FreeBSD source tree https://cgit-dev.freebsd.org/src-test/atom?h=main 2020-09-01T21:26:00Z 2020-09-01T21:26:00Z Mateusz Guzik mjg@FreeBSD.org 2020-09-01T21:26:00Z urn:sha1:e5ecee7440496904939e936501d0db93bed15415 2020-06-12T21:51:20Z Simon J. Gerraty sjg@FreeBSD.org 2020-06-12T21:51:20Z urn:sha1:66d8bce379a92708003f3329ec66cbef6f118954 v_writecount can actually be < 0 for text, so check for v_writecount > 0 Reviewed by: stevek MFC after: 1 week 2020-02-26T14:26:36Z Pawel Biernacki kaktus@FreeBSD.org 2020-02-26T14:26:36Z urn:sha1:7029da5c36f2d3cf6bb6c81bf551229f416399e8 r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren’t properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT Approved by: kib (mentor, blanket) Commented by: kib, gallatin, melifaro Differential Revision: https://reviews.freebsd.org/D23718 2020-01-07T04:29:34Z Mateusz Guzik mjg@FreeBSD.org 2020-01-07T04:29:34Z urn:sha1:478368ca410fbfe4ec98e187cae6317bf3d29498 There was only one consumer and it was using it incorrectly. It is given an equivalent hack. Reviewed by: jeff Differential Revision: https://reviews.freebsd.org/D23037 2020-01-03T22:29:58Z Mateusz Guzik mjg@FreeBSD.org 2020-01-03T22:29:58Z urn:sha1:b249ce48ea5560afdcff57e72a9880b7d3132434 Filesystems which want to use it in limited capacity can employ the VOP_UNLOCK_FLAGS macro. Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D21427 2019-05-17T19:27:07Z Stephen J. Kiernan stevek@FreeBSD.org 2019-05-17T19:27:07Z urn:sha1:942886743b18da416fd96e85787a49a8e160e060 We need to make the find_veriexec_file() function available publicly, so rename it to mac_veriexec_metadata_find_file_info() and make it non-static. Bump the version of the veriexec device interface so user space will know the labelized version of fingerprint loading is available. Approved by: sjg Obtained from: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D20295 2019-05-17T18:13:43Z Stephen J. Kiernan stevek@FreeBSD.org 2019-05-17T18:13:43Z urn:sha1:6cbc970317d395ce13073a81793b6218661f3080 MAC_VERIEXEC_CHECK_PATH_SYSCALL per-MAC policy system call. When we are checking the status of the fingerprint on a vnode using the per-MAC-policy syscall, we do not need an exclusive lock on the vnode. Even if there is more than one thread requesting the status at the same time, the worst we can end up doing is processing the file more than once. This can potentially be improved in the future with offloading the fingerprint evaluation to a separate thread and blocking until the update completes. But for now the race is acceptable. Obtained from: Juniper Networks, Inc. MFC after: 1 week 2019-05-17T18:09:48Z Stephen J. Kiernan stevek@FreeBSD.org 2019-05-17T18:09:48Z urn:sha1:ed377cf415612cd333322ac31a9c13b4c482e909 be restricted when veriexec is enforced. Add mpo_system_check_sysctl method to mac_veriexec which does this. Obtained from: Juniper Networks, Inc. MFC after: 1 week 2019-05-17T18:06:24Z Stephen J. Kiernan stevek@FreeBSD.org 2019-05-17T18:06:24Z urn:sha1:3d53cd0fbbbefd7ec5a49fd5675a573d865738e7 are different types across architectures by using %ju and typecasting to uintmax_t, where appropriate. Obtained from: Juniper Networks, Inc. MFC after: 1 week 2019-05-17T17:50:01Z Stephen J. Kiernan stevek@FreeBSD.org 2019-05-17T17:50:01Z urn:sha1:3da3012ace35d97e4e41ae256e63119786c36596 mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller has not already acquired the process lock. Obtained from: Juniper Networks, Inc. MFC after: 1 week