This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.
There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.
The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.
We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.
Add -l option to sbin/veriexec to report labels.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431
Remove leftover empty leading comments/blank lines that had been
spacers between $FreeBSD$ and the following content in config files
in src/etc.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D41548
default which was added in sendmail 8.15.2 (the config line predates
that 8.15.2 feature). This also alleviates the need for admins
to create the DH parameters file if they opt to use Diffie-Hellman.
PR: 248387
MFC after: 2 weeks
Unzip from FreeBSD has been ported to libarchive.
Change usr.bin/unzip to use bsdunzip from libarchive.
Differential Revision: https://reviews.freebsd.org/D41239
PR: 272845 (exp-run)
MFC after: 1 month
The mac_ipacl policy module enables fine-grained control over IP address
configuration within VNET jails from the base system.
It allows the root user to define rules governing IP addresses for
jails and their interfaces using the sysctl interface.
Requested by: multiple
Sponsored by: Google, Inc. (GSoC 2019)
MFC after: 2 months
Reviewed by: bz, dch (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D20967
This better reflects the intent that this directory is indexed by kld
name and removes a conflict with D32128 which aims to split sysctl.conf.
Reviewed by: kevans imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D41043
For kernel modules loaded by scripts in /etc/rc.d and
/usr/local/etc/rc.d, if there is a file in /etc/sysctl.conf.d named <kld
name>.conf, then this will be loaded using the sysctl(8) utility. For
instance, sysctl variable changes for the pf kernel module would be
placed in the file /etc/sysctl.conf.d/pf.conf.
PR: 272129
Reviewed by: imp freebsd_igalic.co
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40886
These are present (and empty) on a system installed post-GCC removal.
Reviewed by: imp
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D40878
Update its mtree entry.
Reviewed by: christos, markj
Fixes: 911f026039 dtrace: move kinst tests to common
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40901
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.
Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.
Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.
There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.
Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.
Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.
PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
The loop above is responsible for creating the actual directories,
whilst this one is just responsible for creating the corresponding
METALOG. Since DESTDIR already includes DISTBASE, this results in
creating a second set of roots (one per MTREES entry) within DISTBASE
whenever DISTBASE is non-empty, such as base/base, base/base/var,
base/base/usr, etc. in the distributeworld case. This is purely cosmetic
though as they won't appear in the METALOG.
This will help ensure that the change following this
one to support OpenSSL 3 is sane.
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D40297
One test is suitable to be hooked up to the build, so I've done this
here. The other test lives in tools/regression because failure is a
bit more subjective -- generally, one runs it for some unbounded amount
of time and observe if it eventually exits because two threads acquired
the same mutex.
Reviewed by: imp, mmel
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D39668
This script's goal is to check the system for peripherals that needs
firmware and install the needed packages for them.
For now it only support pci subsystem and only video classes for AMD
and Intel GPUs.
Reviewed by: bapt
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D39825
These libraries are linked to directly by applications rather than
opened at runtime via dlopen().
Discussed with: oshogbo
Reviewed by: markj, emaste
Differential Revision: https://reviews.freebsd.org/D39245
We have FIDO/U2F support in the base system now, so reserve a group ID
for it (maching the security/u2f-devd port).
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34341
Most ATM support was removed prior to FreeBSD 12. The netgraph support
was kept as it was less intrusive, but it is presumed to be unused.
Reviewed by: manu
Relnotes: yes
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D38879
rc.d/hostid_save saves a UUID generated by rc.d/hostid in /etc/hostid.
Store the same UUID, without hyphens, in /etc/machine-id. The hypĥens
are removed with a shell function because hostid_save runs before file
systems are mounted so other tools may not be available yet.
This eliminates some duplication between hostid and machine-id and for
virtual machines machine-id now contains the UUID configured in the
hypervisor like it does on Linux.
Reviewed by: delphij
Discussed with: bapt
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38811
The function that sets test case metadata is actually named ${tc}_head
rather than ${tc}, so add the suffix.
While we're here, hook the tests up to the infrastructure so that they
do get run.
Sponsored by: Klara, Inc.
* Drop <err.h>, which is unnecessary since we use libxo.
* As per POSIX, report an error if output fails.
* Fix some type mismatches.
* Use bool instead of int where appropriate.
* Avoid repeatedly checking for a null filename.
* Miscellaneous other tidying.
* Add tests (partly derived from work performed by SHENG-YI HONG <i19780219111@kimo.com>).
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D38496
timeout(1) is used by /etc/rc.d/zfskeys. Unfortunately, having
timeout(1) installed in /usr/bin causes problems when /usr is an
encrypted ZFS partition.
Implementing timeout(1) in sh(1) is not trivial. A more elegant solution
is to move timeout(1) to /bin so that it is available to early services
in the boot process.
PR: 265221
Reviewed by: allanjude, des, imp
Approved by: allanjude, des, imp
Reported by: Ivan <r4@sovserv.ru>
Fixes: 33ff39796f Add zfskeys rc.d script for auto-loading encryption keys
MFC after: 1 week
Relnotes: yes
Sponsored by: Modirum MDPay
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D38344
Checks basic forward to local address, also with presence of
a listener that matches original port (see aab8c844b9). Based
on non-ATF test case written by Pavel Polyakov.
Reviewed by: kp, melifaro
Differential revision: https://reviews.freebsd.org/D37960
The command to generate termcap.small doesn't use any pipes, so this
option is not needed. Using it also breaks cross-building on hosts
where /bin/sh does not support pipefail such as Linux hosts where
/bin/sh is dash.
Reviewed by: sobomax, imp
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D37865
