This requires minor changes to the audit framework to allow capturing
paths that are not filesystem paths (i.e., will not be canonicalised
relative to the process current working directory and/or filesystem
root).
Obtained from: TrustedBSD Project
MFC after: 3 weeks
Sponsored by: DARPA, AFRL
external action is completed, but the rule search is continued.
External action handler can change the content of @args argument,
that is used for dynamic state lookup. Enforce the new lookup to be able
install new state, when the search is continued.
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
If a jail has an explicitly assigned IPv6 loopback address then allow it
to be used instead of remapping requests for the loopback adddress to the
first IPv6 address assigned to the jail.
This fixes issues where applications attempt to detect their bound port
where they requested a loopback address, which was available, but instead
the kernel remapped it to the jails first address.
This is the same fix applied to IPv4 fix by: r316313
Also:
* Correct the description of prison_check_ip6_locked to match the code.
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: Multiplay
top(1) read the wrong amount of data from sysctl, uint64_t instead of
boolean_t, resulting in the stats not showing in many cases.
X-MFC-With: r315435
Sponsored by: ScaleEngine Inc.
If a jail has an explicitly assigned loopback address then allow it to be
used instead of remapping requests for the loopback adddress to the first
IPv4 address assigned to the jail.
This fixes issues where applications attempt to detect their bound port
where they requested a loopback address, which was available, but instead
the kernel remapped it to the jails first address.
A example of this is binding nginx to 127.0.0.1 and then running "service
nginx upgrade" which before this change would cause nginx to fail.
Also:
* Correct the description of prison_check_ip4_locked to match the code.
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: Multiplay
In GELI, anywhere we are zeroing out possibly sensitive data, like
the metadata struct, the metadata sector (both contain the encrypted
master key), the user key, or the master key, use explicit_bzero.
Didn't touch the bzero() used to initialize structs.
Reviewed by: delphij, oshogbo
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D9809
Make sure sensitive memory is properly cleared when finished with it
Reviewed by: Eric McCorkle <eric@metricspace.net>
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D9798
Fallback to Linux video interface bindings introduced in r313068 worked
with then current DTS but that DTS turned out to be not conformant to
the the bindings spec. DTS import in r314854 fixed the conformancy but
broke the functionality. This commit syncs up functionality to the actual
spec.
Reported by: manu@
AUE_PROCCTL, AUE_SENDFILE, AUE_ACL_*, and AUE_POSIX_FALLOCATE.
Audit AUE_SHMUNLINK path in the path token rather than as a
text string, and AUE_SHMOPEN flags as an integer token rather
than a System V IPC address token.
Obtained from: TrustedBSD Project
MFC after: 3 weeks
Sponsored by: DARPA, AFRL
We have parallel NFSv2 and NFSv3 reader implementations, only configurable at
build time, defaulting to v3. Remove v2.
Reviewed by: allanjude
Approved by: allanjude (mentor)
Differential Revision: https://reviews.freebsd.org/D10206
resulting in a process dumping core in the corefile.
Also extend procstat to view select members of 'struct ptrace_lwpinfo'
from the contents of the note.
Sponsored by: Dell EMC Isilon
Also make sure that the renewal is never more than 1/2 * expiry and
rebind never more than 7/4 * renewal (the default values in the spec).
This should allow adjusting high values from the server as well as
making sure the values from the server make sense.
Renewal and rebind times will be adjusted down if the expiry time is set
very high in a server, not the other way around. This change just makes
sure the values keep making sense.
The current efi_zfs_probe() is overcomplicated and can be made
simpler. Still we need to pick up the device handle for our boot
disk first, because the ESP does not have to be the first partition on the
disk.
Once we do have the handle for boot disk, we probe that disk with
pointer for pool GUID.
Reviewed by: allanjude
Approved by: allanjude (mentor)
Differential Revision: https://reviews.freebsd.org/D10198
While testing 32bit UEFI OVMF (which has bug about how the disk size
is presented), I did witness the errors from blkio->ReadBlocks().
It became apparent we can not entirely trust UEFI interfaces either,
so additional checks are needed.
So we use disk_ioctl(DIOCGMEDIASIZE) for disks, with fallback of
Media->LastBlock for other media.
In addition, we need to check if there is media present.
+ small fixes for error printout, and avoiding multiple blk * 512.
Reviewed by: allanjude
Approved by: allanjude (mentor)
Differential Revision: https://reviews.freebsd.org/D10197
definitions for the DTrace audit provider, so that the dtaudit module
can compile in the absence of kernel DTrace support. This doesn't
really make run-time sense (since the binary dependencies for the
module won't be present), but it allows the dtaudit module to compile
successfully regardless of the kernel configuration.
MFC after: 3 weeks
Sponsored by: DARPA, AFRL
Reported by: kib
Restore the stock (upstream) code under an #else block, so it's easier
for me to visualize and understand the code that needs to be upstreamed.
MFC after: 2 months
X-MFC with: r316178, r316179, r316180
Sponsored by: Dell EMC Isilon
The prerequisite for '#if __EXT1_VISIBLE' functionality is the
inclusion of sys/cdefs.h. errno.h only auto-includes the header for
non-kernel environment, and EXT1 block only useful for non-kernel as
well.
Reported by: lwhsu
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks
9899:2011 Appendix K 3.7.4.1.
Other needed supporting types, defines and constraint_handler
infrastructure is added as specified in the C11 spec.
Submitted by: Tom Rix <trix@juniper.net>
Sponsored by: Juniper Networks
Discussed with: ed
MFC after: 3 weeks
Differential revision: https://reviews.freebsd.org/D9903
Differential revision: https://reviews.freebsd.org/D10161
The goal of this work is to remove the explicit dependency for ctl(4)
on iscsi(4), so end-users without iscsi(4) support in the kernel can
use ctl(4) for its other functions.
This allows those without iscsi(4) support built into the kernel to use
ctl(4) as a test mechanism. As a sidenote, this was possible around the
10.0-RELEASE period, but made impossible for end-users without iscsi(4)
between 10.0-RELEASE and 11.0-RELEASE.
Automatically load cfiscsi(4) from ctladm(8) and ctld(8) for backwards
compatibility with previously releases. The automatic loading feature is
compiled into the beforementioned tools if MK_ISCSI == yes when building
world.
Add a manpage for cfiscsi(4) and refer to it in ctl(4).
Differential Revision: D10099
MFC after: 2 months
Relnotes: yes
Reviewed by: mav, trasz
Sponsored by: Dell EMC Isilon
map the 'which' argument into a suitable audit event identifier for the
specific operation requested.
Obtained from: TrustedBSD Project
MFC after: 3 weeks
Sponsored by: DARPA, AFRL
msgsnd(2)'s msgsz argument does not describe the full structure, only the
message component.
Reported by: Coverity
CIDs: 1368703, 1368711
Sponsored by: Dell EMC Isilon
msgsnd's msgsz argument is the size of the message following the 'long'
message type. Don't include the message type in the size of the message
when invoking msgsnd(2).
Reported by: Coverity
CID: 1368712
Sponsored by: Dell EMC Isilon
Coverity warns that it is invalid to access following struct members by
accessing the current struct member pointer plus one. Assuming the
compilers aren't abusing this kind of UB yet, this cleanup isn't a
functional change.
Reported by: Coverity
CID: 1368713
Sponsored by: Dell EMC Isilon
This is a collection of minor changes as diff reduction against NetBSD.
NetBSD revs:
cd9660.c 1.39
cd9660.h 1.19
makefs.c 1.34
Obtained from: NetBSD
Sponsored by: The FreeBSD Foundation
instrument security event auditing rather than relying on conventional BSM
trail files or audit pipes:
- Add a set of per-event 'commit' probes, which provide access to
particular auditable events at the time of commit in system-call return.
These probes gain access to audit data via the in-kernel audit_record
data structure, providing convenient access to system-call arguments and
return values in a single probe.
- Add a set of per-event 'bsm' probes, which provide access to particular
auditable events at the time of BSM record generation in the audit
worker thread. These probes have access to the in-kernel audit_record
data structure and BSM representation as would be written to a trail
file or audit pipe -- i.e., asynchronously in the audit worker thread.
DTrace probe arguments consist of the name of the audit event (to support
future mechanisms of instrumenting multiple events via a single probe --
e.g., using classes), a pointer to the in-kernel audit record, and an
optional pointer to the BSM data and its length. For human convenience,
upper-case audit event names (AUE_...) are converted to lower case in
DTrace.
DTrace scripts can now cause additional audit-based data to be collected
on system calls, and inspect internal and BSM representations of the data.
They do not affect data captured in the audit trail or audit pipes
configured in the system. auditd(8) must be configured and running in
order to provide a database of event information, as well as other audit
configuration parameters (e.g., to capture command-line arguments or
environmental variables) for the provider to operate.
Reviewed by: gnn, jonathan, markj
Sponsored by: DARPA, AFRL
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D10149
A request may be queued while the queue lock is dropped when the mirror is
being destroyed. The corresponding wakeup would be lost, possibly resulting
in an apparent hang of the mirror worker thread.
Tested by: pho (part of a larger patch)
MFC after: 1 week
Sponsored by: Dell EMC Isilon
The worker thread will destroy the mirror provider as part of its teardown
sequence. The call made sense in the initial revision of gmirror, but
became unnecessary in r137248.
Tested by: pho (part of a larger diff)
MFC afteR: 2 weeks
Sponsored by: Dell EMC Isilon