MAC/do: Add consistency tests
Test that:
1. Concurrent changes to different parameters on the same jail are
independent/atomic.
2. Inheritance works.
3. Relaxing only parent jail rules does not leak to a subjail thanks to
sequential consistency.
4. Sysctl knobs and jail parameters stay consistent.
Some of these tests may be extended in the future with several layers of
jails (there is only a single subjail currently).
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Tests: Add support for exec paths, jail parameters, subjails
And also allow configuration of the mdo(1) executable path.
This commit only contains new or modified infrastructure. No functional
change intended at this point.
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Tests: Quote the source directory
In a standard test suite installation, this is not necessary, but be
bullet-proof to custom ones, however improbable.
Reviewed by: bapt
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Tests: Fix copyrights
No comma needed after a single year. Add SPDX.
Reviewed by: bapt
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Tests: Remove shebang lines
They are automatically added by <bsd.test.mk>.
Reviewed by: bapt
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
mac_do.4: Document executable paths, default jail values and consistency
While here, fix the bug of mentioning 'enable' as a possible value for
the 'mac.do' jail parameter whereas it is 'new' instead.
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Update copyright
Update years for the Foundation.
While here, remove the initial '/*-' which has been useless for a long
time.
While here, add a missing space on bapt@'s copyright line (approved by
him).
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Do not skip blanks when parsing executable paths
The kind of tolerance we apply to parsing rules, whose format we have
defined, cannot be applied to paths since blank characters are allowed
there.
There is still the limitation that no escape character is currently
supported, and so it is not possible to configure a path having a ':'
character.
Reviewed by: bapt
Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Serialize installing/modifying some jail's configuration
See the immediately preceding commit for explanations on what this is
fixing.
When setting 'mac.do' to 'inherit' on a jail with 'mac.do.rules' and
'mac.do.exec_paths' also specified in the same call, ensure that the
check that these passed parameters are the same as those to be inherited
is atomic with respect to enabling the inheritance (i.e., removing the
jail's 'struct conf' object). (See previous commit "MAC/do: Fix the
recent logic to set jail parameters, make it more tolerant" as for why
this check exists.)
Because we currently only modify a single configuration object per
transaction, we introduce the parse_and_commit_conf() wrapper around
parse_and_set_conf() to remove duplicated code that would ensue from
calling the latter directly, namely, releasing the 'mac_do_rwl' lock and
freeing the old configuration object (if any).
[9 lines not shown]
MAC/do: Support for atomically modifying configurations
As mentioned in previous commits "MAC/do: parse_and_set_conf(): Require
the model configuration" and "MAC/do: Sequential consistency for
configuration retrieval", the introduction of the "executable path"
feature, more fundamentally, the fact that there is now more than one
per-jail parameter and that parameters can be independently modified or
copied, causes an atomicity problem in case of concurrent accesses to of
a jail's applicable configuration.
Partially modifying a configuration is indeed akin to
a read-modify-write operation, where the read is either to the current
or an inherited configuration. More precisely, once pointed to by
a jail, a configuration object is immutable, and changing the jail's
configuration means making the jail point to another configuration
object. To change a jail's configuration, a new configuration object is
thus built, and if only some parameters have been explicitly specified,
those that have not been are set by copying the corresponding values
from an existing configuration object (in case of partial modification
[34 lines not shown]
MAC/do: Sequential consistency for configuration retrieval
Since the inception of mac_do(4), find_conf(), used to retrieve the
applicable configuration, has been weakly consistent with respect to
concurrent modifications to configuration inheritance that influence its
result (and it has been sequentially consistent with respect to other
configuration modifications, which the initial executable paths feature
and introduction of implicit parameters broke and which will be fixed in
a subsequent commit).
Indeed, find_conf() climbs the jail tree to find an applicable
configuration, which is not an atomic operation. It examines the
current jail's configuration pointer for each browsed jail, which does
not prevent concurrent modifications of the configuration pointer for
jails below or above it. Modifications above the current jail are not
a problem, since if climbing needs to continue (i.e., the current jail
inherits), these modifications will be seen if performed before that
check (and may or may not be seen if performed after that check).
However, modifications below the current jail impair sequential
[48 lines not shown]
MAC/do: Comment to explain the main invariant for configurations
Once visible, configuration structures must *never* change.
Spell that out in a comment to help future readers/contributors
understand the design.
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Allocate only one default configuration
When mac_do(4) is loaded, all jails get the same default configuration
(disabled, with only one allowed executable path: '/usr/bin/mdo').
Share it between all jails instead of creating a separate copy for each.
Reviewed by: bapt
Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Visually separate some file sections
With additional empty lines.
No functional change (intended).
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Fix reporting of "mac.do" post-"executable paths"
In mac_do_jail_get(), computation of 'jsys' had not been updated to take
into account executable paths.
Reviewed by: bapt
Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
MAC/do: Configuration: Fix default values: Remove jail creation method
mac_do_jail_create() would create a default configuration on the
just-created jail, erroneously causing mac_do_jail_set() to then
retrieve it and use it as a model when determining the default values
for not-specified parameters, instead of using the configuration
applicable to the parent jail.
Setting a default configuration in mac_do_jail_create() had been done as
a kind of defensive measure to prevent a created jail not to have
a configuration (effectively making it inherit from an ancestor jail,
which is a security hazard except if explicitly requested). However,
this measure was never really effective (osd_jail_call(PR_METHOD_CREATE)
in kern_jail_set() calls the PR_PETHOD_CREATE methods in an unspecified
order, and stops at the first error), so we are forced to rely in any
case on the fact that an error in a PR_METHOD_CREATE or PR_METHOD_SET
method leads to stopping the jail creation process (which is the case
today; see kern_jail_set()).
[5 lines not shown]
MAC/do: Fix the recent logic to set jail parameters, make it more tolerant
The logic introduced in the initial commit for the "executable paths"
feature did not match the specification we discussed in that specifying
an empty value (for rules or executable paths) on "mac.do" being "new"
would be treated as an absence of value and trigger a copy from the
currently applicable configuration, instead of being an override that
deactivates mac_do(4) in the jail. Fix that by distinguishing both
cases.
More generally, a non-explicitly specified parameter is set to the same
value it has in the currently applicable configuration (that of the
closest ancestor jail that has one; 'prison0' (the host) always has
one), with an exception in the disable case.
On disable (explicit: "mac.do" to "disable", implicit: no parameters
passed, or at least one is empty), now accept parameters with
a non-empty value as long as at least one of them is empty (which alone
is enough to disable mac_do(4)). If no parameters are passed, both are
[24 lines not shown]
sound: Fix lock order reversal in dsp_poll()
chn_poll() may hold both rdch and wrch channel locks while calling
chn_trigger(rdch). chn_trigger() switches the lock order from
"channel -> dsp dev" to "dsp dev -> channel" by temporarily dropping
the channel lock before acquiring the dsp lock.
However, only rdch was unlocked during the transition while wrch
remained locked. Since wrch is also a channel lock and witness had
already established the lock order requirement:
dsp dev -> channel
witness reports a lock order reversal when pcm_lock() is acquired while
wrch is still held.
Avoid holding rdch and wrch simultaneously during chn_trigger()
lock-order switching by only keeping the channel locks when needed.
[9 lines not shown]
compat/linprocfs: Update /proc/partitions output
Linux /proc/partitions reports the major/minor pair, the device size in
1K blocks, and the device name. linprocfs still printed obsolete
statistics columns and reported the size in bytes.
Update linprocfs_dopartitions() to emit the Linux-style header and
report provider sizes in 1K blocks.
Signed-off-by: Shunchao Hu <ankohuu at gmail.com>
Reviewed by: des
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/2126
Closes: https://github.com/freebsd/freebsd-src/pull/2126
(cherry picked from commit 5f5cc3c67ae8a4d9a27e750bef98a9ce1a6b2cf5)
compat/linprocfs: Fix auxv sbuf leak
linprocfs_doauxv() allocates an automatic sbuf before validating
whether the requested read can be satisfied.
When the computed auxv read length exceeds IOSIZE_MAX, or when the
buffer length is too big, the function returns early without
releasing the sbuf.
Route these early exits through a shared cleanup path so the sbuf is
always deleted after sbuf_new_auto() succeeds.
Signed-off-by: Shunchao Hu <ankohuu at gmail.com>
Reviewed by: des, spmzt, zlei, aokblast
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/2118
(cherry picked from commit 16aa49f6d1bbe70cd3e851139eb63d566de49b12)
vmm: Add missing AVX instructions for AVX512 in cpuid stdext
Reported by: Tom <freebsd at fizz.buzz>
Reviewed by: markj
Tested by: Tom <freebsd at fizz.buzz>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56021
(cherry picked from commit e6eba5076929d0b193c9c94b2658c7e8f5da0669)
libc: Fix cxa_thread_atexit{,nothr} test.
After patch 9d26b82, we don't provide recursive call protection anymore.
Therefore, to pass the test, we adjust the testcase by protecting on
caller and the testcase is to make sure the dtors is properly handled.
Reported by: siva
Reviewed by: kib
Approved by: markj (mentor)
Fixes: 9d26b82826d9 ("libc: Fix dtor order in __cxa_thread_atexit")
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55893
(cherry picked from commit c25976f0a9a3a102ce47b45c19b2c93e8069433b)
libc: Fix dtor order in __cxa_thread_atexit
The thread_local variable may creates another thread_local variable
inside its dtor. This new object is immediately be registered in
__cxa_thread_atexit() and need to be freed before processing another
variable.
This fixes the libcxx test thread_local_destruction_order.pass.cpp.
Reported by: kib
Approved by: lwhsu (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55826
(cherry picked from commit 9d26b82826d9962d5085bc5d9df7f8a762c57602)
kern_time: Honor the precise option when counting diff
When preecise option is used, the true elapsed time should also use the
precise timer.
This fixes the test case sleep_for.signals.pass.cpp in libcxx.
Reviewed by: kib, imp
Approved by: lwhsu (mentor)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55824
(cherry picked from commit 728ae49a6b81edb3eec5ab70a63bb83db8f5dce5)
MAC/do: parse_and_set_conf(): Require the model configuration
This change is a prerequisite for the next change in caller
mac_do_jail_set(), which for semantic correctness needs to rely on
a stable model configuration.
The two other callers already call find_conf() to retrieve the
applicable configuration, so for these a second call to find_conf() can
be saved.
However, this does not fix (actually, makes slightly worse) an atomicity
problem when multiple threads concurrently change some jail's
configuration (or the configuration inherited by a jail), which has
existed since the introduction of executable paths due to being able to
change only rules or executable paths independently (and the possibility
of not specifying them and having them copied from the currently
applicable configuration). Before tackling it in later commits, we
first focus on fixing the semantics of configuration changes in the very
next patches.
[5 lines not shown]
