[llvm][AddressSanitizer] option for applying AddressSanitizer to specific address spaces (#167770)
For some backends, e.g., BPF, it is desirable to only sanitize memory
belonging to specific address spaces. More specifically, it is sometimes
desirable to only apply address sanitization for arena memory belonging
to address space 1. However, AddressSanitizer currently does not support
selectively sanitizing address spaces. Add a new option to select which
address spaces to apply AddressSanitizer to.
No functional change for existing targets (namely AMD GPU) that hardcode
which address spaces to sanitize.
rc.subr: Support setting the audit user when starting services
When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)
Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.
Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.
[5 lines not shown]
rc.subr: Remove misguided cpuset usage
When running an rc command, if the target rc script defines
<command>_cmd, e.g., start_cmd=..., then run_rc_command() executes
that instead of $command. In general it's a shell function, and
"cpuset -l <n> <shell function>" doesn't work.
Moreover, it doesn't really make sense to run cpuset for anything other
than start_cmd.
Other optional isolation mechanisms (e.g., <name>_fib,
<name>_chroot) are only used when invoking $command directly as part of
the "start" command. Make <name>_cpuset consistent with everything else
by removing these extraneous cpuset invocations.
Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53746
kevent: Hold the knlist mutex when invoking f_event(NOTE_FORK)
In general f_event is supposed to be called with the knlist mutex held,
so lock it earlier to follow this protocol. Also make sure that the
update to kn_fflags is synchronized.
Lock the kqueue itself earlier in the case where the knote is activated,
to avoid locking and unlocking the kqueue twice.
PR: 291005
Reported by: Qiu-ji Chen <chenqiuji666 at gmail.com>
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53762
rc.subr: Try to make svjc option handling a bit easier to read
Specifically, make this code fit in fewer columns:
- deindent cases to conform to the usual style,
- use a local variable to minimize duplication in each case.
No functional change intended.
Reviewed by: 0mp, netchild
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D53754
setaudit: Add an update mode
By default, setaudit(8) overwrites the whole audit session state. For
the purpose of overwriting only a single field, e.g., the audit user,
this is inconvenient. Add -U to accommodate this case: when specified,
setaudit(8) will first fetch the current session state block and then
will only overwrite those fields specified on the command line.
Reviewed by: csjp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53672
[flang][NFC] Strip trailing whitespace from tests (6 of N)
Only the fortran source files in flang/test/Lower/PowerPC and some in
flang/test/Lower have been modified. The other files in the directory
will be cleaned up in subsequent commits.
[ASan] Make most tests run under internal shell on Darwin
This patch fixes most of the ASan tests that were failing on Darwin when
running under the internal shell. There are still a couple left that
are more interesting cases that I'll do in a follow-up patch. The
tests that still need to be done:
```
TestCases/Darwin/duplicate_os_log_reports.cpp
TestCases/Darwin/dyld_insert_libraries_reexec.cpp
TestCases/Darwin/interface_symbols_darwin.cpp
```
Reviewers: thetruestblue, fhahn, vitalybuka, DanBlackwell, ndrewh
Reviewed By: DanBlackwell
Pull Request: https://github.com/llvm/llvm-project/pull/168545
NAS-138584 / 26.04 / Unify Docker registry mirrors handling (#17577)
Unify Docker registry mirrors handling by consolidating secure and
insecure mirrors into a single 'registry_mirrors' field across models
and database schema.
---
Docker has 2 lists for the registry mirrors.
`registry-mirrors` where it can contain both insecure and secure
mirrors.
This is the list that queries **IN DEFINED ORDER**.
`insecure-registries` where you list the registries that docker can
expect failures on TLS or are plain http.
Given the following mirrors:
- https://my.public.secure.mirror
- http://my.local.insecure.mirror
[20 lines not shown]
16891 fix unused label and drop -Wno-unused-label
Reviewed by: Andy Fiddaman <illumos at fiddaman.net>
Reviewed by: Dan McDonald <danmcd at edgecast.io>
Approved by: Gordon Ross <gordon.w.ross at gmail.com>
Clarify error message about user homedir path
This commit clarifies the error message we generate when a user
tries to create a local account with a public key while their
home directory is set to /var/empty.
dns/aardvark-dns: add new port
Authoritative DNS server for A/AAAA container records. Forwards other
requests to the host's /etc/resolv.conf. It's mostly intended to be used
with netavark, which launches it automatically if both are installed.
Sponsored by: tipi.work
[clang][BPF] Turn on AddressSanitizer pass (#167766)
The BPF LLVM target currently doesn't support turning on the
AddressSanitizer pass, either for userspace ASAN or KASAN. Enable the
KASAN option for the BPF target in anticipation of a KASAN
implementation for BPF.
[llvm][AddressSanitizer][BPF] add default shadow mapping offset for BPF target (#167768)
The AddressSanitizer transform does not have a default offset registered
for the shadow map. Set the default shadow map offset for BPF to be
dynamically set by the KASAN implementation.
[llvm][AddressSanitizer] option for specifying the address space of the shadow map (#167772)
The AddressSanitizer transform currently defaults to placing the shadow
map in address space 0, but it is desirable for some targets (namely
BPF) to select a different address space for the map. Add a compilation
option for specifying the address space of the target.