in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
As promised, drop the option to make the older GNU patch
the default.
GNU patch is still being built but something drastic may
happen to it to it before Release.
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.
Approved by: delphij (mentor)
MFC after: 3 days
Sponsored by: DK Hostmaster A/S
address alignment of mappings.
- MAP_ALIGNED(n) requests a mapping aligned on a boundary of (1 << n).
Requests for n >= number of bits in a pointer or less than the size of
a page fail with EINVAL. This matches the API provided by NetBSD.
- MAP_ALIGNED_SUPER is a special case of MAP_ALIGNED. It can be used
to optimize the chances of using large pages. By default it will align
the mapping on a large page boundary (the system is free to choose any
large page size to align to that seems best for the mapping request).
However, if the object being mapped is already using large pages, then
it will align the virtual mapping to match the existing large pages in
the object instead.
- Internally, VMFS_ALIGNED_SPACE is now renamed to VMFS_SUPER_SPACE, and
VMFS_ALIGNED_SPACE(n) is repurposed for specifying a specific alignment.
MAP_ALIGNED(n) maps to using VMFS_ALIGNED_SPACE(n), while
MAP_ALIGNED_SUPER maps to VMFS_SUPER_SPACE.
- mmap() of a device object now uses VMFS_OPTIMAL_SPACE rather than
explicitly using VMFS_SUPER_SPACE. All device objects are forced to
use a specific color on creation, so VMFS_OPTIMAL_SPACE is effectively
equivalent.
Reviewed by: alc
MFC after: 1 month
This is the gsoc-2011 project to clean up and backport multibyte support
from other nvi forks in a form we can use.
USE_WIDECHAR is on unless building for the rescue crunchgen. This should
allow editing in the native locale encoding.
USE_ICONV depends on make.conf having 'WITH_ICONV=YES' for now. This
adds the ability to do things like edit a KOI8-R file while having $LANG
set to (say) en_US.UTF-8. iconv is used to transcode the characters for
display.
Other points:
* It uses gencat and catopen/etc instead of homegrown msg catalog stuff.
* A lot of stuff has been trimmed out, eg: the perl and tcl bindings which
we could never use in base anyway.
* It uses ncursesw when in widechar mode. This could be interesting.
GSoC info: http://www.google-melange.com/gsoc/proposal/review/google/gsoc2011/zy/1
Repo at: https://github.com/lichray/nvi2
Obtained from: Zhihao Yuan <lichray@gmail.com>
Formerly, a command like find dir1/dir2 -delete would delete everything
under dir1/dir2 but not dir1/dir2 itself.
When -L is not specified and "." can be opened, the fts(3) code underlying
find(1) is careful to avoid following symlinks or being dropped in different
locations by moving the directory fts is currently traversing. If a
problematic concurrent modification is detected, fts will not enter the
directory or abort. Files found in the search are returned via the current
working directory and a pathname not containing a slash.
For paranoia, find(1) verifies this when -delete is used. However, it is too
paranoid about the root of the traversal. It is already assumed that the
initial pathname does not refer to directories or symlinks that might be
replaced by untrusted users; otherwise, the whole traversal would be unsafe.
Therefore, it is not necessary to do the check for fts_level ==
FTS_ROOTLEVEL.
Deleting the pathnames given as arguments can be prevented without error
messages using -mindepth 1 or by changing directory and passing "." as
argument to find. This works in the old as well as the new version of find.
Tested by: Kurt Lidl
Reviewed by: jhb
components: apr-1.4.6 -> 1.4.8 and apr-util-1.4.1 -> 1.5.2.
This is a post point-zero bug-fix / fix-sharp-edges release, including
some workarounds for UTF-8 for people who haven't yet turned on WITH_ICONV.
The BSD-licensed patch(1) command has matured and it's behaviour
can be considered equivalent to the older version of GNU patch
in the tree.
The switch has been extensively tested [1] and only two ports
presented regressions, which have since been fixed.
For convenience a new WITH_GNU_PATCH option is available,
but it will likely be removed in the near future.
PR: 176313
Approved by: portmgr
structure is used, but they already have equal fields in the struct
newipsecstat, that was introduced with FAST_IPSEC and then was merged
together with old ipsecstat structure.
This fixes kernel stack overflow on some architectures after migration
ipsecstat to PCPU counters.
Reported by: Taku YAMAMOTO, Maciej Milewski
Properly handle input lines containing NUL characters such that pgets()
accurately fills the read buffer.
Callers of pgets() still mis-process the buffer contents if the read line
contains NUL characters, but this at least makes pgets() accurate.
Make it so that 'patch < FUBAR' and 'patch -i FUBAR' operate the same.
The former makes a copy of stdin, but was not accurately putting the
content of stdin into a temp file. This lead to the undercounting
the number of lines in hunks containing NUL characters when reading
from stdin. Thus resulting in "unexpected end of file in patch" errors.
- Reconnect with some minor modifications, in particular now selsocket()
internals are adapted to use sbintime units after recent'ish calloutng
switch.
In BSD, fgetln() available in libc but in Illumos the Solaris port had to
include it internally. It also seems to have caused problems [1].
Aid portability by using getline() instead.
Reference:
https://www.illumos.org/issues/3820 [1]
Submitted by: Johann 'Myrkraverk' Oskarsson <johann@myrkraverk.com>
Reviewed by: dds
MFC after: 2 weeks
This is actually a fully functional build except:
* All internal shared libraries are static linked to make sure there
is no interference with ports (and to reduce build time).
* It does not have the python/perl/etc plugin or API support.
* By default, it installs as "svnlite" rather than "svn".
* If WITH_SVN added in make.conf, you get "svn".
* If WITHOUT_SVNLITE is in make.conf, this is completely disabled.
To be absolutely clear, this is not intended for any use other than
checking out freebsd source and committing, like we once did with cvs.
It should be usable for small scale local repositories that don't
need the python/perl plugin architecture.
This checks that every node that has children specifies their register sizes.
This is not enabled by default, as the default sizes are sometimes required
(including by some DTS in the tree), but can help when writing new device
trees so that you can check that you actually meant the defaults.
Explicitly use GNU cpp for preprocessing.
Remove explicit debugging code.
Change some variable names to be less confusing.
Improve some comments.
Improve indentation.
PR: 162211
168785
MFC after: 2 weeks
to 999.99% CPU. It still won't be aligned if you have a multithreaded
process using more than 1000% CPU (e.g. idle process on an idle 12-way
system), but 100% is a common case.
Submitted by: Jeremy Chadwick (partial)
MFC after: 1 week
sockaddr_in6 structures. getnameinfo(3) does the same thing, but it is
also able to represent a scope zone id as described in the RFC 4007.
MFC after: 2 weeks
The option tells kdump to convert numeric UIDs and GIDs into user and
group names plus to convert times and dates into locallized versions.
This all needs opening various files at various occasions.
Make use of Capsicum to protect kdump(1), as it might be used to parse data
from untrusted sources:
- Sandbox kdump(1) using capability mode.
- Limit stdin descriptor (where opened file is moved to) to only
CAP_READ and CAP_FSTAT rights.
- Limit stdout descriptor to only CAP_WRITE, CAP_FSTAT and CAP_IOCTL.
Plus limit allowed ioctls to TIOCGETA only, which is needed for
isatty() to work.
- Limit stderr descriptor to only CAP_WRITE and CAP_FSTAT. In addition
if the -s option is not given, grant CAP_IOCTL right, but allow for
TIOCGWINSZ ioctl only, as we need screen width to dump the data.
- Before entering capability mode call catopen("libc", NL_CAT_LOCALE),
which opens message catalogs and caches data, so that strerror(3)
and strsignal(3) can work in a sandbox.
Sponsored by: The FreeBSD Foundation
Discussed with: rwatson
Rearrange the code so we don't call ioctl(TIOCGWINSZ) if the -s option is given,
as the result won't be used then.
Sponsored by: The FreeBSD Foundation
fclose() being skipped. Fix this by using boolean "&" and "|" instead of
short-cut operators "&&" and "||".
While here, increment the last part of the version string. The reason is
the fixed output file selection logic in pch.c, which was committed as
r250943, yesterday.
Reviewed by: pfg
Instead of using the file with the least order of path name components,
shortest filename and finally the shortest basename (with the search
stopping as soon as one of these conditions is true), the first filename
checked was used as the reference, and another filename was only selected
if all of the above comparisons are in favour of the latter file.
This was wrong, because filenames with path less components were only
considered, if both of the other conditions were true as well. In fact,
the first filename to be checked had good chances to be selected in the
end, since it only needed to be better with regard to any one of the
three criteria ...
Reviewed by: delphij@freebsd.org
Alexander Botero-Lowry
Born June 2, 1986 in Austin, Texas
Died August 24, 2012 in San Francisco, California
Thank you for your contributions, you will be
greatly missed.
kernel-based POSIX semaphore descriptors to userland via procstat(1) and
fstat(1):
- Change sem file descriptors to track the pathname they are associated
with and add a ksem_info() method to copy the path out to a
caller-supplied buffer.
- Use the fo_stat() method of shared memory objects and ksem_info() to
export the path, mode, and value of a semaphore via struct kinfo_file.
- Add a struct semstat to the libprocstat(3) interface along with a
procstat_get_sem_info() to export the mode and value of a semaphore.
- Teach fstat about semaphores and to display their path, mode, and value.
MFC after: 2 weeks
Alexander de nieuwe koning. Koningsdag is op 27 April.
On 30 April 2013 queen Beatrix resigned and crownprince Willem
Alexander became the new king. King's day is on 27 April.
MFC after: 1 week
- use const where appropriate
- use static where appropriate
- use explicit checks checks for error conditions
Reviewed by: sbruno
Approved by: cperciva (mentor)
Obtained by: DragonFlyBSD
info from a process core file.
So now one can run procstat(1) on a process core e.g. to get a list of
files opened by a process when it crashed:
root@lisa:/ # procstat -f /root/vi.core
PID COMM FD T V FLAGS REF OFFSET PRO NAME
658 vi text v r r-------- - - - /usr/bin/vi
658 vi ctty v c rw------- - - - /dev/pts/0
658 vi cwd v d r-------- - - - /root
658 vi root v d r-------- - - - /
658 vi 0 v c rw------- 11 3208 - /dev/pts/0
658 vi 1 v c rw------- 11 3208 - /dev/pts/0
658 vi 2 v c rw------- 11 3208 - /dev/pts/0
658 vi 3 v r r----n-l- 1 0 - /tmp/vi.0AYKz3Lps7
658 vi 4 v r rw------- 1 0 - /var/tmp/vi.recover/vi.GaGYsz
658 vi 5 v r rw------- 1 0 - -
PR: kern/173723
Suggested by: jhb
MFC after: 1 month
This compiler flag enforces that that people either mark variables
static or use an external declarations for the variable, similar to how
-Wmissing-prototypes works for functions.
Due to the fact that Yacc/Lex generate code that cannot trivially be
changed to not warn because of this (lots of yy* variables), add a
NO_WMISSING_VARIABLE_DECLARATIONS that can be used to turn off this
specific compiler warning.
Announced on: toolchain@
