HardenedBSD/src 4434bf0 usr.sbin/pkg HardenedBSD.pkgbase.conf HardenedBSD.pkgbase.tor.conf

HBSD: Use a special URL for Cross-DSO CFI pkgbase

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+1 -1  usr.sbin/pkg/HardenedBSD.pkgbase.conf
+1 -1  usr.sbin/pkg/HardenedBSD.pkgbase.tor.conf
+2 -2  2 files

HardenedBSD/src 19a5a3e . RELNOTES UPDATING, sys/sys param.h

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta  File
+9 -0  RELNOTES
+7 -0  UPDATING
+1 -1  sys/sys/param.h
+17 -1  3 files

HardenedBSD/src ef6144a . RELNOTES UPDATING, sys/sys param.h

Merge branch 'freebsd/current/main' into hardened/current/master
Delta  File
+9 -0  RELNOTES
+7 -0  UPDATING
+1 -1  sys/sys/param.h
+17 -1  3 files

HardenedBSD/src 039fedc . RELNOTES

RELNOTES: Add an entry for recent "nocto" changes
Delta  File
+9 -0  RELNOTES
+9 -0  1 files

HardenedBSD/src 1b832d5 . UPDATING

UPDATING: Add an entry for commits 171f66b0c2ca and 8e2a90ac8089
Delta  File
+7 -0  UPDATING
+7 -0  1 files

HardenedBSD/src d8c5c51 sys/sys param.h

param.h: Bump __FreeBSD_version for NFS api changes

Commits 171f66b0c2ca and 8e2a90ac8089 changed the internal
api between nfscommon.ko and the other nfs modules.
Bump __FreeBSD_version to 1500049 for this.

All NFS related modules must be rebuilt from up-to-date
sources.
Delta  File
+1 -1  sys/sys/param.h
+1 -1  1 files

HardenedBSD/src 367e6ed sbin/pfctl pfctl_parser.c pf_print_state.c, sys/fs/nfs nfs_commonacl.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta  File
+51 -79  sbin/pfctl/pfctl_parser.c
+51 -0  sys/fs/nfsclient/nfs_clstate.c
+16 -18  sbin/pfctl/pf_print_state.c
+12 -0  sys/fs/nfsclient/nfs_clvnops.c
+1 -1  sbin/pfctl/pfctl_parser.h
+1 -1  sys/fs/nfs/nfs_commonacl.c
+132 -99  2 files not shown
+134 -99  8 files

HardenedBSD/src 1fe7310 sbin/pfctl pfctl_parser.c pf_print_state.c, sys/fs/nfs nfs_commonacl.c

Merge branch 'freebsd/current/main' into hardened/current/master
Delta  File
+51 -79  sbin/pfctl/pfctl_parser.c
+51 -0  sys/fs/nfsclient/nfs_clstate.c
+16 -18  sbin/pfctl/pf_print_state.c
+12 -0  sys/fs/nfsclient/nfs_clvnops.c
+1 -1  sbin/pfctl/pfctl_parser.h
+1 -1  sys/fs/nfs/nfs_commonacl.c
+132 -99  2 files not shown
+134 -99  8 files

HardenedBSD/src 6e715a9 sys/dev/gve gve_main.c gve_rx_dqo.c, sys/fs/nullfs null_vnops.c

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
Delta  File
+171 -0  tests/sys/kern/jail_lookup_root.c
+30 -11  sys/kern/vfs_lookup.c
+27 -3  sys/dev/gve/gve_main.c
+18 -10  sys/fs/nullfs/null_vnops.c
+21 -6  sys/kern/sys_process.c
+15 -11  sys/dev/gve/gve_rx_dqo.c
+282 -41  13 files not shown
+384 -81  19 files

HardenedBSD/src 5b2c576 usr.sbin/hbsd-update hbsd-update

HBSD: apply BSD.hardened.dist during hbsd-update

This change will apply /etc/mtree/BSD.hardened.dist during
an update managed by hbsd-update

Sample:

root at jail# hbsd-update -n -o
hbsd-v1500001-3f796753a145c0884c39405fd59276475fbb5943
/tmp/tmp.7nLXlPboge/update.tar                         454 MB  483 kBps 16m02s
root:   permissions (0710, 0700, modified)
etc/syslog.d:
        permissions (0755, 0700, modified)
etc/rc.conf.d:
        permissions (0755, 0700, modified)
unbound:
        permissions (0755, 0700, modified)
root:   permissions (0700, 0710, modified)
etc/syslog.d:

    [15 lines not shown]
Delta  File
+8 -0  usr.sbin/hbsd-update/hbsd-update
+8 -0  1 files

HardenedBSD/src 8b6dbab release/packages hardenedbsd.ucl

HBSD: Fix HardenedBSD pkgbase UCL template

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
(cherry picked from commit 069400b6fdac4001e13613564fe900bc3a2f5a44)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+0 -17  release/packages/hardenedbsd.ucl
+0 -17  1 files

HardenedBSD/src 015804b libexec/rtld-elf rtld.c

HBSD: Fix the RTLD hardening regression

The RTLD wasn't actually calling sysctlbyname due to recent changes
regarding libsys. To fix this, we now embed our own version of
sysctlbyname into the RTLD.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
(cherry picked from commit 323b8378538f7cb830f7ca573a954f8162dd5d23)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+34 -1  libexec/rtld-elf/rtld.c
+34 -1  1 files

HardenedBSD/src def848d usr.sbin/hbsd-update hbsd-update

HBSD: Do not delete the boot environment if it already exists

If the creation of the boot environment fails due to it already
existing, do not delete the boot environment. Instead, just exit.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
MFC-to:         14-STABLE
(cherry picked from commit d7dbbf7bf52a6c7e262f09d3ea3c291136449ee6)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+5 -1  usr.sbin/hbsd-update/hbsd-update
+5 -1  1 files

HardenedBSD/src d25f150 usr.sbin/hbsd-update hbsd-update

HBSD: Check whether BSD.hardened.dist exists

We want to make sure that the mtree file exists before trying to apply
it.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
MFC-to:         14-STABLE
X-MFC-with:     ea0c19533e04a8839c267ffddd8fa37d08f19d7a
(cherry picked from commit 1a16765c8a2b6e0815751f50083abda677260c40)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+8 -6  usr.sbin/hbsd-update/hbsd-update
+8 -6  1 files

HardenedBSD/src 2eb8a07 sys/kern kern_prot.c

HBSD: Disable security.bsd.see_jail_proc by default

Do not allow unprivileged users to see processes not in their own jails.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
MFC-to:         14-STABLE
(cherry picked from commit 6c7e20a94fde03e38e0599dd051728f7e23685df)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+4 -0  sys/kern/kern_prot.c
+4 -0  1 files

HardenedBSD/src 5c0eb43 sbin/pfctl pfctl_parser.c pfctl_parser.h

pfctl: Move AF-specific mask logic from callers into set_ipmask()

Instead of doing the same dance with every caller, check for user provided
mask or address family specific maximum inside the function itself.

Feedback and OK claudio

Obtained from:  OpenBSD, kn <kn at openbsd.org>, c04427dd30
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+19 -16  sbin/pfctl/pfctl_parser.c
+1 -1  sbin/pfctl/pfctl_parser.h
+20 -17  2 files

HardenedBSD/src eb6c221 sbin/pfctl pfctl_parser.c

pfctl: Zap bits in host_v4(), use mask parameter

This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.

While here, use the destination's size in memcpy instead of hardcoding its
type.

OK sashan

Obtained from:  OpenBSD, kn <kn at openbsd.org>, a7ede25358
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+4 -5  sbin/pfctl/pfctl_parser.c
+4 -5  1 files

HardenedBSD/src a59e796 sbin/pfctl pfctl_parser.c

pfctl: Zap v4mask and v6mask in host()

Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.

OK sashan

Obtained from:  OpenBSD, kn <kn at openbsd.org>, 17e25e9423
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+9 -13  sbin/pfctl/pfctl_parser.c
+9 -13  1 files

HardenedBSD/src e790bcd sbin/pfctl pfctl_parser.c

pfctl: Use error label in host_if()

This brings it in line with host() and host_dns().

OK sashan miko

Obtained from:  OpenBSD, kn <kn at openbsd.org>, d127311405
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+5 -8  sbin/pfctl/pfctl_parser.c
+5 -8  1 files

HardenedBSD/src b728aaa sbin/pfctl pfctl_parser.c

pfctl: Simplify getaddrinfo() error handling

`error' is not used so drop it and jump to the end.

OK sashan

Obtained from:  OpenBSD, kn <kn at openbsd.org>, da7f49d74e
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+4 -7  sbin/pfctl/pfctl_parser.c
+4 -7  1 files

HardenedBSD/src 5d9877b sbin/pfctl pfctl_parser.c

pfctl: Simplify host()

Get rid of the `cont' flag, zap obvious comments, add error label.

OK benno sashan

Obtained from:  OpenBSD, kn <kn at openbsd.org>, a98f6f5f17
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+12 -26  sbin/pfctl/pfctl_parser.c
+12 -26  1 files

HardenedBSD/src 7b82e36 sbin/pfctl pfctl_parser.c

pfctl: Use strtonum in host()

This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.

OK sashan

Obtained from:  OpenBSD, kn <kn at openbsd.org>, e351e6cba3
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+6 -5  sbin/pfctl/pfctl_parser.c
+6 -5  1 files

HardenedBSD/src 466ac79 sbin/pfctl pf_print_state.c pfctl_parser.c

pfctl: Move duplicate code into new helper print_addr_str()

This simply puts the wiggle around inet_ntop() from four into one location.

OK benno

Obtained from:  OpenBSD, kn <kn at openbsd.org>, 88d4e2f324
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+16 -18  sbin/pfctl/pf_print_state.c
+1 -8  sbin/pfctl/pfctl_parser.c
+1 -0  sbin/pfctl/pfctl.h
+18 -26  3 files

HardenedBSD/src 50e733f sys/fs/nfs nfs_commonacl.c nfs_var.h, sys/fs/nfsclient nfs_clstate.c nfs_clvnops.c

nfscl: Use delegation ACE when mounted with nocto

For NFSv4.1/4.2, there is an ACE in the delegation reply.
Without this patch, this ACE is ignored by the NFSv4 client.

This patch enables use of the ACE to avoid the need for
Access RPCs when the "nocto" option is specified.
This requires a NFSv4.1/4.2 server that does not reply
with a bogus ACE that is too generous w.r.t. access permissions.
Note that the recent commit 0d51adee3072 added use of the NFSv4
ACL for generation of the ACE in the reply.  This patch might be
needed for this client change to work correctly if NFSv4 ACLs are
being used on the NFSv4.1/4.2 exported file systems.

This only affects NFSv4 mounts with the "nocto" mount option
and only if NFSv4 servers are issuing delegations with ACEs
that specify access.  Some NFSv4 servers, such as the Linux
knfsd reply with ACEs that do not allow any access, so this
patch has no effect for them.
Delta  File
+51 -0  sys/fs/nfsclient/nfs_clstate.c
+12 -0  sys/fs/nfsclient/nfs_clvnops.c
+1 -1  sys/fs/nfs/nfs_commonacl.c
+1 -0  sys/fs/nfs/nfs_var.h
+65 -1  4 files

HardenedBSD/src fc03742 share/man/man4 gve.4, sys/dev/gve gve_main.c gve_rx_dqo.c

gve: Add support for 4k RX Buffers when using DQO queue formats

This change adds support for using 4K RX Buffers when using DQO queue
formats when a boot-time tunable flag is set to true by the user.
When this flag is enabled, the driver will use 4K RX Buffer size either
when HW LRO is enabled or mtu > 2048.

Signed-off-by: Vee Agarwal <veethebee at google.com>

Reviewed by:    markj, ziaee
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50786

(cherry picked from commit 71702df6126226b31dc3ec66459388e32b993be1)
Delta  File
+27 -3  sys/dev/gve/gve_main.c
+15 -11  sys/dev/gve/gve_rx_dqo.c
+20 -0  sys/dev/gve/gve.h
+8 -0  share/man/man4/gve.4
+6 -2  sys/dev/gve/gve_dqo.h
+4 -1  sys/dev/gve/gve_adminq.c
+80 -17  1 files not shown
+84 -17  7 files

HardenedBSD/src c6e0def sys/dev/gve gve.h

gve: Relax a static assertion

It's okay if MCLBYTES is larger than the default receive buffer size.

Fixes:  71702df61262 ("gve: Add support for 4k RX Buffers when using DQO queue formats")

(cherry picked from commit 3b4bc5d70e1c2066fcb6e8535941258c88999fa2)
Delta  File
+1 -1  sys/dev/gve/gve.h
+1 -1  1 files

HardenedBSD/src 3feafab sys/fs/nullfs null_vnops.c, sys/fs/unionfs union_vnops.c

namei: Make stackable filesystems check harder for jail roots

Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount.  The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.

This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface.  That
is, add a flag to indicate that containerof can be used to get the full

    [9 lines not shown]
Delta  File
+30 -11  sys/kern/vfs_lookup.c
+18 -10  sys/fs/nullfs/null_vnops.c
+21 -0  sys/fs/unionfs/union_vnops.c
+1 -10  sys/kern/vfs_cache.c
+4 -1  sys/sys/namei.h
+74 -32  5 files

HardenedBSD/src 3230a62 sys/compat/freebsd32 freebsd32_misc.c, sys/kern sys_process.c

ptrace: Rename the internal command range constants

No functional change intended.

Reviewed by:    kib
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50866

(cherry picked from commit ee609560ad2a5fa7cacf06a3879987e118588625)
Delta  File
+4 -4  sys/sys/ptrace.h
+1 -1  sys/compat/freebsd32/freebsd32_misc.c
+1 -1  sys/kern/sys_process.c
+6 -6  3 files

HardenedBSD/src 5396386 sys/sys namei.h

namei: clear internal flags in NDREINIT()

same as it is done for NDRESTART()

Fixes:  e05e33041c252
Reported and tested by: pho
Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 58b2bd33aff71c0268d99d63e9c83f6544d3beb3)
Delta  File
+1 -0  sys/sys/namei.h
+1 -0  1 files

HardenedBSD/src 031cd54 sys/kern vfs_cache.c

vfs cache: Add NAMEILOOKUP to the whitelist of fastpath lookup flags

Otherwise the lockless name lookup path is inadvertently disabled since
NAMEILOOKUP isn't recognized.

Reviewed by:    olce, kib
Fixes:          7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision:  https://reviews.freebsd.org/D50532

(cherry picked from commit f4158953007f557061d91f99d2374d48d8376cc6)
Delta  File
+1 -1  sys/kern/vfs_cache.c
+1 -1  1 files