periodic: set _localbase for periodic scripts from within periodic.conf
Set _localbase variable from within /etc/defaults/periodic.conf
for use by periodic scripts.
This fixes e5d7100c09, no other functional changes intended.
Reported by: gahr, otis
Reviewed by: markj, gahr
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D47486
(cherry picked from commit c8b89c11a1181e900acb638cfde7a55e92553175)

HBSD: maintain secure file ownership and permissions
This change maintains secure file ownership and permissions through
the periodic utility. The file list is described by a mtree(8) specification,
and the mtree(8) utility is run at daily intervals. The mtree(8) utility
will detect files that don't match the specification, and adjust ownership
and permissions only when necessary.
The mtree(8) specification is only used by periodic for the time being,
but if necessary, it could be used in other contexts. It could also be
modified to suit the user's preferences as well.
Credit to lattera / shawn.webb for suggesting the use of mtree(8). It works
much better than the previous approach that has been abandoned in favor
of mtree(8).

periodic: set _localbase for periodic scripts from within periodic.conf
Set _localbase variable from within /etc/defaults/periodic.conf
for use by periodic scripts.
This fixes e5d7100c09, no other functional changes intended.
Reported by: gahr, otis
Reviewed by: markj, gahr
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D47486

periodic.conf: remove long deprecated security_daily_compat_var()
This function is documented to be gone in after 11. Time to remove this
compat shim.
PR: 275296
Reviewed by: jrm (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D44796
(cherry picked from commit aa48259f337100e79933d660fec8856371f761ed)

periodic.conf: remove long deprecated security_daily_compat_var()
This function is documented to be gone in after 11. Time to remove this
compat shim.
PR: 275296
Reviewed by: jrm (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D44796

periodic/daily/801.trim-zfs: Add a daily zfs trim script
As mentioned in zpoolprops(7), on some SSDs, it may not be desirable to
use ZFS autotrim because a large number of trim requests can degrade
disk performance; instead, the pool should be manually trimmed at
regular intervals.
Add a new daily periodic script for this purpose, 801.trim-zfs. If
enabled (daily_trim_zfs_enable=YES; the default is NO), it will run a
'zpool trim' operation on all online pools, or on the pools listed in
'daily_trim_zfs_pools'.
The trim is not started if the pool is degraded (which matches the
behaviour of the existing 800.scrub-zfs script) or if a trim is already
running on that pool. Having autotrim enabled does not inhibit the
periodic trim; it's sometimes desirable to run periodic trims even with
autotrim enabled, because autotrim can elide trims for very small
regions.
[6 lines not shown]

periodic/daily/801.trim-zfs: Add a daily zfs trim script
As mentioned in zpoolprops(7), on some SSDs, it may not be desirable to
use ZFS autotrim because a large number of trim requests can degrade
disk performance; instead, the pool should be manually trimmed at
regular intervals.
Add a new daily periodic script for this purpose, 801.trim-zfs. If
enabled (daily_trim_zfs_enable=YES; the default is NO), it will run a
'zpool trim' operation on all online pools, or on the pools listed in
'daily_trim_zfs_pools'.
The trim is not started if the pool is degraded (which matches the
behaviour of the existing 800.scrub-zfs script) or if a trim is already
running on that pool. Having autotrim enabled does not inhibit the
periodic trim; it's sometimes desirable to run periodic trims even with
autotrim enabled, because autotrim can elide trims for very small
regions.
[4 lines not shown]

periodic: Make daily diff(1) output as small as possible
Make, by default, daily diff(1) ignore whitespace changes and the unified output
a context of zero (0) lines. This reduces output of unrelated lines in e-mails
delivered to root.
PR: 270266
Approved by: jrm (mentor), karels
MFC after: 1 month
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D42762
(cherry picked from commit e2f6bafc3887c7752986526f3758525d24701fce)

periodic: Make security diff(1) output as small as possible
Make, by default, security diff(1) produce a unified output with a context of
zero (0) lines. This reduces output of unrelated lines in e-mails delivered
to root.
PR: 270266
Approved by: jrm (mentor), karels
MFC after: 1 month
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D43071
(cherry picked from commit 3aa71ea7c231a4e60a7e1b9b677e379e17432fc8)