OPNSense/src b4ddb3e usr.sbin/bsdinstall/scripts bootconfig

bsdinstall: fix EFI boot entry creation

update_uefi_bootentry assumes that the caller sets FREEBSD_BOOTNAME and
mntpt, which isn't the case anymore. The result is that there is no
"FreeBSD" boot entry created/updated after install. Most machines manage
to boot from the removable media path (if the loader is installed there
too), but some don't.

Take the loader's path as an argument and rename the variable used in
the ZFS mirror loop so mntpt can be reused below.

Also mark nentries as a local variable so it doesn't leak out of the
function.

PR:             293385
Fixes:          494de51bc0074472d1b01604f085daea0844f240
MFC after:      2 days
Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55469

    [2 lines not shown]
DeltaFile
+14 -11 usr.sbin/bsdinstall/scripts/bootconfig
+14 -11 1 files

OPNSense/src c2b3d1d sys/netinet ip_divert.c

divert: Use a better source identifier for netisr_queue_src() calls

These opaque IDs are used by netisr to distribute work among threads.
The mapping function is simply SourceID % numthreads, so using socket
addresses as source IDs isn't going to distribute packets well due to
alignment.

Use the divert socket's generation number instead, as that suits this
purpose much better.
DeltaFile
+4 -2 sys/netinet/ip_divert.c
+4 -2 1 files

OPNSense/src f9831b4 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
DeltaFile
+8 -0 UPDATING
+1 -1 sys/conf/newvers.sh
+9 -1 2 files

OPNSense/src 4ab9730 sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit cd00cd9f6ed4b6f6e6bb8ae168f2537968991b53)
(cherry picked from commit f44d771c2c6c80f3fabd11d335964e1efdf50a21)
DeltaFile
+2 -2 sys/net/rtsock.c
+2 -2 1 files

OPNSense/src c673940 sys/amd64/conf SYZKALLER

amd64/conf: Remove a config committed by accident

Approved by:    so
Reported by:    kib, kp
Fixes:          350ba9672a7f ("unix: Set O_RESOLVE_BENEATH on fds transferred between jails")

(cherry picked from commit 3ef39f58e5d63a78fd1c37e6c62d599bc68d5e1e)
(cherry picked from commit 302120bcb934ea150555362326c812353fb72eaa)
DeltaFile
+0 -5 sys/amd64/conf/SYZKALLER
+0 -5 1 files

OPNSense/src 3f73e41 tests/sys/kern unix_passfd_test.c Makefile

unix/tests: Add a regression test for fd transfer across jails

Approved by:    so
MFC after:      3 weeks

(cherry picked from commit 5843b8ee02e99527c28f579acfc1f48e10033529)
(cherry picked from commit ac2279ea57b72d688cf0af5a6fa7f5dbd1d4521b)
DeltaFile
+131 -0 tests/sys/kern/unix_passfd_test.c
+2 -0 tests/sys/kern/Makefile
+133 -0 2 files

OPNSense/src 6d73cae sys/amd64/conf SYZKALLER, sys/kern uipc_usrreq.c

unix: Set O_RESOLVE_BENEATH on fds transferred between jails

If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
mount), a process in one jail can open a directory outside of the root
of the second jail and then pass the fd to that second jail, allowing
the receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag.  When externalizing
an SCM_RIGHTS message into the receiving process, automatically set this
flag on all new fds where a jail boundary is crossed.  This ensures that
the receiver cannot do more than access files underneath the directory;
in particular, the received fd cannot be used to access vnodes not
accessible by the sender.

Approved by:    so
Security:       FreeBSD-SA-26:04.jail
Security:       CVE-2025-15576
PR:             262179

    [6 lines not shown]
DeltaFile
+23 -8 sys/kern/uipc_usrreq.c
+5 -0 sys/amd64/conf/SYZKALLER
+28 -8 2 files

OPNSense/src 9a9303e sys/kern kern_descrip.c

file: Fix the !CAPABILITIES build

Approved by:    so
Reported by:    Ian FREISLICH <ianfreislich at gmail.com>
Fixes:  f35525ff2053 ("file: Add a fd flag with O_RESOLVE_BENEATH semantics")

(cherry picked from commit 6783dfb10637100067520bd6d9804e154cfee7ee)
(cherry picked from commit 8f6769b82a2a071cf07080b6d77639e919efbbcf)
DeltaFile
+1 -2 sys/kern/kern_descrip.c
+1 -2 1 files

OPNSense/src f77dc4d sys/fs/fdescfs fdesc_vnops.c, sys/kern kern_descrip.c vfs_syscalls.c

file: Add a fd flag with O_RESOLVE_BENEATH semantics

The O_RESOLVE_BENEATH openat(2) flag restricts name lookups such that
they remain under the directory referenced by the dirfd.  This commit
introduces an implicit version of the flag, FD_RESOLVE_BENEATH, stored
in the file descriptor entry.  When the flag is set, any lookup relative
to that fd automatically has O_RESOLVE_BENEATH semantics.  Furthermore,
the flag is sticky, meaning that it cannot be cleared, and it is copied
by dup() and openat().

File descriptors with FD_RESOLVE_BENEATH set may not be passed to
fchdir(2) or fchroot(2).  Various fd lookup routines are modified to
return fd flags to the caller.

This flag will be used to address a case where jails with different root
directories and the ability to pass SCM_RIGHTS messages across the jail
boundary can transfer directory fds in such a way as to allow a
filesystem escape.


    [8 lines not shown]
DeltaFile
+71 -26 sys/kern/kern_descrip.c
+15 -6 sys/kern/vfs_syscalls.c
+10 -4 sys/kern/vfs_cache.c
+6 -2 sys/sys/filedesc.h
+4 -4 sys/kern/vfs_extattr.c
+2 -2 sys/fs/fdescfs/fdesc_vnops.c
+108 -44 4 files not shown
+113 -48 10 files

OPNSense/src fd926d0 sys/kern kern_descrip.c uipc_syscalls.c, sys/sys file.h filedesc.h

file: Qualify pointers to capsicum rights as const

File descriptor lookup routines typically take a set of capsicum rights
as input to the lookup, so that the fd's rights can be atomically
checked.  This set should be qualified with const.

No functional change intended.

Approved by:    so
Reviewed by:    olce, oshogbo, brooks, kib
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50419

(cherry picked from commit 5319cb21610ad947c56fd0cd4f18ef5b58bc8db7)
(cherry picked from commit 2060337c0937f08d9960d629eb59ce737339640c)
DeltaFile
+29 -23 sys/kern/kern_descrip.c
+11 -10 sys/sys/file.h
+10 -9 sys/sys/filedesc.h
+4 -3 sys/kern/uipc_syscalls.c
+3 -3 sys/kern/uipc_sem.c
+4 -2 sys/sys/procdesc.h
+61 -50 5 files not shown
+74 -60 11 files

OPNSense/src d871609 contrib/atf/atf-c++ check_test.cpp check.hpp, contrib/atf/atf-c++/detail process_test.cpp

atf: Switch from std::auto_ptr<> to std::unique_ptr<>

This mirrors upstream commit f053ab687f6e27aa264f599ecbfc5ef27ad4e2d3.

Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D49789

(cherry picked from commit 5e6befdaca5194a8fb91b48d5f678942f22fa8f1)
DeltaFile
+11 -11 contrib/atf/atf-c++/check_test.cpp
+4 -4 contrib/atf/atf-sh/atf-check.cpp
+4 -4 contrib/atf/atf-c++/detail/process_test.cpp
+2 -2 contrib/atf/atf-c++/check.hpp
+2 -2 contrib/atf/atf-c++/check.cpp
+0 -4 libexec/atf/atf-check/Makefile
+23 -27 4 files not shown
+23 -38 10 files

OPNSense/src 6431199 contrib/lutok stack_cleaner.hpp, lib/liblutok Makefile

lutok: Switch from std::auto_ptr<> to std::unique_ptr<>

This mirrors upstream commit bd5904144c9778a07685f3e4efa6ef011a5480ec.

Reviewed by:    igoro, imp, emaste
Differential Revision:  https://reviews.freebsd.org/D49788

(cherry picked from commit 25f2634a1f4b27c9804b705e85bc104a2eac67b9)
DeltaFile
+0 -4 lib/liblutok/Makefile
+1 -1 contrib/lutok/stack_cleaner.hpp
+1 -5 2 files

OPNSense/src 22336c0 sys/netinet ip_divert.c

divert: Use a better source identifier for netisr_queue_src() calls

These opaque IDs are used by netisr to distribute work among threads.
The mapping function is simply SourceID % numthreads, so using socket
addresses as source IDs isn't going to distribute packets well due to
alignment.

Use the divert socket's generation number instead, as that suits this
purpose much better.
DeltaFile
+4 -2 sys/netinet/ip_divert.c
+4 -2 1 files

OPNSense/src 4d43ea1 sys/netinet6 icmp6.c

icmp6: clear csum_flags on mbuf reuse

When icmp6 sends an ICMPv6 message, it reuses the mbuf of the packet
that triggered the ICMPv6 message and prepends an IPv6 and ICMPv6
header. For a locally generated packet with checksum offloading, the
mbuf still has csum_flags set indicating that a SCTP/TCP/UDP checksum
has to be computed and inserted. Since this is not the case anymore,
csum_flags need to be cleared.

PR:                     293227
Reviewed by:            kp, zlei, tuexen
MFC after:              3 days
Differential Revision:  https://reviews.freebsd.org/D55367

(cherry picked from commit ada4dc77577f7162353e8c2916ba5c258b6210f0)
DeltaFile
+1 -0 sys/netinet6/icmp6.c
+1 -0 1 files

OPNSense/src 2e22159 sys/netpfil/pf pf_ioctl.c

pf: Use proper prototype for SYSINIT functions

MFC after:      1 week

(cherry picked from commit 0ce8c20fcd44c1595b42fcb540913d3802edd438)
(cherry picked from commit 34462748d79a6e2ea8215564286f97e93670dfbb)
DeltaFile
+2 -2 sys/netpfil/pf/pf_ioctl.c
+2 -2 1 files

OPNSense/src 2c6944f sys/netpfil/ipfw ip_fw2.c ip_fw_nat.c

ipfw: Use proper prototype for SYSINIT functions

The only possible return value of function ipfw_init() is 0. Make it
return void to match the prototype of SYSINIT.

MFC after:      1 week

(cherry picked from commit 1bba2194c8a960235f8eae36e7d3e96f347ce779)
(cherry picked from commit 745b6ca4ed933f9f4c1d314dc7b0aa31e8e9e0de)
DeltaFile
+3 -6 sys/netpfil/ipfw/ip_fw2.c
+2 -2 sys/netpfil/ipfw/ip_fw_nat.c
+5 -8 2 files

OPNSense/src 77d0070 usr.sbin/bsdinstall bsdinstall.8

bsdinstall.8: Minor maintenance

Replace CD-ROMs with "discs, USBs, or network boot environments"
to both modernize aesthetic and also nudge youths to think at scale.
Since I'm disrupting the flow of these lines anyway, expand the VM
acronym because I think this is one of the first manuals people will
be looking at.

Reset list alignment to seven characters. It was at 19 characters,
and that was not enough to align them all, wasting many extra lines
by crunching all the words over. Seven actually bought us some lines
from six due to avg item size. Tag SPDX.

MFC after:      3 days
Discussed with: ivy, zi

(cherry picked from commit 81d9e08a4df42079d5e163b5991d5d6f3a28d4f0)
DeltaFile
+11 -8 usr.sbin/bsdinstall/bsdinstall.8
+11 -8 1 files

OPNSense/src 89058b9 sys/netipsec xform_ipcomp.c

netipsec: Use proper prototype for SYSINIT functions

MFC after:      1 week

(cherry picked from commit 360bb45690d918fac5bae78ab44f45d11327067a)
(cherry picked from commit a32ee2897f8eed4a03976be65020912f03f7228e)
DeltaFile
+2 -2 sys/netipsec/xform_ipcomp.c
+2 -2 1 files

OPNSense/src 9d3a11c sys/netinet6 ip6_mroute.c

ip6_mroute: Fix the UPCALL_TIMING build

MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

(cherry picked from commit 5bb953b095461b488b102ab3025f42cd2ef61f9d)
DeltaFile
+1 -1 sys/netinet6/ip6_mroute.c
+1 -1 1 files

OPNSense/src b2d3c64 sys/netinet6 ip6_mroute.c

ip6_mroute: Remove an unhelpful comment

ifnets already track if_allmulti() calls in the if_amcount field.  That
field is older than the comment, so I'm not exactly sure what the intent
was; let's just remove it.

MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

(cherry picked from commit a45fb94801dffd414bdb1981def0e977ef0c774f)
DeltaFile
+0 -4 sys/netinet6/ip6_mroute.c
+0 -4 1 files

OPNSense/src 366c3d7 sys/netinet6 ip6_mroute.c

ip6_mroute: Make MF6CFIND a regular function

This is more natural and corresponds more closely to the v4 multicast
routing code.  No functional change intended.

Reviewed by:    glebius
MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D54983

(cherry picked from commit b370fcc716b9cfd4d08e291f0009f02452c84d64)
DeltaFile
+20 -25 sys/netinet6/ip6_mroute.c
+20 -25 1 files

OPNSense/src 9d4eb1a sys/netinet6 ip6_mroute.c

ip6_mroute: Remove an unused constant

No functional change intended.

MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

(cherry picked from commit b320e89e6909c0c3f29542976df0381990866988)
DeltaFile
+0 -2 sys/netinet6/ip6_mroute.c
+0 -2 1 files

OPNSense/src 07c0d54 sys/netinet6 ip6_mroute.c

ip6_mroute: Mark functions as static

No functional change intended.

MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

(cherry picked from commit a03eabfebbce15d8ce028168969812d3ca2be206)
(cherry picked from commit ebc9a98c1b7d0a47359dae34509e1d9c02767a88)
DeltaFile
+10 -10 sys/netinet6/ip6_mroute.c
+10 -10 1 files

OPNSense/src f5f369f sys/netinet6 in6_fib_algo.c

netinet6: Use proper prototype for SYSINIT functions

MFC after:      1 week

(cherry picked from commit d4a80fa271b148b269869e5ca34e1861d9fcdfb0)
(cherry picked from commit cfc237162c248d0488e264bf1fdae0186c5a13c1)
DeltaFile
+1 -1 sys/netinet6/in6_fib_algo.c
+1 -1 1 files

OPNSense/src 5ee3f73 sys/netinet siftr.c

siftr: refactor batch log processing

Refactoring to perform the batch processing of
log messages in two phases. First cycling through a limited
number of collected packets, and only thereafter freeing
the processed packets. This prevents any chance of calling
free while in a critical / spinlocked section.

Reviewed By:           tuexen
Sponsored by:          NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42949

(cherry picked from commit a95cd6e4870b79178860e03366c4327e533ecf1e)
DeltaFile
+16 -23 sys/netinet/siftr.c
+16 -23 1 files

OPNSense/src b83e384 sys/netinet siftr.c

siftr: flush pkt_nodes to the log file in batch

Reviewed by: rscheff, tuexen
Differential Revision: https://reviews.freebsd.org/D41175

(cherry picked from commit fafb03ab4254ab0d3927bc8ec22e4ba432efdbeb)
DeltaFile
+55 -18 sys/netinet/siftr.c
+55 -18 1 files

OPNSense/src 5a6ee6a sys/netinet ip_mroute.c, sys/netinet6 ip6_mroute.c raw_ip6.c

ip_mroute: Make privilege checking more consistent

- The v6 socket option and ioctl handlers had no privilege checks at
  all.  The socket options, I believe, can only be reached via a raw
  socket, but a jailed root user with a raw socket shouldn't be able to
  configure multicast routing in a non-VNET jail.  The ioctls can only
  be used to fetch stats.
- Delete a bogus comment in X_mrt_ioctl(), one can issue multicast
  routing ioctls against any socket.  Note that the call path is
  soo_ioctl()->rtioctl_fib()->mrt_ioctl().

I think all of the mroute privilege checks should be done within the
ip(6)_mroute code, but let's first make the v4 and v6 modules
consistent.

Reviewed by:    glebius
MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

    [3 lines not shown]
DeltaFile
+9 -6 sys/netinet6/ip6_mroute.c
+6 -0 sys/netinet6/raw_ip6.c
+0 -5 sys/netinet/ip_mroute.c
+15 -11 3 files

OPNSense/src 9ad99a2 sys/netinet ip_mroute.c ip_mroute.h

ip_mroute: Convert to using a regular mutex

The multicast routing code was using spin mutexes for packet counting,
but there is no reason to use them instead of regular mutexes, given
that none of this code runs in an interrupt context.  Convert to using
default mutexes.

Reviewed by:    glebius
MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D54603

(cherry picked from commit a265c8b4a5a7c8fdd33e27b8f74bd2a514f82c70)
DeltaFile
+18 -17 sys/netinet/ip_mroute.c
+5 -5 sys/netinet/ip_mroute.h
+23 -22 2 files

OPNSense/src 5c48d7b sys/netinet ip_mroute.c

ip_mroute: EVENTHANDLER_REGISTER does not fail

No functional change intended.

MFC after:      1 week
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.

(cherry picked from commit 0f1e1350704af555a4b30136f5f3d16db6f2dc51)
DeltaFile
+0 -6 sys/netinet/ip_mroute.c
+0 -6 1 files

OPNSense/src 4b02370 sys/netinet in_fib_algo.c, sys/netinet/cc cc.c

netinet: Use proper prototype for SYSINIT functions

MFC after:      1 week

(cherry picked from commit 6613b6ad1ecc5384c119018b9b27c18bd7516e3f)
(cherry picked from commit 5b41be5cc0666372840d798507e85544d8a3e7c3)
DeltaFile
+1 -1 sys/netinet/cc/cc.c
+1 -1 sys/netinet/in_fib_algo.c
+2 -2 2 files