| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
ed(4) and ep(4) have been removed. fxp(4) remains popular in older
systems, but isn't as future proof as em(4).
Reviewed by: bz, jhb
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D20311
Notes:
svn path=/head/; revision=347963
|
| |
|
|
|
|
|
|
| |
X-Found-With: r343112
MFC after: 1 month
Notes:
svn path=/head/; revision=343164
|
| |
|
|
|
|
|
|
|
|
|
|
| |
while processing not entirely correct jail.conf(5) file
having something like "ip4.addr = 127.0.0.1;" and no "ip4 = ...;"
so extrap variable stays NULL.
Reported by: marck
MFC after: 1 month
Notes:
svn path=/head/; revision=343112
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.
The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).
As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.
Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.
Submitted by: Shawn Webb <lattera at gmail.com>
Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes: yes
Sponsored by: HardenedBSD and G2, Inc
Differential Revision: https://reviews.freebsd.org/D18319
Notes:
svn path=/head/; revision=341084
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
a list of configured non-wildcard jails with their parameters,
no matter running or not.
The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.
MFC after: 1 month
Notes:
svn path=/head/; revision=340319
|
| |
|
|
|
|
|
|
| |
Reported by: maxim
Approved by: re (gjb)
Notes:
svn path=/head/; revision=339420
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
can see the dmesg buffer (this is the current behavior). When false (the
new default), dmesg will be unavailable to jailed users, whether root or
not.
The security.bsd.unprivileged_read_msgbuf sysctl still works as before,
controlling system-wide whether non-root users can see the buffer.
PR: 211580
Submitted by: bz
Approved by: re@ (kib@)
MFC after: 3 days
Notes:
svn path=/head/; revision=339409
|
| |
|
|
|
|
|
|
|
|
|
|
| |
However, for post-install configuration, bsdinstall
is not of much use. Point the user to bsdconfig instead.
Reviewed by: 0mp, bcr
Approved by: 0mp, bcr
Differential Revision: https://reviews.freebsd.org/D16751
Notes:
svn path=/head/; revision=338110
|
| |
|
|
|
|
|
|
|
| |
userspace jail(8) is redundant.
Differential Revision: D14791
Notes:
svn path=/head/; revision=337919
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
init-only parameters.
Compare string parameter values with strncmp, not memcmp.
PR: 230487
Reported by: Jason Mader
MFC after: 3 days
Notes:
svn path=/head/; revision=337867
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
created and before exec.start is called. [1]
- Bump __FreeBSD_version.
This allows to attach ZFS datasets and various other things to be
done before any command/service/rc-script is started in the new
jail.
PR: 228066 [1]
Reviewed by: jamie [1]
Submitted by: Stefan Grönke <stefan@gronke.net> [1]
Differential Revision: https://reviews.freebsd.org/D15330 [1]
Notes:
svn path=/head/; revision=337863
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new sysctl(8) knob "security.jail.vmm_allowed",
by default this option is disable.
Submitted by: Shawn Webb <shawn.webb____hardenedbsd.org>
Reviewed by: jamie@ and myself.
Relnotes: Yes.
Sponsored by: HardenedBSD and G2, Inc.
Differential Revision: https://reviews.freebsd.org/D16057
Notes:
svn path=/head/; revision=337023
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It allows locking or unlocking physical pages in memory within a jail
This allows running elasticsearch with "bootstrap.memory_lock" inside a jail
Reviewed by: jamie@
Differential Revision: https://reviews.freebsd.org/D16342
Notes:
svn path=/head/; revision=336868
|
| |
|
|
|
|
|
|
|
|
| |
Reviewed by: jamie
MFC after: 2 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16371
Notes:
svn path=/head/; revision=336565
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
by doing most of the work in a new function prison_add_vfs in kern_jail.c
Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and
the rest is taken care of. This includes adding a jail parameter like
allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed.
Both of these used to be a static list of known filesystems, with
predefined permission bits.
Reviewed by: kib
Differential Revision: D14681
Notes:
svn path=/head/; revision=333263
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
No functional change intended.
Notes:
svn path=/head/; revision=326276
|
| |
|
|
| |
Notes:
svn path=/head/; revision=325664
|
| |
|
|
|
|
|
| |
Sponsored by: Dell EMC Isilon
Notes:
svn path=/head/; revision=325188
|
| |
|
|
|
|
|
|
| |
Submitted by: Steve Kargl
MFC after: 3 days
Notes:
svn path=/head/; revision=324732
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
You may now optionally specify allow.noreserved_ports to prevent root
inside a jail from using privileged ports (less than 1024)
PR: 217728
Submitted by: Matt Miller <mattm916@pulsar.neomailbox.ch>
Reviewed by: jamie, cem, smh
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10202
Notes:
svn path=/head/; revision=319611
|
| |
|
|
|
|
|
|
|
|
| |
but do it right this time.
Reported by: Kyle Evans <Kyle Evans>
MFC after: 3 days
Notes:
svn path=/head/; revision=316023
|
| |
|
|
|
|
|
|
|
| |
PR: 218154
Submitted by: Masahiro Konishi <mkonishi@sea.plala.or.jp>
MFC after: 3 days
Notes:
svn path=/head/; revision=316022
|
| |
|
|
|
|
|
|
| |
Reported by: clang static analyzer
MFC after: 2 weeks
Notes:
svn path=/head/; revision=310614
|
| |
|
|
|
|
|
|
|
|
| |
the config file's order in the non-parallel-start case.
PR: 209112
MFC after: 3 days
Notes:
svn path=/head/; revision=302856
|
| |
|
|
|
|
|
| |
Submitted by: Jimmy Olgeni
Notes:
svn path=/head/; revision=298888
|
| |
|
|
|
|
|
| |
No functional change.
Notes:
svn path=/head/; revision=298886
|
| |
|
|
|
|
|
| |
and how this affects the "jail_list" option in rc.conf.
Notes:
svn path=/head/; revision=298863
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysvmsg, sysvsem, and sysvshm, with the following bahavior:
inherit: allow full access to the IPC primitives. This is the same as
the current setup with allow.sysvipc is on. Jails and the base system
can see (and moduly) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).
disable: all no access, same as the current setup with allow.sysvipc off.
new: A jail may see use the IPC objects that it has created. It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value. The parent jail (or base system) can
see the jail's IPC objects, but not its keys.
PR: 48471
Submitted by: based on work by kikuchan98@gmail.com
MFC after: 5 days
Notes:
svn path=/head/; revision=298585
|
| |
|
|
|
|
|
|
|
| |
linux.* parameters when linux emulation is loaded.
MFC after: 5 days
Notes:
svn path=/head/; revision=298584
|
| |
|
|
|
|
|
|
| |
PR: 208663
MFC after: 3 days
Notes:
svn path=/head/; revision=298562
|
| |\
| |
| |
| |
| |
| |
| | |
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/release-pkg/; revision=296318
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=295989
|
| |\|
| |
| |
| |
| |
| |
| | |
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/release-pkg/; revision=295639
|
| | |
| |
| |
| |
| |
| |
| | |
by a domain squatter.
Notes:
svn path=/head/; revision=295468
|
| |/
|
|
|
|
|
| |
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/release-pkg/; revision=294447
|
| |
|
|
|
|
|
|
|
|
|
| |
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.
PR: 205926
MFC after: 5 days
Notes:
svn path=/head/; revision=294196
|
| |
|
|
| |
Notes:
svn path=/head/; revision=294183
|
| |
|
|
|
|
|
|
|
|
|
| |
Unfortunately filemon/meta mode tracks all indirect dependencies here
since ld(1) is reading libelf when linking in libkvm. Churn would be
reduced if this was able to be limited to direct dependencies.
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=291558
|
| |
|
|
|
|
|
|
|
|
| |
arc lint is helpful
Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337
Notes:
svn path=/head/; revision=289677
|
| |
|
|
|
|
|
|
|
|
| |
PR: 201752
Reviewed by: bcr
MFC after: 3 days
Sponsored by: Essen FreeBSD Hackathon
Notes:
svn path=/head/; revision=285869
|
| |
|
|
|
|
|
|
|
|
|
| |
linprocfs(5).
Differential Revision: D2846
Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com>
Reviewed by: jamie
Notes:
svn path=/head/; revision=285685
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
jail.conf parameters. This flag disallows redefinition of the parameter.
"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions. However,
one could override them by using a variable with the same name like
$name = "foo". This confused the parser and could end up with SIGSEGV.
Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf. Specifically,
"jail -c name=j1 name=j2" no longer works. This should be harmless.
PR: 196574
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3017
Notes:
svn path=/head/; revision=285279
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in jail.conf. The following did not work correctly:
A="A_${B}_C_${D}"
B="BBBBB"
D="DDDD_${E}_FFFFF"
E="EEEEE"
PR: 189139
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3018
Notes:
svn path=/head/; revision=285261
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
Notes:
svn path=/head/; revision=284345
|
| | |
| |
| |
| | |
Notes:
svn path=/projects/bmake/; revision=284172
|
| | |\
| |/
|/|
| | |
Notes:
svn path=/projects/bmake/; revision=283595
|
| | |\
| | |
| | |
| | | |
Notes:
svn path=/projects/bmake/; revision=274683
|
| | |\ \
| | | |
| | | |
| | | | |
Notes:
svn path=/projects/bmake/; revision=270164
|
| | | | |
| | | |
| | | |
| | | | |
Notes:
svn path=/projects/bmake/; revision=266219
|
| | | | |
| | | |
| | | |
| | | | |
Notes:
svn path=/projects/bmake/; revision=265802
|
