padlock.4: Update slightly for 64-bit hardware
- Change the document description to "Via and Zhaoxin CPU crypto driver"
- Add a HARDWARE section mentioning these in the hardware release note
This manual still needs desperate help, but just this little bit could
have saved a lot of confusion. I'd write more if I had information.
PR: 295517
Fixes: 14b8531c4ccb8 (Restore padlock_rng the the amd64 build)
MFC after: 3 days (to 15 only)
Reviewed by: bcr, asomers
Differential Revision: https://reviews.freebsd.org/D57920
periodic/security: Introduce $security_status_loginfail_ignore for 800.loginfail
Introduce a new variable "security_status_loginfail_ignore" to filter unwanted
login failure messages from the daily security checks.
Co-authored-by: Michael Osipov <michaelo at FreeBSD.org>
Co-authored-by: Joseph Mingrone <jrm at FreeBSD.org>
PR: 295191
Reviewed by: jrm
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57671
(cherry picked from commit 6a7c8c92245562cfd9b900dedacab99a13d5ca86)
nuageinit: validate set-name to prevent shell injection in variable names
Shell variable names cannot be safely quoted with shell_escape() —
only alphanumeric characters are valid. Add validation that set-name
only matches [a-zA-Z0-9]+; invalid values are rejected with a
warning and the rename is skipped entirely.
(cherry picked from commit 13fb6dbc738f4ba30e78a8fb21efa1382c520d33)
nuageinit: use single-quote shell escaping for hostname in rc.conf.d
The hostname value was written inside double quotes in
/etc/rc.conf.d/hostname. POSIX shell performs command substitution
inside double quotes, so a hostname containing $() or backticks would
be executed when the file is sourced (e.g., by rc(8)).
Switch to using the existing shell_escape() helper, which wraps values
in single quotes. In POSIX shell, single-quoted strings are completely
literal — no expansion or substitution of any kind is performed.
While the hostname is already validated to contain only
[a-zA-Z0-9.-], this change provides defense-in-depth so the output
format is safe regardless of future validation changes.
Reported by: Yazdan Soltani <yazdan.soltani at gmail.com>
(cherry picked from commit da3890fdccfa7d540ea746182248299b81f95345)
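The two fixes above (rejecting a set-name outside [a-zA-Z0-9]+, and single-quoting the hostname written to rc.conf.d) modelled in POSIX sh as an added example. This is not nuageinit's own code (which is Lua); the helper bodies and the names valid_var_name, write_hostname_unsafe, write_hostname_safe and read_hostname are this example's, and the sample hostname is constructed.

```shell
#!/bin/sh
# Added example, not nuageinit's code: a sh helper with the role of
# shell_escape(), the [a-zA-Z0-9]+ check applied to set-name, and the
# pre-fix and post-fix rc.conf.d/hostname writers side by side.
LC_ALL=C
export LC_ALL

# shell_escape VALUE: single-quote VALUE so the shell treats it literally.
# An embedded ' is rewritten as '\'' (close quote, escaped quote, reopen).
shell_escape() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# valid_var_name NAME: succeeds only if NAME matches [a-zA-Z0-9]+.
# Quoting cannot protect the left side of NAME=value, so reject instead.
valid_var_name() {
    case $1 in
        "" | *[!a-zA-Z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_hostname_unsafe HOST FILE: the pre-fix shape, value in double quotes.
# $(...) and backticks inside double quotes are expanded when sourced.
write_hostname_unsafe() {
    printf 'hostname="%s"\n' "$1" > "$2"
}

# write_hostname_safe HOST FILE: the fixed shape, value single-quoted.
write_hostname_safe() {
    printf 'hostname=%s\n' "$(shell_escape "$1")" > "$2"
}

# read_hostname FILE: source FILE the way rc(8) would and return $hostname.
read_hostname() {
    ( hostname=; . "$1"; printf '%s' "$hostname" )
}

# Constructed input: a hostname carrying a command substitution. nuageinit's
# own validation would already reject it; this shows why the output format
# matters independently of that check.
evil='web$(echo INJECTED)'
f=$(mktemp)
write_hostname_unsafe "$evil" "$f"; echo "double quotes: $(read_hostname "$f")"
write_hostname_safe   "$evil" "$f"; echo "single quotes: $(read_hostname "$f")"
rm -f "$f"
```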
nuageinit: implement phone_home support
Posts instance data (hostname, instance_id, public keys) to a URL
using fetch(1). Supports:
- url: target URL
- post: list of data items to send, or 'all'
- tries: number of retry attempts (default 1)
(cherry picked from commit 58653bf4d0fb8ccd5de146d671ec101a1df0ede0)
nuageinit: implement MIME multipart user-data support
Add support for MIME multipart/mixed user-data, allowing a single
user-data blob to contain multiple parts with different content types.
(cherry picked from commit be711ade6f66506fb2cae9fd33b142ce910f0346)
nuageinit: implement ntp support
Add support for the 'ntp' cloud-config key which configures NTP
by writing /etc/ntp.conf with server and pool entries.
(cherry picked from commit 6d27d52ccd35d1980e99bc2fc4dae602334d28af)
nuageinit: implement ca_certs support
Add support for the 'ca_certs' cloud-config key which manages
CA certificates by writing them to /etc/ssl/certs/ and running
certctl rehash.
(cherry picked from commit b56f029add4825b21b2957f19ccfbb219a3f96cb)
nuageinit: implement ssh_authkey_fingerprints support
Add support for the 'ssh_authkey_fingerprints' cloud-config key
which logs SSH host key fingerprints to the console via ssh-keygen.
(cherry picked from commit d7984912385cc5a191547dc6c2d73acba25e2239)
pw: fix const qualification in unquote()
The unquote() function took a const char * parameter but modified the
string in-place (removing quote characters). Change the parameter to
char * and update callers that passed const char * to cast explicitly.
(cherry picked from commit 5f9c8f142d1702f5810618e02534054d28d22fa5)
nuageinit: implement mounts support
Add support for the 'mounts' cloud-config key which configures
mount points by appending entries to /etc/fstab and creating
the corresponding directories.
(cherry picked from commit 797dad91ff468a9bd6cd5d4f720eb4bbac1f454a)
nuageinit: implement resolv_conf support
Add support for the 'resolv_conf' cloud-config key which writes
directly to /etc/resolv.conf.
(cherry picked from commit 4662263c246fd9c31cf0f03089845140114445bc)
nuageinit: implement bootcmd support
Add support for the 'bootcmd' cloud-config directive, which allows
running commands very early in the boot process, before the hostname
is set and before the network is configured.
- nuageinit: bootcmd() function follows the same pattern as runcmd(),
writing commands to /var/cache/nuageinit/bootcmds instead of runcmds.
It is the first entry in the pre_network_calls table.
- rc.d/nuageinit: execute /var/cache/nuageinit/bootcmds immediately
after /usr/libexec/nuageinit completes, before unmounting the config
drive. This ensures bootcmd runs before NETWORKING per cloud-init spec.
(cherry picked from commit b9be7608cd13888a32815bfb2263e20855706969)
pw: fix uninitialized name pointer in pw_group_del
The 'name' variable could be left uninitialized if neither the
positional argument nor -n is supplied, leading to undefined
behavior when passed to getgroup().
(cherry picked from commit 13f4a37b536b60d559c766b3ec4f2d5d25279ea3)
nuageinit: implement manage_etc_hosts support
Add support for adding the instance hostname to /etc/hosts on the
127.0.0.1 and ::1 localhost lines, matching cloud-init's default
behaviour (manage_etc_hosts: true).
Create a revolve_hostname helper to avoid code duplication.
(cherry picked from commit ba58e8ad726318ed59b6cc5934435dbddbe23dac)