Age | Commit message | Author |
|
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon
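The "error" behaviour described in this commit, as an added example that is not code from the OpenBSD tree: the process pledges itself down to "stdio" with "error" appended, then attempts a socket(2) call outside that promise. On OpenBSD the call fails with ENOSYS and the program keeps running, which is exactly why every return value must still be checked (and why the kernel refuses "error" for setuid/setgid programs). The stand-in pledge() under the non-OpenBSD branch is a hypothetical no-op added only so the file builds elsewhere; the function names restrict_to_stdio and probe_socket are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Hypothetical stand-in so the example compiles on systems without
 * pledge(2). It enforces nothing; only OpenBSD restricts the process. */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Restrict the calling process to the "stdio" promise set. With
 * use_error_promise != 0 the "error" promise is added, so a later
 * violating syscall returns -1 with errno ENOSYS instead of the process
 * being killed. The second argument (execpromises) is left NULL here; on
 * OpenBSD it would pledge the image loaded by the next execve(2).
 * Returns 0 on success, -1 on failure (errno set). */
int restrict_to_stdio(int use_error_promise)
{
	const char *promises = use_error_promise ? "stdio error" : "stdio";

	return pledge(promises, NULL);
}

/* Attempt a syscall outside the "stdio" promise. Returns the errno
 * observed (0 if the call succeeded). On OpenBSD after
 * restrict_to_stdio(1) this is ENOSYS; after restrict_to_stdio(0) the
 * process would have been killed instead of returning here. */
int probe_socket(void)
{
	int fd = socket(AF_INET, SOCK_STREAM, 0);

	if (fd == -1)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	int e;

	if (restrict_to_stdio(1) == -1) {
		perror("pledge");
		return 1;
	}

	/* Because "error" lets execution continue, the caller must treat
	 * the failure explicitly rather than assume the syscall worked. */
	e = probe_socket();
	if (e == ENOSYS)
		printf("socket() refused by pledge: %s\n", strerror(e));
	else if (e != 0)
		printf("socket() failed: %s\n", strerror(e));
	else
		printf("socket() succeeded (pledge not enforced on this system)\n");

	return 0;
}
```

Run it on OpenBSD to see the ENOSYS path; change restrict_to_stdio(1) to restrict_to_stdio(0) and the same socket(2) call terminates the process with SIGABRT instead of returning, which is the default pledge violation behaviour the commit contrasts with "error".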
|
|
sufficiently and at least one horrific security hole was the result.
ok deraadt@ beck@
|
|
okay bluhm@, deraadt@
|
|
libc and man page parts to come.
ok guenther
|
|
The syscall is marked NOLOCK and only FUTEX_WAIT grabs the KERNEL_LOCK()
because of PCATCH and the signal nightmare.
Serialization of threads is currently done with a global & exclusive
rwlock.
Note that the current implementation still uses copyin(9) which is not
guaranteed to be atomic. Committing now such that remaining issues can
be addressed in-tree.
With inputs from guenther@, kettenis@ and visa@.
ok deraadt@, visa@
|
|
and four libc major versions ago
ok sthen@ jsing@ deraadt@ jca@
|
|
ok deraadt@
|
|
|
|
a flags argument
ok guenther sthen
|
|
ok guenther sthen
|
|
|
|
getlogin_r() API; keep existing syscall as getlogin59 for temporary compat.
ok kettenis@ deraadt@
|
|
behind all other threads in the process by temporarily lowering its priority.
This isn't optimal but it is the easiest way to guarantee that we make
progress when we're waiting on another thread to release a lock. This
results in significant improvements for processes that suffer from lock
contention, most notably firefox. Unfortunately this means that sched_yield(2)
needs to grab the kernel lock again.
All the hard work was done by mpi@, based on observations of the behaviour
of the BFS scheduler diff by Michal Mazurek.
ok deraadt@
|
|
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@
|
|
passing LOG_CONS
ok millert kettenis beck
|
|
thrkill(2), rolling the kill(2) syscall number with the ABI change to
avoid breaking binaries during the transition. thrkill(2) includes
a 'tcb' argument that eliminates the need for locking in pthread_kill()
and simplifies pthread_cancel(). Switch __stack_smash_handler() to use
thrkill(2) and explicitly unblock SIGABRT.
Minor bump to both libc and libpthread: make sure you install a new kernel!
ok semarie@
|
|
suspect everyone has upgraded through the approx week-long window since
SOCK_DNS became available and the libc resolver started using them.
|
|
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...) The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others
|
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
|
as Theo is seeing vnode-related panics on several architectures in the
codepath that implements mmap(2).
|
|
|
|
necessary
ok deraadt@ jsing@
|
|
which results in tame() code placements being much more recognizable.
tame() can be moved to unistd.h and does not need cpp symbols to turn the
bits on and off. The resulting API is a bit unexpected, but simplifies the
mapping to enabling bits in the kernel substantially.
vague ok's from various including guenther doug semarie
|
|
The path will not be modified and this reduces casts. Discussed with many.
ok deraadt@
|
|
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing committed in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther
|
|
memory for lazy binding
ok deraadt@
|
|
operating model". This is the kernel component; various changes should
proceed in-tree for a while before userland programs start using it.
ok miod, discussions and help from many
|
|
syscalls.master where the file is generated from. Fix this by removing
it from syscalls.master so it doesn't come back.
From Nicolas Bedos.
|
|
|
|
Tests on a 4-core CPU show setjmp(3) run four times as fast under load.
discussed on tech@ some time ago, now by kettenis and guenther, ok deraadt
|
|
ok guenther
|
|
|
|
|
|
OK guenther@
|
|
No functional change as pid_t is defined as int32_t.
OK miod@
|
|
discussion, help and ok guenther@
|
|
when creating them: pipe2(), dup3(), accept4(), MSG_CMSG_CLOEXEC,
SOCK_CLOEXEC. Includes SOCK_NONBLOCK support.
ok matthew@
|
|
a message up into syslogd's /dev/log interface. This will be used to make
syslog_r work during file descriptor exhaustion, or inside sandboxes which
prohibit socket, connect, sendto, etc.
The system call is being added about a week before the library and daemon
changes.
ok guenther tedu miod matthew
|
|
A little while back, guenther moved user credentials to a per-process
property, but also kept a per-thread cache that would remain stable
for the duration of a thread's system call. These system calls now
only access the thread's cached credentials, so they're safe to run
without the kernel lock.
ok kettenis, guenther
|
|
ok matthew@
|
|
buffersize is enforced strictly, this supplies sufficient entropy
payload to act as seed material. Discourage general use of this
API, but lock down this function name as the go-to for userland
PRNG seeding. Improve documentation.
ok miod matthew
|
|
I accepted that he's right (again) to separate this out from heavy
sysctl API and this will simplify a variety of things. Function name
is not used by anyone in the ports tree, so we guess we can use it.
Shocking that no application has a function called this.
ok matthew & others who pushed him to start this early on
|
|
lock for PCATCH and ktrace(CSW) handling
ok kettenis@
|
|
|
|
Provide a declaration for userspace
Fix the kernel's sanity check on the buflen argument
lack of prototype pointed out by sthen@ and landry@
ok kettenis@ otto@
|
|
so COMPAT_O51 can go. The complete ABI role means COMPAT_O53 can
be removed as well.
ok jsing@ tedu@
|
|
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.
Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world and
are happy with the snapshots for all architectures.
DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.
Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@
|
|
ok matthew@ millert@
|
|
ok guenther matthew
|
|
records. From FreeBSD via otto@, with tweaks suggested by guenther@.
Committed on behalf of otto@ who is not around, to ride the libc minor bump.
Causes a librthread minor bump as well (new syscall).
|