mestre [Sun, 5 Aug 2018 09:37:05 +0000 (09:37 +0000)]
Since -s argument is no longer checked, during reexec, the argv size then must
be shortened by 1.
OK florian@
mestre [Sun, 5 Aug 2018 09:33:13 +0000 (09:33 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
While here also scramble pledge promises to their canonical form.
OK florian@
nicm [Sun, 5 Aug 2018 08:59:30 +0000 (08:59 +0000)]
calloc the mode data instead of malloc and initialize everything.
jsg [Sun, 5 Aug 2018 08:54:43 +0000 (08:54 +0000)]
enable bio and softraid on arm64 ramdisk
jsg [Sun, 5 Aug 2018 08:54:05 +0000 (08:54 +0000)]
enable bio and softraid on armv7 ramdisk
mestre [Sun, 5 Aug 2018 08:41:28 +0000 (08:41 +0000)]
Remove now unused header which I forgot to commit on previous.
mestre [Sun, 5 Aug 2018 08:20:54 +0000 (08:20 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
OK florian@
mestre [Sun, 5 Aug 2018 08:16:24 +0000 (08:16 +0000)]
Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
OK akoshibe@ florian@
mestre [Sun, 5 Aug 2018 08:10:35 +0000 (08:10 +0000)]
Revert back previous and remove cpath pledge(2) promise entirely. We decided
that not deleting the unix control sockets cause no harm and this way we close
another attack surface by not allowing the daemon to create/delete any more
files.
tweak and OK florian@
jmc [Sun, 5 Aug 2018 06:11:55 +0000 (06:11 +0000)]
document some more escapes which are hit by restricted mode,
and move the documentation of which are relevant to the restricted mode
(-r) description;
from kris katterjohn
while here, replace some Gt/Lt escapes;
kettenis [Sat, 4 Aug 2018 20:23:49 +0000 (20:23 +0000)]
Implement a few missing RK3288 clocks and implement resets.
schwarze [Sat, 4 Aug 2018 19:19:37 +0000 (19:19 +0000)]
fix a glitch in rev. 1.24: getline(3) returns ssize_t, not size_t;
pointed out by Andre Stoebe <as at nul not space>
schwarze [Sat, 4 Aug 2018 16:47:05 +0000 (16:47 +0000)]
obvious KNF: avoid '!' for tests of non-boolean variables,
__dead void usage, return from main and return is not a function,
err(1, NULL) after malloc failure, and garbage collect (void) casts
on functions that usually do not need return value checks
jsg [Sat, 4 Aug 2018 16:42:46 +0000 (16:42 +0000)]
avoid using a value uninitialised
ok kevlo@
beck [Sat, 4 Aug 2018 16:23:00 +0000 (16:23 +0000)]
Add regress test to ensure that chmod fails when unveiled with "r"
(problem noticed by semarie@ - fix forthcoming)
schwarze [Sat, 4 Aug 2018 16:14:03 +0000 (16:14 +0000)]
Use POSIX getline(3) rather than the non-standard and error-prone fgetln(3).
In part based on a diff from Lauri Tirkkonen <lotheac at iki dot fi>.
While here, significantly simplify sequential().
No objection when shown on tech@.
krw [Sat, 4 Aug 2018 16:09:00 +0000 (16:09 +0000)]
Oops. Missing chunk from previous 'secs' -> 'ui'.
krw [Sat, 4 Aug 2018 15:36:41 +0000 (15:36 +0000)]
Rename local variable 'secs' to 'ui' to be consistant with all other
uses of getuint64(). No change to executable.
kettenis [Sat, 4 Aug 2018 11:55:40 +0000 (11:55 +0000)]
The operating-points-v2 binding allows opp-microvolt to be a single cell
or three cells. Handle both cases, but ignore the minimum and maximum
values if they are provided in the case where we have three cells.
ok patrick@
mestre [Sat, 4 Aug 2018 11:07:14 +0000 (11:07 +0000)]
Revert back previous commit, we have decided that socket files don't cause any
harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
florian [Sat, 4 Aug 2018 09:37:17 +0000 (09:37 +0000)]
Leave the control socket behind on shutdown. It doesn't hurt anyone.
On the other hand it is much more powerful to get rid of cpath; rad is
no longer allowed to change anything on the filesystem.
Triggered by mestre@'s work to fix unlinking in other daemons and a
question from deraadt@
OK mestre
florian [Sat, 4 Aug 2018 09:36:49 +0000 (09:36 +0000)]
Leave the control socket behind on shutdown. It doesn't hurt anyone.
On the other hand it is much more powerful to get rid of cpath; slaacd
has no filesystem access whatsoever.
Triggered by mestre@'s work to fix unlinking in other daemons and a
question from deraadt@
OK mestre
espie [Sat, 4 Aug 2018 09:01:56 +0000 (09:01 +0000)]
document AUTOCONF_ENV
jmc [Sat, 4 Aug 2018 06:10:05 +0000 (06:10 +0000)]
tweak previous;
deraadt [Sat, 4 Aug 2018 03:27:45 +0000 (03:27 +0000)]
sync
deraadt [Sat, 4 Aug 2018 03:23:08 +0000 (03:23 +0000)]
I can find no reason why portmap needs rpath after initialization.
djm [Sat, 4 Aug 2018 00:55:06 +0000 (00:55 +0000)]
invalidate dh->priv_key after freeing it in error path; avoids
unlikely double-free later. Reported by Viktor Dukhovni via
https://github.com/openssh/openssh-portable/pull/96
feedback jsing@ tb@
helg [Sat, 4 Aug 2018 00:08:53 +0000 (00:08 +0000)]
Uncomment no-longer-dead Xr.
helg [Fri, 3 Aug 2018 23:32:04 +0000 (23:32 +0000)]
Add man page for fuse_get_context(3).
kettenis [Fri, 3 Aug 2018 22:40:05 +0000 (22:40 +0000)]
Pass PCIe requester ID as sideband data here as well.
kettenis [Fri, 3 Aug 2018 22:18:13 +0000 (22:18 +0000)]
Let ahci(4) match on _CLS instead of _HID when attaching at acpi(4). Avoids
having to add many more _HID entries to the match table.
ok deraadt@, mlarkin@
kettenis [Fri, 3 Aug 2018 21:28:28 +0000 (21:28 +0000)]
Implement setting the CPU clock for Allwinner H3/H5 SoCs.
kettenis [Fri, 3 Aug 2018 21:07:34 +0000 (21:07 +0000)]
Also attach as a regulator if the FDT provides the fixed voltage value.
Restore fixed voltage at reboot time to prevent hangs after a warm reset
if DVFS is active.
jmc [Fri, 3 Aug 2018 20:09:48 +0000 (20:09 +0000)]
advertise slaacd.8;
jmc [Fri, 3 Aug 2018 19:54:11 +0000 (19:54 +0000)]
sort; ok florian
kettenis [Fri, 3 Aug 2018 18:36:01 +0000 (18:36 +0000)]
Implement single-stepping. Based on an earlier diff from drahn@.
Disable userland debug communication access while there.
ok patrick@
benno [Fri, 3 Aug 2018 17:57:21 +0000 (17:57 +0000)]
return is not a function and if (x) -> if (x != NULL)
From Ross L Richardson, thanks
ok millert@
benno [Fri, 3 Aug 2018 17:51:40 +0000 (17:51 +0000)]
fix error messages from earlier syntax change
From Ross L Richardson
ok millert@
benno [Fri, 3 Aug 2018 17:49:57 +0000 (17:49 +0000)]
correct an error message, from Ross L Richardson
ok millert@
benno [Fri, 3 Aug 2018 17:48:34 +0000 (17:48 +0000)]
document the default in the abscence of a certificate authority.
From Ross L Richardson
benno [Fri, 3 Aug 2018 17:46:57 +0000 (17:46 +0000)]
Document that domain certificate is optional.
From Ross L Richardson
deraadt [Fri, 3 Aug 2018 17:09:22 +0000 (17:09 +0000)]
Move pledge after getopt when we know whether the operation is reboot,
powerdown, halt, or singleuser. Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files. Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.
kettenis [Fri, 3 Aug 2018 16:45:17 +0000 (16:45 +0000)]
Implement DVFS support.
ok patrick@
claudio [Fri, 3 Aug 2018 16:31:22 +0000 (16:31 +0000)]
Move nexthop and nexthop flags from the rde_aspath to struct prefix.
struct prefix will be slowly becomming the hub of the rib.
OK phessler@ job@
deraadt [Fri, 3 Aug 2018 16:02:53 +0000 (16:02 +0000)]
unveil _PATH_UTMP at startup. Time for a commentary:
There is a TOCTOU between unveil() and open() which should always be
considered, since a path is being supplied twice to the kernel. First
unveil()s define which paths remain in scope, then secondly open()s
try to access paths in scope. The unveil() generates a vnode
reservation against the final path resolution (including symbolic link
collapse). Before the open() occurs, root could replace the path with
symbolic traversal pointing elsewhere. Then open() will traverse a
path which fails to discover the reserved vnode, and thus fail with
ENOENT. The TOCTOU sequence doesn't succeed against the new path, it
*always fails*. (Unless the symlink resolves to another unveil'd
vnode object, but that is not new behaviour).
So once a process is running with veiled filesystem view, we can
consider such a symlink change action as PERMANENTLY visible to this
process and correctly contained to the scoped view, rather than the
previous behaviour of being TRANSIENT and global in view. So this is
not a real race, security implications will be narrow, and generally
the old symlink-race case is the less secure.
When we add this unveil+open TOCTOU scenario to a program, we should
consider who can perform such a symlink snap, and whether behaviour
change to the program is more disruptive than the risks prevented
through filesystem hiding. How does a program behave if a file
disappears due to active interference? Are users (and scripts) used
to operating in a racey best-effort way, and is the additional
strictness strangling their freedom to run shitty stuff?
A few general rules for base programs can avoid problems in this area:
don't en masse unveil argv[], then process argv[] in a second phase.
Don't unveil args which get placed into TZ, TERM, and some other
environment variables, unless you completely understand what libc is
doing.
deraadt [Fri, 3 Aug 2018 15:29:51 +0000 (15:29 +0000)]
We can only unveil if the prefix is a directory (the input paths, and the
output directory). If prefix isn't a directory, that would require
enumerating all prefix<sig>.<id> filenames and unveiling all of them
which isn't reasonable... for the file case can we identify whether it
starts start with '/' or not, and unveil '/' or '.' for "w"?
visa [Fri, 3 Aug 2018 15:19:44 +0000 (15:19 +0000)]
Improve synchronization between the parent and children. This fixes
a spurious test failure spotted by anton@ and eliminates sleeping
in the test.
Feedback and OK anton@
deraadt [Fri, 3 Aug 2018 15:14:18 +0000 (15:14 +0000)]
Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.
deraadt [Fri, 3 Aug 2018 15:01:28 +0000 (15:01 +0000)]
pledge() a little later, after getopt operation, in case -f option changes
the filename. We can then unveil that file, pledge() as before, and proceed
to parsing.
deraadt [Fri, 3 Aug 2018 14:58:21 +0000 (14:58 +0000)]
sync
deraadt [Fri, 3 Aug 2018 14:47:56 +0000 (14:47 +0000)]
wrap long lines
deraadt [Fri, 3 Aug 2018 14:39:55 +0000 (14:39 +0000)]
unveil _PATH_DEVDB for devname(). All other filenames are opened
before unveil/pledge.
claudio [Fri, 3 Aug 2018 14:10:39 +0000 (14:10 +0000)]
Reshuffle the way bgpd does the softreload after filter changes.
Walk each rib at most once and push it from there to all RIBs or peers
that need the update. Makes the logic more streight and so easier to run
in background.
Tested by and OK phessler@
kevlo [Fri, 3 Aug 2018 13:37:08 +0000 (13:37 +0000)]
Enable mue(4).
Tested on Orange Pi Plus 2E (armv7) and Orange Pi PC 2 (arm64).
ok jsg@
florian [Fri, 3 Aug 2018 13:14:46 +0000 (13:14 +0000)]
Move dns settings to global options so that they don't need to be
repeated in every interface block - they can still be overwritten
on a per interface basis.
Pointed out by, tweaks & OK sthen
halex [Fri, 3 Aug 2018 11:21:27 +0000 (11:21 +0000)]
document that wpakey needs a preceeding nwid OR join specification
ok phessler@
phessler [Fri, 3 Aug 2018 10:52:45 +0000 (10:52 +0000)]
revert 1.133 and part of 1.131
the stack doesn't always fill in the paramaters correctly
reported by many
florian [Fri, 3 Aug 2018 09:11:56 +0000 (09:11 +0000)]
Account when the next nd6_timer_to is scheduled in nd6_timer()
otherwise nd6_llinfo_settimer() might wrongly assume that a timeout is
already scheduled earlier and not schedule one itself. This in turn
lead to the neighbor cache no longer updating because neighbor
solicitations were not send.
Observed by many.
OK kn
deraadt [Fri, 3 Aug 2018 06:57:34 +0000 (06:57 +0000)]
pledge() a little later, after getopt operation, when we know tty name.
We can then unveil the tty file, and pledge() as before. No other files
are accessed after that point in time.
deraadt [Fri, 3 Aug 2018 06:55:41 +0000 (06:55 +0000)]
unveil of _PATH_DEVDB "/var/run/dev.db" can be done before pledge for
use by ttyname, no other files are accessed after that.
espie [Fri, 3 Aug 2018 06:49:26 +0000 (06:49 +0000)]
actually heed localbase when looking for groff
espie [Fri, 3 Aug 2018 06:39:12 +0000 (06:39 +0000)]
reorg groff runner so that failures are handled better
do the logic for manpage formatting better, so that we can't miss things
simplify filenames, fullname always has a slash
espie [Fri, 3 Aug 2018 06:37:08 +0000 (06:37 +0000)]
- exit in case of exec error. Prevents code from continuing badly
- display error message on STDERR... better
- don't extract the code twice
kevlo [Fri, 3 Aug 2018 06:19:15 +0000 (06:19 +0000)]
- use memset() for for clearing hashtbl
- the switch case for IFM_100_TX was the same code as for IFM_1000_T so it
can be rolled into one.
From Michael W. Bombardieri
jmc [Fri, 3 Aug 2018 06:13:14 +0000 (06:13 +0000)]
tweak previous;
deraadt [Fri, 3 Aug 2018 04:47:56 +0000 (04:47 +0000)]
The first unveil userland commit!
unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode. This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.
deraadt [Fri, 3 Aug 2018 04:19:34 +0000 (04:19 +0000)]
This does not need pledge "wpath"
beck [Fri, 3 Aug 2018 02:36:11 +0000 (02:36 +0000)]
ni_pledge flags are a uint64_t not an int - don't initialize with an int.
rob [Fri, 3 Aug 2018 01:51:28 +0000 (01:51 +0000)]
Place a limit on the number of elements in a ber sequence/set. This prevents
possible stack overflow due to recursion in ber_free_elements().
ok claudio@
kevlo [Fri, 3 Aug 2018 01:50:14 +0000 (01:50 +0000)]
Add mue(4), a driver for Microchip LAN75xx/LAN78xx 10/100/1000 USB Ethernet
adapters.
"go ahead commit it" deraadt@
nicm [Thu, 2 Aug 2018 18:35:21 +0000 (18:35 +0000)]
Log command arguments.
schwarze [Thu, 2 Aug 2018 17:10:26 +0000 (17:10 +0000)]
replace excessively wordy and fuzzy introduction
with a real HISTORY section;
OK jmc@ rob@
krw [Thu, 2 Aug 2018 16:30:01 +0000 (16:30 +0000)]
errno is never checked after a call to getuint64(). So there is no
point to getuint64() setting it to EINVAL when the user enters an
invalid value or aborts input with a ^D.
rob [Thu, 2 Aug 2018 15:34:07 +0000 (15:34 +0000)]
Grammar fix in comment.
ok deraadt@
rob [Thu, 2 Aug 2018 15:22:11 +0000 (15:22 +0000)]
Some wordsmithing. Comments and tweaks from deraadt, jmc, benno, and tb.
ok deraadt@
claudio [Thu, 2 Aug 2018 14:41:42 +0000 (14:41 +0000)]
Split out the rule skipping logic into own function and by doing so ensure
that both filter lists are treated the same way. This fixes an inconsistency
with ibgp and ebgp filters as used in the example config.
OK benno@ sthen@
benno [Thu, 2 Aug 2018 14:40:38 +0000 (14:40 +0000)]
According to code (and testing), each is optional but at least
one must be present.
From Ross L Richardson, thanks
ok sthen@
benno [Thu, 2 Aug 2018 14:39:26 +0000 (14:39 +0000)]
It's an "X.509 certificate" rather than a "TLS certificate".
As pointed out by sthen@, TLS isn't the only possible use.
From Ross L Richardson
ok shten@
benno [Thu, 2 Aug 2018 14:37:32 +0000 (14:37 +0000)]
its a X.509 certificate, consistency with acme-client.conf.5
From Ross L Richardson
ok sthen@
patrick [Thu, 2 Aug 2018 14:13:44 +0000 (14:13 +0000)]
Enable ssdfb(4) at I2C.
patrick [Thu, 2 Aug 2018 14:09:32 +0000 (14:09 +0000)]
Add I2C attachment code to ssdfb(4). The difference between the I2C
and SPI bus is simply how to let the chip know it's a command or data
transfer. Otherwise we push the very same bits.
mestre [Thu, 2 Aug 2018 13:05:34 +0000 (13:05 +0000)]
ntpd(8) has logic in place to delete its control socket on shutdown, but it
currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.
"sure" henning@
claudio [Thu, 2 Aug 2018 12:49:00 +0000 (12:49 +0000)]
Make a few more rde specific functions static.
claudio [Thu, 2 Aug 2018 12:46:02 +0000 (12:46 +0000)]
Make free_prefixsets() accept a NULL pointer. Makes it behave more like
all other free functions bgpd has.
nicm [Thu, 2 Aug 2018 11:56:12 +0000 (11:56 +0000)]
session_groups can be static also.
nicm [Thu, 2 Aug 2018 11:44:07 +0000 (11:44 +0000)]
Make key trees and some other bits static.
nicm [Thu, 2 Aug 2018 11:18:34 +0000 (11:18 +0000)]
Minor tidying.
claudio [Thu, 2 Aug 2018 09:46:35 +0000 (09:46 +0000)]
This brings the network code more in line with what regular update
processing does. It adds the prefix to Adj-RIB-In and if "log update" is
set it will also log the addition and removal of a prefix.
OK benno@
kettenis [Thu, 2 Aug 2018 09:45:17 +0000 (09:45 +0000)]
Add delay when increasing the voltage of a regulator that has a
"regulator-ramp-delay" property to guerantee that the target voltage has
been reached when regulator_set_voltage(9) returns.
ok patrick@
nicm [Thu, 2 Aug 2018 07:55:16 +0000 (07:55 +0000)]
Make display-panes block the client until a pane is chosen or it times out.
mestre [Thu, 2 Aug 2018 06:43:31 +0000 (06:43 +0000)]
Actually order the promises in their canonical form, missed that in my
previous commit.
heads up and OK tb@
mestre [Thu, 2 Aug 2018 06:28:35 +0000 (06:28 +0000)]
Currently when eigrpd(8) shuts down then its unix control socket is being
unlink(2)ed from eigrpe engine process, the problem is that this proc is
chrooted and therefore the socket will never be deleted.
In order to solve it we need to bring control_cleanup() function, which calls
unlink(2), into the main proc which is not chrooted. This is the way it's
already done for several other daemons we have in our base.
Additionally we also need to move the "cpath" pledge(2) promise from the child
process to the main process in order for the latter to be allowed to delete the
socket and while here shuffle the promises into their canonical form.
OK florian@ and benno@
beck [Thu, 2 Aug 2018 04:41:47 +0000 (04:41 +0000)]
Fix panic when we attempt to mess with "." but have a flags mismatch
so unveil_check_final returns an error - in this case we can't
just VOP_UNLOCK the parent we have to know we are dealing with "."
found by anton@ - thanks
beck [Thu, 2 Aug 2018 04:39:58 +0000 (04:39 +0000)]
Test messing with "." both when having . unveiled for an operation, and
with . veiled without the right flags for an operation, since these
come out of namei differently and . is the bane of the special
LOCKPARENT corner cases - this tests a panic found by anton@
brynet [Wed, 1 Aug 2018 20:33:53 +0000 (20:33 +0000)]
On AMD CPUs, If the LFENCE serialization MSR bit is already set, then
we don't need to uncondtionally set it.
Worksaround a suspected bug in newer Linux KVM, which may trigger a
#GP fault on writes to this MSR.
ok mlarkin@
mestre [Wed, 1 Aug 2018 17:17:42 +0000 (17:17 +0000)]
Fix segmentation fault on radiusd(8) when exiting.
If one of the configured modules doesn't have a secret setup then
module->secret == NULL which would call strlen(NULL), within freezero(3),
and that shouldn't happen, but in this case since the call is done it
segfaults and the daemon is not properly shutdown.
cluebat stick provided by semarie@, OK tb@ and deraadt@
schwarze [Wed, 1 Aug 2018 16:00:54 +0000 (16:00 +0000)]
Fix an off-by-one string read access that could happen if an empty
string argument preceded a string argument beginning with "--".
Found by Leah Neukirchen <leah at vuxu dot org> with -Wpointer-compare.
kettenis [Wed, 1 Aug 2018 15:55:50 +0000 (15:55 +0000)]
Fix various RK3399 clocks and add support for getting the clock frequency
of the clocks that we can set.
Assign clock rates (and parents) based on the "assigned-clocks" device tree
property, but only on RK3399 for now as the code for the other Rockchip SoCs
isn't quite ready yet.
Last but not least, fixup a mistake on the firmware for the Theobroma
Systems RK3399-Q7 module such that the "big" cluster uses BPLL as intended.
schwarze [Wed, 1 Aug 2018 15:39:47 +0000 (15:39 +0000)]
After rewriting the parse buffer from scratch, we also have to reset
the parse point to the beginning of the new buffer or we risk out
of bounds accesses. Bug found by Leah Neukirchen <leah at vuxu dot
org> with valgrind on Void Linux.
nicm [Wed, 1 Aug 2018 15:22:40 +0000 (15:22 +0000)]
Initialize new lineflag member.