freebsd-skq/usr.sbin
jamie 33597fd138 In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.

Submitted by:	Shawn Webb <lattera at gmail.com>
Obtained from:	HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes:	yes
Sponsored by:	HardenedBSD and G2, Inc
Differential Revision:	https://reviews.freebsd.org/D18319
2018-11-27 17:51:50 +00:00
ac
accton
acpi rcorder(8): add support for /etc/rc.resume, so it calls "rcorder -k resume" 2018-10-27 17:21:13 +00:00
adduser
amd Move amd.map to usr.sbin/amd/amd/ 2018-09-18 00:32:10 +00:00
ancontrol
apm
apmd Move apmd.conf to CONFS in usr.sbin/apmd which simplifies this nicely. 2018-07-26 16:51:23 +00:00
arp
audit
auditd Move OpenBSM to CONFS 2018-08-11 13:23:09 +00:00
auditdistd
auditreduce
authpf
autofs Add the "autoro" flag to /media. This makes it attempt to mount 2018-08-14 13:52:08 +00:00
bhyve Define AHCI_PORT_IDENT and increase by 1 the VTBLK_BLK_ID_BYTES 2018-11-20 22:21:19 +00:00
bhyvectl
bhyveload userboot: handle guest interpreter mismatches more intelligently 2018-09-01 02:23:45 +00:00
binmiscctl Improve the binmiscctl manual page 2018-07-20 22:50:21 +00:00
blacklistctl
blacklistd Move blacklistd.conf to usr.sbin/blacklistd/ 2018-07-31 16:39:38 +00:00
bluetooth Fix the install location of hcsecd.conf 2018-08-26 02:09:20 +00:00
boot0cfg Add a “skip_dsn” option to g_part's bootcode verb to prevent g_part_mbr 2018-11-27 14:58:19 +00:00
bootparamd
bsdconfig Fix dialog autosizing to accommodate for hline 2018-10-28 19:29:07 +00:00
bsdinstall Sort i18n messages in bsdinstall zfsboot 2018-10-28 22:09:18 +00:00
bsnmpd Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of 2018-08-22 19:38:48 +00:00
btxld
camdd Make timespecadd(3) and friends public 2018-07-30 15:46:40 +00:00
cdcontrol
chkgrp
chown Handle overflow of uid or gid in arguments for chown 2018-09-26 18:40:57 +00:00
chroot
ckdist
clear_locks
config config(8): Allow escape-quoted empty strings 2018-08-20 22:08:03 +00:00
cpucontrol cpucontrol(8): De-duplicate common update logic 2018-11-14 00:21:49 +00:00
crashinfo Support compressed crash dumps in crashinfo(8). 2018-07-23 18:08:56 +00:00
cron Move etc/crontab to usr.sbin/cron/cron/ 2018-09-06 14:55:54 +00:00
crunch send-pr: wave goodbye 2018-08-19 07:12:35 +00:00
ctladm
ctld
ctm Prepare move of ctm from base to a port (misc/ctm) by: 2018-11-14 08:45:48 +00:00
cxgbetool cxgbetool(8): Add a subaction (tcbrss <n>) that can be used with "pass" 2018-10-27 05:26:09 +00:00
daemon Cross-reference nohup(1) and daemon(8). 2018-11-09 13:47:06 +00:00
dconschat
devctl Create devctl freeze/thaw. 2018-08-23 05:05:47 +00:00
devinfo
diskinfo
dumpcis
editmap
edquota
eeprom
efibootmgr Make -a (to make the entry active) apply to creation of a new boot 2018-09-02 18:40:18 +00:00
efidp
efivar Fix pointer arithmetic botch. 2018-10-26 23:44:39 +00:00
etcupdate Cross-reference mergemaster(8) & etcupdate(8). 2018-11-27 10:31:29 +00:00
extattr
extattrctl
fdcontrol
fdformat
fdread
fdwrite
fifolog
flowctl
fmtree
freebsd-update freebsd-update: add a progress report for the "fetching files..." 2018-10-31 17:37:54 +00:00
fstyp Do not blindly include illumos kernel headers instead of user-space. 2018-08-02 18:55:55 +00:00
ftp-proxy
fwcontrol
getfmac
getpmac
gpioctl
gssd
gstat - Add CSV output to gstat via -C flag. 2018-08-21 11:22:49 +00:00
hyperv
i2c
ifmcstat
inetd Move inetd.conf to usr.sbin/inetd/ 2018-08-12 13:29:40 +00:00
iostat iostat: update man page for r277566 2018-08-20 13:42:22 +00:00
iovctl
ip6addrctl
ipfwpcap
iscsid
jail In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl 2018-11-27 17:51:50 +00:00
jexec
jls
kbdcontrol
kbdmap
keyserv
kgmon
kgzip
kldxref kldxref: use appropriate Elf_Off type for offsets 2018-11-09 15:02:53 +00:00
lastlogin A single comma was missing to separate the "see also" items in 2018-10-20 17:22:04 +00:00
lpr Move hosts.lpd and printcap to usr.sbin/lpr/lpd/ 2018-09-20 09:21:05 +00:00
lptcontrol
mailstats
mailwrapper
makefs makefs: use FreeBSD brelse function signature 2018-07-26 13:33:10 +00:00
makemap
manctl
memcontrol
mergemaster Cross-reference mergemaster(8) & etcupdate(8). 2018-11-27 10:31:29 +00:00
mfiutil Make mfiutil show progress print out the elapsed time estimate in a 2018-10-13 02:21:23 +00:00
mixer
mld6query
mlx5tool
mlxcontrol
mount_smbfs
mountd mountd has no way to configure the listen queue depth; rather than add a new 2018-11-14 19:06:43 +00:00
moused Remove mse(4) from tree 2018-10-22 02:34:10 +00:00
mpsutil
mptable
mptutil
mtest
nandsim
nandtool
ndiscvt
ndp Update the "flag" for draft-ietf-6man-ipv6only-flag. 2018-11-03 18:03:24 +00:00
newsyslog newsyslog.conf: Restrict included files in default config to [!.]*.conf 2018-11-10 10:46:38 +00:00
nfscbd
nfsd nfsd: Factorize code 2018-11-04 06:39:01 +00:00
nfsdumpstate
nfsrevoke
nfsuserd Add missing endpwent() and endgrent() calls to nfsuserd(8). 2018-08-28 15:18:14 +00:00
ngctl Add blank line after each item in "ngctl ls -l" 2018-10-26 19:16:17 +00:00
nghook
nmtree
nologin
nscd Style cleanup. 2018-11-27 09:41:47 +00:00
ntp Fix typo introduced in r340439 - s/ETN/ETC/ 2018-11-14 18:38:27 +00:00
nvram
ofwdump
pc-sysinstall
pciconf Require write access when mmapping BAR. 2018-08-03 18:35:20 +00:00
periodic Fix daily mailq script for Postfix and daily_show_success="NO" 2018-11-11 00:39:20 +00:00
pkg Move pkg/FreeBSD.conf to usr.sbin/pkg/ 2018-07-31 16:42:03 +00:00
pmc Fix build with GCC 8.1. 2018-10-01 16:16:05 +00:00
pmcannotate
pmccontrol restore pmccontrol -L behavior on x86 2018-09-24 19:06:09 +00:00
pmcstat
pmcstudy
pnfsdscopymr Fix the err() arguments for a nfssvc(8) failure. 2018-08-08 20:30:12 +00:00
pnfsdsfile Document the new "-m" command line option for pnfsdsfile(8). 2018-07-01 17:51:52 +00:00
pnfsdskill Document the "-f" option added to pnfsdskill(8) by r336176. 2018-07-10 18:44:44 +00:00
pnpinfo
portsnap Now that the portsnap buildbox is generating the raw bits for INDEX-13, 2018-10-25 08:05:53 +00:00
powerd powerd: correct ifdef check for ppc 2018-06-27 01:28:09 +00:00
ppp Make ppp(8) buildable. 2018-09-19 07:09:55 +00:00
pppctl
praliases
praudit
prometheus_sysctl_exporter
pstat
pw pw: fix the checks in boolean_str() after r326738. Add related test 2018-10-21 14:23:56 +00:00
pwd_mkdb pwd_mkdb: retire -B and -L endianness options 2018-10-21 00:48:38 +00:00
quot
quotaon
rarpd
repquota
rip6query
rmt Fix missing files in METALOG with -DNO_ROOT 2018-06-29 21:15:17 +00:00
route6d Use the right variable when updating interface routes. 2018-08-08 20:15:40 +00:00
rpc.lockd
rpc.statd
rpc.umntall
rpc.yppasswdd
rpc.ypupdated
rpc.ypxfrd
rpcbind
rrenumd
rtadvctl
rtadvd Update the "flag" for draft-ietf-6man-ipv6only-flag. 2018-11-03 18:03:24 +00:00
rtprio
rtsold Minor style fixes around script execution. 2018-10-25 21:45:24 +00:00
rwhod capsicum: use a new capsicum helpers in tools 2018-11-04 19:24:49 +00:00
sa
sendmail
service
services_mkdb Add MPLS LSP-echo (RFC8029, March 2017) port. 2018-09-06 18:34:11 +00:00
sesutil
setfib
setfmac
setpmac
smbmsg
snapinfo
spi Add an example for displaying the manufacturer and size info from a 2018-06-23 23:08:25 +00:00
spkrtest
spray
syslogd Remove trailing slash in pathname so that valid METALOG is created in the 2018-08-25 20:19:16 +00:00
sysrc sysrc(8): Send error message to stderr (not stdout) 2018-07-16 18:53:17 +00:00
tcpdchk
tcpdmatch
tcpdrop Use uintptr_t alone when assigning to kvaddr_t variables. 2018-07-10 13:03:06 +00:00
tcpdump
tests
timed
traceroute
traceroute6
trpt
tzsetup In read_zones(), check if the file name actually fit in the buffer 2018-08-09 02:47:22 +00:00
uathload
uefisign Make uefisign(8) buildable. 2018-09-19 07:10:28 +00:00
ugidfw
uhsoctl Use correct type for IOCTL request argument. 2018-11-02 22:23:25 +00:00
unbound Check that /etc/resolv.conf exists before trying to read it. 2018-11-27 09:46:01 +00:00
usbconfig
usbdump
utx
vidcontrol vidcontrol(1): Fix a typo in the description of -f 2018-10-20 16:59:43 +00:00
vigr
vipw
wake
watch
watchdogd
wlandebug
wpa wpa_supplicant.8: Remove removed option 2018-07-28 23:59:36 +00:00
yp_mkdb
ypbind
ypldap
yppoll
yppush
ypserv
ypset
zic
zonectl
zzz
Makefile Move pmc* bits behind MK_PMC to fix WITHOUT_PMC build 2018-11-05 00:20:58 +00:00
Makefile.amd64
Makefile.arm
Makefile.arm64
Makefile.i386
Makefile.inc
Makefile.mips
Makefile.powerpc
Makefile.riscv Build ofwdump on riscv. 2018-07-24 20:20:17 +00:00
Makefile.sparc64