| Commit message (Collapse) | Author | Age | Files | Lines |
ipfilter options are erased and reset to default when ipfilter is
disabled. This results in nullifying options from rc.conf that were
previously set.
8d6feaaaa26f, which added this code, was incorrect as it was for a bug in
ipfilter 4.2.28 and no longer applies to ipfilter 5.1.2.
Fixes: 8d6feaaaa26f
MFC after: 1 day
|
MFC after: 1 day
|
This rc script exists solely to create a file, so have it explicitly
require FILESYSTEMS. In its current form, it was as likely as not to
end up running before cleanvar, which would undo its work.
MFC after: 3 days
Fixes: 384d976725a5 ("rc.d: Add precious_machine rc.conf knob to create /var/run/noshutdown")
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D54119
|
Instead of having FILESYSTEMS require cleanvar, which doesn't really
make semantic sense, say that cleanvar needs to run before FILESYSTEMS.
MFC after: 3 days
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54118
|
This prevents dumping the memory layout of setugid processes.
MFC after: 3 days
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D54033
|
As a safety precaution df381bec2d2b limits ippool hash table size to 1K.
This causes any legitimately large hash table to fail to load. The
htable_size_max ipf tuneable adjusts this but the adjustment is made
in the ipfilter rc script, invoked after the ippool script (because it
depends on ippool). Let's load the ipfilter_optionlist in ippool as well.
ipfilter_optionlist load will also occur in the ipfilter rc script in case
the user uses ipfilter without ippool.
Fixes: df381bec2d2b
MFC after: 3 days
|
In arch_fix_auxv(), remove local variable shadowing the argument,
remove write-only variable, and declare the loop variable.
The wrong patch was committed after a series of local reverts and
re-applies.
Fixes: b2b3d2a962eb00005641546fbe672b95e5d0672a
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
|
Add guards against attempting to process a user data file with an empty
first line or contents.
PR: 290395
Reviewed by: bapt (earlier), dtxdf, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53239
|
No functional change intended.
Reviewed by: bapt, dtxdf, kevans
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53238
|
Tested by: Timothy Pearson (tpearson_raptorengineering.com)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53801
|
- s/outout/output/
MFC after: 3 days
|
- s/environnement/environment/
- s/interger/integer/
MFC after: 3 days
|
When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)
Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.
Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53747
|
When running an rc command, if the target rc script defines
<command>_cmd, e.g., start_cmd=..., then the run_rc_command() executes
that instead of $command. In general it's a shell function, and
"cpuset -l <n> <shell function>" doesn't work.
Moreover, it doesn't really make sense to run cpuset for anything other
than start_cmd.
Other optional isolation mechanisms (e.g., <name>_fib,
<name>_chroot) are only used when invoking $command directly as part of
the "start" command. Make <name>_cpuset consistent with everything else
by removing these extraneous cpuset invocations.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53746
|
Specifically, make this code fit in fewer columns:
- deindent cases to conform to the usual style,
- use a local variable to minimize duplication in each case.
No functional change intended.
Reviewed by: 0mp, netchild
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D53754
|
This updates the nuageinit man page by aligning mentions of the
cloud-config header line with the cloud-init documentation[0], removing
an unwanted "!" character.
[0] https://docs.cloud-init.io/en/latest/explanation/about-cloud-config.html#how-do-i-create-a-cloud-config-file
Signed-off-by: Jonathan Matthews <freebsd@hello.jonathanmatthews.com>
Differential Revision: https://reviews.freebsd.org/D53706
|
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: imp, markj, emaste
Differential Revision: https://reviews.freebsd.org/D53616
|
This periodic script only makes sense if mandoc is installed, so move
it to the mandoc package like other periodic scripts.
/usr/libexec/makewhatis.local only exists for the enjoyment of this
script, and doesn't work without mandoc installed, so move that as
well.
This change moves files between packages so, until we have a proper
policy on how to handle this in release/stable branches, it should
not be MFC'd.
MFC after: never
Reviewed by: ziaee, manu
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53609
|
Commit 9065390ddc7b moved atf to its own package, but mistakenly moved
the tests as well. Put the tests back into the test package.
Fixes: 9065390ddc7b ("packages: Remove the tests-dev package")
MFC after: 1 day
Reviewed by: emaste
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53594
|
Files read by '.' cannot work out for themselves where they are
or what they are called, so set dot_dir and dot_file to pass
this information to them.
Reviewed by: obrien, stevek
Differential Revision: https://reviews.freebsd.org/D53476
|
Instead of sleeping after pwait returns, use its new -p option to
obtain the list of processes that still have not terminated.
MFC after: 3 days
PR: 290357
Fixes: 5953e7c98427 ("rc.subr: Move the sleep in wait_for_pids")
Reviewed by: 0mp, markj
Differential Revision: https://reviews.freebsd.org/D53294
|
This reverts commit 2347ca21d657121670e6e7246c6ac32efc996cac.
A fix has been implemented in 99560fe98c76 ("pfctl: Do not warn if there
is no Ethernet anchor").
Revert this commit to avoid having differences with upstream.
MFC after: 2 days
|
This reverts commit 67ade69eb6079887215db1fde86eba2fb8e2acf7.
A fix has been implemented in a943a96a50ba ("libpfctl: Fix displaying
deeply nested anchors").
Revert this commit to avoid having differences with upstream.
|
The blocklist daemon depends on a packet filter in order to block.
Add all supported packet filters to the REQUIRE line, not just pf, to
indicate to rcorder(8) that it should start after the packet filter service
has started.
While here, change the mode of the rc file to include the executable
bit, just like the rest of the files in the rc.d source directory.
Reviewed by: 0mp
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53364
|
flua is a standalone third-party component that deserves its own
package. In particular, this means things can use flua without
having to depend on FreeBSD-utilities, which will be useful as
more base utilities use flua.
This saves ~500kB in FreeBSD-utilities for systems which don't
need flua.
MFC after: 3 days
Reviewed by: kevans
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53161
|
It has been reported as PR 290478. In the meantime, just sweep under
the carpet.
It is worth noting that neither commit:
2347ca21d657 ("blocklist-helper: Silence a bogus pf warning")
nor this one will be upstreamed, as this is a FreeBSD-specific issue.
PR: 290478
MFC after: 2 days
|
bfb202c4554a addresses the CTRL-EVENT-SCAN-FAILED. Upstream d807e289d
caused a FreeBSD regression in driver_bsd.c, which this rc.d patch
worked around. As of bfb202c4554a this workaround is no longer needed.
052211e08c0e implemented this change for wpa_supplicant but not for
hostapd.
Reported by: avg
MFC after: 3 days
|
Allow umask to be configurable.
Being able to set the umask via an rc variable is useful when setting:
security.bsd.unprivileged_read_msgbuf=0
As it allows a user to configure:
dmesg_umask="066"
Without modifying the rc script, and preventing the contents of the
$dmesg_file (/var/run/dmesg.boot) from being publicly readable.
PR: 272552
Reviewed by: netchild
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53169
|
Reviewed by: emaste
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53168
|
This more accurately reflects its purpose, and its contents, since
everything in the package is prefixed with "local-".
While here, add a message on upgrade about regenerating the config.
MFC after: 3 seconds
Requested by: des
Reviewed by: des
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53056
|
Silence a bogus warning about (an ethernet) anchor not being found.
It has been reported as PR 280516. In the meantime, just sweep under
the carpet.
Approved by: emaste (mentor)
MFC after: 2 days
|
Follow up upstream rename from blacklist to blocklist.
- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones
Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.
Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes
|
sndiod is part of audio/sndio, so we should avoid referencing a port
utility from base.
We should also require NETWORKING for the service to start, since
virtual_oss can be configured to send audio through the network.
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: des, markj, emaste
Differential Revision: https://reviews.freebsd.org/D53019
|
Reviewed by: des
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D52954
|
After commit 900bc0206348, zpool depends on mountcritlocal. zpoolreguid
and zpoolupgrade depend on zpool and want to run before mountcritcycle,
so we have a pair of cycles.
Update zpoolreguid and zpoolupgrade to avoid this.
Reviewed by: des
MFC after: 3 days
Fixes: 900bc0206348 ("rc.d/zpool: change mountcritlocal dep from BEFORE to REQUIRE")
Differential Revision: https://reviews.freebsd.org/D52953
|
Replace .if statements with CONFGROUPS.${MK_FOO} where possible,
and also sort and re-indent the file for readability.
A couple of more complicated sections don't work with CONFGROUPS.yes
yet, so leave those as they are for now.
MFC after: 1 week
Reviewed by: imp
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D52974
|
Disable if IPv6 is not supported, and instead of 10 seconds, default to
one more than the value of net.inet6.ip6.dad_count.
Fixes: 5ead817c3b7a ("rc: Teach netwait to wait for DAD")
Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D52905
|
Local tree pollution let this escape. *sigh*.
Pointy hat: kevans
Pointy hat: kevans
Pointy hat: kevans
Fixes: 9c7db0931d486ce ("flua: move lposix back into flua for now")
|
nuageinit largely already did this, but one spot was missed -- add the
necessary require() in to get the module loaded.
Fixes: b11a5709ec2b6 ("flua: kick out the remaining builtin modules")
|
The real luaposix is structured differently, and our builtin version
tends to model that in its own special way. Build it back in until we
get the shlib model just right to unbreak nuageinit, among other things.
This is a partial revert of the below-referenced commit; the other two
modules are simple, though, and were accurately split out.
Reported by: markj
Fixes: b11a5709ec2b6 ("flua: kick out the remaining builtin modules")
|
Bootstrap flua has some magic now to handle modules by building them in
and discovering them via linker sets. This is slightly cleaner than
always building them in and baking them into loadedlibs for both
bootstrap and system flua.
Adjust the stand build now that these three libs have their own new
homes.
Reviewed by: bapt, emaste
Differential Revision: https://reviews.freebsd.org/D51891
|
This version builds every module into the flua binary itself, since all
of the bootstrap tools are built -DNO_SHARED. As a result, we also
cannot dlsym(), so we can't really discover the names of our newly
builtin modules. Instead, just build out a linker set with all of our
luaopen_*() functions to register everything up-front.
Building in all of the modules isn't strictly necessary, but it means
that we have an example of how to add a bootstrap module everywhere you
go and one doesn't need to consider whether bootstrap flua can use a
module when writing scripts. On my build machine, the consequence on
our binary size is an increase from around 1.6M -> 1.9M, which isn't
really that bad.
.lua modules can install into their usual path below $WORLDTMP/legacy
and we'll pick them up automagically by way of the ctor that sets up
LUA_PATH early on.
This re-lands bootstrap module support with a more sensible subset, and
after having verified that it cross-builds fine on macOS and Linux -- we
cannot do libfreebsd on !FreeBSD because it's more system header
dependent. We also need to bootstrap libmd to bring in libhash, and
libucl + libyaml.
Reviewed by: bapt, emaste (both previous version)
Differential Revision: https://reviews.freebsd.org/D51890
|
This reverts commit 1953a12ee2cde1afacb3e3f7612d89695c96e04f, because it
cannot work at all on macOS without more work, at a minimum. We use
linker sets for module discovery, but we don't have a version of this
that works for mach-o at the moment.
|
This reverts commit 80ada959004c4386880e47b11618f8abfc2d80e1, because
bootstrap flua is about to get backed out.
|
This reverts commit 31320402472394af57eb3a36bee7f944117ca0ed, because
bootstrap flua is about to get backed out.
|
Other systems don't have jail support, and we won't be using it anyways.
|
Bootstrap flua has some magic now to handle modules by building them in
and discovering them via linker sets. This is slightly cleaner than
always building them in and baking them into loadedlibs for both
bootstrap and system flua.
Adjust the stand build now that these three libs have their own new
homes.
Reviewed by: bapt, emaste
Differential Revision: https://reviews.freebsd.org/D51891
|
This version builds every module into the flua binary itself, since all
of the bootstrap tools are built -DNO_SHARED. As a result, we also
cannot dlsym(), so we can't really discover the names of our newly
builtin modules. Instead, just build out a linker set with all of our
luaopen_*() functions to register everything up-front.
Building in all of the modules isn't strictly necessary, but it means
that we have an example of how to add a bootstrap module everywhere you
go and one doesn't need to consider whether bootstrap flua can use a
module when writing scripts. On my build machine, the consequence on
our binary size is an increase from around 1.6M -> 1.9M, which isn't
really that bad.
.lua modules can install into their usual path below $WORLDTMP/legacy
and we'll pick them up automagically by way of the ctor that sets up
LUA_PATH early on.
Reviewed by: bapt, emaste
Differential Revision: https://reviews.freebsd.org/D51890
|
This change simplifies integration of gdb python scripts with our kernel
debugging infrastructure. Rather than putting debugging scripts in
/usr/libexec/kgdb, move them to <path-to-kernel-debug-symbols>/gdb, and
add a kernel-gdb.py which automatically loads modules from that
directory. kernel-gdb.py will be automatically executed by kgdb when
loading kernel debug symbols (assuming a default configuration), so one
no longer needs to do anything to use these modules.
The change also adds a couple of new modules, vnet.py and pcpu.py, for
conveniently accessing VNET symbols and PCPU/DPCPU fields, respectively.
Note that these require a change to the kernel linker when accessing
symbols from a loadable kernel module.
sys/tools/gdb/README.txt describes the scheme in more detail and
provides some rudimentary documentation for the commands and functions
added by these modules. It should be updated when adding new features.
sys/tools/gdb/selftest.py can be used to do some primitive testing of
the modules. All it does is execute a number of gdb commands making use
of commands and functions added by these modules. The developer is
expected to verify that the commands complete without errors and that
the output looks sane.
Discussed with: kp, avg, jhb, glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50825
|