rpe [Fri, 9 Oct 2015 18:30:54 +0000 (18:30 +0000)]
Exit autoinstall in case of an invalid choice.
OK krw@
bluhm [Fri, 9 Oct 2015 17:51:08 +0000 (17:51 +0000)]
Keep relayd test certificate names in sync with syslogd.
gilles [Fri, 9 Oct 2015 17:44:25 +0000 (17:44 +0000)]
upon smtpd restart, when scanning the offline queue, unlink 0-sized offline
messages as they are left-overs from an errored enqueue.
ok millert@, ok eric@
deraadt [Fri, 9 Oct 2015 17:18:20 +0000 (17:18 +0000)]
Have not come up with a great pattern for flock() yet. flock() is permitted
by "getpw" because libc getpw*/getgr* use open() of /var/run/ypbind.lock plus
flock() to detect YP running. The kernel observes this dance to "open up" the
YP door (ugliness should drive us to rewrite this mechanism from SunOS later).
however, flock is also used independently. Current users are
htpasswd mail skeyinit tmux authpf pwd_mkdb ldapd smtpd ypbind
login_token mail.local lockspool
Let's enable flock() for "cpath", and see if that helps these programs,
otherwise we'll try "wpath" next.
deraadt [Fri, 9 Oct 2015 17:09:06 +0000 (17:09 +0000)]
With nfs spool (fork + seteuid/setuid balony) support gone, it becomes
possible to pledge "stdio rpath wpath tty proc"
Noone uses this code anymore. This is a demonstration...
deraadt [Fri, 9 Oct 2015 17:07:21 +0000 (17:07 +0000)]
remove NFS spool support; it stands in the way of pledge(2)
bluhm [Fri, 9 Oct 2015 17:07:06 +0000 (17:07 +0000)]
Add tests for syslogd TLS accept and receive encrypted messages.
bluhm [Fri, 9 Oct 2015 16:58:25 +0000 (16:58 +0000)]
If syslogd is started with -S, it accepts TLS connections to receive
encrypted messages. The server certificates are taken from /etc/ssl
like relayd does.
OK benno@ beck@ deraadt@
sunil [Fri, 9 Oct 2015 16:47:14 +0000 (16:47 +0000)]
Convert fgetln(3) to getline(3).
Ok eric@ todd@ gilles@
bluhm [Fri, 9 Oct 2015 16:44:55 +0000 (16:44 +0000)]
A fork(2) is used in ttymsg() to delay the message to a tty if it
blocks. Fix the potential syslogd's death, add "proc" to pledge.
OK deraadt@
deraadt [Fri, 9 Oct 2015 16:29:17 +0000 (16:29 +0000)]
catch up to tame() -> pledge() rename
tedu [Fri, 9 Oct 2015 16:26:03 +0000 (16:26 +0000)]
pare down the readme so as to not imply we are tracking upstream.
nor do we much care about running this on dec ultrix anymore, etc...
ok deraadt
gilles [Fri, 9 Oct 2015 15:09:09 +0000 (15:09 +0000)]
if an error occurs during offline enqueuing after we've dropped group, then
attempt to ftruncate() the fp back to 0.
suggested and ok millert@, ok eric@
gilles [Fri, 9 Oct 2015 14:37:38 +0000 (14:37 +0000)]
turn our local enqueuer setgid _smtpq and restrict access to offline queue,
the enqueuer will revoke group and regain real gid right after mkstemp.
this would have prevented the symlink/hardlink attacks against offline, and
it will avoid having to deal with new ways users can mess with it.
ok eric@, ok millert@
kettenis [Fri, 9 Oct 2015 13:22:54 +0000 (13:22 +0000)]
Remove evil hack. I've never seen the printf fire, and xenocara no longer
contains any code that can manipulate the affected register directly.
ok jsg@
deraadt [Fri, 9 Oct 2015 12:20:18 +0000 (12:20 +0000)]
this cpp operates file using pledge "stdio rpath wpath cpath"
bluhm [Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)]
Tame syslogd privsep child with "stdio rpath unix inet recvfd".
With and OK deraadt@
deraadt [Fri, 9 Oct 2015 11:47:30 +0000 (11:47 +0000)]
oops, snuck into a syscalls sync; spotted by sthen
semarie [Fri, 9 Oct 2015 11:42:54 +0000 (11:42 +0000)]
regress pledge
add missing $OpenBSD$ header
semarie [Fri, 9 Oct 2015 11:38:39 +0000 (11:38 +0000)]
regress pledge: remove 'regenerate' target
semarie [Fri, 9 Oct 2015 11:38:05 +0000 (11:38 +0000)]
add "tty" regress for pledge
jmc [Fri, 9 Oct 2015 10:13:48 +0000 (10:13 +0000)]
correct Xr; from theo buehler
gilles [Fri, 9 Oct 2015 09:56:28 +0000 (09:56 +0000)]
if enhanced status class is not set, enhanced status code is never dumped
in disk envelope.
deraadt [Fri, 9 Oct 2015 07:54:28 +0000 (07:54 +0000)]
All commands seem to work fine with pledge "stdio" after the connect(),
direct source and symbol table inspection suggests it is good. The same
principle will likely apply to most of our network daemon *ctl programs,
since many are derived from ospfd. Still, each needs testing.
discussion about network daemons and ctl's has been mostly with renato
deraadt [Fri, 9 Oct 2015 07:39:56 +0000 (07:39 +0000)]
another tame(2), spotted by jmc
lum [Fri, 9 Oct 2015 07:27:56 +0000 (07:27 +0000)]
Fix line number bug when calling onlywind().
semarie [Fri, 9 Oct 2015 06:50:01 +0000 (06:50 +0000)]
hook pledge
semarie [Fri, 9 Oct 2015 06:44:13 +0000 (06:44 +0000)]
follow tame->pledge in regress
deraadt [Fri, 9 Oct 2015 06:10:57 +0000 (06:10 +0000)]
do not use weak; plus this dies next week
deraadt [Fri, 9 Oct 2015 05:55:58 +0000 (05:55 +0000)]
another stray )
deraadt [Fri, 9 Oct 2015 05:30:03 +0000 (05:30 +0000)]
shortcircuit TIOCGETA to directly return ENOTTY for non-ttys. It could
be called against a non-tty fd, so as to test "is this a tty". Discovered
by sthen and rob pierce at the same time.
deraadt [Fri, 9 Oct 2015 04:38:54 +0000 (04:38 +0000)]
oops, typo spotted in temporary .c file, by semarie
deraadt [Fri, 9 Oct 2015 04:13:34 +0000 (04:13 +0000)]
fix a gotcha in the connect refactoring, that could result in dropping
through and trying to bind failed v6 connects.
ok guenther
deraadt [Fri, 9 Oct 2015 03:54:53 +0000 (03:54 +0000)]
the ntp engine can run with "stdio inet proc". For many reasons,
including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine. That would increase accuracy and security.
Lots of conversations with reyk and bcook
deraadt [Fri, 9 Oct 2015 03:50:40 +0000 (03:50 +0000)]
Once the constraint engine process is running, it only needs
"stdio inet". It took weeks to get to this point...
deraadt [Fri, 9 Oct 2015 02:44:22 +0000 (02:44 +0000)]
stardate 93370.16: a whitespace appears to have entered our quadrant...
deraadt [Fri, 9 Oct 2015 02:36:46 +0000 (02:36 +0000)]
multicast test backwards; noted by renato
deraadt [Fri, 9 Oct 2015 01:46:27 +0000 (01:46 +0000)]
sync
deraadt [Fri, 9 Oct 2015 01:37:06 +0000 (01:37 +0000)]
Change all tame callers to namechange to pledge(2).
deraadt [Fri, 9 Oct 2015 01:26:40 +0000 (01:26 +0000)]
tame -> pledge.
deraadt [Fri, 9 Oct 2015 01:24:57 +0000 (01:24 +0000)]
tame -> pledge conversion, in libc. I should crank libc, but am cheating
hoping things go well. The old symbol is faked via a stupid stub function,
until next major crank when it can be removed. I am expecting guenther
to scream at me.
deraadt [Fri, 9 Oct 2015 01:17:18 +0000 (01:17 +0000)]
Rename tame() to pledge(). This fairly interface has evolved to be more
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
deraadt [Fri, 9 Oct 2015 01:11:12 +0000 (01:11 +0000)]
sync
deraadt [Fri, 9 Oct 2015 01:10:27 +0000 (01:10 +0000)]
Rename tame() to pledge(). This fairly interface has evolved to be more
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
yasuoka [Thu, 8 Oct 2015 22:41:12 +0000 (22:41 +0000)]
After replacement alloca() with alloc(), out-of-heap happened when booting
on a large block size (32K) partition. Increase the HEAP_LIMIT from
0x90000 to 0xA0000.
try this, deraadt
guenther [Thu, 8 Oct 2015 20:13:45 +0000 (20:13 +0000)]
If getaddrinfo() succeeds, then don't try look ups with other flags, even
if the connect()s failed. In concert with some resolver fixes in libc,
this lets ntpd be tame()ed
problem isolated by theo, who had fun untangling the libc and libtls
behaviors to place blame for not being able to tame ntpd
ok beck@ deraadt@ jsing@
deraadt [Thu, 8 Oct 2015 17:29:43 +0000 (17:29 +0000)]
Expose a small set of multicast join operators under the request "mcast".
This will be used by a few daemons. If they lack this feature, then
they would need to operate without tame.
Discussed with renato
tedu [Thu, 8 Oct 2015 16:45:50 +0000 (16:45 +0000)]
add some tame calls. we may need a bunch of permissions to create files
and manipulate the tty for readpassphrase, but once we've parsed options
and have some idea of what's going to happen next, we can reduce down
quite a bit more. particular use case of "signify | patch" is limited to
feeding garbage to patch.
tedu [Thu, 8 Oct 2015 16:41:26 +0000 (16:41 +0000)]
stop trying to gift history files to the original owner. instead, don't
open history files that don't belong to us. probably much safer.
ok deraadt
kettenis [Thu, 8 Oct 2015 15:58:38 +0000 (15:58 +0000)]
Lock the page queues by turning uvm_lock_pageq() and uvm_unlock_pageq() into
mtx_enter() and mtx_leave() operations. Not 100% this won't blow up but
there is only one way to find out, and we need this to make progress on
further unlocking uvm.
prodded by deraadt@
tedu [Thu, 8 Oct 2015 15:54:59 +0000 (15:54 +0000)]
little cleanup from Michael McConville, mostly related to stale comments.
krw [Thu, 8 Oct 2015 14:50:38 +0000 (14:50 +0000)]
Refactor fileprefix() and filecopy() to use warn() instead of err()
to display error message, and to return error indications (NULL and
-1 respectively). Use the error indications in write_efisystem()
to unwind in the face of more error conditions. In other cases just
exit(1) to emulation current behaviour.
ok deraadt@
deraadt [Thu, 8 Oct 2015 14:49:27 +0000 (14:49 +0000)]
tame "stdio rpath wpath cpath proc exec". make is a shell, and appears
to only need these operations. Take note that "exec" is a 2-day old
tame request, so do get a new kernel before you update or risk getting
trapped.
tedu [Thu, 8 Oct 2015 14:46:05 +0000 (14:46 +0000)]
16 years after E801 memprobe was disabled, probably safe to delete it.
ok deraadt jung kettenis ratchov
visa [Thu, 8 Oct 2015 14:24:32 +0000 (14:24 +0000)]
Remove the sc_soft_req_cnt field because the number of tx requests is
already tracked in sc_sendq. Replace the sc_flush logic with a simple
Fetch-and-Add store that avoids an unnecessary IOBDMA transaction.
ok uebayasi@
jmc [Thu, 8 Oct 2015 14:09:34 +0000 (14:09 +0000)]
tweak previous;
eric [Thu, 8 Oct 2015 14:08:44 +0000 (14:08 +0000)]
fix conditionals
ok deraadt@
deraadt [Thu, 8 Oct 2015 14:02:09 +0000 (14:02 +0000)]
portmap's main process can be tame "stdio rpath inet proc"; proc is
for the callit interface needing to fork, and parent needing to wait.
that child can drop to "stdio rpath inet".
It is possible some libc/rpc codepath has not yet been figured out, but
commiting it is the best way to get it tested. Tested what I could myself,
but noone answered my call for testing...
mikeb [Thu, 8 Oct 2015 13:58:07 +0000 (13:58 +0000)]
Make sure that when trunk_port_ioctl is called to set a new
lladdr the trunk port is already on the list.
OK mpi
deraadt [Thu, 8 Oct 2015 13:55:56 +0000 (13:55 +0000)]
Handle case where no hint is passed in. Found as a crash of fdm by jturner@
deraadt [Thu, 8 Oct 2015 13:25:04 +0000 (13:25 +0000)]
setsockopt has a small list of options it can set. If we find ourselves
only in TAME_UNIX, stop trying after servicing SOL_SOCKET.
discussion with claudio
deraadt [Thu, 8 Oct 2015 13:21:06 +0000 (13:21 +0000)]
Only in TAME_ROUTE, allow ioctl SIOCGIFADDR/SIOCGIFFLAGS/SIOCGIFRDOMAIN,
because many routing daemon processes with this attribute need to fetch
that information to work.
discussed with claudio and renato
deraadt [Thu, 8 Oct 2015 13:17:06 +0000 (13:17 +0000)]
the -P flag overwrites files, so it needs tame "stdio rpath wpath cpath".
the remaining code paths can use tame "stdio rpath cpath". One again,
the "cpath" request says a path-based system call will be used to
"change" filesystem pathname layout, for instance any of O_CREAT, symlink,
rename, unlink...
krw [Thu, 8 Oct 2015 12:54:30 +0000 (12:54 +0000)]
Simpify some code by noting that DOSBBSECTOR is 0, so "if (n >
n+DOSBBSSECTOR) ..." is pointless, as is "n = n + DOSBBSECTOR;".
dlg [Thu, 8 Oct 2015 11:39:59 +0000 (11:39 +0000)]
if the mbuf has a valid flowid, use it instead of using siphash24
and a bunch of header fields we have to parse the mbuf for.
siphash24 is about 20% of the cost of sending a udp packet on a
trunk interface with tcpbench on my box. if there's a flowid set
we get all that back.
ok mpi@ mikeb@ sthen@
dlg [Thu, 8 Oct 2015 11:36:51 +0000 (11:36 +0000)]
use the state id to set a flowid on an mbuf.
ok mpi@ mikeb@ sthen@
dlg [Thu, 8 Oct 2015 11:36:15 +0000 (11:36 +0000)]
steal some padding in mbuf pkthdrs to store a flow id.
the flowid roughly identifies a flow or connection that the mbuf
is a part of, and can be used instead of hashing contents of the
packet (like src+dst mac and ip addresses) to decide which path a
packet should take.
ok mpi@ mikeb@ sthen@
mpi [Thu, 8 Oct 2015 11:12:43 +0000 (11:12 +0000)]
Local route entries are always UP now, missed in previous.
kettenis [Thu, 8 Oct 2015 10:25:24 +0000 (10:25 +0000)]
Implement set_pages_array_wb() and set_pages_array_wc() for powerpc. Since
powerpc doesn't actually implement write-combining fall back to uncached
mappings.
ok mpi@, jsg@
kettenis [Thu, 8 Oct 2015 10:20:14 +0000 (10:20 +0000)]
Add a per-page flag to indicate that all mappings of that page should be
uncached. To be used in the drm code.
ok mpi@
semarie [Thu, 8 Oct 2015 10:09:09 +0000 (10:09 +0000)]
allow a test to manage itself the tame(2) call.
mpi [Thu, 8 Oct 2015 09:51:00 +0000 (09:51 +0000)]
Unlock the softnet task.
ok dlg@, kettenis@
jsg [Thu, 8 Oct 2015 09:40:32 +0000 (09:40 +0000)]
fix an fd leak if socket connection fails; from Carlin Bingham
ok reyk@
jsg [Thu, 8 Oct 2015 09:32:13 +0000 (09:32 +0000)]
fix a typo; from Carlin Bingham
kettenis [Thu, 8 Oct 2015 09:21:26 +0000 (09:21 +0000)]
Call em_start() when we detect a link state change such that packets start
flowing again even if the send queue is currently full. Restores the fix
made by makeb@ in rev 1.263 which was lost in making the tx completion path
mpsafe.
ok mikeb@
mpi [Thu, 8 Oct 2015 08:41:58 +0000 (08:41 +0000)]
Use the radix API directly and get rid of the function pointers. There
is no point in keeping an unused level of abstraction.
ok mikeb@, claudio@
sthen [Thu, 8 Oct 2015 08:29:21 +0000 (08:29 +0000)]
add comment, suggested by reyk
sthen [Thu, 8 Oct 2015 08:17:30 +0000 (08:17 +0000)]
Link the result of each mps_getbulkreq() to the end of the previous list
and not the start of it. Fixes getbulk requests for multiple OIDs.
From Gerhard Roth, ok blambert@
sthen [Thu, 8 Oct 2015 07:26:34 +0000 (07:26 +0000)]
use correct return value for IP-MIB::ipForwarding, tweak/ok uebayasi@
jmc [Thu, 8 Oct 2015 07:22:02 +0000 (07:22 +0000)]
trailing whitespace;
deraadt [Thu, 8 Oct 2015 04:39:24 +0000 (04:39 +0000)]
Try again. Both -R and -p prevent use of tame, but other cases can use it.
deraadt [Thu, 8 Oct 2015 03:00:46 +0000 (03:00 +0000)]
sync
beck [Thu, 8 Oct 2015 02:42:58 +0000 (02:42 +0000)]
Rip the guts out of another gibbering horror of a time comparison function, and
mark it as #ifndef LIBRESSL_INTERNAL at least we don't use this.
ok jsing@
beck [Thu, 8 Oct 2015 02:29:11 +0000 (02:29 +0000)]
revert previous accidental commit
beck [Thu, 8 Oct 2015 02:26:31 +0000 (02:26 +0000)]
Spelling in comment
deraadt [Thu, 8 Oct 2015 00:07:20 +0000 (00:07 +0000)]
ah, fchflags. We will come back to this issue later
beck [Wed, 7 Oct 2015 23:33:38 +0000 (23:33 +0000)]
Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer certificate
validity times for tls connections.
ok jsing@
beck [Wed, 7 Oct 2015 23:25:45 +0000 (23:25 +0000)]
Allow us to get cipher and version even if there is not a peer certificate.
ok doug@
deraadt [Wed, 7 Oct 2015 20:26:16 +0000 (20:26 +0000)]
In theory, bgpd should be happy with tame "stdio unix route recvfd".
Let's hear from people's experiences by commiting it.
deraadt [Wed, 7 Oct 2015 20:25:40 +0000 (20:25 +0000)]
use new tame "route" feature when possible
deraadt [Wed, 7 Oct 2015 20:25:22 +0000 (20:25 +0000)]
use fatal() instead of err(); from benno
deraadt [Wed, 7 Oct 2015 19:52:54 +0000 (19:52 +0000)]
Split out routing sysctl's from tame "inet", and put them into the
new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddr()'s, since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato
millert [Wed, 7 Oct 2015 19:25:42 +0000 (19:25 +0000)]
Use getline(3) rather than fgetln(3). OK gilles@
deraadt [Wed, 7 Oct 2015 18:29:35 +0000 (18:29 +0000)]
one simple free, ok mpi
another not so simple free, repaired by mpi
krw [Wed, 7 Oct 2015 18:02:06 +0000 (18:02 +0000)]
Add initial support for UEFI/GPT installs to install script. Original
diff from rpe@.
ok deraadt@ yasuoka@
deraadt [Wed, 7 Oct 2015 18:00:06 +0000 (18:00 +0000)]
use tame "stdio rpath tty", for ttyname(). from Rob Pierce, who chose to
do this using ktrace step by step. not the method i recommend, because
it requires 100% coverage via feature tests. better to read the code and
understand everything being called, then make decisions.
jmc [Wed, 7 Oct 2015 17:52:38 +0000 (17:52 +0000)]
"..." implies optional, so no need for []; from michael reed
semarie [Wed, 7 Oct 2015 17:27:35 +0000 (17:27 +0000)]
from previous commit: "ioctl" is used for grab ttyname(0)
with a function's name like that "tty" should be a better request (more strict)
pointed by and ok deraadt@
millert [Wed, 7 Oct 2015 16:53:00 +0000 (16:53 +0000)]
Be explicit that the user is responsible for freeing the line buffer
and show this in the example.
semarie [Wed, 7 Oct 2015 16:11:40 +0000 (16:11 +0000)]
enable tame(2) in who(1).
some refactor to grab ttyname(0) early and use it later.
gradually drop tame requests when no more needed.
"ioctl" is used for grab ttyname(0)
"rpath" is for -T and -u flag, that used stat(2) to get terminal status
initial patch from deraadt with help from guenther
ok deraadt@