openbsd
jmc [Mon, 13 Aug 2018 05:54:13 +0000 (05:54 +0000)]
consistent macros;

djm [Mon, 13 Aug 2018 02:41:05 +0000 (02:41 +0000)]
revert compat.[ch] section of the following change. It causes
double-free under some circumstances.

--

date: 2018/07/31 03:07:24;  author: djm;  state: Exp;  lines: +33 -18;  commitid: f7g4UI8eeOXReTPh;
fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@

ccardenas [Sun, 12 Aug 2018 23:50:31 +0000 (23:50 +0000)]
Add administrative options to LACP trunk implementation.

The trunk driver now has a new ioctl (SIOCxTRUNKOPTS), which for now only
has options for LACP:
* Mode - Active or Passive (default Active)
* Timeout - Fast or Slow (default Slow)
* System Priority - 1(high) to 65535(low) (default 32768/0x8000)
* Port Priority - 1(high) to 65535(low) (default 32768/0x8000)
* IFQ Priority - 0 to NUM_QUEUES (default 6)

At the moment, ifconfig only has options for lacpmode and lacptimeout
plumbed as those are the immediate need.

The approach taken for the options was to make them on a "trunk" vs a
"port" as what's typically seen on various NOSes (JunOS, NXOS, etc...)
as it's uncommon for a host to have one link "Passive" and the other
"Active" in a given trunk.

Just like on a NOS, when applying lacpmode or lacptimeout, the settings
are immediately applied to all existing ports in the trunk and to all
future ports brought into the trunk.

Tested by many on a plethora of NIC drivers and switches.

Ok remi@

rob [Sun, 12 Aug 2018 22:04:09 +0000 (22:04 +0000)]
Change ber_write_elements() to return ssize_t instead of int.

ok claudio@

djm [Sun, 12 Aug 2018 20:19:13 +0000 (20:19 +0000)]
better diagnostics on alg list assembly errors; ok deraadt@ markus@

kettenis [Sun, 12 Aug 2018 19:05:37 +0000 (19:05 +0000)]
Drop reference to dmabuf "file" as fnew() returns one that has two
references.

ok visa@, deraadt@

stsp [Sun, 12 Aug 2018 18:33:55 +0000 (18:33 +0000)]
Make ifconfig's -joinlist command work as advertised.
ok deraadt phessler

kettenis [Sun, 12 Aug 2018 18:32:18 +0000 (18:32 +0000)]
Really overwrite the major of com(4) instead of the hardcoded 12.
Should have been part of the earlier commit that unified armv7 and arm64.

mortimer [Sun, 12 Aug 2018 17:15:10 +0000 (17:15 +0000)]
Add retguard macros for arm64 asm and apply them in the straightforward
cases in kernel and libc.
ok deraadt@

mortimer [Sun, 12 Aug 2018 17:07:00 +0000 (17:07 +0000)]
Add retguard for arm64.
ok deraadt@

mortimer [Sun, 12 Aug 2018 16:59:31 +0000 (16:59 +0000)]
Refactor retguard to make adding additional arches easier.

jmc [Sun, 12 Aug 2018 12:40:25 +0000 (12:40 +0000)]
add missing markup;

deraadt [Sun, 12 Aug 2018 02:55:45 +0000 (02:55 +0000)]
Heydar Aliyev, Baku, Azerbaijan is GYD, not BAK

deraadt [Sat, 11 Aug 2018 23:18:39 +0000 (23:18 +0000)]
sync

kettenis [Sat, 11 Aug 2018 22:47:27 +0000 (22:47 +0000)]
Make legacy interrupts work in more cases.

kettenis [Sat, 11 Aug 2018 20:46:48 +0000 (20:46 +0000)]
Use IORT table to map requester ID into MSI sideband data.

krw [Sat, 11 Aug 2018 18:37:21 +0000 (18:37 +0000)]
Nuke stray/pointless 'volatile' for local var.

beck [Sat, 11 Aug 2018 16:16:07 +0000 (16:16 +0000)]
Get rid of PLEDGE_STAT, which was a hack used for unveil.
We use UNVEIL_INSPECT instead in the unveil flags for the same
purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT
instead of with 0 flags and voodoo in unveil_flagmatch. This
allows us to uncontort the logic of unveil_flagmatch a bunch.
helpful review and ok from semarie@

cheloha [Sat, 11 Aug 2018 16:07:36 +0000 (16:07 +0000)]
Refactor the nearly identical benchmark loops into a single loop.

Move all of the benchmark code -- loop initialization, the loops, and
the report printing -- into a new function, benchmark().  Eliminates
lots of duplicate code.

Regressions to 1.20 caught by tb@ and inoguchi@.  Tweaked by tb@.

ok tb@, jsing@

kettenis [Sat, 11 Aug 2018 16:04:49 +0000 (16:04 +0000)]
Match "ARMH0011".

kettenis [Sat, 11 Aug 2018 16:02:33 +0000 (16:02 +0000)]
Make GICv3 redistributor support actually work and add ITS support.

deraadt [Sat, 11 Aug 2018 15:43:44 +0000 (15:43 +0000)]
don't need 61 keys anymore

kettenis [Sat, 11 Aug 2018 14:00:33 +0000 (14:00 +0000)]
Bump MAXCPUS from 8 to 24.

ok jsg@

kettenis [Sat, 11 Aug 2018 11:16:43 +0000 (11:16 +0000)]
Fix a couple of bugs in the ITS support code:

- Don't dereference sc_prop if we're not handling an LPI.  Fixes a crash
  on qemu when emulating a GICv3 without ITS (and therefore no LPIs).

- Use the true IPL when calculating the priority of an LPI.  The old
  code used a variable that still had the IPL_MPSAFE flag in it.

- Write to the right GITS_BASERn instead of always writing to GITS_BASER0.

- Flush the cache after initializing/modifying the in-memory tables.  The
  GICv3 on the SynQuacer isn't fully coherent and only supports the
  "non-shareable" attribute for its in-memory tables.  So we have to flush
  the cache to the point of coherency to guarantee that the GIC sees our
  changes to those tables.  Throw in a full memory barrier for good measure.

Also add support for the SynQuacer pre-ITS.

ok jsg@, patrick@

mestre [Sat, 11 Aug 2018 11:04:26 +0000 (11:04 +0000)]
actually s/unveil/pledge on err(3), I missed it on previous commit.

mestre [Sat, 11 Aug 2018 11:01:37 +0000 (11:01 +0000)]
the only fs access kdump(1) needs is to the tracefile which by default is
ktrace.out unless argument -f is used. We can just unveil(2) that file with read
permissions before the pledge(2) call.

OK deraadt@

mestre [Sat, 11 Aug 2018 11:00:34 +0000 (11:00 +0000)]
look(1) will access /usr/share/dict/words to look for the string we want, or it
may access another file instead if we mention it via argument. In order to know
which file to unveil(2) we need to push down pledge(2) a little bit after
getopt(3) and now that we know the name of the file we can unveil(2) it only
with read permissions.

OK deraadt@

mestre [Sat, 11 Aug 2018 10:59:34 +0000 (10:59 +0000)]
Just like in mesg(1) in biff(1) we just need to push down pledge(2) a little
bit to get the tty name. After this we can unveil(2) the tty with rw access in
order to stat(2)/chmod(2) it, once this is done we can put back the same
pledge(2) just right afterwards.

OK deraadt@

stsp [Sat, 11 Aug 2018 10:58:39 +0000 (10:58 +0000)]
Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@

mestre [Sat, 11 Aug 2018 10:58:39 +0000 (10:58 +0000)]
this one was my fault, when an error occurs on mesg(1) it must exit with error
values >1 since the return value 1 is used to indicate that messages have been
disallowed. while here also s/unveil/pledge on err(3).

OK tb@ kn@ deraadt@

kettenis [Sat, 11 Aug 2018 10:42:42 +0000 (10:42 +0000)]
Use MAXCPUS as the number of elements for the array of per-cpu data.

ok jsg@, patrick@

kettenis [Sat, 11 Aug 2018 10:41:08 +0000 (10:41 +0000)]
Use MAXCPUS as the number of elements for the array of per-cpu data.
Fixes machines with more than 8 cores.

ok jsg@, patrick@

benno [Sat, 11 Aug 2018 09:18:49 +0000 (09:18 +0000)]
Fix problems of the ifconfig argument parser with "ifconfig <if> join".
Due to the way the parsing works, you cannot have an option that
accepts strings as argument or no argument, without side effects: for
example "join <nwid>" could only join networks that did not have a
nwid identical to another ifconfig option, i.e. "join mtu" or "join
join" would not work.

Solve this by making join always require an nwid. Listing all the
configured nwids for auto-join is moved to the new option "joinlist".
Removing _all_ auto-join configuration is moved to "-joinlist".

deraadt@ likes it and ok phessler@ stsp@

rob [Sat, 11 Aug 2018 04:31:57 +0000 (04:31 +0000)]
Prevent server side overflow for message id in snmp header.

ok sthen@, tb@

schwarze [Fri, 10 Aug 2018 22:12:40 +0000 (22:12 +0000)]
handle the non-portable GNU-style \[charNN], \[charNNN] character
escape sequences, used for example in the groff_char(7) manual page

schwarze [Fri, 10 Aug 2018 20:40:43 +0000 (20:40 +0000)]
The groff man-ext macros define fonts CB, CI, and CR,
and some groff manual pages actually use them in .ft requests.
It's easy enough to handle these .ft requests in mandoc, too.

deraadt [Fri, 10 Aug 2018 20:27:18 +0000 (20:27 +0000)]
sync

deraadt [Fri, 10 Aug 2018 20:27:01 +0000 (20:27 +0000)]
crank to 6.4-beta

jsing [Fri, 10 Aug 2018 17:52:35 +0000 (17:52 +0000)]
Simplify server key exchange signature verification.

Everything can go through the EVP_Verify* code path.

ok inoguchi@ tb@

jsing [Fri, 10 Aug 2018 17:44:16 +0000 (17:44 +0000)]
Simplify server kex exchange signature generation.

Everything can go through the single EVP_Sign* code path.

ok inoguchi@ tb@

jsing [Fri, 10 Aug 2018 17:30:29 +0000 (17:30 +0000)]
Add glue to EVP_md5_sha1() so that it can be used with EVP_Sign* and
EVP_Verify*.

ok tb@

jsing [Fri, 10 Aug 2018 17:28:48 +0000 (17:28 +0000)]
Add missing include to X25519 synopsis.

deraadt [Fri, 10 Aug 2018 17:15:22 +0000 (17:15 +0000)]
In typical swiss-army style, various modes and options cause
different unveils.  Joint work with beck and florian.
Let us know if you hit any corner cases.

deraadt [Fri, 10 Aug 2018 17:03:26 +0000 (17:03 +0000)]
delete volatile intended to silence whiny old compilers around vfork.
This variable is only used in the parent context so there is no issue.
ok kettenis

jsing [Fri, 10 Aug 2018 16:43:54 +0000 (16:43 +0000)]
Bump boot loader versions for softraid passphrase handling change.

jsing [Fri, 10 Aug 2018 16:41:35 +0000 (16:41 +0000)]
Retry on incorrect passphrase for softraid crypto boot.

Historically, the softraid crypto support in the boot loaders has only
given one attempt to provide the correct passphrase. There were a
few reasons for this, including the fact that pkcs5_pbkdf2() allows an
empty passphrase and that returning EPERM allowed for another attempt.

With the event of KARL and the need for bsd.booted with hibernate resumption,
this becomes much more of an issue - if you get the passphrase wrong you
fail to resume. There are also other situations like using /etc/boot.conf
to switch serial console, but an incorrect passphrase results in the config
not being read. Also, bcrypt_pbkdf() does not permit empty passphrases.

This reworks the softraid crypto support in the boot loaders so that it
loops requesting a valid passphrase until one is provided, or an empty
passphrase is entered (at which point it will abort).

ok mortimer@ tb@

jsing [Fri, 10 Aug 2018 16:22:58 +0000 (16:22 +0000)]
Run the wycheproof ECDSA test vectors against libcrypto.

Skip the ecdsa_webcrypto_test.json vectors for the time being, as these
likely need some extra glue.

jsing [Fri, 10 Aug 2018 16:18:55 +0000 (16:18 +0000)]
Run the X25519 wycheproof test vectors against libcrypto.

jsing [Fri, 10 Aug 2018 16:14:40 +0000 (16:14 +0000)]
Rework regress so that it is easier to add additional test types.

jsing [Fri, 10 Aug 2018 16:12:19 +0000 (16:12 +0000)]
Use a table rather than a switch when converting strings to NIDs.

This will make it easier to extend.

jsing [Fri, 10 Aug 2018 15:58:16 +0000 (15:58 +0000)]
Add a regress test that checks file descriptor allocation across fork.

In particular, this checks the behaviour of kqueue fds being closed and
reallocated across a fork.

jsing [Fri, 10 Aug 2018 15:53:49 +0000 (15:53 +0000)]
Update fd_freefile when filtering/closing kqueue descriptors in fdcopy().

Prior to r1.153 of kern_descrip.c, the kqueue descriptors were removed
using fdremove(), which reset fd_freefile as appropriate. The new code
simply avoids adding the descriptor to the new table, however this means
that fd_freefile can be left with an incorrect value, resulting in a file
descriptor allocation "hole". Restore the previous behaviour by lowering
fd_freefile as appropriate when dropping descriptors.

Issue found via golang regress tests.

ok deraadt@ mpi@ visa@

claudio [Fri, 10 Aug 2018 11:15:53 +0000 (11:15 +0000)]
Another place where we should handle AS_SET better. aspath_lenmatch()
should count through AS_SET boundaries, in other words the path
1 2 3 { 4 3 5 } 3 3 7 has an as-seq count of 4, before it was just 2.
OK benno@

claudio [Fri, 10 Aug 2018 11:13:01 +0000 (11:13 +0000)]
Make the AS_SET handling for source-as even simpler. It is enough to only
extract the rightmost AS of a segment if the segment is not an AS_SET.
Then if we hit the final segment as will contain the last aggregator AS.
This fixes a possible issue with a path like 1 2 3 { 4 5 } { 6 7 } which
should match for source-as 3.
OK benno@

kn [Fri, 10 Aug 2018 09:54:06 +0000 (09:54 +0000)]
Zap bits in host_v4(), use mask parameter

This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.

While here, use the destination's size in memcpy instead of hardcoding its
type.

OK sashan

schwarze [Fri, 10 Aug 2018 04:41:21 +0000 (04:41 +0000)]
Implement the roff(7) .nop (no operation) request.
Examples of manual pages (ab)using it
include groff(7), chem(1), groff_mom(7), and groff_hdtbl(7).

dtucker [Fri, 10 Aug 2018 01:35:49 +0000 (01:35 +0000)]
The script that cooks up PuTTY format host keys does not understand
the new key format so convert back to old format to create the PuTTY
key and remove it once done.

djm [Fri, 10 Aug 2018 00:44:01 +0000 (00:44 +0000)]
improve

djm [Fri, 10 Aug 2018 00:42:29 +0000 (00:42 +0000)]
Describe pubkey format, prompted by bz#2853

While I'm here, describe and link to the remaining local PROTOCOL.*
docs that weren't already mentioned (PROTOCOL.key, PROTOCOL.krl and
PROTOCOL.mux)

djm [Fri, 10 Aug 2018 00:27:15 +0000 (00:27 +0000)]
fix numbering

claudio [Thu, 9 Aug 2018 21:12:33 +0000 (21:12 +0000)]
Improve handling of source-as when an AS_SET is rightmost. In that case
use the rightmost AS from the previous AS path segment. As suggested in
rfc6472. Also fix a long standing bug of AS 42 >< 4242 matching 43 - 4241
instead of 1-41 and 4243 and upwards. Last but not least pass the filter_as
struct to as_compare since that will make it easier to implement as-sets.
OK benno@, OK job@ on a previous version

schwarze [Thu, 9 Aug 2018 19:48:44 +0000 (19:48 +0000)]
Drop support for guessing an old-style class A, B, or C netmask from
a bare dot-notation IP address by counting trailing zero octets.
Instead, assume -host when neither -net nor -netmask nor -prefixlen is
given.  Error out when -net is requested but no netmask is specified.
This removes the last use of the IN_CLASS* macros from this program.
OK claudio@ kn@, and many agreed with the general direction during g2k18.

mestre [Thu, 9 Aug 2018 17:51:22 +0000 (17:51 +0000)]
The game is playable without the need to access any files therefore we can
effectively disable all fs access by dropping "rpath wpath cpath" from
pledge(2) right at the beginning of the program.

"looks right" tb@

schwarze [Thu, 9 Aug 2018 17:23:21 +0000 (17:23 +0000)]
If somebody asks "man 3 chmod",
don't respond with the lie: "No entry for chmod in the manual."
Instead, say "No entry for chmod in section 3 of the manual."
Came up after a question from kn@; OK kn@.

visa [Thu, 9 Aug 2018 15:02:45 +0000 (15:02 +0000)]
Remove redundant "kq == kn->kn_kq" checks. The lists kq_knhash and
kq_knlist are dedicated to a single kqueue instance, which makes
the filtering by kn_kq unnecessary.

OK kettenis@, mpi@

patrick [Thu, 9 Aug 2018 14:43:17 +0000 (14:43 +0000)]
Hook up the rasops text emulation functions so we only write out
the characters that changed, and only when they change.  This
replaces writing out the whole framebuffer every 100ms with a
partial update mechanism.  Now the system stays responsive and
does not slow down anymore due to the periodic update.

deraadt [Thu, 9 Aug 2018 14:30:28 +0000 (14:30 +0000)]
correct sizeof to use correct buffer, rather than another buffer (which
was the same size)

patrick [Thu, 9 Aug 2018 14:23:50 +0000 (14:23 +0000)]
Implement out-of-band interrupt support in the bwfm(4) SDIO backend.

patrick [Thu, 9 Aug 2018 13:53:30 +0000 (13:53 +0000)]
Make imxesdhc(4) pass per-function cookies to the SD/MMC bus.

ok kettenis@

patrick [Thu, 9 Aug 2018 13:52:36 +0000 (13:52 +0000)]
Allow passing per-function cookies through the SD/MMC bus to SDIO
devices.  This allows SDIO device drivers to read information from
the ACPI or FDT tables.

ok kettenis@

patrick [Thu, 9 Aug 2018 13:50:15 +0000 (13:50 +0000)]
Correct the bitmask that returns the function count.  We missed a bit
and thus only supported 4 functions instead of 8.

ok kettenis@

claudio [Thu, 9 Aug 2018 12:54:06 +0000 (12:54 +0000)]
While softreconfig is running set the poll timeout to 0 so that the
runner makes progress and does not get held back by poll sleeping at
the same time fds are still serviced first if they have data pending.

kettenis [Thu, 9 Aug 2018 12:25:38 +0000 (12:25 +0000)]
Synopsys DesignWare PCIe IP isn't 100% ECAM compliant.  It doesn't handle
type 0 configuration requests correctly which results in devices on bus 0
appearing multiple times.  Fix this by adding a quirk and match the
appropriate compatible string.

ok jsg@, patrick@

claudio [Thu, 9 Aug 2018 12:21:03 +0000 (12:21 +0000)]
Make two very internal functions static. They are used to merge an
AS_PATH with an AS4_PATH and are therefore fairly special.

patrick [Thu, 9 Aug 2018 12:19:32 +0000 (12:19 +0000)]
Define __HAVE_ACPI on arm64 and __HAVE_FDT on arm64, armv7 and octeon
so that we can include firmware-dependent code in generic drivers to be
able to extract metadata information like MAC addresses and out-of-band
interrupts from the ACPI/FDT tables.

ok kettenis@

nicm [Thu, 9 Aug 2018 09:54:22 +0000 (09:54 +0000)]
Whoops, didn't mean to commit this.

nicm [Thu, 9 Aug 2018 09:53:44 +0000 (09:53 +0000)]
Bump the UTF-8 character array up to 18 to allow for more combining
characters (some languages use up to five). This size doesn't make as
much difference now that UTF-8 goes into an extended cell. GitHub issue
1430.

kettenis [Thu, 9 Aug 2018 09:03:54 +0000 (09:03 +0000)]
regen

kettenis [Thu, 9 Aug 2018 09:03:12 +0000 (09:03 +0000)]
ASMedia ASM1184e PCIe switch.

akoshibe [Thu, 9 Aug 2018 03:35:19 +0000 (03:35 +0000)]
Currently, attempting to move an immovable lo(4) to a new rdomain will fail
with an EPERM, but the target rdomain will still be created.

Move the check for an lo(4)'s if_index/if_rdomain to before the creation of a
nonexisting target routing table.

ok benno@ claudio@ mpi@

jmatthew [Thu, 9 Aug 2018 01:41:48 +0000 (01:41 +0000)]
Remove the port id check entirely.  We don't do anything with the port
id after that, so it seems like a silly reason to reject a target.

ok dlg@ deraadt@

deraadt [Wed, 8 Aug 2018 22:59:33 +0000 (22:59 +0000)]
lockspool only plays with files in _PATH_MAILDIR, so unveil that path.

deraadt [Wed, 8 Aug 2018 22:57:12 +0000 (22:57 +0000)]
mestre and I can find no reason why the pledge has "unix".  Disable
that and start listening for failure reports.

deraadt [Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)]
ntpd unveils the cert.pem "r" file (which is passed-over-socket to the
constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.

deraadt [Wed, 8 Aug 2018 22:55:14 +0000 (22:55 +0000)]
pledge with "unveil" at the top, so that the various modes can unveil
the files they inspect a little later.

ratchov [Wed, 8 Aug 2018 22:31:43 +0000 (22:31 +0000)]
Use unveil(2) in the helper process to disallow access to other files
than the devices specified with -f and -q options.

ok deraadt@

kettenis [Wed, 8 Aug 2018 20:57:53 +0000 (20:57 +0000)]
Support DMA coherent devices that attach to mainbus(4) as well.

ok patrick@

kettenis [Wed, 8 Aug 2018 20:56:49 +0000 (20:56 +0000)]
Fix the ITLinesNumber mask and bump the number of supported redistributors
up to 24.

ok patrick@

mestre [Wed, 8 Aug 2018 20:15:17 +0000 (20:15 +0000)]
add unveil(2) to ctfconv(1)

Once we know what the input file is, usually /bsd.gdb, we can unveil it in read
mode. If we also define as argument an output file we can additionally unveil
that one with write/create permissions.

We don't need to care about calling unveil(NULL, NULL) since we can call
pledge(2) and reduce the permissions down the road depending on the code path.

"reads OK" jasper@, "put it in if works" mpi@
prodded by deraadt@

mestre [Wed, 8 Aug 2018 19:35:47 +0000 (19:35 +0000)]
add unveil(2) to mixerctl(1)

after we know what is the mixer device to be used, either through MIXERDEVICE
env var, the argument passed or by default /dev/mixer then we can unveil it in
read/write mode, then if opening fails we reduce unveil to only read mode.

Once open(2) succeeds then we can disable fs access by calling unveil(NULL, NULL)
since all further operations occur on fds.

A cleaner solution would be to just call pledge("audio") after open(2) but
currently the ioctls used are not whitelisted in pledge(2), ratchov@ will
investigate a better way to do this

OK ratchov@

rob [Wed, 8 Aug 2018 18:50:38 +0000 (18:50 +0000)]
Some unsigned long to unsigned int cleanup from recent ber (type) changes.

ok claudio@

deraadt [Wed, 8 Aug 2018 18:46:04 +0000 (18:46 +0000)]
Unveil the special files needed for reading AML tables, and the
directory for placement.  We can only protect the directory case,
since the file_prefix+sig+id case is too large to enumerate.

deraadt [Wed, 8 Aug 2018 18:32:51 +0000 (18:32 +0000)]
After authentication is complete, unveil login.conf "r" (to discover
login tweaks), and walk the path (which could be $PATH, or not) adding
an unveil "x" to each possible executable which could later
be tried by execvpe().
It would be great if we could do some unveil before authentication, but
I failed to determine all the possibilities.
Some problem reports by bluhm, tb, florian, and others during development
In snaps for about 3 weeks.
ok florian

tb [Wed, 8 Aug 2018 18:21:02 +0000 (18:21 +0000)]
typo: macro-generates wrappers -> macro-generated wrappers

deraadt [Wed, 8 Aug 2018 17:52:46 +0000 (17:52 +0000)]
An early pledge takes away many risk factors during spool opening/parsing.
This is worthwhile keeping, so add "unveil" to defer unveil(2) calls.
After various special cases are handled (including files which are anywhere
in the filesystem), unveil() to the specific file only.

deraadt [Wed, 8 Aug 2018 17:47:44 +0000 (17:47 +0000)]
In netproc process, unveil to only expose the CA file.
ok florian

florian [Wed, 8 Aug 2018 17:26:52 +0000 (17:26 +0000)]
ifconfig cannot be pledged because of its overwhelming amount of
used ioctls. Furthermore due to the way the command line parser is
written it is difficult to apply the traditional first initialize then
pledge pattern.

unveil(2) gives us a different approach:
By veiling everything with unveil("/", "") and then locking down
unveil with unveil(NULL, NULL) we remove all filesystem access from
ifconfig kind of like giving a regular user a chroot without any
files.

OK deraadt

deraadt [Wed, 8 Aug 2018 15:30:29 +0000 (15:30 +0000)]
tabs are ok at start of line, but internally space separation is the norm

deraadt [Wed, 8 Aug 2018 14:38:31 +0000 (14:38 +0000)]
unveil dev.db "r" for devname(), /dev "r", and in the non-sysctl case
some kernel memory/symbol files.

deraadt [Wed, 8 Aug 2018 14:35:38 +0000 (14:35 +0000)]
In the early pledge, add "unveil" to permit changes a little later on.
If kernel variables are being watched unveil /dev/mem, /dev/kmem, and
/dev/ksyms.  If testing AF_UNIX, unveil that path.  The next pledge
removes "unveil", then tcpbench is largely filesystem restricted.