right now. new address-of-packed-member and format-overflow
warnings have new GCC_NO_ADDR_OF_PACKED_MEMBER amd
GCC_NO_FORMAT_OVERFLOW variables to remove these warnings.
apply to a bunch of the tree. mostly, these are real bugs that
should be fixed, but in many cases, only by removing the 'packed'
attribute from some structure that doesn't really need it. (i
looked at many different ones, and while perhaps 60-80% were
already properly aligned, it wasn't clear to me that the uses
were always coming from sane data vs network alignment, so it
doesn't seem safe to remove packed without careful research for
each affect struct.) clang already warned (and was not erroring)
for many of these cases, but gcc picked up dozens more.
the user choose to not abort, skip to the next header instead of trying
to use it.
This allowed me to recover files from a corrupt dump, instead of
getting a segfault.
function for resolving paths.
Make pathadj() no longer warn about symlinks. Symlinks in /dev are
regularly used in several places like LVM . The warning was also
only visible when calling a mount_* command directly as mount(8)
itself would resolve the path witout warning before passing it to
a mount_* command.
Previously, the best reference was pckbd.4. This does not make much
sense to read if you are on, say, an evbarm device with only USB.
wsconsctl.8 contained a vaguer description of supported language names,
which isn't very useful because you can't pass full language names
to the command. Point readers to wskbd.4 instead.
Note in the wskbd.4 page that while all layouts are generally supported
by pckbd(4) and ukbd(4), older keyboard interfaces might only support
a subset.
add them as signed valaues, rather than unsigned (which is how we keep them
in memory). This causes them be serialized in base-10 (rather than base-16,
which is the default for unsigned). This behavior is documented in
prop_number(3). Fixes t_gpt::backup_2part unit test.
This way, whenever /etc/security runs infrequently (daily), or the
operator manually issues rndctl -S, we ensure that all samples taken
during the entire boot are hashed together in the seed for the next
boot.
This should be infrequent enough that it's unlikely to enable the
iterative-guessing attacks that we try to mitigate by not frequently
consolidating entropy.
Go back to the book's order, now that writing to /dev/random
guarantees to consolidate entropy -- this way the _next_ boot is no
less secure than the current boot, in the event that entropy sources
like interrupt timings provided any security that we just don't know
how to measure honestly.
Make sure to open the old seed to overwrite and the new seed to write
anew first so that we can determine whether the medium is read-only
before accepting the file's entropy estimate.
- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.
- Teach rndctl to accept `-i' flag instructing it to ignore the
entropy estimate in the seed.
- Teach /etc/rc.d/random_seed to:
(a) assume nonlocal file systems are unsafe, and use -i, but
(b) assume / is safe, even if it is nonlocal.
If the medium is nonwritable, leave it to rndctl to detect that.
(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)
Treating nonlocal / as safe is a compromise: it's up to the operator
to secure the network for (e.g.) nfs mounts, but that's true whether
we're talking entropy or not -- if the adversary has access to the
network that you've mounted / from, they can do a lot more damage
anyway; this reduces warning fatigue for diskless systems, e.g. test
racks.
