examples: Update COPTFLAGS in make.conf
We've been using -O2 for about fifteen years.
Reported by: Jan Stary <hans at stare.cz>
MFC after: 1 week
(cherry picked from commit 2ab18d3286f5e1ea08cd86e234377b673245ec15)
auditd: Fix signal handling
Rewrite the main loop to use ppoll() instead of just blocking on read,
blocking the signals we care about when we aren't polling.
I didn't bother replacing alarm() with setitimer(); the alarm code
is dead anyway since there is no way for max_idletime to acquire a
non-zero value.
While here, avoid leaking the pid file and trigger descriptors to the
log child.
PR: 295840
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D57451
(cherry picked from commit 5bd78cfc800339fd7f3945498052d67553af9e3c)
audit: Add poll / select support
It was previously not possible to poll() or select() on the trigger
device, which made implementing proper signal handling in auditd
difficult.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D57457
(cherry picked from commit 0620c99d278b6a2fd6fe995f5bb365158e04ad7c)
audit: Replace TAILQ with STAILQ
This reduces the size of a trigger entry from 24 bytes to 16 (or from
12 bytes to 8 on 32-bit) with no additional complexity.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans, emaste
Differential Revision: https://reviews.freebsd.org/D57464
(cherry picked from commit 77e894cb09affe828f4bc81b8e4751a7e22860de)
check-old-libs: Show information about packages
If pkg is installed, for each old library found to still be present,
check if any installed packages either provide or require the library,
and inform the user.
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D53977
(cherry picked from commit 8d9dff23f206cb86aed9857a985ed09cd38eb5ac)
vmm/arm64: Compile vmm_nvhe.c without SSP
This file implements a set of EL2 hypercall handlers and is used to
switch between guests and the host kernel when VHE is not in use. There
is no SSP runtime available there.
Reported by: Jenkins
Fixes: 8deebce931fa ("kernel: Enable -fstack-protector-strong by default")
(cherry picked from commit bed77cf7c213c3f93a0dc099e4b46c078495a328)
if_stf: Free entire mbuf chain on failure
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: markj, bz, kp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57476
(cherry picked from commit 5a7f41e94b6d47e60e5d76dfb3a61ee2746700ca)
libalias: Serialize updates to the global instance list
libalias maintains a global list of all libalias handles. The list was
updated without any locking, but nothing prevents updates from running
concurrently.
MFC after: 1 week
(cherry picked from commit 2ff705f32a2033201a8f83f1ade5ddbc0460387d)
kernel: Enable -fstack-protector-strong by default
This extends stack canary use to all functions which define arrays on
the stack, not just those which operate on byte buffers. This option
would have made it harder to exploit SA-26:18.setcred and
SA-26:08.rpcsec_gss.
The change bloats the amd64 kernel text by about 350KB and increases the
number of covered functions from ~1500 to ~9000 (within the kernel
itself, i.e., not counting kernel modules).
Reviewed by: olce, olivier, emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56870
(cherry picked from commit 8deebce931fa9b469cf28a082038a64caf972602)
net: Fix handling of unmapped user pages in if_getgroup()
We cannot call copyout() while in a net epoch section, unless the user
memory is wired. Use the global ifnet lock to synchronize the accesses
instead.
Reported by: emaste
Reviewed by: zlei
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D57154
(cherry picked from commit 68004e56fdc22c11b4ec680e83309b4ea2bfe13a)
lagg: Handle a port count of zero
The sc_count check in lagg_transmit_ethernet() and
lagg_transmit_infiniband() is racy, as the lagg protocol handlers are
only synchronized by net_epoch. Handle a count of 0 in each protocol
handler where it's needed, namely in the RR and LB handlers.
Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by: pouria, zlei
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56942
(cherry picked from commit 49d90d9ddfc1ecda9ad9b6cb5565e5fbdcc14964)
ucode: Fix validation on Intel platforms
The check for the extended signature table was backwards, so we always
ignored it.
We should verify that the extended signature table fits within the total
image size.
Reviewed by: jrm, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57209
(cherry picked from commit 0beb172898499fff51eed4df3d9284cd1094afbb)