FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.
This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.
This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.
Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.
- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.
- Fix memory leak in rename handling when overwriting a monitored
file.
- Fix table deletion logic.
- Don't prevent query requests if not in learning mode.
KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.
- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.
- veriexec_report() was removed, it is now internal.
- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.
- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.
New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.
- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:
# veriexecctl dump > /etc/signatures
Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.
Idea from Brett Lymn.
- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:
# veriexecctl flush
- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.
- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.
Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.
- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.
- Some of the messages Veriexec prints were improved.
- Various documentation fixes.
All relevant man-pages were updated to reflect the above changes.
Binary compatibility with existing veriexecctl binaries is maintained.
device controllers, and more specifically raid controllers.
Add a new sensor type, ENVSYS_DRIVE, to report drive status. From OpenBSD.
Add bio and sysmon support to mfi(4). This allow userland to query
status for drives and logical volumes attached to a mfi(4) controller. While
there fix some debug printfs in mfi so they compile.
Add bio(4) to amd64 and i386 GENERIC.
- NetBSD's "newfs" doesn't accept a second (non-option) argument.
Patch provided by Jeff Ito in PR bin/36241.
- Use "sd0" instead of "rp0" because NetBSD's doesnt have a disk driver
called "rp".
- Use "/dev/rst0" instead of "/dev/rst8". With NetBSD's device numbering
scheme a system would have to have 9 tape drives to get "/dev/rst8".
print out the values of the bytes that do not match.
Add comment explaining that there is no documented rationale for the
check.
fsck_msdos checks that several bytes are equal in the primary and
backup bootblock. There is no documented rationale. The kernel does
not enforce this when mounting a filesystem. I have a FAT32
filesystem on my disk (mounted as /share) which fails this check, but
is accepted by both Windows XP and NetBSD. My volume differs in bytes
71-81. The primary contains "SHARE " and the backup NUL bytes.
Further, fsck_msdos does not have code to repair the mismatch. As a
result such filesystems can be used not checked.
- pass WARNS=4 and lint
- use size_t/time_t where appropriate
- get/setprogname()
- before executing rc.shutdown, set the real user id to 0, because shutdown
scripts may depend on it (for example su depends on being root).
- use warn instead of perror, and make sure we use the right errno.
Also pass "-ppax" in an attempt to get improved performance,
but this doesn't really work in the typical case, because the
install ramdisk image contains a version of pax(1) that doesn't
support the -M flag. (MAKEDEV detects the failure and falls back
to using mknod(8) as usual.)
always print an error message. If bootable and -v flag was
specified, print a success message. If -v flag was specified
more than once, also try to decode more information from
the PBR.
Input from dsl and bad.
Removes a load of code that is easier done as a script.
Whenever init exits, use a different error number. Since it is difficult
for init to output messages when /dev/console is absent, having the exit
code reported by the kernel panic gives a chance of identifying the fault.
Also exit if MAKEDEV fails to create /dev/console.
archs) and add wedges for them. Similar to the kernel options
DKWEDGE_AUTODISCOVER and DKWEDGE_METHOD_BSDLABEL, and actually reusing
most of that code.
This means, for example, you can plug a sparc64 disk into an i386, run
this tool and mount the partitions (provided your kernel has the FFS_EI
option).
MAKEDEV, MAKEDEV.subr and MAKEDEV.local in the set of files that are
copied if they exist.
Now booting an INSTALL kernel with an embedded ramdisk correctly creates
/dev again, fixing a problem introduced when MAKEDEV.subr was created a
few days ago.
ffs_checkver() and later use it in the switch statement, just
use ffs_checkver.
* Remove unneded <sys/queue.h> header.
* Remove LFS from fstypes, it was never used.
* Increase SBCOUNT to 128, works faster.
* Remove unneded casts.
* (-F mode) close fd when the scan has finished or if pread() failed.
* (-F mode) print total size of file.
Here the bitmaps are written as
CLRI or BITS with c_count <= 512
ADDR* for the remaining blocks
Remove the bitmap handling from getfile(), remove xtrmap() and xtrmapskip().
Add new function getbitmap() modeled after getfile() that does bitmap
allocation, bitmap expansion and sets maxino.
Reviewed by: Manuel Bouyer <bouyer@netbsd.org>
* Replaced atoi() with parse_int().
* Use an enum for ACTION_* instead of #define.
* Use strdup() or asnprintf() instead of strlcpy() to avoid truncation.
* pread() returns ssize_t not int.
* Suppress "unused parameter" warnings.
* verify_disklabel(): Pass the correct size to disklabel_scan().
* verify_ffs():
* Don't indicate success if pread() fails.
* Check the amount of bytes read.
* Don't cast buf to (struct fs *), it's not aligned.
* eliminate_cores(): No need for a temporary variable.
logical operation, rather than compliment, as in praise, the magic
number of the disk.
There are probably other instances of this in the tree. We should fix
them.
also (and ICMP is implied) and that other types are blocked.
Point to pf(4) and pfil man pages.
Based on discussion in January 2006 on tech-kern. (This has been
in my tree for around 11 months.)
This part of my work to change this (and related to use) pfil (instead
of ipf). That is done back then but needs some testing.
sysctl.7. Remove the list of MIBs from sysctl.8 so we don't have to
maintain duplicate information, as proposed by YAMAMOTO Takashi on
tech-userlevel. Also remove references to header files from sysctl.8.
The numeric constants remain documented, they are still needed in some
cases. See the discussion on tech-userlevel. ("mib list in sysctl.8")
OK by YAMAMOTO Takashi.
in entries for Veriexec.
This has been requested for a long time, most recently by Brad Harder.
Thanks a lot to Michael van Elst for the patch, done during the latest
hackathon.
Obviously, this breaks the already unstable Veriexec ABI, but that's
it. Some cool additions are planned to be introduced, and this just
makes it so that NetBSD 4.0 users will be able to easily use them as
well.
This also removes the fingerprint type name limit, so relevant code
was adjusted.
Thoroughly tested (even uncovered a bug in proplib! thanks for fixing
that cube@!). Documentation updated.
The progress bar will now travel from 0 to 20% during pass 1, from 20%
to 95% during pass 2, and from 95% to 100% during passes 3, 4, and 5.
Previously, the progress bar was not displayed at all during pass 1,
slowly traveled from 0 to about 50% during pass 2, and then very rapidly
traveled from 50% to 100% during passes 3, 4, and 5.
Note that fsck_ffs is the only user of fsck/progress.{c,h}.
Also, add ioctls SIOCGIFADDRPREF/SIOCSIFADDRPREF to get/set preference
numbers for addresses. Make ifconfig(8) set/display preference
numbers.
To activate source-address selection policies in your kernel, add
'options IPSELSRC' to your kernel configuration.
Miscellaneous changes in support of source-address selection:
1 Factor out some common code, producing rt_replace_ifa().
2 Abbreviate a for-loop with TAILQ_FOREACH().
3 Add the predicates on IPv4 addresses IN_LINKLOCAL() and
IN_PRIVATE(), that are true for link-local unicast
(169.254/16) and RFC1918 private addresses, respectively.
Add the predicate IN_ANY_LOCAL() that is true for link-local
unicast and multicast.
4 Add IPv4-specific interface attach/detach routines,
in_domifattach and in_domifdetach, which build #ifdef
IPSELSRC.
See in_getifa(9) for a more thorough description of source-address
selection policy.
1. don't print the program name in the message [syslog does it]
2. no extraneous \n [syslog takes care of it]
3. quote strings as `%s' [we are using syslog]
4. use %m instead of error = %d
and -host flags, which is useful for displaying/flushing ARP entries:
# route -n show -inet -llinfo -host
Routing table
Internet:
Destination Gateway Flags
169.254.1.119 link#1 UH
169.254.230.110 00:02:6f:21:e6:6e UH
# route -n flush -inet -llinfo -host
169.254.1.119 done
169.254.230.110 0.2.6f.21.e6.6e done
169.254.237.70 done
# route -n show -inet -llinfo -host
Routing table
#
This will help me address bin/11079, "dhclient may require arp and sed".
Extract common code from flushroutes() and show(), creating
parse_show_opts().
While I'm here, make small cosmetic changes to flushroutes().
"execute a command" ioctl that takes a dictionary as an argument
(specifying the command and arguments) and returns a dictionary
with the results (error code, optional error message, optional
result data).
- Define and implement a "get-properties" command for DRVCTLCOMMAND
that returns the properties dictionary of the specified device.
- Add a -p flag to drvctl(8) to fetch and display the properties of
the specified device.
This is a great example of how to use prop_dictionary_sendrecv_ioctl().
tls