HardenedBSD/src d3557c7 usr.sbin/ntp config.h Makefile.inc

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
DeltaFile
+2 -1  usr.sbin/ntp/config.h
+1 -1  usr.sbin/ntp/Makefile.inc
+3 -2  2 files

HardenedBSD/src dcd0f1b usr.sbin/ntp config.h Makefile.inc

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+2 -1  usr.sbin/ntp/config.h
+1 -1  usr.sbin/ntp/Makefile.inc
+3 -2  2 files

HardenedBSD/src d9c0779 sys/kern kern_prot.c kern_racct.c, sys/rpc authunix_prot.c svc_auth_unix.c

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
DeltaFile
+249 -23   usr.bin/mdo/mdo.1
+80 -37    sys/kern/kern_prot.c
+57 -36    sys/rpc/authunix_prot.c
+49 -42    sys/rpc/svc_auth_unix.c
+15 -21    sys/kern/kern_racct.c
+6 -16     sys/vm/uma_core.c
+456 -175  21 files not shown
+526 -207  27 files

HardenedBSD/src 2804461 usr.sbin/ntp config.h Makefile.inc

ntp: Fix buildworld with MK_OPENSSL=no

Reported by:    wosch
Tested by:      wosch
MFC after:      1 week
DeltaFile
+2 -1  usr.sbin/ntp/config.h
+1 -1  usr.sbin/ntp/Makefile.inc
+3 -2  2 files

HardenedBSD/src 1a55399 usr.sbin/mountd exports.5

exports.5: Typo: "auomatically" => "automatically"

Fixes:          9d975e47d5a3 ("exports.5: Clarify that exported dirs should be local mount points")
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 7521dc5dce35159add70003340e1555456721a2d)
DeltaFile
+1 -1  usr.sbin/mountd/exports.5
+1 -1  1 files

HardenedBSD/src c4b3154 usr.bin/mdo mdo.1

mdo.1: Document group-related and fine-grained control functionalities

This is a manual page update describing the functionality that was added
to mdo(1) in commit 3ca1e69028ac ("mdo(1): Add support and shortcuts for
fully specifying users and groups").  Please either refer to that commit
or the new manual page's content for more information.

While here:
- Add to the introduction a description of process credentials and some
  specific vocabulary that is used throughout the page, as well as the
  relationship between mdo(1) and mac_do(4).
- Update the HISTORY section.
- Add AUTHORS and SECURITY CONSIDERATIONS sections.

Reviewed by:    ziaee
MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation
Sponsored by:   Google LLC (GSoC 2025)
Co-authored-by: Kushagra Srivastava <kushagra1403 at gmail.com>

    [3 lines not shown]
DeltaFile
+245 -24  usr.bin/mdo/mdo.1
+245 -24  1 files

HardenedBSD/src b7c5f19 usr.bin/mdo mdo.1

mdo.1: Describe this command's history

Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1712

(cherry picked from commit a27c25625ddc7dc26185282dd6416a8f584bf55d)
DeltaFile
+6 -1  usr.bin/mdo/mdo.1
+6 -1  1 files

HardenedBSD/src 1dc4fa8 usr.bin/mdo mdo.c

mdo(1): Avoid calling getgroups() in some unnecessary cases

If the basis for supplementary groups is the current ones, we do not
need to fetch them when they are to be replaced entirely (which we
have already been doing), as in the '!start_from_current_groups' case,
but specifically also when they are not going to be touched at all.

This change in passing makes the modified code block's comment saying
that SETCREDF_SUPP_GROUPS need not be set here correct.

MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D53771

(cherry picked from commit b92b1b47583036bd02e656564ff22c92b8949077)
DeltaFile
+8 -2  usr.bin/mdo/mdo.c
+8 -2  1 files

HardenedBSD/src 2815d86 sys/kern kern_prot.c

setcred(): Fix 32-bit compatibility copy-in

For 32-bit processes on 64-bit architectures, a difference of 'int'
pointers was wrongly used as a number of bytes to copy in a memcpy()
used to internally construct a 64-bit 'struct setcred' from the 32-bit
variant, leading to copying only part of the 32-bit structure, and thus
to requesting credentials with garbage IDs except for the real and
effective user IDs.

This bug was spotted by jhb@, who produced a slightly more invasive fix
in D53757 (a switch to using CP() on all fields).  In the interest of
minimizing the diff for possible inclusion in 15.0, the commit here just
limits itself to fixing the number of bytes to copy.

Tested successfully on a VM with 32-bit mdo(1) (and in passing also
tested that the same executable on a kernel without this change exhibits
the bug in practice, in the form of setcred() failing with EINVAL).

Reported by:    jhb

    [7 lines not shown]
DeltaFile
+2 -2  sys/kern/kern_prot.c
+2 -2  1 files
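The copy-length mistake described in the commit message above, shown in an added C example that is not FreeBSD's code: `struct setcred32`, `struct setcred64` and the function names are hypothetical stand-ins for a 32-bit and a 64-bit variant of one system-call argument structure, not the real `struct setcred`. Subtracting two `uint32_t` pointers yields a count of elements, not bytes, so passing that difference to memcpy() copies only the leading fields and leaves the remaining IDs holding whatever the destination contained before.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical layouts (not FreeBSD's struct setcred): the 32-bit process
 * passes the first, the kernel works on the second. The fixed-width fields
 * are identical in both; only the user pointer differs in width.
 */
struct setcred32 {
    uint32_t supp_groups;                 /* 32-bit user pointer */
    uint32_t flags, uid, ruid, svuid, gid, rgid, svgid, supp_groups_count;
};

struct setcred64 {
    uint64_t supp_groups;                 /* 64-bit user pointer */
    uint32_t flags, uid, ruid, svuid, gid, rgid, svgid, supp_groups_count;
};

/*
 * The bug: a difference of uint32_t pointers counts elements, not bytes.
 * For the layout above this returns 8 although the fixed-width fields
 * occupy 32 bytes.
 */
size_t fixed_fields_len_buggy(const struct setcred32 *in)
{
    const uint32_t *end = (const uint32_t *)(in + 1);   /* one past the struct */

    return (size_t)(end - &in->flags);
}

/* The fix: a byte count derived from sizeof and offsetof. */
size_t fixed_fields_len_correct(void)
{
    return sizeof(struct setcred32) - offsetof(struct setcred32, flags);
}

/*
 * Build the 64-bit form from the 32-bit one, copying 'nbytes' of
 * fixed-width fields (computed by one of the two functions above).
 * Returns -1 if the request would overrun 'out', 0 otherwise.
 */
int setcred32_to_64(const struct setcred32 *in, struct setcred64 *out, size_t nbytes)
{
    if (nbytes > sizeof(*out) - offsetof(struct setcred64, flags))
        return -1;
    out->supp_groups = in->supp_groups;   /* zero-extend the user pointer */
    memcpy(&out->flags, &in->flags, nbytes);
    return 0;
}

int main(void)
{
    /* Constructed 32-bit request: uid 1000, ruid 1001, gid 2000, 3 groups. */
    struct setcred32 in = { 0x1000, 1, 1000, 1001, 1002, 2000, 2001, 2002, 3 };
    struct setcred64 out;

    memset(&out, 0xAA, sizeof(out));      /* stale contents of the kernel copy */
    setcred32_to_64(&in, &out, fixed_fields_len_buggy(&in));
    printf("buggy:   %zu bytes copied, uid=%u ruid=%#x gid=%#x\n",
           fixed_fields_len_buggy(&in), (unsigned)out.uid, (unsigned)out.ruid, (unsigned)out.gid);

    memset(&out, 0xAA, sizeof(out));
    setcred32_to_64(&in, &out, fixed_fields_len_correct());
    printf("correct: %zu bytes copied, uid=%u ruid=%u gid=%u\n",
           fixed_fields_len_correct(), (unsigned)out.uid, (unsigned)out.ruid, (unsigned)out.gid);
    return 0;
}
```

With the buggy length only `flags` and `uid` survive the copy and every other ID is the 0xAA fill, which is the "garbage IDs" failure mode the commit describes; the bounds check in `setcred32_to_64()` is the added guard that makes an oversized length fail closed instead of overrunning the destination.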

HardenedBSD/src f9f1c9d sys/kern kern_prot.c kern_jail.c

kern: RACCT: Keep process credentials alive via references

In system calls changing process credentials, on RACCT, calls to
racct_proc_ucred_changed() must be issued on the new credentials.
Currently, this is done after the new credentials have been installed on
the process via proc_set_cred() or proc_set_cred_enforce_proc_lim(),
which modifies 'p_ucred'.  Only the process lock guarantees that the new
credentials pointed to by 'p_ucred' cannot themselves be concurrently
modified, which would cause their 'struct ucred' to potentially lose its
last reference from the process before the call to
racct_proc_ucred_changed(), which needs one.

For better code understandability and to avoid errors in future
modifications, stop relying on proc_set_cred*() storing the passed
'struct ucred' in the process 'p_ucred' and on the process lock to avoid
the reference taken by proc_set_cred*() to vanish.  Instead, ensure that
a reference is held when racct_proc_ucred_changed() is called.

As racct_proc_ucred_changed() is actually passed explicit pointers to

    [26 lines not shown]
DeltaFile
+39 -15  sys/kern/kern_prot.c
+7 -2    sys/kern/kern_jail.c
+6 -1    sys/kern/kern_loginclass.c
+4 -2    sys/kern/kern_racct.c
+56 -20  4 files

HardenedBSD/src ef23922 sys/kern kern_prot.c

setpgid(): Fix space before TAB in herald comment

No functional change.

With this tiny change, all the file becomes whitespace-clean.

MFC after:      1 week
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit d05ab93913f340c5590eafa4cc09cc84aa86282e)
DeltaFile
+1 -1  sys/kern/kern_prot.c
+1 -1  1 files

HardenedBSD/src bd26c99 sys/kern kern_racct.c

racct: Simplify skipping idle process in the throttling daemon

In racctd(), commit c72188d85a79 ("racct: Improve handling of the pcpu
resource") added a superfluous test to skip the idle process when
computing the resource usage and checking for limits, consisting of
a comparison of the considered process' pointer with that of the process of
the first CPU's idle thread.  The P_IDLEPROC flag introduced in commit
33be1632047c ("racct: Fix accounting of CPU time for the system idle
process") is sufficient and simpler for this purpose.

In the second loop throttling processes based on their %CPU usage, the
test excluding processes not in PRS_NORMAL was not consistent with that
of the first loop (which tests for the idle process also).  This had no
practical consequences except a superfluous call to
racct_pcpu_available() as the RACCT_PCTCPU counter stays at 0 on the
idle process (because of the first loop).  Factor out the test in the
new racct_proc_to_skip() function.

No functional change intended.

    [7 lines not shown]
DeltaFile
+9 -3  sys/kern/kern_racct.c
+9 -3  1 files

HardenedBSD/src cc16a07 sys/kern kern_prot.c kern_loginclass.c

kern: Fix credentials leaks on RACCT but no RCTL

Affected system calls: setuid(), setreuid(), setresuid(), jail_attach(),
setloginclass().

In these system calls, the crhold() calls that, on RACCT, make the
just-installed process credentials survive a concurrent change of the
same credentials just after PROC_UNLOCK() were not matched by
a corresponding crfree() when RCTL is off.  In fact, in that latter
case, they are simply not necessary, so wrap them with '#ifdef RCTL'
stances.  'kern_rctl.c' causes a compile error if RACCT is not defined
but RCTL is, so ease reading by not nesting '#ifdef's.

MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D53456

(cherry picked from commit f4315ff8b3fee71eb0098864a84618f2f8ba85d5)
DeltaFile
+6 -0   sys/kern/kern_prot.c
+2 -0   sys/kern/kern_loginclass.c
+2 -0   sys/kern/kern_jail.c
+10 -0  3 files

HardenedBSD/src 269e6a4 sys/kern kern_prot.c

proc_set_cred(): Allow 'newcred' to have multiple references

This is an extension needed by next commit, where some additional
reference is kept on the credentials to be set on a process in order to
keep these credentials alive even after the process lock is released (an
intervening reset of process credentials could release the reference
that the process holds).

Only 'cr_users' is incremented, as the reference (counted in 'cr_ref')
comes from the caller, who passes it to the process.

Reviewed by:    kib, markj
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D53636

(cherry picked from commit 5d46d11772c3280fd1c8ae09f20ce6c57f631c30)
DeltaFile
+3 -5  sys/kern/kern_prot.c
+3 -5  1 files

HardenedBSD/src 8185ac3 sys/kern kern_prot.c

setcred(): Fix RACCT resource accounting on credentials change

When credentials are changed, we need to adjust the sum of resources
associated to the initial and new process' user IDs (and old and new
login classes and jails, but setcred() does not change them) for them to
stay consistent.

PR:             290352
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D53457

(cherry picked from commit 2be5127c4a31bacac9b4158395bfa844f6033626)
DeltaFile
+16 -1  sys/kern/kern_prot.c
+16 -1  1 files

HardenedBSD/src 12b613e sys/vm vm_domainset.c

vm_domainset: Ensure round-robin works properly

All iterators that rely on an object's 'struct domainset_ref' (field
'domain' on 'struct vm_object'), which is the case for page allocations
with objects, are used with the corresponding object locked for writing,
so cannot lose concurrent iterator index's increases even if those are
made without atomic operations.  The only offender was thread stack
allocation, which has just been fixed in commit 3b9b64457676 ("vm: Fix
iterator usage in vm_thread_stack_create()").

However, the interleaved policy would still reset the iterator index
when restarting, losing track of the next domain to allocate from when
applying round-robin, which all allocation policies do if allocation
from the first domain fails.

Fix this last round-robin problem by not resetting the shared index at
iterator's phase init on DOMAINSET_POLICY_INTERLEAVE.

Add an assertion to check that, when passed, an object is write-locked

    [21 lines not shown]
DeltaFile
+7 -3  sys/vm/vm_domainset.c
+7 -3  1 files

HardenedBSD/src 67a2afe sys/rpc svc_auth_unix.c

sys/rpc: UNIX auth: Do not log on bogus AUTH_SYS messages

Remove the printf() stances added in commit d4cc791f3b2e ("sys/rpc: UNIX
auth: Fix OOB reads on too short message").

Even if it can be helpful to know why an authentication message is
rejected, printing explanatory messages on each request attempt is
a remote log filler that could be triggered by accident, and the generic
RPC code generally does not do that.  These printf() calls should be
restored only after some limiting or configuration mechanism is devised.

MFC with:       d4cc791f3b2e ("sys/rpc: UNIX auth: Fix OOB reads on too short message")
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 2110ae0ef9d6ca8cf52b29fcaf926c4343f56826)
DeltaFile
+3 -17  sys/rpc/svc_auth_unix.c
+3 -17  1 files

HardenedBSD/src fd404e9 sys/kern kern_racct.c kern_idle.c, sys/sys proc.h

racct: Fix accounting of CPU time for the system idle process

- Add a flag which cleanly indicates that a given process is the system
  idle process.
- Modify racctd() to skip over the idle proc when aggregating CPU time
  and other metrics which don't apply to the idle thread.
- Remove handling for idle threads from racct_getpcpu().

PR:             269097
Reviewed by:    olce, kib
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D50073

(cherry picked from commit 33be1632047c05dbfcc139476e05f49c3a86d560)
DeltaFile
+4 -18  sys/kern/kern_racct.c
+3 -0   sys/kern/kern_idle.c
+1 -1   sys/sys/proc.h
+8 -19  3 files

HardenedBSD/src 2e3e62e sys/rpc svc_auth_unix.c

sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (2/2)

Remove local defines from 'svc_auth_unix.c' and use the new limit
macros instead.

Reviewed by:    rmacklem
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52963

(cherry picked from commit e665c0f6f7a611d25d9d7e7f64d98c84b3a92820)
DeltaFile
+2 -5  sys/rpc/svc_auth_unix.c
+2 -5  1 files

HardenedBSD/src 8807380 sys/rpc svc_auth_unix.c

sys/rpc: UNIX auth: Fix OOB reads on too short message

In the inline version (_svcauth_unix()), fix multiple possible OOB reads
when the credentials part of a request is too short to contain mandatory
fields or with respect to the hostname length or number of groups it
advertises.  The previously existing check was arriving too late and
relied on possibly wrong data coming from earlier OOB reads.

While here, use 'uint32_t' as the length/size type, as it is more than
enough and removes the need for conversions, explicit or implicit.
While here, factor out setting 'stat' to AUTH_BADCRED and then jumping
to 'done' on error, through the new 'badcred' label.  While here,
through comments, refer to what the non-inline version is doing
(xdr_authunix_parms() in 'authunix_prot.c') and the reasons.

Reviewed by:    rmacklem
Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation

    [3 lines not shown]
DeltaFile
+60 -39  sys/rpc/svc_auth_unix.c
+60 -39  1 files

HardenedBSD/src c3f9ca7 sys/rpc authunix_prot.c svc_auth_unix.c

sys/rpc: UNIX auth: Style: Remove unnecessary headers, minor changes

MFC after:      2 days
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit a4105a5d4e179aa1ef661ee45d6008e83fefd2a7)
DeltaFile
+3 -6  sys/rpc/authunix_prot.c
+1 -3  sys/rpc/svc_auth_unix.c
+4 -9  2 files

HardenedBSD/src 1fa29df sys/rpc authunix_prot.c

sys/rpc: UNIX auth: Support XDR_FREE

xdr_authunix_parms() does not allocate any auxiliary memory, so we can
simply support XDR_FREE by just returning TRUE.

Although there are currently no callers passing XDR_FREE, this makes us
immune to such a change in a way that doesn't cost more but is more
constructive than a mere KASSERT().

Suggested by:   rmacklem
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 4ae70c3ea498e06676040ee99254d261e29ae82e)
DeltaFile
+4 -0  sys/rpc/authunix_prot.c
+4 -0  1 files

HardenedBSD/src dab039c sys/rpc authunix_prot.c

sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)

Consistently with the XDR_INLINE() variant of xdr_authunix_parms()
(_svcauth_unix() in 'svc_auth_unix.c'), reject messages with credentials
having a machine name length in excess of AUTH_SYS_MAX_HOSTNAME or more
than AUTH_SYS_MAX_GROUPS supplementary groups, which do not conform to
RFC 5531.  This is done mainly because we cannot store excess groups
anyway, even if at odds with the robustness principle ("be liberal in
what you accept").

While here, make sure the current code is immune to AUTH_SYS_MAX_GROUPS
changing value (in future RFCs?) even if that seems improbable.

Reviewed by:    rmacklem
Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52962

(cherry picked from commit b119ef0f6a81eb32b0e1cd0075cec499543e7ddd)
DeltaFile
+23 -10  sys/rpc/authunix_prot.c
+23 -10  1 files

HardenedBSD/src f15270e sys/rpc auth.h

sys/rpc: Define AUTH_SYS_MAX_{GROUPS,HOSTNAME}

As, respectively, the maximum number of "supplementary" groups and the
maximum hostname size allowed in the credentials structure for AUTH_SYS
(aka, AUTH_UNIX).

Will be used in subsequent commits.

Reviewed by:    rmacklem
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52961

(cherry picked from commit f7c4f800cc0b4fac1c99cda8e22d46b67592f9fa)
DeltaFile
+4 -0  sys/rpc/auth.h
+4 -0  1 files

HardenedBSD/src 0574fca sys/rpc authunix_prot.c

sys/rpc: UNIX auth: Fix OOB accesses, notably writes on decode

When the received authentication message had more than XU_NGROUPS, we
would write group IDs beyond the end of cr_groups[] in the 'struct
xucred' being filled (as 'ngroups_max' is always greater than
XU_NGROUPS).

For robustness, prevent various OOB accesses that would result from
a change of value of XU_NGROUPS or a 'struct xucred' with an invalid
'cr_ngroups' field, even if these cases are unlikely.

Reviewed by:    rmacklem
Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
MFC after:      2 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52960

(cherry picked from commit 47e9c81d4f1324674c624df02a51ad3a72aa7444)
DeltaFile
+21 -19  sys/rpc/authunix_prot.c
+21 -19  1 files
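The three AUTH_SYS commits in this list (8807380, "Fix OOB reads on too short message"; dab039c, "Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits"; 0574fca, "Fix OOB accesses, notably writes on decode") all come down to one discipline: validate every length the peer advertises against the bytes actually received before reading them, and bound every copy into a fixed-size field by the protocol limit. The following is an added C example of a decoder built that way; it is not the kernel's `_svcauth_unix()` or `xdr_authunix_parms()`. The field order is the AUTH_SYS credential body from RFC 5531 section 9.1 (stamp, machinename, uid, gid, gids), and the limits 255 and 16 are the ones that RFC gives for machinename and gids; `AUTHSYS_MAX_*`, `struct authsys_cred`, `authsys_parse()` and `authsys_encode()` are names chosen here, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits from RFC 5531, section 9.1: string machinename<255>; unsigned int gids<16>. */
#define AUTHSYS_MAX_HOSTNAME 255
#define AUTHSYS_MAX_GROUPS   16

/* Hypothetical decoded form of an AUTH_SYS (AUTH_UNIX) credential body. */
struct authsys_cred {
    uint32_t stamp;
    char     machinename[AUTHSYS_MAX_HOSTNAME + 1];
    uint32_t uid, gid;
    uint32_t ngroups;                        /* supplementary groups present */
    uint32_t groups[AUTHSYS_MAX_GROUPS];
};

struct xdr_cursor { const uint8_t *p; size_t left; };

/* Read one big-endian XDR unsigned int; refuse if fewer than 4 bytes remain. */
static int xdr_get_u32(struct xdr_cursor *c, uint32_t *out)
{
    if (c->left < 4)
        return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    return 0;
}

/*
 * Parse an AUTH_SYS credential body of 'len' bytes into *out. Returns 0 on
 * success, -1 on a truncated, malformed or over-limit message. Each advertised
 * length is checked against the bytes really left before the bytes it
 * describes are touched, and the RFC limits bound every copy into *out.
 */
int authsys_parse(const uint8_t *buf, size_t len, struct authsys_cred *out)
{
    struct xdr_cursor c = { buf, len };
    uint32_t hostlen, padded, i;

    memset(out, 0, sizeof(*out));
    if (xdr_get_u32(&c, &out->stamp) != 0 || xdr_get_u32(&c, &hostlen) != 0)
        return -1;
    if (hostlen > AUTHSYS_MAX_HOSTNAME)        /* RFC limit; also bounds the memcpy */
        return -1;
    padded = (hostlen + 3) & ~(uint32_t)3;     /* XDR pads opaque data to 4 bytes */
    if (c.left < padded)                       /* advertised length vs. bytes present */
        return -1;
    memcpy(out->machinename, c.p, hostlen);
    out->machinename[hostlen] = '\0';
    c.p += padded; c.left -= padded;

    if (xdr_get_u32(&c, &out->uid) != 0 || xdr_get_u32(&c, &out->gid) != 0 ||
        xdr_get_u32(&c, &out->ngroups) != 0)
        return -1;
    if (out->ngroups > AUTHSYS_MAX_GROUPS)     /* would write past groups[] */
        return -1;
    if (c.left < (size_t)out->ngroups * 4)     /* advertised count vs. bytes present */
        return -1;
    for (i = 0; i < out->ngroups; i++)
        (void)xdr_get_u32(&c, &out->groups[i]);   /* cannot fail after the check above */
    return 0;
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Encode a credential body. Used to construct sample and malformed inputs,
 * so it deliberately enforces no limits. Returns bytes written, 0 if 'cap'
 * is too small.
 */
size_t authsys_encode(uint8_t *buf, size_t cap, uint32_t stamp, const char *host,
                      uint32_t uid, uint32_t gid, const uint32_t *groups, uint32_t ngroups)
{
    size_t hostlen = strlen(host), padded = (hostlen + 3) & ~(size_t)3;
    size_t need = 4 + 4 + padded + 4 + 4 + 4 + (size_t)ngroups * 4, i;
    uint8_t *p = buf;

    if (need > cap)
        return 0;
    put_u32(p, stamp);             p += 4;
    put_u32(p, (uint32_t)hostlen); p += 4;
    memset(p, 0, padded);
    memcpy(p, host, hostlen);      p += padded;
    put_u32(p, uid);               p += 4;
    put_u32(p, gid);               p += 4;
    put_u32(p, ngroups);           p += 4;
    for (i = 0; i < ngroups; i++, p += 4)
        put_u32(p, groups[i]);
    return need;
}

int main(void)
{
    uint8_t msg[512];
    struct authsys_cred cr;
    const uint32_t gids[2] = { 20, 1001 };   /* constructed sample credential */
    size_t n = authsys_encode(msg, sizeof(msg), 1, "client.example", 1000, 1000, gids, 2);

    printf("complete message:  %s\n", authsys_parse(msg, n, &cr) == 0 ? "accepted" : "rejected");
    printf("truncated by 1:    %s\n", authsys_parse(msg, n - 1, &cr) == 0 ? "accepted" : "rejected");
    put_u32(msg + n - 12, 1000);             /* claims 1000 groups; only 2 are present */
    printf("bogus group count: %s\n", authsys_parse(msg, n, &cr) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The order of the checks is the point: the group count is compared with `AUTHSYS_MAX_GROUPS` before anything is stored in `groups[]` (the write the third commit fixes), and with the remaining byte count before any group is read (the late check the first commit replaces), so a count or hostname length that the message cannot back is rejected without a single out-of-bounds access.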

HardenedBSD/src d913e3f libexec/tftpd tftpd.c

tftpd: explicitly set egid after dropping supplemental groups

tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid.  This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.

While we're here, FreeBSD's setgroups() has supported nominally clearing
all supplemental groups since 1997.  It still leaves the egid in our
cr_groups[0] because we don't have an out-of-band way to store the egid,
and on other systems it'll clear the supplemental group entirely as one
would want.

Reviewed by:    allanjude (previous version), des, olce
Differential Revision:  https://reviews.freebsd.org/D51149

(cherry picked from commit 5138a20765c76cdc8f245d3d7caeffe9a9011bb2)
DeltaFile
+5 -1  libexec/tftpd/tftpd.c
+5 -1  1 files
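The portable privilege-drop sequence the commit above argues for, as an added C example that is not tftpd's code: `drop_privileges()` and `DROP_EVERIFY` are names chosen here. Supplementary groups go first, the gid is set with an explicit setgid() rather than left to whatever setgroups() happens to do on the running kernel, the uid goes last because that is the call that removes the privilege needed by the earlier ones, and the result is read back instead of assumed. The target IDs in `main()` are the caller's own, so the program also runs unprivileged (where setgroups() is expected to fail with EPERM).

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() even in strict ISO C mode */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returned by drop_privileges() when every call succeeded but the IDs read back wrong. */
#define DROP_EVERIFY 1

/*
 * Permanently drop to uid/gid. Returns 0 on success, the negative errno of
 * the first failing call, or DROP_EVERIFY if the final check fails.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t only = gid;

    if (setgroups(1, &only) != 0)    /* supplementary list reduced to the target gid */
        return -errno;
    if (setgid(gid) != 0)            /* explicit egid/rgid: never implied by setgroups() */
        return -errno;
    if (setuid(uid) != 0)            /* last: this is what gives up the privilege */
        return -errno;

    /* Trust nothing the calls above imply; read the credentials back. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return DROP_EVERIFY;
    return 0;
}

int main(void)
{
    /* Constructed target: the caller's own IDs, so this runs unprivileged as well. */
    int rc = drop_privileges(getuid(), getgid());

    if (rc == 0)
        printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    else if (rc < 0)
        printf("drop failed: %s\n", strerror(-rc));
    else
        printf("drop verification failed\n");
    return rc != 0;
}
```

The read-back at the end is what turns the "security landmine" in the commit message into a detectable failure: on a system where setgroups() does not touch the egid and the explicit setgid() were missing, `getegid()` would still report the privileged group and the function would refuse to report success.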

HardenedBSD/src b987035 sys/vm uma_core.c

uma_core: Rely on domainset iterator to wait on M_WAITOK

Commit 8b987a77691d ("Use per-domain keg locks.") removed the need to
lock the keg entirely, replacing it with per-domain keg locks.  In
particular, it removed the need to hold a lock over waiting for a domain
to grow free memory.

Simplify the code of keg_fetch_slab() and uma_prealloc() by removing the
M_WAITOK -> M_NOWAIT downgrade and the local call to vm_wait_doms()
(which used to necessitate temporarily dropping the keg lock) which the
iterator machinery already handles on M_WAITOK (and compatibly with
vm_domainset_iter_ignore() at that, although that does not matter now).

Reviewed by:    bnovkov, markj
Tested by:      bnovkov
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52441

(cherry picked from commit 781802df7a2bfe224ef17596d56cf83c49517655)
DeltaFile
+6 -16  sys/vm/uma_core.c
+6 -16  1 files

HardenedBSD/src ede3009 sys/rpc svc_auth_unix.c authunix_prot.c

sys/rpc: UNIX auth: Rename 'ngroups' => 'supp_ngroups' for clarity

MFC after:      2 days
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit bda3b61512b2597d4c77d2b9c9074b844dec0405)

Two minor conflicts, due to missing comments added in commit
be1f7435ef21 ("kern: start tracking cr_gid outside of cr_groups[]")
which will not be MFCed, were solved by adding these comments.
DeltaFile
+13 -8   sys/rpc/svc_auth_unix.c
+13 -8   sys/rpc/authunix_prot.c
+26 -16  2 files

HardenedBSD/src ed39e2b sys/fs/fuse fuse_internal.h, sys/kern kern_prot.c vfs_syscalls.c

kern: adopt the cr_gid macro for cr_groups[0] more widely

A future change may split cr_gid out of cr_groups[0] so that there's a
cleaner separation between the supplemental groups and the effective
group.  Do the mechanical conversion where we can, and drop some
comments where we need further work because some assumptions about
cr_gid == cr_groups[0] have been made.

This should not be a functional change, but downstreams and other
out-of-tree code are advised to investigate their usage of cr_groups
sooner rather than later, as a future change will render assumptions
about these two being equivalent harmful.

Reviewed by:    asomers, kib, olce
Differential Revision:  https://reviews.freebsd.org/D51153

(cherry picked from commit 46c07316f90628a82dd461376ccff64a81254325)

This was MFCed to ease application of further commits.

    [7 lines not shown]
DeltaFile
+19 -19  sys/kern/kern_prot.c
+3 -3    sys/fs/fuse/fuse_internal.h
+3 -3    sys/rpc/authunix_prot.c
+2 -2    sys/kern/vfs_syscalls.c
+2 -2    sys/netpfil/pf/pf.c
+2 -2    sys/netsmb/smb_conn.c
+31 -31  8 files not shown
+40 -40  14 files

HardenedBSD/src fecb79a stand/libsa smbios.c

libsa: smbios: Detect less-than-64-bit platforms via __SIZEOF_SIZE_T__

What we really want here is to know if pointers can refer to 64-bit
addresses, regardless of whether they also hold other information (such
as capabilities in CHERI).  __SIZEOF_SIZE_T__ is probably the closest
indication to that piece of information, so let's use it.  __ILP32__
wasn't wrong in practice though, as we don't support 32-bit CHERI
hardware (and likely never will).

Consistently with this change, test whether we can actually address the
64-bit SMBIOS's structure table by converting the end address to
'size_t' and checking whether its value is preserved.

Suggested by:   jhb (for the __ILP32__ => __SIZEOF_SIZE_T__ part)
Reviewed by:    jhb, imp
MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D49318

(cherry picked from commit d3bfcd66409befc2d545e5449963b41c25c369a9)
DeltaFile
+7 -4  stand/libsa/smbios.c
+7 -4  1 files