guenther [Fri, 23 Oct 2015 04:44:41 +0000 (04:44 +0000)]
Loop the waitpid() on EINTR, and save and restore the disposition of
SIGINT and SIGQUIT with sigaction() instead of signal() so that all bits
are preserved.
ok deraadt@ millert@
guenther [Fri, 23 Oct 2015 04:39:24 +0000 (04:39 +0000)]
Merge the sigaction() and sigprocmask() overloads/wrappers from libpthread
into libc, and move pthread_sigmask() as well (just a trivial wrapper).
This provides consistent handling of SIGTHR between single- and multi-threaded
programs and is a step in the merge of all the libpthread overloads, providing
some ASM and Makefile bits that the other wrappers will need.
ok deraadt@ millert@
deraadt [Fri, 23 Oct 2015 03:44:59 +0000 (03:44 +0000)]
pledge "stdio rpath getpw proc exec id" at start, much like doas.
2 further pledges are possible, not as many as doas can do, because the
order of some su operations is a bit different. also it is trying
harder to please non-root nfs mounts?
deraadt [Fri, 23 Oct 2015 03:26:24 +0000 (03:26 +0000)]
With new pledge "ps" and "vminfo" requests, ps/top/w become possible.
dlg [Fri, 23 Oct 2015 03:16:19 +0000 (03:16 +0000)]
there's an extra argument to soreceive now.
found by teary students.
dlg [Fri, 23 Oct 2015 02:29:24 +0000 (02:29 +0000)]
pass the right sizes to free.
dtucker [Fri, 23 Oct 2015 02:22:01 +0000 (02:22 +0000)]
Update expected group sizes to match recent code changes.
dlg [Fri, 23 Oct 2015 02:08:37 +0000 (02:08 +0000)]
inline the hfsc_active TAILQ.
make cl_actc in hfsc_class a TAILQ rather than a pointer to a TAILQ
that gets allocated seaprately.
jsg [Fri, 23 Oct 2015 02:01:15 +0000 (02:01 +0000)]
include err.h for err() calls added with recent pledge commits.
dlg [Fri, 23 Oct 2015 01:53:02 +0000 (01:53 +0000)]
inline the hif_eligible TAILQ.
make hif_eligible in hfsc_if a TAILQ rather than a pointer to a
TAILQ that gets allocated separately.
"look ma, i saved 4 or 8 bytes"
mmcc [Fri, 23 Oct 2015 01:33:36 +0000 (01:33 +0000)]
Remove two comments listing functionless files. Trivial, no functional
change.
dlg [Fri, 23 Oct 2015 01:32:10 +0000 (01:32 +0000)]
counting packets in hif_packets in hfsc_if is redundant.
the ifqueue struct has the same information, and hif_packets is never
read separately. trim it.
dlg [Fri, 23 Oct 2015 01:19:04 +0000 (01:19 +0000)]
tweak the vnetid so it can be optional and therefore cleared/deleted.
the abstract vnetid is promoted to a uin32_t, and adds a SIOCDVNETID
ioctl so it can be cleared.
this is all because i set an assignment on implementing a virtual
network interface and the students got confused when vnetid 0 didnt
show up in ifconfig output.
the vnetid in the vxlan(4) protocol is optional, but the current
code confuses 0 with no vnetid being set. this makes it clear.
ok reyk@ who also simplified my diff
mmcc [Fri, 23 Oct 2015 01:14:07 +0000 (01:14 +0000)]
proto.h contains many function prototypes. It's apparently separate from
sh.h because the pdksh devs used a prototype generator (last run in
1992). Merging it into sh.h makes things clearer.
ok nicm@
deraadt [Fri, 23 Oct 2015 01:10:01 +0000 (01:10 +0000)]
Add 3 new pledge requests. "ps" exposes enough sysctl information for
ps-style programs (there are quite a few in the tree, including tmux).
"vminfo" exposes a bit more system operation information, which many
observation programs want (such as top). settime allows setting the system
time, and will be used to pledge-protect the last ntpd process.
dlg [Fri, 23 Oct 2015 01:02:46 +0000 (01:02 +0000)]
remove the pointer from hfsc_class structs back to hfsc_if.
you get to hfsc_class via a hfsc_if, so just pass the hfsc_if around
on the stack when we need it rather than following the pointer back.
most of this change is passing the hif on the stack.
ok mpi@ henning@
deraadt [Fri, 23 Oct 2015 01:00:16 +0000 (01:00 +0000)]
correct precedence; from Ilya Kaliman
deraadt [Fri, 23 Oct 2015 00:56:52 +0000 (00:56 +0000)]
Allow hw.ncpu sysctl (a few reasons showed up in my mailbox rapidly..)
deraadt [Fri, 23 Oct 2015 00:53:13 +0000 (00:53 +0000)]
crank libc major
deraadt [Fri, 23 Oct 2015 00:52:49 +0000 (00:52 +0000)]
Remove dnssocket() and dnsconnect(), since we decided to use a SOCK_DNS
flag instead.
ok guenther tedu semarie
deraadt [Fri, 23 Oct 2015 00:52:09 +0000 (00:52 +0000)]
Switch to using SOCK_DNS flag, rather than the dnssocket() and
dnssonnect() calls. Be a bit careful crossing over this, need a kernel
no older than Monday.
ok guenther tedu semarie
jsg [Fri, 23 Oct 2015 00:15:07 +0000 (00:15 +0000)]
replace pointer arithmetic and casts with offsetof
ok mpi@ bluhm@
jsg [Fri, 23 Oct 2015 00:08:57 +0000 (00:08 +0000)]
replace pointer arithmetic and casts with offsetof
ok dlg@ krw@
bmercer [Thu, 22 Oct 2015 23:56:30 +0000 (23:56 +0000)]
Add pledge support to login_yubikey. Much feedback and OK millert@
mmcc [Thu, 22 Oct 2015 23:55:51 +0000 (23:55 +0000)]
Cast ctype function arguments to unsigned char.
ok guenther@
renato [Thu, 22 Oct 2015 23:17:45 +0000 (23:17 +0000)]
Fix some bugs in the handling of the RTM_GET and RTM_CHANGE messages
found when running eigrpd(8) and ldpd(8) together.
benno [Thu, 22 Oct 2015 22:21:41 +0000 (22:21 +0000)]
document tid keyword.
found with and ok bluhm@
schwarze [Thu, 22 Oct 2015 22:05:42 +0000 (22:05 +0000)]
use the new function man_validate() here, too
schwarze [Thu, 22 Oct 2015 21:53:49 +0000 (21:53 +0000)]
move man(7) validation into the dedicated validation phase, too
schwarze [Thu, 22 Oct 2015 21:02:55 +0000 (21:02 +0000)]
If no output device was allocated because no file wanted to produce output,
refrain from dereferencing a NULL pointer during final deallocation.
Fixing a recent regression reported by czarkoff@
miod [Thu, 22 Oct 2015 18:54:41 +0000 (18:54 +0000)]
Build boot blocks with -msmall-data -msmall-text.
mpi [Thu, 22 Oct 2015 18:14:53 +0000 (18:14 +0000)]
Drop historical comment and an old '#if notyet'.
mpi [Thu, 22 Oct 2015 17:48:34 +0000 (17:48 +0000)]
Kill link_rtrequest(), introduce in 1990 to "fix" the result
of rt_getifa() when adding link level route from outside the
kernel.
ok claudio@
mpi [Thu, 22 Oct 2015 17:19:38 +0000 (17:19 +0000)]
Use only one refcounting mechanism for route entries.
ok bluhm@, dlg@, claudio@
mpi [Thu, 22 Oct 2015 16:49:26 +0000 (16:49 +0000)]
Only check for rt_ifp now that it is alays the same as rt_ifa->ifa_ifp.
ok millert@, bluhm@
mpi [Thu, 22 Oct 2015 16:44:54 +0000 (16:44 +0000)]
Make sure that the address matching the key (destination) of a route
entry is attached to this entry.
ok phessler@, bluhm@
mpi [Thu, 22 Oct 2015 16:33:32 +0000 (16:33 +0000)]
Use rt_ifp instead of rt_ifa->ifa_ifp.
ok bluhm@
mpi [Thu, 22 Oct 2015 16:32:41 +0000 (16:32 +0000)]
Kill dead code, ifa is specified and won't change.
ok bluhm@
reyk [Thu, 22 Oct 2015 15:55:18 +0000 (15:55 +0000)]
iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@
claudio [Thu, 22 Oct 2015 15:47:00 +0000 (15:47 +0000)]
Add a regress test for if_indextoname() and if_nametoindex()
jsing [Thu, 22 Oct 2015 15:38:05 +0000 (15:38 +0000)]
Another change that is needed to restore the previous behaviour of
ASN1_{GENERALIZED,UTC}TIME_set_string(), which allows it to be called
with a NULL pointer.
ok beck@
bluhm [Thu, 22 Oct 2015 15:37:47 +0000 (15:37 +0000)]
Inspired by satosin(), use inline functions to convert sockaddr dl.
Instead of casts they check wether the incoming object has the
expected type. So introduce satosdl() and sdltosa() in the kernel.
OK mpi@
mmcc [Thu, 22 Oct 2015 15:37:04 +0000 (15:37 +0000)]
Final removal of EXTERN.
ok nicm@
reyk [Thu, 22 Oct 2015 15:14:27 +0000 (15:14 +0000)]
Stop linking iked -static: It was inherited from isakmpd that is
-static for NFS-over-IPsec that might mount the libraries after /usr.
The benefit of linking iked dynamic outweighs the historic reason, eg.
to get full address space randomization and to benefit from libcrypto
updates, so we turn it into a dynamic binary.
OK deraadt@ naddy@
jsing [Thu, 22 Oct 2015 15:03:19 +0000 (15:03 +0000)]
Restore previous behaviour and allow
ASN1_{GENERALIZED,UTC,}TIME_set_string() to be called with a NULL pointer.
Found the hard way by @kinichiro on github.
ok beck@
pascal [Thu, 22 Oct 2015 14:53:00 +0000 (14:53 +0000)]
Add pledge(2) to some binutils that handle untrusted data. Most can do with
"stdio rpath", while objdump(1) also needs "tmppath" for objdump -i.
ok deraadt@, comments sthen@ kettenis@
jsing [Thu, 22 Oct 2015 14:10:55 +0000 (14:10 +0000)]
Extend tests to call ASN1_{GENERALIZED,UTC,}TIME_set_string() with a NULL
pointer - because, you know, you might want to set a string on a NULL
object. The previous implementation apparently allowed this as a way of
testing if the string was valid... probably because the *_check() functions
are only useable after the string has already been set.
jsing [Thu, 22 Oct 2015 14:01:19 +0000 (14:01 +0000)]
Fix case where we wanted to test ASN1_TIME_set_string() but were testing
ASN1_UTCTIME_set_string() twice instead.
jsing [Thu, 22 Oct 2015 13:58:47 +0000 (13:58 +0000)]
Fix case where we wanted to test ASN1_TIME_set_string() but were testing
ASN1_UTCTIME_set_string() twice instead.
mpi [Thu, 22 Oct 2015 13:30:29 +0000 (13:30 +0000)]
Do not pass an ``ia'' just to dereference ``ia_ifp''.
ok claudio@, bluhm@, jsg@
reyk [Thu, 22 Oct 2015 13:30:07 +0000 (13:30 +0000)]
Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permant
use, this is very nice to temporarily disable a peer option."
This broke the grammar by introducing shift/reduce errors.
OK phessler@
tedu [Thu, 22 Oct 2015 12:55:23 +0000 (12:55 +0000)]
use crypt_checkpass("password", NULL) to fake a login instead of bcrypt
tedu [Thu, 22 Oct 2015 12:52:15 +0000 (12:52 +0000)]
use crypt_checkpass to check password
tedu [Thu, 22 Oct 2015 12:43:26 +0000 (12:43 +0000)]
copying of the environment can be done later, as the user running
deraadt [Thu, 22 Oct 2015 12:34:25 +0000 (12:34 +0000)]
pledge "abort" left behind accidentally
tedu [Thu, 22 Oct 2015 12:32:33 +0000 (12:32 +0000)]
use crypt_checkpass instead of doing things the hard way with crypt.
deraadt [Thu, 22 Oct 2015 12:09:03 +0000 (12:09 +0000)]
setlocale() before pledge()... until we learn more
jsg [Thu, 22 Oct 2015 11:51:28 +0000 (11:51 +0000)]
remove some horrible iwm typedefs
ok stsp@
nicm [Thu, 22 Oct 2015 11:23:00 +0000 (11:23 +0000)]
If the pane is still on all_window_panes but not actually connected to
window or session (which can happen if it is killed during a command
sequence and something else has a reference), fall back to the best
effort. Fixes "tmux killw\; detach" for Rudis Muiznieks.
nicm [Thu, 22 Oct 2015 11:19:31 +0000 (11:19 +0000)]
Unzoom before -LRUD, reported by Andy Weidenbaum.
phessler [Thu, 22 Oct 2015 11:13:16 +0000 (11:13 +0000)]
If we receive an empty route message, log it and ignore it. Happens
occasionally on FreeBSD.
from Melissa Jenkins
OK claudio@, florian@, benno@
sobrado [Thu, 22 Oct 2015 11:03:43 +0000 (11:03 +0000)]
fix company name.
ok jmc@
sobrado [Thu, 22 Oct 2015 11:03:15 +0000 (11:03 +0000)]
fix spelling mess.
ok jmc@
sobrado [Thu, 22 Oct 2015 11:02:48 +0000 (11:02 +0000)]
improve indentation in list block.
ok jmc@
sobrado [Thu, 22 Oct 2015 11:01:49 +0000 (11:01 +0000)]
fix typo in unit of time.
ok jmc@
deraadt [Thu, 22 Oct 2015 11:01:43 +0000 (11:01 +0000)]
Further study shows "route" should allow all address families in NET_RT_DUMP
With benno
sobrado [Thu, 22 Oct 2015 11:01:14 +0000 (11:01 +0000)]
typo.
ok jmc@
nicm [Thu, 22 Oct 2015 11:00:51 +0000 (11:00 +0000)]
Log identify messages.
nicm [Thu, 22 Oct 2015 10:48:30 +0000 (10:48 +0000)]
This should not be changed.
mpi [Thu, 22 Oct 2015 10:46:26 +0000 (10:46 +0000)]
Do not dereference ``ifa_ifp'' when we already have an ``ifp'' pointer.
nicm [Thu, 22 Oct 2015 10:46:24 +0000 (10:46 +0000)]
Rename shutdown to exit.
renato [Thu, 22 Oct 2015 10:42:14 +0000 (10:42 +0000)]
The eigrpe process also needs to pledge "cpath" for unlinking the
control socket.
deraadt [Thu, 22 Oct 2015 10:35:23 +0000 (10:35 +0000)]
After some consideration, simply allow TIOCSCTTY in the "tty" pledge.
Discussion with nicm.
mpi [Thu, 22 Oct 2015 10:31:02 +0000 (10:31 +0000)]
Do not dereference ``ia_ifp'' when we already have an ``ifp'' pointer.
mpi [Thu, 22 Oct 2015 10:27:22 +0000 (10:27 +0000)]
Use rt_ifp as intended.
During s2k15 we fixed this ugly 20+ years loopback hack of having a
rt_ifp different than rt_ifa->ifa_ifp.
ok millert@, bluhm@
mpi [Thu, 22 Oct 2015 10:22:53 +0000 (10:22 +0000)]
Kill dead code missed in per-ifp counter removal.
ok millert@, bluhm@
deraadt [Thu, 22 Oct 2015 09:23:41 +0000 (09:23 +0000)]
document "id" request; from Gregor Best
gilles [Thu, 22 Oct 2015 08:46:31 +0000 (08:46 +0000)]
delivery to maildir needs pledge fattr
from Gregor Best <gbe@unobtanium.de>
jmc [Thu, 22 Oct 2015 08:35:18 +0000 (08:35 +0000)]
halex removed the -p restriction, so do not document it;
from kirill bychkov
deraadt [Thu, 22 Oct 2015 07:52:29 +0000 (07:52 +0000)]
at present the setpriority() syscall is considered fairly low risk and
placed in pledge "proc". pledge "stdio getpw proc", from Theo Buehler
guenther [Thu, 22 Oct 2015 05:30:18 +0000 (05:30 +0000)]
Add a regress for libc handling of SIGTHR
doug [Thu, 22 Oct 2015 05:28:42 +0000 (05:28 +0000)]
Pledge "stdio rpath tty" for hangman(6).
Patch submitted by Ricardo Mestre <serial@helheim.mooo.com>
ok semarie@
dlg [Thu, 22 Oct 2015 05:26:06 +0000 (05:26 +0000)]
rename ml_join to ml_enlist and expose it to the rest of the kernel.
deraadt [Thu, 22 Oct 2015 04:57:20 +0000 (04:57 +0000)]
pledge in doas. startup pledge "stdio rpath getpw proc exec id". 4
more times after that more attributes are dropped: "proc" after bsd
auth has spawned/received result from the login_* program; "getpw"
after the final getpwent lookup, "id" after the final uid changing,
and "rpath" after constructing getcwd. leaving only "exec", for the
ride into execve().
deraadt [Thu, 22 Oct 2015 04:08:17 +0000 (04:08 +0000)]
Until we understand the sitaution better, we should pledge() after
setlocale(), not before. Not just here, but probably everywhere?
mmcc [Thu, 22 Oct 2015 02:29:20 +0000 (02:29 +0000)]
Fix typo in comment. From Theo Buehler.
schwarze [Wed, 21 Oct 2015 23:49:05 +0000 (23:49 +0000)]
Move all mdoc(7) node validation done before child parsing
to the new separate validation pass, except for a tiny bit
needed by the parser which goes to the new mdoc_state() module;
cleaner, simpler, and surprisingly also shorter by 15 lines.
miod [Wed, 21 Oct 2015 19:02:22 +0000 (19:02 +0000)]
Reject too small bits value in BN_generate_prime_ex(), so that it does not risk
becoming negative in probable_prime_dh_safe(). Reported by Franck Denis who
noticed `openssl gendh 0' would segfault.
Fix adapted from OpenSSL RT#2701.
ok beck@ jsing@
jsing [Wed, 21 Oct 2015 16:45:13 +0000 (16:45 +0000)]
Use SSL_CTX_set_ecdh_auto() instead of rolling our own version.
ok gilles@
jsing [Wed, 21 Oct 2015 16:44:28 +0000 (16:44 +0000)]
Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
messages/bytes in the TLS handshake and increases our attack surface,
since we request and then process client certificates.
ok gilles@
jsing [Wed, 21 Oct 2015 16:36:50 +0000 (16:36 +0000)]
In the case where len is not a multiple of sizeof(RC4_CHUNK) the RC4 code
will end up doing a read and write of up to 7 bytes beyond the specified
length. This is effectively a non-issue since we read and write back the
same data and due to alignment it is within a page boundary.
Regardless, avoid this by removing the "special" handling for the remaining
length and allow the standard (non-chunk) code to process the remaining
bytes, which does not result in overrun.
Reported by Pascal Cuoq <cuoq at trust-in-soft.com> - thanks!
ok beck@ miod@
bluhm [Wed, 21 Oct 2015 16:09:13 +0000 (16:09 +0000)]
Setting fcntl(F_SETOWN) for a pipe failed with inappropriate ioctl
for device. In sys_fcntl() the ioctl(TIOCSPGRP) is called, but the
pipe expects SIOCSPGRP. Sockets have a specal case for the same
reason, so adapt the special code for pipes.
OK millert@
millert [Wed, 21 Oct 2015 16:06:57 +0000 (16:06 +0000)]
Style fixes; from Ilya Kaliman
mmcc [Wed, 21 Oct 2015 15:47:41 +0000 (15:47 +0000)]
Remove a couple of unhelpful defines.
ok nicm@
mmcc [Wed, 21 Oct 2015 15:20:37 +0000 (15:20 +0000)]
Don't bother casting NULL.
ok nicm@
mmcc [Wed, 21 Oct 2015 14:31:28 +0000 (14:31 +0000)]
Assign pointer to NULL rather than 0.
ok nicm@
mmcc [Wed, 21 Oct 2015 14:30:43 +0000 (14:30 +0000)]
Penultimate commit to remove EXTERN.
ok nicm@
bluhm [Wed, 21 Oct 2015 14:03:07 +0000 (14:03 +0000)]
Do some cleanup in syslogd ttymsg(). Add a debug message when the
syslogd child calls fork(2) to delay blocked output.
OK benno@
nicm [Wed, 21 Oct 2015 13:14:36 +0000 (13:14 +0000)]
client_key_table was missing.
gsoares [Wed, 21 Oct 2015 11:33:03 +0000 (11:33 +0000)]
fix memory leak in error path
ok djm@