fdafd315 | 24-Nov-2023 | Warner Losh <imp@FreeBSD.org>

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix
685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
0fe74ae6 | 26-Dec-2020 | Jamie Gritton <jamie@FreeBSD.org>

jail: Consistently handle the pr_allow bitmask

Return a boolean (i.e. 0 or 1) from prison_allow, instead of the flag value itself, which is what sysctl expects.

Add prison_set_allow(), which can set or clear a permission bit, and propagates cleared bits down to child jails.

Use prison_allow() and prison_set_allow() in the various jail.allow.* sysctls, and others that depend on those permissions.

Add locking around checking both pr_allow and pr_enforce_statfs in prison_priv_check().
f488d5b7 | 18-Nov-2020 | Mariusz Zaborski <oshogbo@FreeBSD.org>

Add CTLFLAG_MPSAFE to the suser_enabled sysctl.

Pointed out by: mjg
05e1e482 | 18-Nov-2020 | Mariusz Zaborski <oshogbo@FreeBSD.org>

jail: introduce per jail suser_enabled setting

The suser_enable sysctl allows removing privileged rights from uid 0. This change introduces a per-jail setting which allows making root a normal user.

Reviewed by: jamie
Previous version reviewed by: kevans, emaste, markj, me_igalic.co
Discussed with: pjd
Differential Revision: https://reviews.freebsd.org/D27128
21fe9441 | 18-Nov-2020 | Mariusz Zaborski <oshogbo@FreeBSD.org>

Fix style nits.
a459a6cf | 25-Aug-2020 | Mateusz Guzik <mjg@FreeBSD.org>

vfs: respect PRIV_VFS_LOOKUP in vaccess_smr

Reported by: novel
95275911 | 30-Jul-2020 | Mateusz Guzik <mjg@FreeBSD.org>

Further depessimize priv_check_cred_vfs_generation
63619b6d | 04-Jun-2020 | Kyle Evans <kevans@FreeBSD.org>

vfs: add restrictions to read(2) of a directory [2/2]

This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy.

Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz

It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users.

PR: 246412
Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by: rgrimes (latest version)
Differential Revision: https://reviews.freebsd.org/D24596
7b2ff0dc | 13-Feb-2020 | Mateusz Guzik <mjg@FreeBSD.org>

Partially decompose priv_check by adding priv_check_cred_vfs_generation

During buildkernel there are very frequent calls to priv_check and they all are for PRIV_VFS_GENERATION (coming from stat/fstat). This results in branching on several potential privileges checking if perhaps that's the one which has to be evaluated.

Instead of the kitchen-sink approach provide a way to have commonly used privs directly evaluated.
8bdcfb10 | 13-Feb-2020 | Mateusz Guzik <mjg@FreeBSD.org>

Annotate suser_enabled as __read_mostly

It is read a lot in priv code.
3e0178fb | 19-Dec-2018 | Mateusz Guzik <mjg@FreeBSD.org>

Check for probes enabled in priv_check_cred before evaluating the error.

Sponsored by: The FreeBSD Foundation
cc426dd3 | 11-Dec-2018 | Mateusz Guzik <mjg@FreeBSD.org>

Remove unused argument to priv_check_cred.

Patch mostly generated with coccinelle:

@@
expression E1,E2;
@@

- priv_check_cred(E1,E2,0)
+ priv_check_cred(E1,E2)

Sponsored by: The FreeBSD Foundation
b3079544 | 27-Nov-2018 | Jamie Gritton <jamie@FreeBSD.org>

In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.

In part, this is needed to create jails in which the Address Sanitizer (ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address space. Instead of having to allow unprivileged process debugging for the entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the jail(8) param is allow.unprivileged_proc_debug.

The sysctl code is now a sysctl proc rather than a sysctl int. This allows us to determine setting the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to take into account pr_allow flags which may now be disabled in prison0. This prevents conflicts with new pr_allow flags (like that of vmm(4)) that are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow flags between the parent and child jail. This can happen when unprivileged process debugging is disabled in the parent prison, but enabled in the child.

Submitted by: Shawn Webb <lattera at gmail.com>
Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes: yes
Sponsored by: HardenedBSD and G2, Inc
Differential Revision: https://reviews.freebsd.org/D18319
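The pr_allow semantics that this commit (a child may hold certain flags its parent has cleared) and the 26-Dec-2020 "Consistently handle the pr_allow bitmask" commit near the top of this log (prison_allow() returns 0/1, prison_set_allow() pushes cleared bits down to child jails) describe, as an added user-space model. This is example code written for this page, not FreeBSD's kern_jail.c: the PR_ALLOW_* values, the PR_ALLOW_DIFFERENCES mask, the fixed fan-out prison tree and the demo_prison() builder are assumptions made for the example, and the kernel's locking is left out.

```c
/*
 * Added example, not FreeBSD's kern_jail.c: a user-space model of the
 * pr_allow bitmask handling.  Flag values, the fixed fan-out prison tree
 * and the DIFFERENCES mask are assumptions; the kernel's locking is omitted.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed pr_allow bits; the real PR_ALLOW_* values live in sys/jail.h. */
#define PR_ALLOW_SET_HOSTNAME	0x01
#define PR_ALLOW_RAW_SOCKETS	0x02
#define PR_ALLOW_READ_MSGBUF	0x04
#define PR_ALLOW_UNPRIV_DEBUG	0x08
#define PR_ALLOW_ALL		0x0f
/* Flags a child may hold set even when its parent has them cleared. */
#define PR_ALLOW_DIFFERENCES	PR_ALLOW_UNPRIV_DEBUG
#define MAXCHILDREN		4

struct prison {
	const char *pr_name;
	unsigned pr_allow;
	struct prison *pr_parent;
	struct prison *pr_children[MAXCHILDREN];
	int pr_nchildren;
};

/* Boolean 0/1, not the raw bit value: what an integer sysctl reports. */
int
prison_allow(const struct prison *pr, unsigned flag)
{
	return ((pr->pr_allow & flag) != 0);
}

/*
 * Set or clear one permission.  A clear is pushed down to every descendant,
 * so a child never keeps a permission its parent lost.  A set is refused
 * while the parent lacks the bit, unless the bit may legitimately differ
 * between parent and child.  Returns 0 or an errno.
 */
int
prison_set_allow(struct prison *pr, unsigned flag, int enable)
{
	int i;

	if (enable) {
		if (pr->pr_parent != NULL && !prison_allow(pr->pr_parent, flag) &&
		    (flag & PR_ALLOW_DIFFERENCES) == 0)
			return (EPERM);
		pr->pr_allow |= flag;
		return (0);
	}
	pr->pr_allow &= ~flag;
	for (i = 0; i < pr->pr_nchildren; i++)
		prison_set_allow(pr->pr_children[i], flag, 0);
	return (0);
}

/* Constructed tree: prison0 -> a -> a.b, and prison0 -> c; all bits set. */
static struct prison demo[4];

static void
link_child(struct prison *parent, struct prison *child)
{
	child->pr_parent = parent;
	parent->pr_children[parent->pr_nchildren++] = child;
}

/* Look a prison up by name, building the tree on first use. */
struct prison *
demo_prison(const char *name)
{
	static const char *names[4] = { "prison0", "a", "a.b", "c" };
	int i;

	if (demo[0].pr_name == NULL) {
		for (i = 0; i < 4; i++) {
			demo[i].pr_name = names[i];
			demo[i].pr_allow = PR_ALLOW_ALL;
		}
		link_child(&demo[0], &demo[1]);
		link_child(&demo[1], &demo[2]);
		link_child(&demo[0], &demo[3]);
	}
	for (i = 0; i < 4; i++)
		if (strcmp(demo[i].pr_name, name) == 0)
			return (&demo[i]);
	return (NULL);
}

int
main(void)
{
	/* Clearing on "a" reaches "a.b" but not its sibling "c". */
	prison_set_allow(demo_prison("a"), PR_ALLOW_RAW_SOCKETS, 0);
	printf("a.b=%d c=%d re-enable on a.b=%d\n",
	    prison_allow(demo_prison("a.b"), PR_ALLOW_RAW_SOCKETS),
	    prison_allow(demo_prison("c"), PR_ALLOW_RAW_SOCKETS),
	    prison_set_allow(demo_prison("a.b"), PR_ALLOW_RAW_SOCKETS, 1));
	return (0);
}
```

Propagation is one-way in this model: re-enabling a bit on "a" does not restore it on "a.b", and the only bit "a.b" may turn back on while "a" lacks it is the one in PR_ALLOW_DIFFERENCES. That is the reason a sysctl handler should go through prison_set_allow() rather than writing pr_allow directly.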
b19d66fd | 17-Oct-2018 | Jamie Gritton <jamie@FreeBSD.org>

Add a new jail permission, allow.read_msgbuf. When true, jailed processes can see the dmesg buffer (this is the current behavior). When false (the new default), dmesg will be unavailable to jailed users, whether root or not. The security.bsd.unprivileged_read_msgbuf sysctl still works as before, controlling system-wide whether non-root users can see the buffer.

PR: 211580
Submitted by: bz
Approved by: re@ (kib@)
MFC after: 3 days
8a36da99 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>

sys/kern: adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.
af3b2549 | 27-Jun-2014 | Hans Petter Selasky <hselasky@FreeBSD.org>

Pull in r267961 and r267973 again. Fix for issues reported will follow.
37a107a4 | 27-Jun-2014 | Glen Barber <gjb@FreeBSD.org>

Revert r267961, r267973:

These changes prevent sysctl(8) from returning proper output, such as:
1) no output from sysctl(8)
2) erroneously returning ENOMEM with tools like truss(1) or uname(1)
   truss: can not get etype: Cannot allocate memory
3da1cf1e | 27-Jun-2014 | Hans Petter Selasky <hselasky@FreeBSD.org>

Extend the meaning of the CTLFLAG_TUN flag to automatically check if there is an environment variable which shall initialize the SYSCTL during early boot. This works for all SYSCTL types both statically and dynamically created ones, except for the SYSCTL NODE type and SYSCTLs which belong to VNETs. A new flag, CTLFLAG_NOFETCH, has been added to be used in the case a tunable sysctl has a custom initialisation function allowing the sysctl to still be marked as a tunable. The kernel SYSCTL API is mostly the same, with a few exceptions for some special operations like iterating children of a static/extern SYSCTL node. This operation should probably be made into a factored out common macro, since some device drivers use this. The reason for changing the SYSCTL API was the need for a SYSCTL parent OID pointer and not only the SYSCTL parent OID list pointer in order to quickly generate the sysctl path. The motivation behind this patch is to avoid parameter loading kludges inside the OFED driver subsystem. Instead of adding special code to the OFED driver subsystem to post-load tunables into dynamically created sysctls, we generalize this in the kernel.

Other changes:
- Corrected a possibly incorrect sysctl name from "hw.cbb.intr_mask" to "hw.pcic.intr_mask".
- Removed redundant TUNABLE statements throughout the kernel.
- Some minor code rewrites in connection to removing not needed TUNABLE statements.
- Added a missing SYSCTL_DECL().
- Wrapped two very long lines.
- Avoid malloc()/free() inside sysctl string handling, in case it is called to initialize a sysctl from a tunable, since malloc()/free() is not ready when sysctls from the sysctl dataset are registered.
- Bumped FreeBSD version to indicate SYSCTL API change.

MFC after: 2 weeks
Sponsored by: Mellanox Technologies
d9fae5ab | 26-Nov-2013 | Andriy Gapon <avg@FreeBSD.org>

dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE

In its stead use the Solaris / illumos approach of emulating '-' (dash) in probe names with '__' (two consecutive underscores).

Reviewed by: markj
MFC after: 3 weeks
54366c0b | 25-Nov-2013 | Attilio Rao <attilio@FreeBSD.org>

- For kernel compiled only with KDTRACE_HOOKS and not any lock debugging option, unbreak the lock tracing release semantics by embedding calls to LOCKSTAT_PROFILE_RELEASE_LOCK() directly in the inlined version of the releasing functions for mutex, rwlock and sxlock. Failing to do so skips the lockstat_probe_func invocation for unlocking.
- As part of the LOCKSTAT support is inlined in mutex operation, for kernel compiled without lock debugging options, potentially every consumer must be compiled including opt_kdtrace.h. Fix this by moving KDTRACE_HOOKS into opt_global.h and remove the dependency on opt_kdtrace.h for all files, as now only KDTRACE_FRAMES is linked there and it is only used as a compile-time stub [0].

[0] immediately shows some new bug as DTRACE-derived support for debug in sfxge is broken and it was never really tested. As it was not including correctly opt_kdtrace.h before it was never enabled so it was kept broken for a while. Fix this by using a protection stub, leaving sfxge driver authors the responsibility for fixing it appropriately [1].

Sponsored by: EMC / Isilon storage division
Discussed with: rstone [0]
Reported by: rstone [1]
Discussed with: philip
1e7df843 | 05-Jul-2013 | Jamie Gritton <jamie@FreeBSD.org>

Make the comments a little more clear about PRIV_KMEM_*, explicitly referring to /dev/[k]mem and noting it's about opening the files rather than actually reading and writing.

Reviewed by: jmallett
c71e3362 | 05-Jul-2013 | Jamie Gritton <jamie@FreeBSD.org>

Add new privileges, PRIV_KMEM_READ and PRIV_KMEM_WRITE, used in opening /dev/kmem and /dev/mem (in addition to traditional file permission checks). PRIV_KMEM_READ is different from other PRIV_* checks in that it's allowed by default.

Reviewed by: kib, mckusick
9b9ff7d3 | 19-May-2013 | Pawel Jakub Dawidek <pjd@FreeBSD.org>

Style nits.
9b1040a5 | 19-May-2013 | Pawel Jakub Dawidek <pjd@FreeBSD.org>

Use SDT_PROBE1() instead of SDT_PROBE().
5eb0d283 | 18-Dec-2012 | Andrey Zonov <zont@FreeBSD.org>

- Add sysctl to allow unprivileged users to call mlock(2)-family system calls and turn it on.
- Do not allow calling them inside jail. [1]

Pointed out by: trasz [1]
Reviewed by: avg
Approved by: kib (mentor)
MFC after: 1 week
a7d5f7eb | 19-Oct-2010 | Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
79856499 | 22-Aug-2010 | Rui Paulo <rpaulo@FreeBSD.org>

Add an extra comment to the SDT probes definition. This allows us to use '-' in probe names, matching the probe names in Solaris. [1]

Add userland SDT probes definitions to sys/sdt.h.

Sponsored by: The FreeBSD Foundation
Discussed with: rwatson [1]
bcf11e8d | 05-Jun-2009 | Robert Watson <rwatson@FreeBSD.org>

Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.

Discussed with: pjd
73e416e3 | 03-Mar-2009 | Robert Watson <rwatson@FreeBSD.org>

Reduce the verbosity of SDT trace points for DTrace by defining several wrapper macros that allow trace points and arguments to be declared using a single macro rather than several. This means a lot less repetition and vertical space for each trace point. Use these macros when defining privilege and MAC Framework trace points.

Reviewed by: jb
MFC after: 1 week
6efcc2f2 | 26-Feb-2009 | Robert Watson <rwatson@FreeBSD.org>

Add static tracing for privilege checking:

priv:kernel:priv_check:priv_ok   fires for granted privileges
priv:kernel:priv_check:priv_err  fires for denied privileges

The first argument is the requested privilege number. The naming convention is a little different from the OpenSolaris equivalent because we can't have '-' in probefunc names, and our privilege namespace is different.

MFC after: 1 week
d7f03759 | 19-Oct-2008 | Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.
cecd8edb | 17-Sep-2008 | Attilio Rao <attilio@FreeBSD.org>

Remove the suser(9) interface from the kernel. It has been replaced for years by the priv_check(9) interface and just very few places are left. Note that compatibility stubs with older FreeBSD versions (all above the 8 limit though) are left in order to reduce diffs against old versions. It is the responsibility of the maintainers for any module, if they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped in a later commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to explain to me how the priv_check() works in detail and to review patches.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by: rwatson
b916b56b | 07-Mar-2008 | Robert Watson <rwatson@FreeBSD.org>

Add __FBSDID() tag.

MFC after: 3 days
Pointed out by: antoine
bc6eca24 | 02-Jul-2007 | Robert Watson <rwatson@FreeBSD.org>

Continue kernel privilege cleanup for 7.0: unstaticize suser_enabled and stop declaring it in systm.h -- it's used only in kern_priv.c and is not required elsewhere.

Approved by: re (kensmith)
7251b786 | 16-Jun-2007 | Robert Watson <rwatson@FreeBSD.org>

Rather than passing SUSER_RUID into priv_check_cred() to specify when a privilege is checked against the real uid rather than the effective uid, instead decide which uid to use in priv_check_cred() based on the privilege passed in. We use the real uid for PRIV_MAXFILES, PRIV_MAXPROC, and PRIV_PROC_LIMIT. Remove the definition of SUSER_RUID; there are now no flags defined for priv_check_cred().

Obtained from: TrustedBSD Project
32f9753c | 11-Jun-2007 | Robert Watson <rwatson@FreeBSD.org>

Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in some cases, move to priv_check() if it was an operation on a thread and no other flags were present. Eliminate caller-side jail exception checking (also now-unused); jail privilege exception code now goes solely in kern_jail.c.

We can't yet eliminate suser() due to some cases in the KAME code where a privilege check is performed and then used in many different deferred paths. Do, however, move those prototypes to priv.h.

Reviewed by: csjp
Obtained from: TrustedBSD Project
800c9408 | 06-Nov-2006 | Robert Watson <rwatson@FreeBSD.org>

Add a new priv(9) kernel interface for checking the availability of privilege for threads and credentials. Unlike the existing suser(9) interface, priv(9) exposes a named privilege identifier to the privilege checking code, allowing more complex policies regarding the granting of privilege to be expressed. Two interfaces are provided, replacing the existing suser(9) interface:

suser(td) -> priv_check(td, priv)
suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be found in priv.h. New privileges are easily added as required, but the comments on adding privileges found in priv.h and priv(9) should be read before doing so.

The new privilege interface exposed sufficient information to the privilege checking routine that it will now be possible for jail to determine whether a particular privilege is granted in the check routine, rather than relying on hints from the calling context via the SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail check function, prison_priv_check(), is exposed from kern_jail.c and used by the privilege check routine to determine if the privilege is permitted in jail. As a result, a centralized list of privileges permitted in jail is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both to deny privileges otherwise granted (mac_priv_check()), and to grant privileges otherwise denied (mac_priv_grant()), permitting MAC Policy modules to implement privilege models, as well as control a much broader range of system behavior in order to constrain processes running with root privilege.

The suser() and suser_cred() functions remain implemented, now in terms of priv_check() and the PRIV_ROOT privilege, for use during the transition and possibly continuing use by third party kernel modules that have not been updated.

The PRIV_DRIVER privilege exists to allow device drivers to check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it modifies the interface for privilege checks so changes to the security policy become more feasible.

Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
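The evaluation order this commit describes (a MAC policy may deny, jail policy restricts, the superuser policy grants on uid 0, a MAC policy may grant what is left), together with the 16-Jun-2007 real-uid rule for PRIV_MAXFILES, PRIV_MAXPROC and PRIV_PROC_LIMIT, the 26-Feb-2009 priv_ok/priv_err probes, the 05-Jul-2013 default-allowed PRIV_KMEM_READ and the 18-Nov-2020 per-jail suser_enabled switch, as an added user-space model. It is example code written for this page, not FreeBSD's kern_priv.c: the privilege numbers, the struct prison and struct ucred layouts, the set of privileges the model lets jailed root keep, the MAC hook function-pointer shape, the demo_grant policy and the priv_check_as() helper are all assumptions. The block has no main(); priv_check_as() is the entry point to call.

```c
/*
 * Added example, not FreeBSD's kern_priv.c: a user-space model of the priv(9)
 * decision order.  Privilege numbers, struct layouts, the jail allow-list and
 * the MAC hook shape are assumptions made for the example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

enum priv {
	PRIV_MAXFILES = 1,	/* decided on the real uid */
	PRIV_MAXPROC,		/* decided on the real uid */
	PRIV_PROC_LIMIT,	/* decided on the real uid */
	PRIV_KMEM_READ,		/* allowed by default */
	PRIV_JAIL_ATTACH	/* never granted to jailed root here */
};

struct prison {
	bool pr_jailed;		/* false only for prison0 */
	bool pr_suser_enabled;	/* per-jail superuser policy switch */
};

struct ucred {
	unsigned cr_uid, cr_ruid;	/* effective and real uid */
	struct prison *cr_prison;
};

/* Assumed MAC hook shape: 0 means "do not deny" (check) or "grant" (grant). */
typedef int (*mac_priv_hook_t)(const struct ucred *, int);
static mac_priv_hook_t mac_priv_check_hook, mac_priv_grant_hook;

/* Stand-ins for the priv:kernel:priv_check:priv_ok / priv_err probes. */
unsigned priv_ok_fired, priv_err_fired;

/* Jail policy: privileges jailed root may hold (assumed list). */
static int
prison_priv_check(const struct ucred *cred, int priv)
{
	if (!cred->cr_prison->pr_jailed)
		return (0);
	return (priv == PRIV_PROC_LIMIT || priv == PRIV_KMEM_READ ? 0 : EPERM);
}

int
priv_check_cred(const struct ucred *cred, int priv)
{
	int error = 0;
	bool use_ruid = priv == PRIV_MAXFILES || priv == PRIV_MAXPROC ||
	    priv == PRIV_PROC_LIMIT;

	/* 1. Policies that may deny unilaterally: MAC first, then jail. */
	if (mac_priv_check_hook != NULL &&
	    (error = mac_priv_check_hook(cred, priv)) != 0)
		goto out;
	if ((error = prison_priv_check(cred, priv)) != 0)
		goto out;
	/* 2. Superuser policy (uid 0), unless this jail has switched it off. */
	if (cred->cr_prison->pr_suser_enabled &&
	    (use_ruid ? cred->cr_ruid : cred->cr_uid) == 0)
		goto out;		/* granted: error is still 0 */
	/* 3. Privileges everyone holds by default. */
	if (priv == PRIV_KMEM_READ)
		goto out;
	/* 4. Last chance: a MAC policy may grant what was denied so far. */
	if (mac_priv_grant_hook != NULL && mac_priv_grant_hook(cred, priv) == 0)
		goto out;
	error = EPERM;
out:
	if (error == 0)
		priv_ok_fired++;
	else
		priv_err_fired++;
	return (error);
}

/* Constructed prisons, a demo MAC grant policy, and a one-call checker. */
struct prison prison0 = { false, true }, jail_suser = { true, true },
    jail_nosuser = { true, false };

int
demo_grant(const struct ucred *cred, int priv)	/* uid 1001 may attach */
{
	return (cred->cr_uid == 1001 && priv == PRIV_JAIL_ATTACH ? 0 : EPERM);
}

int
priv_check_as(unsigned uid, unsigned ruid, struct prison *pr, int priv,
    mac_priv_hook_t grant)
{
	struct ucred cred = { uid, ruid, pr };
	int error;

	mac_priv_grant_hook = grant;
	error = priv_check_cred(&cred, priv);
	mac_priv_grant_hook = NULL;
	return (error);
}
```

Two properties of the order are worth checking against the model: a jail denial in step 1 ends the check before any MAC grant is consulted, so a grant policy cannot hand jailed root PRIV_JAIL_ATTACH; and a set-uid process with euid 1001 and ruid 0 gets PRIV_MAXFILES (real uid) but not PRIV_JAIL_ATTACH (effective uid).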