kern: mac: add a prison_cleanup entry point
The MAC framework provides a lot of useful functionality that can be
configured per-jail without requiring the use of labels. Having another
entry point that we invoke just for general prison cleanup rather than
freeing the label is useful to allow a module that can otherwise work
off of a series of MAC entry points + sysctls for configuration to free
its per-jail configuration without having to bring in osd(9).
One such example in the wild is HardenedBSD's secadm, but some of my
own personal use had wanted it as well- it was simply overlooked in the
final version because my first policy made more sense with labels. On
that note, it's expected that prison_cleanup and prison_destroy_label
will effectively be mutually exclusive -- the former only used when
a label isn't needed, the latter when it is.
Note that prison_cleanup isn't perfectly symmetrical w.r.t.
prison_created: the latter takes a label as well, because it's called
later in jail setup and a better point for propagation than when the
[11 lines not shown]
sys/compat/freebsd32: Fix i386 compilation
The compile assertion now failing is due to the change '__int64_t' =>
'__int32_t' as the type of 'time32_t' on i386, which is the correct
value. The use of 'freebsd32.h' on i386 may seem strange, but it comes
from 'kern_umtx.c' including it unconditionally as it needs 'struct
umutex32'.
Fixes: 87632ddf67b0 ("openzfs sys/types32.h: use abi_compat.h for time32_t")
Sponsored by: The FreeBSD Foundation
sys: ELF: Rename SHN_FBSD_CACHED => SHN_FREEBSD_CACHED
All other FreeBSD-specific constants have FREEBSD fully spelled out in
their names. Be consistent.
No functional change (intended).
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55224
security/libgcrypt: Fix Curve25519 key validation
Starting with version 1.12.0, libgcrypt was failing to validate
Curve25519 secret keys on FreeBSD-main. This resulted in failures such
as in the example below. Incorporate the patch from
https://dev.gnupg.org/T8094 to fix the problem.
% TEMP_GPG=$(mktemp -d)
% GNUPGHOME=$TEMP_GPG gpg --batch --import < ./test/openpgp4-secret-key.asc
gpg: keybox '/tmp/tmp.gkqFaMAlVu/pubring.kbx' created
gpg: /tmp/tmp.gkqFaMAlVu/trustdb.gpg: trustdb created
gpg: key 7E6ABE924645CC60: public key "Notmuch Test Suite (INSECURE!) <test_suite at notmuchmail.org>" imported
gpg: key 7E6ABE924645CC60: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
[10 lines not shown]
timeout: Clean up
* Annotate logv() and fix format string bug.
* Don't reinvent str2sig(3).
* Reorganize kill_self() so we unblock signals as late as possible, and
use raise(2) instead of kill(2).
* Explicitly close unused pipe descriptors.
* Use correct type to collect result of read(2) and write(2).
* Compare return values to 0, not -1.
* Sort local variables according to style(9).
* Reduce unnecessary nesting.
[8 lines not shown]
diff: Tweak recursion tests
The -r flag is not required to compare two directories; it is only
required to compare them recursively, i.e. descend into their common
subdirectories. Adjust tests that use -r needlessly, and adjust the
dirloop test to verify that these two cases remain distinct.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D55262
diff: Tweak range of -C and -U arguments
POSIX uses the terms “positive decimal integer” for -C and “non-negative
decimal integer” for -U, which translates into lower bounds of 1 for -C
and 0 for -U.
POSIX does not specify a minimum upper bound for either mode, but as of
5fc739eb5949 both our backends support context sizes up to and including
INT_MAX, so use that.
Having had the opportunity to consult the Unix System Test Suite, the
diff test cases found therein happen to precisely match these bounds.
While here, switch to using strtonum() to parse numerical arguments, and
try to be more consistent in how we report usage errors.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D55261