mac_seeotheruids: allow specificgid to be a list of groups
The specificgid functionality has historically allowed only a single
group to be exempt, but in practice one might want a few services to
be exempt for reasons. From a security perspective, we probably don't
want to encourage unrelated users to be grouped together solely for
this purpose, as that creates one point of shared access that could be
used for nefarious purposes.
Normalize the group list as we do cr_groups to allow for linear matching
rather than quadratic; we just need to account for the differences in
FreeBSD 15.0+ where cr_groups is entirely supplementary groups vs.
earlier versions, where cr_groups[0] is the egid and the rest is
sorted.
Reviewed by: csjp, des (earlier version)
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D56592
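The linear-versus-quadratic matching the commit describes, as an added illustration that is not FreeBSD's mac_seeotheruids code: the exempt list is sorted and de-duplicated once, after which a credential's already-sorted group array can be compared in a single merge pass. The two credential layouts the commit mentions are modelled separately. `EXEMPT_MAX`, `struct exempt_gids`, the function names and the sample gids are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical upper bound on the policy's exempt-group list. */
#define EXEMPT_MAX 16

struct exempt_gids {
	gid_t gids[EXEMPT_MAX];
	size_t n;
};

static int
gid_cmp(const void *a, const void *b)
{
	gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;

	return (x > y) - (x < y);
}

/* Sort and de-duplicate in place; returns the number of entries kept. */
size_t
exempt_normalize(gid_t *gids, size_t n)
{
	size_t i, out = 0;

	if (n == 0)
		return 0;
	qsort(gids, n, sizeof(gid_t), gid_cmp);
	for (i = 0; i < n; i++)
		if (out == 0 || gids[out - 1] != gids[i])
			gids[out++] = gids[i];
	return out;
}

/* Build a normalized set from a caller-supplied (unsorted) list. */
bool
exempt_build(struct exempt_gids *ex, const gid_t *in, size_t n)
{
	if (n > EXEMPT_MAX)
		return false;
	memcpy(ex->gids, in, n * sizeof(gid_t));
	ex->n = exempt_normalize(ex->gids, n);
	return true;
}

/* True if two sorted arrays share an element: O(na + nb), not O(na * nb). */
bool
sorted_intersect(const gid_t *a, size_t na, const gid_t *b, size_t nb)
{
	size_t i = 0, j = 0;

	while (i < na && j < nb) {
		if (a[i] == b[j])
			return true;
		if (a[i] < b[j])
			i++;
		else
			j++;
	}
	return false;
}

static bool
exempt_contains(const struct exempt_gids *ex, gid_t gid)
{
	return bsearch(&gid, ex->gids, ex->n, sizeof(gid_t), gid_cmp) != NULL;
}

/* Pre-15.0 layout: cr_groups[0] is the egid and is not part of the sorted
 * run, so it is looked up on its own; cr_groups[1..] is sorted. */
bool
cred_exempt_old_layout(const gid_t *cr_groups, size_t ngroups,
    const struct exempt_gids *ex)
{
	if (ngroups == 0)
		return false;
	if (exempt_contains(ex, cr_groups[0]))
		return true;
	return sorted_intersect(cr_groups + 1, ngroups - 1, ex->gids, ex->n);
}

/* 15.0+ layout: the egid lives in its own field and cr_groups holds only
 * the sorted supplementary groups, so the whole array is merged directly. */
bool
cred_exempt_new_layout(gid_t cr_gid, const gid_t *cr_groups, size_t ngroups,
    const struct exempt_gids *ex)
{
	if (exempt_contains(ex, cr_gid))
		return true;
	return sorted_intersect(cr_groups, ngroups, ex->gids, ex->n);
}
```

Normalizing once at configuration time is what makes the per-check cost proportional to the credential's group count plus the exempt count; the egid lookup in the old layout is the only place a separate search is still needed.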

geom manuals: Clarify units
The gpart manual says that sizes are specified in blocks, unless an SI
unit suffix is provided. This confuses new operators because GEOM uses
binary bytes, a large difference at modern storage pool sizes. Rewrite
suffixes in all GEOM manuals to consistently clarify this, matching what
we and the rest of the industry have been doing in other documentation.
While here, use non-breaking spaces between numbers and units, unless
they are already written with a hyphen.
MFC after: 3 days
Reviewed by: fuz
Reported by: bbaovanc <bbaovanc at bbaovanc.com>
Differential Revision: https://reviews.freebsd.org/D56534
(cherry picked from commit 975e3605ebb15cbaf5a25c1c9d1f51aed41291d0)

Fix memory corruption bugs in BSM record parsing
fetch_newgroups_tok(3): clamp group count to AUDIT_MAX_GROUPS before the
loop to prevent a stack buffer overflow when a crafted record specifies
more than 16 groups.
fetch_execarg_tok(3), fetch_execenv_tok(3): add a bounds check at the
top of the string-walking loop to prevent an out-of-bounds read when the
previous string's nul byte is the last byte of the record buffer.
fetch_sock_unix_tok(3): clamp the memchr search length to the number of
bytes remaining in the buffer to prevent an out-of-bounds read on short
tokens. Also clamp slen to sizeof(path) to prevent a one-byte overflow
when no nul byte is found within the path data.
fetch_socket_tok: fix copy-paste error where the remote address was
written into l_addr instead of r_addr.
Previously reported by: @haginara
[12 lines not shown]
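The bounds checks the commit describes, as an added illustration written against a constructed, simplified token layout rather than the real BSM encoding or libbsm's fetch_*_tok() routines: a group count is validated against AUDIT_MAX_GROUPS before the copy loop, a string search is clamped to the bytes remaining in the record and its copy length to the destination buffer, and the string walker checks for end-of-record at the top of each iteration. `struct rec`, `STR_BUF`, the function names and the sample bytes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUDIT_MAX_GROUPS 16   /* the limit the groups token is clamped to */
#define STR_BUF 8             /* hypothetical small fixed-size string buffer */

/* Cursor over an immutable record buffer. */
struct rec {
	const uint8_t *buf;
	size_t len;
	size_t off;
};

static size_t
rec_remaining(const struct rec *r)
{
	return r->off < r->len ? r->len - r->off : 0;
}

/* Constructed groups token: u16 big-endian count, then count x u32 gids.
 * The count is checked before the loop, so a crafted record cannot write
 * past gids[AUDIT_MAX_GROUPS]. Returns 0 on success, -1 on a bad token. */
int
fetch_groups(struct rec *r, uint32_t gids[AUDIT_MAX_GROUPS], uint16_t *ngroups)
{
	uint16_t cnt, i;

	if (rec_remaining(r) < 2)
		return -1;
	cnt = (uint16_t)((r->buf[r->off] << 8) | r->buf[r->off + 1]);
	r->off += 2;
	if (cnt > AUDIT_MAX_GROUPS)             /* clamp before the loop */
		return -1;
	if (rec_remaining(r) < (size_t)cnt * 4) /* truncated record */
		return -1;
	for (i = 0; i < cnt; i++) {
		const uint8_t *p = r->buf + r->off;

		gids[i] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
		    ((uint32_t)p[2] << 8) | p[3];
		r->off += 4;
	}
	*ngroups = cnt;
	return 0;
}

/* One NUL-terminated string. memchr is limited to the bytes remaining and
 * the copy to the destination size, so neither an unterminated string nor
 * an overlong one reads or writes out of bounds. Returns the stored length,
 * or -1 when the cursor is already at the end of the record. */
int
fetch_string(struct rec *r, char out[STR_BUF])
{
	size_t remain = rec_remaining(r), full, copy;
	const uint8_t *nul;

	if (remain == 0)
		return -1;
	nul = memchr(r->buf + r->off, '\0', remain);
	full = nul != NULL ? (size_t)(nul - (r->buf + r->off)) : remain;
	copy = full < STR_BUF ? full : STR_BUF - 1;
	memcpy(out, r->buf + r->off, copy);
	out[copy] = '\0';
	r->off += full + (nul != NULL ? 1 : 0);
	return (int)copy;
}

/* Walk strings (execarg/execenv style) until the record is exhausted. The
 * check at the top of the loop stops the walk when the previous string's
 * NUL was the final byte of the buffer. */
int
fetch_strings(struct rec *r, char out[][STR_BUF], size_t max, size_t *count)
{
	*count = 0;
	while (*count < max) {
		if (rec_remaining(r) == 0)   /* top-of-loop bounds check */
			break;
		if (fetch_string(r, out[*count]) < 0)
			return -1;
		(*count)++;
	}
	return 0;
}
```

Every length used for a read or a copy is derived from the cursor and the record length, never from a value inside the record alone; that is the property each of the four fixes in the commit restores.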

pf: Document broadcast/multicast forwarding through route-to
pf_route() and pf_route6() forward broadcast and multicast traffic
when a route-to rule matches, without any check against the output
interface's broadcast domain. This is a deliberate property of the
route option code path, but it is not documented and the workaround
is non-obvious.
Document the behavior in pf.conf(5) with example block-out rules on
the target interface, scoped with the received-on qualifier so that
only forwarded traffic is dropped while the router's own broadcast
and multicast traffic continues to pass.
Add regression tests covering the full broadcast/multicast and
forwarded/local matrix on both IPv4 and IPv6.
Reviewed by: glebius, kp
Approved by: kp (mentor)
MFC after: 1 week
[2 lines not shown]

ctld: Move the pidfile handle out to a global variable
This ensures it will be destroyed (removing the associated pidfile)
anytime the process exits, including from exit(3) calls. This fixes
a few places that would "leak" the pidfile on certain errors.
This also removes the need for some convoluted logic where
configuration objects would hand off ownership of the pidfile handle
from the old configuration to the new configuration.
Reviewed by: asomers
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D56527

ctld: Ports without a portal group are not dummy ports
The default implementation of is_dummy should return false. Only
portal group ports should possibly return true.
PR: 293076
Reported by: Ken J. Thomson <thomsonk at yandex.com>
Fixes: 6acc7afa34aa ("ctld: Convert struct port to a hierarchy of C++ classes")
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D56524

kern: mac: sprinkle a bit of const correctness
mpc_name and mpc_fullname are string literals in correct usage, so they
should really be const instead.
mpc_ops aren't typically const, but the framework shouldn't be doing
anything to clobber it; thus, good to constify it as a reminder.
Switch to using a slightly more semantically correct `void **` in the
fastpath bits while we're here, since we only do arithmetic on the outer
layer of pointer and compare the inner to a pointer-typed (NULL).
Reviewed by: bapt
Differential Revision: https://reviews.freebsd.org/D55702

kern: vfs: add MAC checks for mount/unmount/update
The unmount check is straightforward and only really needs the
struct mount and flags used, in case a MAC policy wants to reject
force-unmounts or do special handling for FSID-based unmounts.
The mount check offers as much information as I think might be of
interest to a MAC policy: the vnode to be mounted on, vfsconf, and
applicable mount options. XNU also has a later version that just takes
a struct mount for everything that VFS_MOUNT() has to offer, but my
draft policy doesn't need any of that. It also doesn't really need the
unmount check, but it seems reasonable to add it while I'm here.
The update check similarly passes the flags/options for the operation,
along with the struct mount and label.
Reviewed by: kib, olce
Differential Revision: https://reviews.freebsd.org/D55601

powerpc aim64: Return vm_paddr_t from moea64_bootstrap_alloc
Consistently use vm_paddr_t for the type returned from
moea64_bootstrap_alloc and avoid temporarily smuggling it via a
pointer. Instead, be explicit in the places that assume a 1:1
mapping.
Effort: CHERI upstreaming
Reviewed by: kib
Sponsored by: AFRL, DARPA
Pull Request: https://github.com/freebsd/freebsd-src/pull/2068

gve: Convert a couple of structure members from vm_offset_t to char *
Effort: CHERI upstreaming
Reviewed by: kib
Sponsored by: AFRL, DARPA
Pull Request: https://github.com/freebsd/freebsd-src/pull/2068

sf_buf_kva: Return a pointer instead of a vm_offset_t
This removes the need for several casts to pointer in callers.
Effort: CHERI upstreaming
Reviewed by: kib
Sponsored by: AFRL, DARPA
Pull Request: https://github.com/freebsd/freebsd-src/pull/2068

pmap_map: Use void * for the return value instead of vm_offset_t
Effort: CHERI upstreaming
Reviewed by: kib
Sponsored by: AFRL, DARPA
Pull Request: https://github.com/freebsd/freebsd-src/pull/2068

PHYS_TO_DMAP: Return a void * instead of a vm_offset_t
Add a new PHYS_TO_DMAP_ADDR that still returns an address for use in
places that only need an address and not a pointer.
Effort: CHERI upstreaming
Reviewed by: kib
Sponsored by: AFRL, DARPA
Pull Request: https://github.com/freebsd/freebsd-src/pull/2068