Commit Graph

172 Commits

Author SHA1 Message Date
markj
5f4a081625 Disable savecore(8)'s libcasper support when WITHOUT_DYNAMICROOT=yes.
This follows the example of other Capsicumized programs in /sbin.

Reported by:	Manfred Antar <manfredantar@gmail.com>
MFC with:	r342699
Sponsored by:	The FreeBSD Foundation
2019-01-04 19:20:19 +00:00
markj
14659e9590 Fix an error check after r342699.
Reported by:	gcc
MFC with:	r342699
Sponsored by:	The FreeBSD Foundation
2019-01-02 17:34:25 +00:00
markj
4196352ea1 Capsicumize savecore(8).
- Use cap_fileargs(3) to open dump devices after entering capability
  mode, and use cap_syslog(3) to log messages.
- Use a relative directory fd to open output files.
- Use zdopen(3) to compress kernel dumps in capability mode.

Reviewed by:	cem, oshogbo
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D18458
2019-01-02 17:09:35 +00:00
garga
e1fe089811 Restore /var/crash permissions to 0750, as declared in mtree file. After
r337337 it changed to 0755.

Reviewed by:	loos
Approved by:	loos
MFC after:	3 days
Sponsored by:	Rubicon Communications, LLC (Netgate)
Differential Revision:	https://reviews.freebsd.org/D18355
2018-12-04 12:34:22 +00:00
brd
2f83af4c9b Move etc/minfree to sbin/savecore/.
This is prep for pkgbase to have config files tagged as such.

Approved by:	will (mentor)
Differential Revision:	https://reviews.freebsd.org/D16558
2018-08-04 22:15:59 +00:00
markj
334106354e The extension for zstd-compressed files is ".zst".
Reported by:	manu
2018-05-29 16:04:53 +00:00
trasz
21f78a846d Bump .Dd after r331113.
Reported by:	oshogbo@
MFC after:	2 weeks
2018-03-27 16:38:32 +00:00
trasz
6a49f23154 Xr crashinfo(8) from savecore(8).
MFC after:	2 weeks
2018-03-17 21:58:41 +00:00
silby
e41d5feab3 Prevent savecore from reading bounds from the current directory.
Rev 244218 removed the requirement that you provide a dump
directory when checking if there is a coredump ready to be written.
That had the side-effect of causing the bounds file to be read
from the current working directory instead of the dump directory.
As the bounds file is irrelevant when just checking, the simplest
fix is to not read the bounds file when checking.

Reviewed by:	markj
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D14383
2018-02-16 06:51:39 +00:00
markj
4c9fc08f4a Add support for zstd-compressed user and kernel core dumps.
This works similarly to the existing gzip compression support, but
zstd is typically faster and gives better compression ratios.

Support for this functionality must be configured by adding ZSTDIO to
one's kernel configuration file. dumpon(8)'s new -Z option is used to
configure zstd compression for kernel dumps. savecore(8) now recognizes
and saves zstd-compressed kernel dumps with a .zst extension.

Submitted by:	cem (original version)
Relnotes:	yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D13101,
			https://reviews.freebsd.org/D13633
2018-02-13 19:28:02 +00:00
pfg
872b698bd4 General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
bdrewery
a598c4b809 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
markj
a049a758b2 Add support for compressed kernel dumps.
When using a kernel built with the GZIO config option, dumpon -z can be
used to configure gzip compression using the in-kernel copy of zlib.
This is useful on systems with large amounts of RAM, which require a
correspondingly large dump device. Recovery of compressed dumps is also
faster since fewer bytes need to be copied from the dump device.

Because we have no way of knowing the final size of a compressed dump
until it is written, the kernel will always attempt to dump when
compression is configured, regardless of the dump device size. If the
dump is aborted because we run out of space, an error is reported on
the console.

savecore(8) is modified to handle compressed dumps and save them to
vmcore.<index>.gz, as it does when given the -z option.

A new rc.conf variable, dumpon_flags, is added. Its value is added to
the boot-time dumpon(8) invocation that occurs when a dump device is
configured in rc.conf.

Reviewed by:	cem (earlier version)
Discussed with:	def, rgrimes
Relnotes:	yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D11723
2017-10-25 00:51:00 +00:00
markj
52de978fec Fix style and wrap lines to 80 columns in savecore.c.
No functional change intended.

MFC after:	3 days
2017-07-24 21:51:41 +00:00
markj
f60764cc69 Revert r320918 and have mkdumpheader() handle version string truncation.
Reported by:	jhb
MFC after:	1 week
2017-07-15 20:53:08 +00:00
markj
ec4ae1e66d Add a newline after the version string.
MFC after:	3 days
2017-07-12 18:29:25 +00:00
markj
52c583799a Add a subroutine for comparing kerneldump identifiers.
MFC after:	2 weeks
2017-07-11 18:24:05 +00:00
ngie
9efe0fc3f6 Switch back to non-IEC units for 1024 bytes
I was swayed a little too quickly when I saw the wiki page discussing
kB vs KiB. Switch back as none of the code in base openly uses
IEC units via humanize_number(3) (which was my next step), and there's
a large degree of dislike with IEC vs more SI-like units.

MFC after:	7 weeks
Submitted by:	jhb, rgrimes
Sponsored by:	Dell EMC Isilon
2017-04-15 06:53:07 +00:00
ngie
c7c342ccf1 savecore: fix space calculation with respect to minfree in check_space(..)
- Use strtoll(3) instead of atoi(3), because atoi(3) limits the
  representable data to INT_MAX. Check the values received from
  strtoll(3), trimming trailing whitespace off the end to maintain
  POLA.
- Use `KiB` instead of `kB` when describing free space, total space,
  etc. I am now fully aware of `KiB` being the IEC standard for 1024
  bytes and `kB` being the IEC standard for 1000 bytes.
- Store available number of KiB in `available` so it can be more
  easily queried and compared to ensure that there are enough KiB to
  store the dump image on disk.
- Print out the reserved space on disk, per `minfree`, so end-users
  can troubleshoot why check_space(..) is reporting that there isn't
  enough free space.

MFC after:	7 weeks
Reviewed by:	Anton Rang <rang@acm.com> (earlier diff), cem (earlier diff)
Tested with:	positive/negative cases (see review); make tinderbox
Sponsored by:	Dell EMC Isilon
Differential Revision:	D10379
2017-04-14 19:41:48 +00:00
ngie
8c05ff17fa Clarify units for mediasize and sectorsize in DoFile(..)
They're byte quantities.

MFC after:	7 weeks
Sponsored by:	Dell EMC Isilon
2017-04-12 20:20:04 +00:00
ngie
720683bc93 Clarify minfree warning message in check_space(..)
- State that the units are kB.
- Be more complete/concise in terms of what is required (in this case
  `minfree` must be at least `X`kB)

MFC after:	7 weeks
Sponsored by:	Dell EMC Isilon
2017-04-12 20:08:39 +00:00
imp
7e6cabd06e Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
trasz
b1c4c43759 Make savecore(8) output nicer by specifying the maximum field width
instead of minimum one (precision instead of width).

MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
2017-02-19 16:59:00 +00:00
def
1bdea4b6ed Fix bugs found by Coverity in decryptcore(8) and savecore(8):
- Perform final decryption and write decrypted data in case of non-block aligned
input data;
- Use strlcpy(3) instead of strncpy(3) to verify if paths aren't too long;
- Check errno after calling unlink(2) instead of calling stat(2) in order to
verify if a decrypted core was created by a child process;
- Free dumpkey.

Reported by:	Coverity, cem, pfg
Suggested by:	cem
CID:		1366936, 1366942, 1366951, 1366952
Approved by:	pjd (mentor)
2017-02-04 14:10:16 +00:00
def
f63c437216 Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.

A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.

dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable.  Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.

When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore

A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.

Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.

savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.

decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.

Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.

EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.

Designed by:	def, pjd
Reviewed by:	cem, oshogbo, pjd
Partial review:	delphij, emaste, jhb, kib
Approved by:	pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
cem
44e4206520 savecore(8): Fix buffer overrun inspecting disks with varying sector size
A premature optimization lead to caching a native-sector sized memory
allocation.  If the program examined a 512 byte sector disk, then a 4096
byte sector disk, the program would overrun the cached 512 byte buffer.

Just remove the optimization to fix the bug.  This was introduced with the 4Kn
dump support in r298076.

Reported by:	markj
Reviewed by:	markj, rpokala
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D8162
2016-10-06 05:16:44 +00:00
ngie
f1d4f395a6 Don't leak fd on sectorsize malloc failure
Also, call endfsent after calling getfsent (i.e. when not explicitly called
with a swap device) for code cleanliness

CID: 1354785
Differential Revision: https://reviews.freebsd.org/D6014
X-MFC with: r298076
Reported by: Coverity
Reviewed by: cem
Sponsored by: EMC / Isilon Storage Division
2016-04-20 00:49:49 +00:00
gjb
6549ef7d12 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
cem
65445cc442 savecore(8): Explicitly cast to fix i386 warning 2016-04-15 20:19:32 +00:00
cem
98188ed5c2 Add 4Kn kernel dump support
(And 4Kn minidump support, but only for amd64.)

Make sure all I/O to the dump device is of the native sector size.  To
that end, we keep a native sector sized buffer associated with dump
devices (di->blockbuf) and use it to pad smaller objects as needed (e.g.
kerneldumpheader).

Add dump_write_pad() as a convenience API to dump smaller objects with
zero padding.  (Rather than pull in NPM leftpad, we wrote our own.)

Savecore(1) has been updated to deal with these dumps.  The format for
512-byte sector dumps should remain backwards compatible.

Minidumps for other architectures are left as an exercise for the
reader.

PR:		194279
Submitted by:	ambrisko@
Reviewed by:	cem (earlier version), rpokala
Tested by:	rpokala (4Kn/512 except 512 fulldump), cem (512 fulldump)
Relnotes:	yes
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D5848
2016-04-15 17:45:12 +00:00
gjb
4e38aaedb8 Explicitly add more files to the 'runtime' package.
Sponsored by:	The FreeBSD Foundation
2016-02-09 20:19:31 +00:00
rodrigc
9405dd95c9 Add more text to explain --libxo flag. 2015-12-01 19:18:53 +00:00
cem
f7f2a93345 savecore(8): Be quiet unless the user asks for verbose
Make savecore(8) more suitable for init-time scripts; be quiet by default.

Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D3229
2015-11-07 23:27:03 +00:00
asomers
d527e5dce9 Always check the return value of lseek.
This is a follow-up to r289845, which only fixed one occurence of CID
1009429.

Coverity CID:	1009429
Reviewed by:	markj
MFC after:	2 weeks
X-MFC-With:	r289845
Sponsored by:	Spectra Logic
Differential Revision:	https://reviews.freebsd.org/D4096
2015-11-06 19:18:20 +00:00
asomers
f11412f79e Fix various Coverity issues in sbin/savecore/savecore.c:
CID1009429: Fix unchecked return value from lseek while clearing dump
CID1007781: Fix file descriptor leak in DoFile
CID1007261: Don't send potentially unterminated string to syslog(3)

Coverity CID:	1009429
Coverity CID:	1007781
Coverity CID:	1007261
MFC after:	2 weeks
Sponsored by:	Spectra Logic
Differential Revision:	https://reviews.freebsd.org/D3991
2015-10-23 19:28:24 +00:00
ngie
5c0da1966c Make libxo depend on libutil because it uses humanize_number after r287111
Remove overlinking in lib/libxo/tests, sbin/savecore, and
usr.bin/{iscsictl,wc,xo}

PR: 203673
Sponsored by: EMC / Isilon Storage Division
2015-10-18 07:30:50 +00:00
bdrewery
bdebc05d94 Update META_MODE dependencies. 2015-09-17 05:06:34 +00:00
marcel
02ffac2cca Upgrade libxo to 0.4.5.
Local changes incorporated by 0.4.5: r284340
Local changes retained: r276260, r282117

Obtained from:	https://github.com/Juniper/libxo
2015-08-24 16:26:20 +00:00
sjg
008d7c831f Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
sjg
75a137820d dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
sjg
65145fa4c8 Merge sync of head 2015-05-27 01:19:58 +00:00
scottl
ae2db51f38 Convert savecore to libxo. The 'verbose' paths still use printf since they're
meant for interactivity on the command line and contain a lot of redundant
information.

Obtained from:	Netflix, Inc.
2015-03-22 17:29:14 +00:00
bapt
6fdc031751 Convert sbin/ to LIBADD
Reduce overlinking
2014-11-25 11:23:12 +00:00
sjg
b137080f19 Merge from head@274682 2014-11-19 01:07:58 +00:00
bdrewery
3f85fc7387 If fgets(3) fails in getbounds(), show strerror(3) if not an EOF. Also fix
a FILE* leak in getbounds().

Submitted by:	Conrad Meyer <conrad.meyer@isilon.com>
PR:		192032
Sponsored by:	EMC / Isilon Storage Division
MFC after:	1 week
2014-09-17 19:09:58 +00:00
sjg
5860f0d106 Updated dependencies 2014-05-16 14:09:51 +00:00
sjg
1a7e48acf1 Updated dependencies 2014-05-10 05:16:28 +00:00
sjg
5e568154a0 Merge head 2014-04-28 07:50:45 +00:00
brueffer
8ac2dd562f Fix double fclose() in an error case.
CID:		1006120
Found with:	Coverity Prevent(tm)
MFC after:	1 week
2014-04-14 21:44:34 +00:00
markj
bfcbf2a469 Log the name of the device that we failed to open rather than an
uninitialized buffer.

MFC after:	3 days
2014-03-05 04:15:17 +00:00