openbsd
6 years agoReflect reality.
espie [Mon, 6 Aug 2018 18:20:47 +0000 (18:20 +0000)]
Reflect reality.
The infrastructure no longer uses -Dunsigned, but TRUSTED_PKG_PATH,
which narrows the source of unsigned package to a single place, and
thus is less hazardous.

6 years agoreplace the current log options
benno [Mon, 6 Aug 2018 17:31:31 +0000 (17:31 +0000)]
replace the current log options

 log updates|all

with

 log state changes
 log host checks
 log connection [errors]

The first two control the logging of host check results: either changes in host state only or
all checks.

The third option controls logging of connections in relay mode:
Either log all connections, or only errors.

Additionaly, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.

ok and feedback from claudio@

6 years agoCorrect example file since reserved words cannot be used as macros. Not only
mestre [Mon, 6 Aug 2018 17:26:31 +0000 (17:26 +0000)]
Correct example file since reserved words cannot be used as macros. Not only
that, the macro used was password and if we changed it to something like
pass="secret" it would log it if the daemon was ran in verbose mode.

Hint and OK claudio@

6 years agoChange manpage example for reserved words since the macro used is to replace
mestre [Mon, 6 Aug 2018 17:25:11 +0000 (17:25 +0000)]
Change manpage example for reserved words since the macro used is to replace
a password and that way it would log it when the daemon is ran in verbose mode.

Hint and OK claudio@

6 years agoValidate the prefix sent in a network delete call before trying to delete
claudio [Mon, 6 Aug 2018 15:59:01 +0000 (15:59 +0000)]
Validate the prefix sent in a  network delete call before trying to delete
it. We should not trust this input too much as found by Pierre Emeriaud.
OK benno@

6 years agoFix debug message in ieee80211_auth_open(): s/reason/status/
stsp [Mon, 6 Aug 2018 14:28:13 +0000 (14:28 +0000)]
Fix debug message in ieee80211_auth_open(): s/reason/status/
Status codes and reason codes are separate things listed in distinct tables.
This debug message made me look at the wrong table and scratch my head.

6 years agomake ifconfig <if> join display the list of networks configured for
benno [Mon, 6 Aug 2018 11:42:18 +0000 (11:42 +0000)]
make ifconfig <if> join display the list of networks configured for
auto-join
with feedback from florian and stsp
ok florian@ phessler@ (on previous versions of the diff) stsp@

6 years agoRefactor ieee80211_add_ess():
stsp [Mon, 6 Aug 2018 11:28:01 +0000 (11:28 +0000)]
Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler

6 years agoGive the FDT interrupt API a more generic naming by replacing the
patrick [Mon, 6 Aug 2018 10:52:30 +0000 (10:52 +0000)]
Give the FDT interrupt API a more generic naming by replacing the
arm_intr_* prefix with fdt_intr_*.

ok kettenis@

6 years agoDo not set nwid over and over again. We just found the ess by comparing
florian [Mon, 6 Aug 2018 09:34:17 +0000 (09:34 +0000)]
Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp

6 years agoPass the stale timestamp to path_remove_stale() removes a asp->peer dereference
claudio [Mon, 6 Aug 2018 08:13:31 +0000 (08:13 +0000)]
Pass the stale timestamp to path_remove_stale() removes a asp->peer dereference

6 years agoReplace two asp->peer with prefix_peer(p) which is the same.
claudio [Mon, 6 Aug 2018 08:10:12 +0000 (08:10 +0000)]
Replace two asp->peer with prefix_peer(p) which is the same.

6 years agoAssign peer1 and peer2 early on and use them everywhere instead of aspX->peer.
claudio [Mon, 6 Aug 2018 08:06:49 +0000 (08:06 +0000)]
Assign peer1 and peer2 early on and use them everywhere instead of aspX->peer.

6 years agoRemove cpath pledge(2) promise. We decided that not deleting the unix control
mestre [Mon, 6 Aug 2018 06:30:06 +0000 (06:30 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

6 years agoDrop "rpath" from pledge(2) after ncurses initialization.
mestre [Mon, 6 Aug 2018 06:27:32 +0000 (06:27 +0000)]
Drop "rpath" from pledge(2) after ncurses initialization.

Discussed with and OK tb@
OK cheloha@ on previous version

6 years agoifconfig ioctl's that bring interfaces up the first time may issue
deraadt [Sun, 5 Aug 2018 23:19:49 +0000 (23:19 +0000)]
ifconfig ioctl's that bring interfaces up the first time may issue
firmware loads.  The namei operations are being performed are on behalf
of the kernel not process, so use BYPASSUNVEIL.
spotted by sthen, ok beck

6 years agoFix typo that caused us to misassign parents.
kettenis [Sun, 5 Aug 2018 21:05:17 +0000 (21:05 +0000)]
Fix typo that caused us to misassign parents.

ok patrick@

6 years agouse .Fl macro for command line options
schwarze [Sun, 5 Aug 2018 19:12:56 +0000 (19:12 +0000)]
use .Fl macro for command line options

6 years agowrong macro
schwarze [Sun, 5 Aug 2018 19:07:30 +0000 (19:07 +0000)]
wrong macro

6 years agoDecouple unveil from the pledge flags, by adding dedicated unveil flags
beck [Sun, 5 Aug 2018 14:23:57 +0000 (14:23 +0000)]
Decouple unveil from the pledge flags, by adding dedicated unveil flags
to the namei args. This fixes a bug where chmod would be allowed when
with only READ. This also allows some further cleanup of some awkward
things like PLEDGE_STAT that will follow
Lots of assistence from semarie@ - thanks!
ok semarie@

6 years agoRemove unnecessary NULL check from get_cert_by_subject since
bcook [Sun, 5 Aug 2018 14:17:12 +0000 (14:17 +0000)]
Remove unnecessary NULL check from get_cert_by_subject since
sk_BY_DIR_HASH_find already does it, removing ambiguity later in the function.

ok tb@

6 years agoPrevent a panic when reboot -q is used by making unveil_removevnode
beck [Sun, 5 Aug 2018 13:59:38 +0000 (13:59 +0000)]
Prevent a panic when reboot -q is used by making unveil_removevnode
sane.
ok kettenis@

6 years agoFix a memory leak in i2d_RSA_NET on failure of ASN1_STRING_set.
bcook [Sun, 5 Aug 2018 13:35:45 +0000 (13:35 +0000)]
Fix a memory leak in i2d_RSA_NET on failure of ASN1_STRING_set.

Found by Coverity.
Feedback and ok tb@

6 years agoremove duplicate installation of the SIGINT handler;
schwarze [Sun, 5 Aug 2018 13:32:25 +0000 (13:32 +0000)]
remove duplicate installation of the SIGINT handler;
from Martin Kopta <martin at kopta dot eu>

6 years agoIn RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.
bcook [Sun, 5 Aug 2018 13:30:04 +0000 (13:30 +0000)]
In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.

ok tb@

6 years agoenable virtio pci attachment on armv7
jsg [Sun, 5 Aug 2018 13:20:58 +0000 (13:20 +0000)]
enable virtio pci attachment on armv7

6 years agoMention ioctls that don't work for the control device.
ratchov [Sun, 5 Aug 2018 11:46:31 +0000 (11:46 +0000)]
Mention ioctls that don't work for the control device.

ok jmc

6 years agoUse english words instead of file names.
ratchov [Sun, 5 Aug 2018 11:41:50 +0000 (11:41 +0000)]
Use english words instead of file names.

ok jmc

6 years agoFix memory leak in i2b_PVK in error handling.
bcook [Sun, 5 Aug 2018 11:19:25 +0000 (11:19 +0000)]
Fix memory leak in i2b_PVK in error handling.
Simplify parameter checks since this is only called from one place.
Found by Coverity, CID 183502.

ok beck@

6 years agoRemove obvious or repeating sentinces.
ratchov [Sun, 5 Aug 2018 10:31:49 +0000 (10:31 +0000)]
Remove obvious or repeating sentinces.

ok jmc

6 years agoSince -s argument is no longer checked, during reexec, the argv size then must
mestre [Sun, 5 Aug 2018 09:37:52 +0000 (09:37 +0000)]
Since -s argument is no longer checked, during reexec, the argv size then must
be shortened by 1.

OK florian@

6 years agoSince -s argument is no longer checked, during reexec, the argv size then must
mestre [Sun, 5 Aug 2018 09:37:05 +0000 (09:37 +0000)]
Since -s argument is no longer checked, during reexec, the argv size then must
be shortened by 1.

OK florian@

6 years agoRemove cpath pledge(2) promise. We decided that not deleting the unix control
mestre [Sun, 5 Aug 2018 09:33:13 +0000 (09:33 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

While here also scramble pledge promises to their canonical form.

OK florian@

6 years agocalloc the mode data instead of malloc and initialize everything.
nicm [Sun, 5 Aug 2018 08:59:30 +0000 (08:59 +0000)]
calloc the mode data instead of malloc and initialize everything.

6 years agoenable bio and softraid on arm64 ramdisk
jsg [Sun, 5 Aug 2018 08:54:43 +0000 (08:54 +0000)]
enable bio and softraid on arm64 ramdisk

6 years agoenable bio and softraid on armv7 ramdisk
jsg [Sun, 5 Aug 2018 08:54:05 +0000 (08:54 +0000)]
enable bio and softraid on armv7 ramdisk

6 years agoRemove now unused header which I forgot to commit on previous.
mestre [Sun, 5 Aug 2018 08:41:28 +0000 (08:41 +0000)]
Remove now unused header which I forgot to commit on previous.

6 years agoRemove cpath pledge(2) promise. We decided that not deleting the unix control
mestre [Sun, 5 Aug 2018 08:20:54 +0000 (08:20 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK florian@

6 years agoRemove cpath pledge(2) promise. We decided that not deleting the unix control
mestre [Sun, 5 Aug 2018 08:16:24 +0000 (08:16 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK akoshibe@ florian@

6 years agoRevert back previous and remove cpath pledge(2) promise entirely. We decided
mestre [Sun, 5 Aug 2018 08:10:35 +0000 (08:10 +0000)]
Revert back previous and remove cpath pledge(2) promise entirely. We decided
that not deleting the unix control sockets cause no harm and this way we close
another attack surface by not allowing the daemon to create/delete any more
files.

tweak and OK florian@

6 years agodocument some more escapes which are hit by restricted mode,
jmc [Sun, 5 Aug 2018 06:11:55 +0000 (06:11 +0000)]
document some more escapes which are hit by restricted mode,
and move the documentation of which are relevant to the restricted mode
(-r) description;

from kris katterjohn

while here, replace some Gt/Lt escapes;

6 years agoImplement a few missing RK3288 clocks and implement resets.
kettenis [Sat, 4 Aug 2018 20:23:49 +0000 (20:23 +0000)]
Implement a few missing RK3288 clocks and implement resets.

6 years agofix a glitch in rev. 1.24: getline(3) returns ssize_t, not size_t;
schwarze [Sat, 4 Aug 2018 19:19:37 +0000 (19:19 +0000)]
fix a glitch in rev. 1.24: getline(3) returns ssize_t, not size_t;
pointed out by Andre Stoebe <as at nul not space>

6 years agoobvious KNF: avoid '!' for tests of non-boolean variables,
schwarze [Sat, 4 Aug 2018 16:47:05 +0000 (16:47 +0000)]
obvious KNF: avoid '!' for tests of non-boolean variables,
__dead void usage, return from main and return is not a function,
err(1, NULL) after malloc failure, and garbage collect (void) casts
on functions that usually do not need return value checks

6 years agoavoid using a value uninitialised
jsg [Sat, 4 Aug 2018 16:42:46 +0000 (16:42 +0000)]
avoid using a value uninitialised
ok kevlo@

6 years agoAdd regress test to ensure that chmod fails when unveiled with "r"
beck [Sat, 4 Aug 2018 16:23:00 +0000 (16:23 +0000)]
Add regress test to ensure that chmod fails when unveiled with "r"
(problem noticed by semarie@ - fix forthcoming)

6 years agoUse POSIX getline(3) rather than the non-standard and error-prone fgetln(3).
schwarze [Sat, 4 Aug 2018 16:14:03 +0000 (16:14 +0000)]
Use POSIX getline(3) rather than the non-standard and error-prone fgetln(3).
In part based on a diff from Lauri Tirkkonen <lotheac at iki dot fi>.
While here, significantly simplify sequential().
No objection when shown on tech@.

6 years agoOops. Missing chunk from previous 'secs' -> 'ui'.
krw [Sat, 4 Aug 2018 16:09:00 +0000 (16:09 +0000)]
Oops. Missing chunk from previous 'secs' -> 'ui'.

6 years agoRename local variable 'secs' to 'ui' to be consistant with all other
krw [Sat, 4 Aug 2018 15:36:41 +0000 (15:36 +0000)]
Rename local variable 'secs' to 'ui' to be consistant with all other
uses of getuint64(). No change to executable.

6 years agoThe operating-points-v2 binding allows opp-microvolt to be a single cell
kettenis [Sat, 4 Aug 2018 11:55:40 +0000 (11:55 +0000)]
The operating-points-v2 binding allows opp-microvolt to be a single cell
or three cells.  Handle both cases, but ignore the minimum and maximum
values if they are provided in the case where we have three cells.

ok patrick@

6 years agoRevert back previous commit, we have decided that socket files don't cause any
mestre [Sat, 4 Aug 2018 11:07:14 +0000 (11:07 +0000)]
Revert back previous commit, we have decided that socket files don't cause any
harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).

Discussion initiated by a question from deraadt@ OK florian@

6 years agoLeave the control socket behind on shutdown. It doesn't hurt anyone.
florian [Sat, 4 Aug 2018 09:37:17 +0000 (09:37 +0000)]
Leave the control socket behind on shutdown. It doesn't hurt anyone.
On the other hand it is much more powerful to get rid of cpath; rad is
no longer allowed to change anything on the filesystem.
Triggered by mestre@'s work to fix unlinking in other daemons and a
question from deraadt@
OK mestre

6 years agoLeave the control socket behind on shutdown. It doesn't hurt anyone.
florian [Sat, 4 Aug 2018 09:36:49 +0000 (09:36 +0000)]
Leave the control socket behind on shutdown. It doesn't hurt anyone.
On the other hand it is much more powerful to get rid of cpath; slaacd
has no filesystem access whatsoever.
Triggered by mestre@'s work to fix unlinking in other daemons and a
question from deraadt@
OK mestre

6 years agodocument AUTOCONF_ENV
espie [Sat, 4 Aug 2018 09:01:56 +0000 (09:01 +0000)]
document AUTOCONF_ENV

6 years agotweak previous;
jmc [Sat, 4 Aug 2018 06:10:05 +0000 (06:10 +0000)]
tweak previous;

6 years agosync
deraadt [Sat, 4 Aug 2018 03:27:45 +0000 (03:27 +0000)]
sync

6 years agoI can find no reason why portmap needs rpath after initialization.
deraadt [Sat, 4 Aug 2018 03:23:08 +0000 (03:23 +0000)]
I can find no reason why portmap needs rpath after initialization.

6 years agoinvalidate dh->priv_key after freeing it in error path; avoids
djm [Sat, 4 Aug 2018 00:55:06 +0000 (00:55 +0000)]
invalidate dh->priv_key after freeing it in error path; avoids
unlikely double-free later. Reported by Viktor Dukhovni via
https://github.com/openssh/openssh-portable/pull/96
feedback jsing@ tb@

6 years agoUncomment no-longer-dead Xr.
helg [Sat, 4 Aug 2018 00:08:53 +0000 (00:08 +0000)]
Uncomment no-longer-dead Xr.

6 years agoAdd man page for fuse_get_context(3).
helg [Fri, 3 Aug 2018 23:32:04 +0000 (23:32 +0000)]
Add man page for fuse_get_context(3).

6 years agoPass PCIe requester ID as sideband data here as well.
kettenis [Fri, 3 Aug 2018 22:40:05 +0000 (22:40 +0000)]
Pass PCIe requester ID as sideband data here as well.

6 years agoLet ahci(4) match on _CLS instead of _HID when attaching at acpi(4). Avoids
kettenis [Fri, 3 Aug 2018 22:18:13 +0000 (22:18 +0000)]
Let ahci(4) match on _CLS instead of _HID when attaching at acpi(4).  Avoids
having to add many more _HID entries to the match table.

ok deraadt@, mlarkin@

6 years agoImplement setting the CPU clock for Allwinner H3/H5 SoCs.
kettenis [Fri, 3 Aug 2018 21:28:28 +0000 (21:28 +0000)]
Implement setting the CPU clock for Allwinner H3/H5 SoCs.

6 years agoAlso attach as a regulator if the FDT provides the fixed voltage value.
kettenis [Fri, 3 Aug 2018 21:07:34 +0000 (21:07 +0000)]
Also attach as a regulator if the FDT provides the fixed voltage value.
Restore fixed voltage at reboot time to prevent hangs after a warm reset
if DVFS is active.

6 years agoadvertise slaacd.8;
jmc [Fri, 3 Aug 2018 20:09:48 +0000 (20:09 +0000)]
advertise slaacd.8;

6 years agosort; ok florian
jmc [Fri, 3 Aug 2018 19:54:11 +0000 (19:54 +0000)]
sort; ok florian

6 years agoImplement single-stepping. Based on an earlier diff from drahn@.
kettenis [Fri, 3 Aug 2018 18:36:01 +0000 (18:36 +0000)]
Implement single-stepping.  Based on an earlier diff from drahn@.
Disable userland debug communication access while there.

ok patrick@

6 years agoreturn is not a function and if (x) -> if (x != NULL)
benno [Fri, 3 Aug 2018 17:57:21 +0000 (17:57 +0000)]
return is not a function and if (x) -> if (x != NULL)
From Ross L Richardson, thanks
ok millert@

6 years agofix error messages from earlier syntax change
benno [Fri, 3 Aug 2018 17:51:40 +0000 (17:51 +0000)]
fix error messages from earlier syntax change
From Ross L Richardson
ok millert@

6 years agocorrect an error message, from Ross L Richardson
benno [Fri, 3 Aug 2018 17:49:57 +0000 (17:49 +0000)]
correct an error message, from Ross L Richardson
ok millert@

6 years agodocument the default in the abscence of a certificate authority.
benno [Fri, 3 Aug 2018 17:48:34 +0000 (17:48 +0000)]
document the default in the abscence of a certificate authority.
From Ross L Richardson

6 years agoDocument that domain certificate is optional.
benno [Fri, 3 Aug 2018 17:46:57 +0000 (17:46 +0000)]
Document that domain certificate is optional.
From Ross L Richardson

6 years agoMove pledge after getopt when we know whether the operation is reboot,
deraadt [Fri, 3 Aug 2018 17:09:22 +0000 (17:09 +0000)]
Move pledge after getopt when we know whether the operation is reboot,
powerdown, halt, or singleuser.  Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files.  Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.

6 years agoImplement DVFS support.
kettenis [Fri, 3 Aug 2018 16:45:17 +0000 (16:45 +0000)]
Implement DVFS support.

ok patrick@

6 years agoMove nexthop and nexthop flags from the rde_aspath to struct prefix.
claudio [Fri, 3 Aug 2018 16:31:22 +0000 (16:31 +0000)]
Move nexthop and nexthop flags from the rde_aspath to struct prefix.
struct prefix will be slowly becomming the hub of the rib.
OK phessler@ job@

6 years agounveil _PATH_UTMP at startup. Time for a commentary:
deraadt [Fri, 3 Aug 2018 16:02:53 +0000 (16:02 +0000)]
unveil _PATH_UTMP at startup.  Time for a commentary:

There is a TOCTOU between unveil() and open() which should always be
considered, since a path is being supplied twice to the kernel.  First
unveil()s define which paths remain in scope, then secondly open()s
try to access paths in scope.  The unveil() generates a vnode
reservation against the final path resolution (including symbolic link
collapse).  Before the open() occurs, root could replace the path with
symbolic traversal pointing elsewhere.  Then open() will traverse a
path which fails to discover the reserved vnode, and thus fail with
ENOENT.  The TOCTOU sequence doesn't succeed against the new path, it
*always fails*.  (Unless the symlink resolves to another unveil'd
vnode object, but that is not new behaviour).

So once a process is running with veiled filesystem view, we can
consider such a symlink change action as PERMANENTLY visible to this
process and correctly contained to the scoped view, rather than the
previous behaviour of being TRANSIENT and global in view.  So this is
not a real race, security implications will be narrow, and generally
the old symlink-race case is the less secure.

When we add this unveil+open TOCTOU scenario to a program, we should
consider who can perform such a symlink snap, and whether behaviour
change to the program is more disruptive than the risks prevented
through filesystem hiding.  How does a program behave if a file
disappears due to active interference?  Are users (and scripts) used
to operating in a racey best-effort way, and is the additional
strictness strangling their freedom to run shitty stuff?

A few general rules for base programs can avoid problems in this area:
don't en masse unveil argv[], then process argv[] in a second phase.
Don't unveil args which get placed into TZ, TERM, and some other
environment variables, unless you completely understand what libc is
doing.

6 years agoWe can only unveil if the prefix is a directory (the input paths, and the
deraadt [Fri, 3 Aug 2018 15:29:51 +0000 (15:29 +0000)]
We can only unveil if the prefix is a directory (the input paths, and the
output directory).  If prefix isn't a directory, that would require
enumerating all prefix<sig>.<id> filenames and unveiling all of them
which isn't reasonable... for the file case can we identify whether it
starts start with '/' or not, and unveil '/' or '.' for "w"?

6 years agoImprove synchronization between the parent and children. This fixes
visa [Fri, 3 Aug 2018 15:19:44 +0000 (15:19 +0000)]
Improve synchronization between the parent and children. This fixes
a spurious test failure spotted by anton@ and eliminates sleeping
in the test.

Feedback and OK anton@

6 years agoMove pledge to after getopt, when the finger program becomes known
deraadt [Fri, 3 Aug 2018 15:14:18 +0000 (15:14 +0000)]
Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.

6 years agopledge() a little later, after getopt operation, in case -f option changes
deraadt [Fri, 3 Aug 2018 15:01:28 +0000 (15:01 +0000)]
pledge() a little later, after getopt operation, in case -f option changes
the filename.  We can then unveil that file, pledge() as before, and proceed
to parsing.

6 years agosync
deraadt [Fri, 3 Aug 2018 14:58:21 +0000 (14:58 +0000)]
sync

6 years agowrap long lines
deraadt [Fri, 3 Aug 2018 14:47:56 +0000 (14:47 +0000)]
wrap long lines

6 years agounveil _PATH_DEVDB for devname(). All other filenames are opened
deraadt [Fri, 3 Aug 2018 14:39:55 +0000 (14:39 +0000)]
unveil _PATH_DEVDB for devname().   All other filenames are opened
before unveil/pledge.

6 years agoReshuffle the way bgpd does the softreload after filter changes.
claudio [Fri, 3 Aug 2018 14:10:39 +0000 (14:10 +0000)]
Reshuffle the way bgpd does the softreload after filter changes.
Walk each rib at most once and push it from there to all RIBs or peers
that need the update. Makes the logic more streight and so easier to run
in background.
Tested by and OK phessler@

6 years agoEnable mue(4).
kevlo [Fri, 3 Aug 2018 13:37:08 +0000 (13:37 +0000)]
Enable mue(4).
Tested on Orange Pi Plus 2E (armv7) and Orange Pi PC 2 (arm64).

ok jsg@

6 years agoMove dns settings to global options so that they don't need to be
florian [Fri, 3 Aug 2018 13:14:46 +0000 (13:14 +0000)]
Move dns settings to global options so that they don't need to be
repeated in every interface block - they can still be overwritten
on a per interface basis.
Pointed out by, tweaks & OK sthen

6 years agodocument that wpakey needs a preceeding nwid OR join specification
halex [Fri, 3 Aug 2018 11:21:27 +0000 (11:21 +0000)]
document that wpakey needs a preceeding nwid OR join specification

ok phessler@

6 years agorevert 1.133 and part of 1.131
phessler [Fri, 3 Aug 2018 10:52:45 +0000 (10:52 +0000)]
revert 1.133 and part of 1.131
the stack doesn't always fill in the paramaters correctly

reported by many

6 years agoAccount when the next nd6_timer_to is scheduled in nd6_timer()
florian [Fri, 3 Aug 2018 09:11:56 +0000 (09:11 +0000)]
Account when the next nd6_timer_to is scheduled in nd6_timer()
otherwise nd6_llinfo_settimer() might wrongly assume that a timeout is
already scheduled earlier and not schedule one itself. This in turn
lead to the neighbor cache no longer updating because neighbor
solicitations were not send.
Observed by many.
OK kn

6 years agopledge() a little later, after getopt operation, when we know tty name.
deraadt [Fri, 3 Aug 2018 06:57:34 +0000 (06:57 +0000)]
pledge() a little later, after getopt operation, when we know tty name.
We can then unveil the tty file, and pledge() as before.  No other files
are accessed after that point in time.

6 years agounveil of _PATH_DEVDB "/var/run/dev.db" can be done before pledge for
deraadt [Fri, 3 Aug 2018 06:55:41 +0000 (06:55 +0000)]
unveil of _PATH_DEVDB "/var/run/dev.db" can be done before pledge for
use by ttyname, no other files are accessed after that.

6 years agoactually heed localbase when looking for groff
espie [Fri, 3 Aug 2018 06:49:26 +0000 (06:49 +0000)]
actually heed localbase when looking for groff

6 years agoreorg groff runner so that failures are handled better
espie [Fri, 3 Aug 2018 06:39:12 +0000 (06:39 +0000)]
reorg groff runner so that failures are handled better
do the logic for manpage formatting better, so that we can't miss things
simplify filenames, fullname always has a slash

6 years ago- exit in case of exec error. Prevents code from continuing badly
espie [Fri, 3 Aug 2018 06:37:08 +0000 (06:37 +0000)]
- exit in case of exec error.  Prevents code from continuing badly
- display error message on STDERR... better
- don't extract the code twice

6 years ago- use memset() for for clearing hashtbl
kevlo [Fri, 3 Aug 2018 06:19:15 +0000 (06:19 +0000)]
- use memset() for for clearing hashtbl
- the switch case for IFM_100_TX was the same code as for IFM_1000_T so it
  can be rolled into one.

From Michael W. Bombardieri

6 years agotweak previous;
jmc [Fri, 3 Aug 2018 06:13:14 +0000 (06:13 +0000)]
tweak previous;

6 years agoThe first unveil userland commit!
deraadt [Fri, 3 Aug 2018 04:47:56 +0000 (04:47 +0000)]
The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode.  This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

6 years agoThis does not need pledge "wpath"
deraadt [Fri, 3 Aug 2018 04:19:34 +0000 (04:19 +0000)]
This does not need pledge "wpath"

6 years agoni_pledge flags are a uint64_t not an int - don't initialize with an int.
beck [Fri, 3 Aug 2018 02:36:11 +0000 (02:36 +0000)]
ni_pledge flags are a uint64_t not an int - don't initialize with an int.

6 years agoPlace a limit on the number of elements in a ber sequence/set. This prevents
rob [Fri, 3 Aug 2018 01:51:28 +0000 (01:51 +0000)]
Place a limit on the number of elements in a ber sequence/set. This prevents
possible stack overflow due to recursion in ber_free_elements().

ok claudio@