Commit Graph

101 Commits

Author SHA1 Message Date
lidl
cb2fd85b37 Separate BLACKLIST vs BLACKLIST_SUPPORT properly
Sponsored by:	The FreeBSD Foundation
2016-06-07 16:31:03 +00:00
lidl
6f31a383cc Add basic blacklist build support
Reviewed by:	rpaulo
Approved by:	rpaulo
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5913
2016-06-02 19:06:04 +00:00
oshogbo
023f14d65b Convert casperd(8) daemon to the libcasper.
After calling the cap_init(3) function Casper will fork from it's original
process, using pdfork(2). Forking from a process has a lot of advantages:
1. We have the same cwd as the original process.
2. The same uid, gid and groups.
3. The same MAC labels.
4. The same descriptor table.
5. The same routing table.
6. The same umask.
7. The same cpuset(1).
From now services are also in form of libraries.
We also removed libcapsicum at all and converts existing program using Casper
to new architecture.

Discussed with:		pjd, jonathan, ed, drysdale@google.com, emaste
Partially reviewed by:	drysdale@google.com, bdrewery
Approved by:		pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4277
2016-02-25 18:23:40 +00:00
bdrewery
217f6f397b Fix installation of makewhatis.local(1) since r283777.
The wrapper script has moved to libexec/makewhatis.local since it is not
directlry related to the older makewhatis(1) utility that has been replaced
by the usr.bin/mandoc version.

Reported by:	vangyzen
2016-02-18 00:26:21 +00:00
bapt
fc9c658565 Move all the dma(8) components into one single directory
Simplifying maintainance and options (only one place to deal with MK_DMAGENT)

This also makes packaging base less intrusive by getting a single point where
to add tags.
2015-10-09 22:09:44 +00:00
ngie
06520f16dd Add the following options to enable/disable several features in the base system
WITHOUT_BOOTPARAMD - bootparamd
WITHOUT_BOOTPD - bootpd
WITHOUT_FINGER - finger, fingerd
WITHOUT_FTP - ftp, ftpd
WITHOUT_INETD - inetd
WITHOUT_RBOOTD - rbootd
WITHOUT_TCP_WRAPPERS - tcpd, et al
WITHOUT_TFTP - tftp, tftp-server
WITHOUT_TIMED - timed

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
2015-02-04 10:19:32 +00:00
ngie
21e793b32c Add MK_TALK knob for building the talk and talkd
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
2015-01-25 04:37:44 +00:00
imp
e33f69c523 HYPERV isn't available on all architectures, but just on by default
for i386/amd64. Rather, it only works on i386/amd64 and should only be
built there. Rather than change the default based on which
architecutre, do things more directly by only building it on
i386/amd64 and having it always on. This is how we handle other
options that are relevant only for a few architectures.
2014-10-16 00:33:06 +00:00
delphij
edc7ea3a5d Import HyperV Key-Value Pair (KVP) driver and daemon code by Microsoft,
many thanks for their continued support of FreeBSD.

While I'm there, also implement a new build knob, WITHOUT_HYPERV to
disable building and installing of the HyperV utilities when necessary.

The HyperV utilities are only built for i386 and amd64 targets.

This is a stable/10 candidate for inclusion with 10.1-RELEASE.

Submitted by:	Wei Hu <weh microsoft com>
MFC after:	1 week
2014-09-13 02:15:31 +00:00
imp
2118f42afd Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
bapt
1951f8498f Rename WITHOUT_DMA into WITHOUT_DMAGENT to avoid confusion
Requested by:	ian
2014-02-22 13:05:23 +00:00
bapt
44c7fbcbb3 Import Dragonfly Mail Agent into base system
It is a small and lightweight Mail Transport Agent.
It accepts mails from locally installed Mail User Agents (MUA) and delivers the
mails either locally or to a remote destination. Remote delivery includes
several features like TLS/SSL support, SMTP authentication and NULLCLIENT.

Make dma conditional to new WITHOUT_DMA option and make it respect WITHOUT_MAIL

Reviewed by:	peter
Discussed with:	emaste, bz, peter
2014-02-21 07:26:49 +00:00
pjd
1073fb03ac Please welcome casperd daemon. It (and its services) will be responsible for
giving access to functionality that is not available in capability mode
sandbox. The functionality can be precisely restricted.

Start with the following services:
- system.dns - provides API compatible to:
	- gethostbyname(3),
	- gethostbyname2(3),
	- gethostbyaddr(3),
	- getaddrinfo(3),
	- getnameinfo(3),
- system.grp - provides getgrent(3)-compatible API,
- system.pwd - provides getpwent(3)-compatible API,
- system.random - allows to obtain entropy from /dev/random,
- system.sysctl - provides sysctlbyname(3-compatible API.

Sponsored by:	The FreeBSD Foundation
2013-12-02 08:21:28 +00:00
jmmv
a1626fee63 Build and install the atf tests.
Reviewed by:	freebsd-testing
Approved by:	rpaulo (mentor)
2013-11-08 14:33:41 +00:00
jmmv
627bb4f0bd Subsume the functionality of MK_ATF into MK_TESTS.
There is no reason to keep the two knobs separate: if tests are
enabled, the ATF libraries are required; and if tests are disabled,
the ATF libraries are not necessary.  Keeping the two just serves
to complicate the build.

Reviewed by:	freebsd-testing
Approved by:	rpaulo (mentor)
2013-11-08 14:24:47 +00:00
des
1fb35847da By popular demand, move freebsd-version(1) from /libexec to /bin.
Approved by:	re (gjb)
2013-10-09 20:47:20 +00:00
des
8984ced46c Introduce the /libexec/freebsd-version script, which is intended to be
used by auditing tools to determine the userland patch level when it
differs from what `uname -r` reports.  This can happen when the system
is kept up-to-date using freebsd-update and the last SA did not touch
the kernel, or when a new kernel has been installed but the system has
not yet rebooted.

Approved by:	re (glebius)
2013-10-07 10:26:38 +00:00
marcel
8412efbea8 Add ATF to the build. This is may be a bit rought around the egdes,
but committing it helps to get everyone on the same page and makes
sure we make progress.

Tinderbox breakages that are the result of this commit are entirely
the committer's fault -- in other words: buildworld testing on amd64
only.

Credits follow:

Submitted by:	Garrett Cooper <yanegomi@gmail.com>
Sponsored by:	Isilon Systems
Based on work by:	keramida@
Thanks to:	gnn@, mdf@, mlaier@, sjg@
Special thanks to:	keramida@
2012-10-22 01:18:41 +00:00
ed
879c7d2730 Add a new library: libulog.
One of the things I really want to do, is to get rid of the limitations
of our current utmp(5) mechanism:

- It only allows 8 byte TTY device names.
- The hostname only allows 16 bytes of storage.

I'm not a big fan of <utmpx.h>, but I think we should at least try to
add parts of it. Unfortunately we cannot implement <utmpx.h>, because we
miss various fields, such as ut_id, ut_pid, etc. The API provided by
libulog shares some similarities with <utmpx.h>, so it shouldn't be too
hard to port these applications eventually. In most simple cases, it
should just be a matter of removing the ulog_ prefix everywhere.

As a bonus, it also implements a function called ulog_login_pseudo(),
which allows unprivileged applications to write log entries, provided
they have a valid file descriptor to a pseudo-terminal master device.

libulog will allow a smoother transition to a new file format by adding
a library interface to deal with utmp/wtmp/lastlog files. I initially
thought about adding the functionality to libutil, but because I'm not
planning on keeping this library around forever, we'd better keep it
separated.

Next items on the todo list:

1. Port applications in the base system (and ports) to libulog, instead
   of letting them use <utmp.h>.
2. Remove <utmp.h>, implement <utmpx.h> and reimplement this library on
   top.
3. Port as many applications as possible back to <utmpx.h>.
2009-12-03 15:48:24 +00:00
remko
dcd2780b1c Do the first step in removing lukemftpd from the base system. Disconnect
it from the build.

If you are using the FTP daemon, please consider using the port ftp/tnftpd
which is the same FTP server, but newer and might have more/better
functionality.

This results in us providing only one ftp daemon by default.

Reviewed by:	bz
Approved by:	imp (mentor, implicit)
MFC after:	3 days
Silence from:	obrien
2009-09-03 16:34:20 +00:00
dougb
8af28beff7 Per the man page:
The makekey utility has been deprecated and will be removed in a future
release of FreeBSD.

Actually removing it was approved back on 10/29/2007 by re (kensmith) but
I dropped the ball on actually removing it. It's doubtful that it's become
more relevant/useful in the intervening time.
2009-05-26 00:07:02 +00:00
sam
9c3d2ffcdf add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by:	various (posted to arch)
MFC after:	1 month
2008-09-21 22:02:26 +00:00
ed
126d9ed063 Remove the now unneeded pt_chown utility.
Before we had a posix_openpt() that allocated PTY's with proper
permissions in place, we used this set-uid utility to change the
ownership of PTY slave devices to the real user ID of the process. This
utility was used to implement grantpt().

In my first designs of the MPSAFE TTY layer, I replaced this by adding
an ioctl() called TIOCGRANTPT, which was used to change the ownership.
I left the pt_chown utility, because older C libraries needed it to work
properly.

After some discussions back in June I changed the PTY code to set
permissions properly upon creation. Fortunately the previous grantpt()
implementation changed permissions by hand when pt_chown is not
installed, which always succeeds. This means grantpt() still works
properly, even though the set-uid utility is missing.

I've done tests with FreeBSD 5.2.1, FreeBSD 6.3 and FreeBSD 7.0 jails.
All of them still work if I remove pt_chown.

Reviewed by:	philip (ex-mentor)
2008-08-24 10:01:22 +00:00
yar
64d3637d56 Add a hackish knob to skip rtld, NO_RTLD. In conjunction with
src/Makefile.inc1 rev. 1.590, it can allow installing a world
cross-built for a different arch over the live system.  The procedure
is more or less as follows:

	cp -R /rescue /rescue.old
	make installkernel TARGET_ARCH=foo
	make -DNO_RTLD installworld TARGET_ARCH=foo
	     ^^^^^^^^^
	PATH=/rescue.old
	chflags noschg /libexec/ld-elf.so.1
	cp /usr/obj/foo/usr/src/libexec/rtld/ld-elf.so.1 /libexec
	chflags schg /libexec/ld-elf.so.1
	<ditto for ld-elf32.so.1 if installing for amd64>
	reboot
2007-10-31 11:19:32 +00:00
mlaier
83807ec50d Link pf 4.1 to the build:
- move ftp-proxy from libexec to usr.sbin
 - add tftp-proxy
 - new altq mtag link

Approved by:	re (kensmith)
2007-07-03 12:46:08 +00:00
ru
388e590f95 Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
nectar
a23214e059 Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely.  There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat.  It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
2005-06-10 20:52:36 +00:00
obrien
06fef1a964 Enable lukemftpd for 6.0-RELEASE. 2005-05-16 17:12:23 +00:00
ru
860c6fe96a Install rlogind(8). Pointy hat is available on request. 2005-03-03 15:59:32 +00:00
trhodes
792676bbc2 Wrap BSD r* commands in NO_RCMDS.
Change NO_RCMDNS to NO_RCMDS and do the switch in bsd.compat.mk.

Discussed with: ru, nectar
2005-03-02 11:53:22 +00:00
ru
8f0a058ccf The only user of this utility (share/man/man0) was removed 2+ years ago. 2005-02-09 19:50:45 +00:00
ru
74176cc161 NODOCCOMPRESS -> NO_DOCCOMPRESS
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE
2004-12-21 09:33:47 +00:00
bz
4b83c5852a Add knob NO_NIS (fka NO_YP_LIBC) and make world compileable when set.
If turned on  no NIS support and related programs will be built.

Lost parts rediscovered by:	Danny Braniss <danny at cs.huji.ac.il>
PR:		bin/68303
No objections:	des, gshapiro, nectar
Reviewed by:	ru
Approved by:	rwatson (mentor)
MFC after:	2 weeks
2004-11-13 20:40:32 +00:00
des
a4c12f8006 Switch from BIND 8 to BIND 9.
Submitted by:	(in part) dougb@, trhodes@
Reviewed by:	dougb@, trhodes@, re@
MFC after:	5 days
2004-09-21 19:01:48 +00:00
obrien
536504fc3c Commit a crude hack so we get sparc64 snapshots working again with a
stable ld.so.  We need to revisit the rtld-elf/sparc64/rtld_start.S
rev. 1.5 and rtld-elf/sparc64/rtld_machdep.h rev. 1.5, which was
suppose to allow stock Binutils 2.13 (and later) to be used.
2004-06-17 16:08:20 +00:00
obrien
0ac1bd72be Fall out from Binutils 2.15: don't bulid the ld.so on Sparc64. 2004-06-17 03:04:24 +00:00
mlaier
6be47b725d Link pf to the build and install:
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in oder to complete make
installworld without errors.

This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.

For those who want to go without pf; it provides a NO_PF knob to make.conf.

__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.

Approved by:	bms(mentor)
2004-03-08 22:03:29 +00:00
ru
6593bb80ea - Build things in pure dictionary order (see sort(1)).
- Unify the conditional assignments section so that architectural
  exclusions come first, then options and !options, sorted by the
  option name, also in directory order, then architecture specific
  sections, sorted by the architecture name, with i386 being a
  traditional exception.

Prodded by:	bde
2004-01-16 15:23:19 +00:00
markm
d6aec2b6d6 Very big makeover in the way telnet, telnetd and libtelnet are built.
Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".

As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).

Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.
2003-07-16 20:59:15 +00:00
peter
469c0a1ad7 Do not exclude amd64 from rtld-elf builds.
Approved by:  re  (safe amd64 support commits)
2003-05-24 17:38:45 +00:00
des
e5d2d778eb Retire the useless NOSECURE knob.
Approved by:	re (scottl)
2003-05-19 15:52:01 +00:00
markm
64cd7ea15d Allow a NOPIC "make world" to complete.
OK'ed by:	re(scottl)
2003-05-11 18:48:29 +00:00
peter
10cba42d09 Exclude rtld-elf for amd64. More porting is still needed.
Approved by:  re (scottl)
2003-05-08 06:37:12 +00:00
markm
ee63e7dc15 Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.
2003-05-05 07:58:44 +00:00
ru
0deec148ba Build non-crypto telnet(1) and telnetd(8) if NO_OPENSSL is defined.
Submitted by:	Marius Strobl <marius@alchemy.franken.de>
2003-05-01 19:38:15 +00:00
ru
13592a9888 Don't clobber Kerberos5 telnet(1) and telnetd(8) with non-crypto versions. 2003-04-30 07:24:35 +00:00
imp
2bde9db9c2 Add back # accidentally deleted in 1.54 2003-04-27 06:16:52 +00:00
imp
733bde7ebe This is no longer needed after tw is gone.
Approved by: re@ (scottl)
2003-04-27 05:43:42 +00:00
jmallett
a33543dd92 Implement POSIX grantpt(3) functionality, and add a pt_chown utility (akin
to Solaris, it is in /usr/libexec) to perform the handing over of tty nodes
to the user being granted the pty.

Submitted by:	Ryan Younce <ryany@pobox.com>
Reviewed by:	security-officer@, standards@, mike@
2003-01-02 20:44:41 +00:00
obrien
5a20d2febf [DAIVD O'BRIEN's OPINION]
Head off what I think is an abuse of the TRB, and disable lukemftpd.
2002-11-12 17:31:12 +00:00