Closing stdin/stdout/stderr is often a bad idea as a future open()
can end up with its fd. Leave it open and limit it to no rights
instead.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D7984
bspatch previously included sys/capability.h or sys/capsicum.h based
on __FreeBSD_version, as FreeBSD is the upstream for bsdiff and we may
see this file incorporated into other third-party software.
The Capsicum header is now installed as sys/capsicum.h in stable/10 and
FreeBSD 10.3, so we can just use sys/capsicum.h and simplify the logic.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D7954
This is not actually documented or even implied in style(9). Make the change
to match convention. Someone should document this convention in style(9).
Reported by: jhb
Sponsored by: EMC Dell Isilon
This is a nice and trivial program for sandboxing. One input file, one
output file.
Reviewed by: pfg
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D7920
This is a straightforward single input, single output program for
capsicum.
Reviewed by: bapt
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D7928
stdio uses fstat and the TIOCGETA ioctl. Also collapse the
cap_rights_limit and new cap_ioctls_limit calls into one if statement.
Errors here are not actionable by the user and distinguishing stdout
from stderr doesn't really have value.
Reported by: kib
Reviewed by: allanjude, bapt
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7944
If getcwd fails: just ignore it and do not try to add it to the list of possible
paths where to find the files.
If fdopen fails, warn and return NULL; the rest of the code knows how to deal
with it.
Reported by: oshogbo
As a trick to be able to access all files passed in arguments (readonly) within
the sandbox we first open the root directory, then consider all files as
relative to this file descriptor.
This might be improved once casper adds support for filesystems.
MFC after: 1 month
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D7936
errx() prefixes the error string with argv[0] so including "login: "
in the string is redundant. Also remove a superfluous newline.
Sponsored by: The FreeBSD Foundation
The first argument of calloc(3) should be an ordinal type, and the
second a size: split a multiplication to make better use of calloc(3)
and detect overflows.
Do some other re-ordering and style fixes while here.
MFC after: 3 weeks
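To show what splitting the multiplication buys, here is an added example (not code from this commit or from any FreeBSD source) contrasting a pre-multiplied request with calloc(3)'s separate count and size; the max_bytes ceiling is a constructed generalization of the same idea, not a value taken from the commit.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* The pattern being replaced: the caller multiplies in size_t before
 * calling the allocator. The product wraps silently, so a huge element
 * count turns into a tiny request and later indexing runs off the end. */
size_t
naive_bytes(size_t count, size_t elem_size)
{
	return (count * elem_size);
}

/* The check calloc(3) performs for us once count and size are passed
 * separately: would count * elem_size exceed SIZE_MAX? */
bool
mul_overflows(size_t count, size_t elem_size)
{
	return (elem_size != 0 && count > SIZE_MAX / elem_size);
}

/* Allocate `count` zeroed elements of `elem_size` bytes, refusing requests
 * that cannot be represented or that exceed max_bytes (a constructed,
 * caller-chosen ceiling standing in for an explicit program limit). */
void *
alloc_elems(size_t count, size_t elem_size, size_t max_bytes)
{
	if (mul_overflows(count, elem_size) || count * elem_size > max_bytes) {
		errno = EOVERFLOW;
		return (NULL);
	}
	return (calloc(count, elem_size));	/* calloc re-checks the product */
}

/* Shows that the libc allocator itself catches the overflow when the
 * factors are handed to it separately instead of pre-multiplied. */
bool
calloc_rejects_overflow(size_t count, size_t elem_size)
{
	void *p = calloc(count, elem_size);

	if (p != NULL)
		free(p);
	return (p == NULL);
}
```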
Note that this introduces an explicit 2GB limit, but this was already
implicit in variable and function argument types.
This is based on the "non-cryptanalytic attacks against freebsd
update components" anonymous gist. Further refinement is planned.
Reviewed by: allanjude, cem, kib
Obtained from: anonymous gist
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7619
process. We don't *quite* pull that number out of our backside, as
the actual number is difficult to determine without modifying the VM
system to report it, but it's still useful to get an idea of what's
going on when a machine unexpectedly starts swapping.
MFC after: 1 week
(On RISC-V MK_CXX is in BROKEN_OPTIONS, so users remains skipped there.)
Reviewed by: bdrewery
Differential Revision: https://reviews.freebsd.org/D7725
to -32768 when it is used as an argument to mp_itom(), in both libtelnet
and newkey. This code has been wrong since r26238 (!), so after almost
20 years it is rather useless to try to correct it.
MFC after: 1 week
It's not necessarily intuitive that the variables to query contain TRUSTEDBSD
in the prefix. Add non-TRUSTEDBSD prefixed knobs for querying things like
"_PC_ACL_NFS4".
MFC after: 1 week
Relnotes: yes
Reviewed by: wollman
Sponsored by: EMC / Isilon Storage Division
Differential Revision: https://reviews.freebsd.org/D7618
Move all of the fopen() and open() calls to the top of main()
Restrict each FD to least privilege (read/seek only, write only, etc)
cap_enter(), and make all except the output FD read/seek only.
Reviewed by: emaste, ed, oshogbo, delphij
Approved by: so
MFC after: 3 days
Relnotes: yes
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D7358
Decouple the send and receive limits on the amount of data in a single
iSCSI PDU. MaxRecvDataSegmentLength is declarative, not negotiated, and
is direction-specific so there is no reason for both ends to limit
themselves to the same min(initiator, target) value in both directions.
Allow iSCSI drivers to report their send, receive, first burst, and max
burst limits explicitly instead of using hardcoded values or trying to
derive all of them from the receive limit (which was the only limit
reported by the drivers prior to this change).
Display the send and receive limits separately in the userspace iSCSI
utilities.
Reviewed by: jpaetzel@ (earlier version), trasz@
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D7279
The TRUSTEDBSD prefix was chosen for consistency with the other
related `_PC_ACL*` prefixed variables.
MFC after: 3 days
Sponsored by: EMC / Isilon Storage Division
This allows shell programs to programmatically determine whether
or not a filesystem supports sparse files.
MFC after: 3 days
Sponsored by: EMC / Isilon Storage Division
Make style changes (and trivial refactoring of open calls) now in order
to reduce noise in diffs for future capsicum changes.
Reviewed by: oshogbo
No objection: cperciva
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7610
Coverity correctly reported that it's impossible for /comparison/ to be 0
here, because the only way for the for loop to end is by /comparison/
being < 0.
Fortunately the consequences of this bug weren't severe; for duplicated
entries in the typedef names file it would unnecessarily duplicate strings
with strdup(), but pointers to those would replace existing ones. So this
was a memory leak at worst.
CID: 1361477
Obtained from: Piotr Stefaniak
Shift the responsibility of allocating memory for the string duplicate
from the caller (set_option, add_typedefs_from_file) to the callee
(add_typename) as it has more knowledge about when the duplication
actually needs to occur.
Taken from: Piotr Stefaniak
Now that we've switched over to using the vDSO on CloudABI, it becomes a
lot easier for us to phase out old features. System call numbering is no
longer something that's part of the ABI. It's fully based on names. As
long as the numbering used by the kernel and the vDSO is consistent
(which it always is), it's all right.
Let's put this to the test by removing a system call (thread_tcb_set())
that's already unused for quite some time now, but was only left intact
to serve as a placeholder. Sync in the new system call table that uses
alphabetic sorting of system calls.
Obtained from: https://github.com/NuxiNL/cloudabi