Age | Commit message | Author |
|
the privileged parent cannot be pledged due to certain ioctls, but we
can use unveil(2) to lock down its access to the filesystem.
To be able to use hostnames/dns in tcpdump-like filter expressions,
we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the
kernel bypass for pledge("dns")
Additionally, we need to unveil /dev/bpf "r" and the output log file
"rwc".
The unprivileged child is pledged "stdio recvfd" and thus does not need
any unveils.
With feedback/testing from florian@, deraadt@
ok florian@ deraadt@
|
|
suspend logging until the log file has been moved out of the way, and
we have received either SIGHUP or SIGALRM.
ok florian@ deraadt@
|
|
stray reference to them.
|
|
Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.
After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.
In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.
ok deraadt@
|
|
|
|
Accept partition changes only if all succeed.
ok tb@ deraadt@
|
|
Problem noted and fix tested by jcs@.
ok otto@
|
|
otherwise the main process will keep sitting in the directory from
where slaacd was started which might for example prevent an unmount.
Problem first observed by dlg in ntpd(8).
Discussed with deraadt@
|
|
Unveil /etc/{resolv.conf,hosts,services} which keeps it in sync with
the kernel bypass for pledge("dns").
OK deraadt
pointed out by & OK stsp
|
|
ok deraadt
|
|
array that stores the option codes. Fixes the issue where it named
an incorrect option on error.
Found by Florian Kaiser
ok krw@
|
|
|
|
The trunk driver now has a new ioctl (SIOCxTRUNKOPTS), which for now only
has options for LACP:
* Mode - Active or Passive (default Active)
* Timeout - Fast or Slow (default Slow)
* System Priority - 1(high) to 65535(low) (default 32768/0x8000)
* Port Priority - 1(high) to 65535(low) (default 32768/0x8000)
* IFQ Priority - 0 to NUM_QUEUES (default 6)
At the moment, ifconfig only has options for lacpmode and lacptimeout
plumbed as those are the immediate need.
The approach taken for the options was to make them on a "trunk" vs a
"port" as what's typically seen on various NOSes (JunOS, NXOS, etc...)
as it's uncommon for a host to have one link "Passive" and the other
"Active" in a given trunk.
Just like on a NOS, when applying lacpmode or lacptimeout, the settings
are immediately applied to all existing ports in the trunk and to all
future ports brought into the trunk.
Tested by many on a plethora of NIC drivers and switches.
Ok remi@
|
|
ok deraadt phessler
|
|
|
|
|
|
Due to the way the parsing works, you cannot have an option that
accepts strings as argument or no argument, without side effects: for
example "join <nwid>" could only join networks that did not have a
nwid identical to another ifconfig option, i.e. "join mtu" or "join
join" would not work.
Solve this by making join always require an nwid. Listing all the
configured nwids for auto-join is moved to the new option "joinlist".
Removing _all_ auto-join configuration is moved to "-joinlist".
deraadt@ likes it and ok phessler@ stsp@
|
|
This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.
While here, use the destination's size in memcpy instead of hardcoding its
type.
OK sashan
|
|
a bare dot-notation IP address by counting trailing zero octets.
Instead, assume -host when neither -net nor -netmask nor -prefixlen is
given. Error out when -net is requested but no netmask is specified.
This removes the last use of the IN_CLASS* macros from this program.
OK claudio@ kn@, and many agreed with the general direction during g2k18.
|
|
used ioctls. Furthermore due to the way the command line parser is
written it is difficult to apply the traditional first initialize then
pledge pattern.
unveil(2) gives us a different approach:
By veiling everything with unveil("/", "") and then locking down
unveil with unveil(NULL, NULL) we remove all filesystem access from
ifconfig kind of like giving a regular user a chroot without any
files.
OK deraadt
|
|
|
|
auto-join
with feedback from florian and stsp
ok florian@ phessler@ (on previous versions of the diff) stsp@
|
|
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
OK kn@
|
|
be shortened by 1.
OK florian@
|
|
|
|
uses of getuint64(). No change to executable.
|
|
On the other hand it is much more powerful to get rid of cpath; slaacd
has no filesystem access whatsoever.
Triggered by mestre@'s work to fix unlinking in other daemons and a
question from deraadt@
OK mestre
|
|
powerdown, halt, or singleuser. Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files. Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.
|
|
ok phessler@
|
|
point to getuint64() setting it to EINVAL when the user enters an
invalid value or aborts input with a ^D.
|
|
Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.
OK sashan
|
|
ok bru
|
|
Get rid of the `cont' flag, zap obvious comments, add error label.
OK benno sashan
|
|
This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.
OK sashan
|
|
slaacctl(8).
OK florian@
|
|
If a router advertisement message with the MTU option is received on an
interface slaacd will set the specified MTU on that interface.
Lots of help from florian@. Thank you!
OK florian@
|
|
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
|
`error' is not used so drop it and jump to the end.
OK sashan
|
|
leaves old ones behind. The IPv6 RFCs don't seem to offer guidance on
what to do in this case. (RFC 5220 discusses related issues, but not
exactly this.)
It seems a bit harsh to just delete old addresses - a naive
implementation can easily lead to flip-flopping between two prefixes.
Instead set the preferred lifetime to 0 for all addresses on an
interface when the link goes down, thus marking addresses as
deprecated but still usable. When the link comes back send a router
solicitation. If we are still on the old network and receive a router
advertisement the preferred lifetime will increase and the addresses
will no longer be deprecated.
If we moved to a new network we will get new router advertisements and
form new addresses. The old ones will stay deprecated and the address
selection algorithm will prefer new addresses.
Problem reported by many.
testing & OK phessler
|
|
OK deraadt, phessler, jmc
|
|
We get notified when duplication is detected on the route socket. For
privacy addresses simply generate a new random address. If we have
soii enabled increase the dad counter on the prefix and generate a new
address. For eui64 addresses nothing can be done.
|
|
the way the man page says.
ok tb@
|
|
reality.
|
|
next option. Don't rely on truncated NULs being ignored because
NUL == DHO_PAD.
ok tb@
|
|
extra byte is always there. Even if the byte contains
innocuous data that isn't used. Even if a particular
level of optimization of a particular compiler avoids
it by processing things backwards. Bad.
So simplify and correct logic. Perhaps even proof the
code against future generations of clever compilers.
Pointed out by Brandon Falk. Thanks!
ok millert@ tb@
|
|
they are like that by default.
OK florian@
|
|
Tiny left over from 2003 when it was removed. Twist the logic by checking
for `show' and `test' to make it even simpler.
OK sashan henning
|
|
|
|
makes the code shorter and easier to read.
suggested by & OK claudio
|
|
sending all packets otherwise ping will wait forever to see all
answers - which might not arrive on lossy links.
Problem pointed out by, input & OK claudio
|