etc/rc).
This is our analog of an OpenRC variable with the same name, different case
(RC_SERVICE).
PR: 234614
Reported by: koobs
Reviewed by: dteske, jilles
MFC after: 3 days
We need to subtract the TLS_TCB_SIZE to get to the real data pointer, since
r13 points to the end of the TCB structure. Prior to this, devel/protobuf-c
port broke with recent update to devel/protobuf, which exposed this issue.
Submitted by: andreast
Reported by: Piotr Kubaj
MFC after: 1 week
iBCS2 was disconnected from the build in 2015 (see r291419)
bsdconfig parts submitted by dteske.
Reviewed by: kib (previous version)
Sponsored by: The FreeBSD Foundation
Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.
admbugs: 850
Reported by: Reno Robert
Reviewed by: markj
Approved by: so
Security: FreeBSD-SA-18:15.bootpd
Sponsored by: The FreeBSD Foundation
/usr/sbin/audit(dist)?d are only installed if ${MK_AUDIT} == yes. Their
supporting scripts should only be installed in those instances as well.
Submitted by: ngie
Reviewed by: emaste
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd/pull/242
The original code did not support dynamically loaded libraries and used
suboptimal access to TLS variables.
New implementation removes lazy resolving of TLS relocation - due to flaw
in TLSDESC design is impossible to switch resolver function at runtime
without expensive locking.
Due to this, 3 specialized resolvers are implemented:
- load time resolver for TLS relocation from libraries loaded with main
executable (thus with known TLS offset).
- resolver for undefined thread weak symbols.
- slower lazy resolver for dynamically loaded libraries with fast path for
already resolved symbols.
PR: 228892, 232149, 233204, 232311
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18417
'read' pessimistically read(2)s one byte at a time, which can be quite
silly for large environments in slow emulators.
In my boring user environment, truss shows that the number of read()
syscalls to source rc.subr and invoke list_vars is reduced by something like
3400 to 60. ministat(1) shows a significant time difference of about -71%
for my environment.
Suggested by: jilles
Discussed with: dteske, jhb, jilles
Differential Revision: https://reviews.freebsd.org/D18481
Although these are slightly obsolete in favor of R_AARCH64_TLSDESC,
gcc -mtls-dialect=trad still use them.
Please note that definition of TLS_DTPMOD64 and TLS_DTPREL64 are incorrectly
exchanged in GNU binutils. TLS_DTPREL64 should be encoded to 1028 (as is
defined in ARM ELF ABI) but binutils encode it to 1029. And vice versa,
TLS_DTPMOD64 should be encoded to 1029 but binutils encode it to 1028.
While I'm in, add also R_AARCH64_NONE. It can be produced as result of linker
relaxation.
MFC after: 1 week
- don't relocate jump slots multiple times (if LD_BIND_NOW is defined).
- process only R_AARCH64_JUMP_SLOT here, other relocation types are handled
by reloc_plt().
MFC after: 1 week
- Do not perform ifunc relocations together with other PLT relocations
in PLT. Instead, do it during an additional pass over the init
list, so that ifuncs are resolved in the order of dso
dependencies. This allows the ifuncs resolvers to call into depended
libs. Init list now includes all objects instead of only objects
with init/fini callables.
- Disable relro protection around bind_now ifunc relocations.
I considered calling ifunc resolvers of dso after initializers of all
dependencies are processed, and decided that this is wrong/should not
be supported. The order now is normal relocations for all
objects->ifunc resolution in init order->initializers, where each step
does complete pass over all loaded objects before moving to the next
step.
Reported, tested and reviewed by: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D18400
bzero(3) for rtld.
This again reduces rtld dependency on libc, and in future, avoid ifunc
relocations when the functions are converted to ifuncs in libc.
Reported by: mjg
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D18400
An issue remains with BIND_NOW and processes using threads. For now,
restore libc's BIND_NOW disable, and also disable BIND_NOW in rtld and
libthr.
A patch is in review (D18400) that likely fixes this issue, but just
disable BIND_NOW pending further testing after it is committed.
PR: 233333
Sponsored by: The FreeBSD Foundation