Enforce root user group memberships.
The root user is allowed to be a member of builtin_administrators only.
(cherry picked from commit 429c8e8e7e1d26c6e4bf4f3b842732441b489911)
NAS-138776 / 26.04 / Enforce root user group memberships. (#17899)
The root user is allowed to be a member of builtin_administrators only.
This means:
- Cannot be removed from builtin_administrators
- Cannot be added to other groups
- Cannot (and should not) participate as a webshare user.
The positive side effect is that the root user will always have the
FULL_ADMIN role.
Includes CI tests (locally tested).
Backport requested since this is targeted to 25.10.2.
Move MK_REPRODUCIBLE_PATHS to bsd.opts.mk
In commit faeaa25f5624 MK_REPRODUCIBLE_PATHS was introduced, but some
ports that include bsd.debug.mk then started to fail with:
make: /usr/share/mk/bsd.debug.mk:19: Variable "MK_REPRODUCIBLE_PATHS" is undefined
in /usr/share/mk/bsd.lib.mk:525
in /wrkdirs/usr/ports/devel/libsysinfo/work/libsysinfo-0.0.3/Makefile:16
make: Fatal errors encountered -- cannot continue
This is because bsd.debug.mk includes bsd.opts.mk, not src.opts.mk. Move
the MK_REPRODUCIBLE_PATHS option to bsd.opts.mk to fix this.
Reviewed by: imp, emaste
Fixes: faeaa25f5624
emulators/wine: Streamline things a bit
Set CONFIGURE_ARGS, BINARY_ALIAS, and EXTRA_PATCHES using plain
assignment (=) instead of := since we do not have child ports any
longer.
On the way tweak white spaces around OPTIONS to be consistent with
the wine-devel port.
Merge tag 'kbuild-fixes-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux
Pull Kbuild fixes from Nicolas Schier:
- Revert commit "scripts/clang-tools: Handle included .c files in
gen_compile_commands" which is reported to cause false entries for
some files.
- Fix compilation of dtb specified on command-line without make rule
- mcb: Add missing modpost build support
* tag 'kbuild-fixes-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux:
mcb: Add missing modpost build support
kbuild: fix compilation of dtb specified on command-line without make rule
Revert "scripts/clang-tools: Handle included .c files in gen_compile_commands"
Merge tag 'mm-hotfixes-stable-2025-12-28-21-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"27 hotfixes. 12 are cc:stable, 18 are MM.
There's a patch series from Jiayuan Chen which fixes some
issues with KASAN and vmalloc. Apart from that it's the usual
shower of singletons - please see the respective changelogs
for details"
* tag 'mm-hotfixes-stable-2025-12-28-21-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (27 commits)
mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry
mm/page_owner: fix memory leak in page_owner_stack_fops->release()
mm/memremap: fix spurious large folio warning for FS-DAX
MAINTAINERS: notify the "Device Memory" community of memory hotplug changes
sparse: update MAINTAINERS info
mm/page_alloc: report 1 as zone_batchsize for !CONFIG_MMU
mm: consider non-anon swap cache folios in folio_expected_ref_count()
rust: maple_tree: rcu_read_lock() in destructor to silence lockdep
[13 lines not shown]
[VPlan] Add BranchOnTwoConds, use for early exit plans. (#172750)
This PR introduces a new BranchOnTwoConds VPInstruction, that takes 2
boolean operands and must be placed in a block with 3 successors.
If condition I is true, branches to successor I, otherwise falls through
to check the next condition. If both conditions are false, branch to the
third successor.
This new branch recipe is used for early-exit loops, to simplify the
representation in VPlan initially, by avoiding the need for splitting the
middle block early on, in a way that preserves the single-exit block
property of regions. All exits still go through the latch block, but
they can go to more than 2 successors.
This idea was part of one of the original proposals for how to model
early exits in VPlan, but at that point in time, there was no good way
to handle this during code-gen, and we went with the early split-middle
block approach initially.
[7 lines not shown]
HBSD: Disable SafeStack for the Unbound daemon
When Unbound is built with SafeStack, attempts to kill the running
daemon process with SIGTERM do not kill the process. Instead, the
daemon stops responding.
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Reported-by: @northboot
issue: #110
MFC-to: 15-STABLE
(cherry picked from commit ee472934f961f24a1c4dee56e7bd8dbb0e50ce13)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>