FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2 2020-07-25T00:37:34Z 2020-07-25T00:37:34Z Mateusz Guzik mjg@FreeBSD.org 2020-07-25T00:37:34Z urn:sha1:2295126d7e1104ad862b090c6cd21cf8a69d2d99 devfs: introduce a per-dev lock to protect ->si_devsw 2020-02-09T22:15:35Z Kyle Evans kevans@FreeBSD.org 2020-02-09T22:15:35Z urn:sha1:c6c89ab952f9ffe895939a2621180acc99ae8b80 r357412: Provide O_SEARCH O_SEARCH is defined by POSIX [0] to open a directory for searching, skipping permissions checks on the directory itself after the initial open(). This is close to the semantics we've historically applied for O_EXEC on a directory, which is UB according to POSIX. Conveniently, O_SEARCH on a file is also explicitly undefined behavior according to POSIX, so O_EXEC would be a fine choice. The spec goes on to state that O_SEARCH and O_EXEC need not be distinct values, but they're not defined to be the same value. This was pointed out as an incompatibility with other systems that had made its way into libarchive, which had assumed that O_EXEC was an alias for O_SEARCH. This defines compatibility O_SEARCH/FSEARCH (equivalent to O_EXEC and FEXEC respectively) and expands our UB for O_EXEC on a directory. O_EXEC on a directory is checked in vn_open_vnode already, so for completeness we add a NOEXECCHECK when O_SEARCH has been specified on the top-level fd and do not re-check that when descending in namei. [0] https://pubs.opengroup.org/onlinepubs/9699919799/ r357461: namei: preserve errors from fget_cap_locked Most notably, we want to make sure we don't clobber any capabilities-related errors. This is a regression from r357412 (O_SEARCH) that was picked up by the capsicum tests. r357580: O_SEARCH test: drop O_SEARCH|O_RDWR local diff In FreeBSD's O_SEARCH implementation, O_SEARCH in conjunction with O_RDWR or O_WRONLY is explicitly rejected. In this case, O_RDWR was not necessary anyways as the file will get created with or without it. This was submitted upstream as misc/54940 and committed in rev 1.8 of the file. r357584: Record-only MFV of r357583: netbsd-tests: import upstreamed changes The changes in question originated in FreeBSD/head; no further action is required. r357636: MFV r357635: imnport v1.9 of the O_SEARCH tests The RCSID data was wrong, so this is effectively a record-only merge with correction of said data. No further changes should be needed in this area, as we've now upstreamed our local changes to this specific test. r357671: O_SEARCH test: mark revokex an expected fail on NFS The revokex test does not work when the scratch directory is created on NFS. Given the nature of NFS, it likely can never work without looking like a security hole since O_SEARCH would rely on the server knowing that the directory did have +x at the time of open and that it's OK for it to have been revoked based on POSIX specification for O_SEARCH. This does mean that O_SEARCH is only partially functional on NFS in general, but I suspect the execute bit getting revoked in the process is likely not common. r357688: MFV r357687: Import NFS fix for O_SEARCH tests The version that ended upstream was ultimately slightly different than the version committed here; notably, statvfs() is used but it's redefined appropriately to statfs() on FreeBSD since we don't provide the fstypename for the former interface. 2020-02-07T19:00:43Z Kyle Evans kevans@FreeBSD.org 2020-02-07T19:00:43Z urn:sha1:832c3b35ba16ec9b84d9f5bb52aac57b818de757 Generally, it's preferred that an application fork/setsid if it doesn't want to keep its controlling TTY, but it could be that a debugger is trying to steal it instead -- so it would hook in, drop the controlling TTY, then do some magic to set things up again. In this case, TIOCNOTTY is quite handy and still respected by at least OpenBSD, NetBSD, and Linux as far as I can tell. I've dropped the note about obsoletion, as I intend to support TIOCNOTTY as long as it doesn't impose a major burden. 2019-10-18T08:36:08Z Konstantin Belousov kib@FreeBSD.org 2019-10-18T08:36:08Z urn:sha1:7e643ec21411356107d913747c15a98e450fa20c devfs_vptocnp(): correct the component name when node is not at top. 2019-08-21T18:28:38Z Mark Johnston markj@FreeBSD.org 2019-08-21T18:28:38Z urn:sha1:5de05474a6611f5ae5d35bb001ba8807ad9f862b Avoid relying on header pollution from sys/refcount.h. 2018-11-26T14:01:05Z Mark Johnston markj@FreeBSD.org 2018-11-26T14:01:05Z urn:sha1:bd456943840133e10e02a48855165483be744016 Ensure that directory entry padding bytes are zeroed. 2018-11-21T06:36:15Z Konstantin Belousov kib@FreeBSD.org 2018-11-21T06:36:15Z urn:sha1:d869ba453ace24be9b5762f5d4a23ed91e7ee285 Add d_off support for multiple filesystems. 2018-10-04T23:55:03Z Brooks Davis brooks@FreeBSD.org 2018-10-04T23:55:03Z urn:sha1:9bc603bd20e6027adfef4e86ce31146eecf490f7 A case was missed in this commit which breaks sshing into a 32-bit sshd on a 64-bit system. Approved by: re (gjb) 2018-10-03T20:39:48Z Brooks Davis brooks@FreeBSD.org 2018-10-03T20:39:48Z urn:sha1:23f2e22802fcf2ec666a31c5727004107b596bd3 ioctl(2) commands only have meaning in the context of a file descriptor so translating them in the syscall layer is incorrect. The new handler users an accessor to retrieve/construct a pointer from the last member of the passed structure and relies on type punning to access the other member which requires no translation. Reviewed by: kib Approved by: re (rgrimes, gjb) Obtained from: CheriBSD Sponsored by: DARPA, AFRL Differential Review: https://reviews.freebsd.org/D17388 2018-05-04T20:54:27Z Jamie Gritton jamie@FreeBSD.org 2018-05-04T20:54:27Z urn:sha1:0e5c6bd43646821dc676a6db03b7175f2668ec88 by doing most of the work in a new function prison_add_vfs in kern_jail.c Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and the rest is taken care of. This includes adding a jail parameter like allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed. Both of these used to be a static list of known filesystems, with predefined permission bits. Reviewed by: kib Differential Revision: D14681