git: 1c5c7e61c85f - main - netlink: add attr parser utility functions

2023-10-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1c5c7e61c85fffa274119a69d69b3405848b9c82

commit 1c5c7e61c85fffa274119a69d69b3405848b9c82
Author: Kristof Provost 
AuthorDate: 2023-10-14 10:13:30 +
Commit: Kristof Provost 
CommitDate: 2023-10-17 06:47:46 +

netlink: add attr parser utility functions

 - nlattr_get_chara() to read a string into a char array, rather than to a 
char *
 - nlattr_get_bytes() to read an arbitrary (fixed length) byte sequence
 - nlattr_get_nested_ptr() to read a nested type to a struct foo *, rather 
than struct foo

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D42221
---
 sys/netlink/netlink_message_parser.c | 42 
 sys/netlink/netlink_message_parser.h |  6 ++
 2 files changed, 48 insertions(+)

diff --git a/sys/netlink/netlink_message_parser.c 
b/sys/netlink/netlink_message_parser.c
index 9ff5cdee40b4..48d712211a98 100644
--- a/sys/netlink/netlink_message_parser.c
+++ b/sys/netlink/netlink_message_parser.c
@@ -428,6 +428,23 @@ nlattr_get_ifpz(struct nlattr *nla, struct nl_pstate *npt, 
const void *arg, void
return (nlattr_get_ifp_internal(nla, npt, target, true));
 }
 
+int
+nlattr_get_chara(struct nlattr *nla, struct nl_pstate *npt, const void *arg, 
void *target)
+{
+   int maxlen = NLA_DATA_LEN(nla);
+   int target_size = (size_t)arg;
+   int len = strnlen((char *)NLA_DATA(nla), maxlen);
+
+   if (__predict_false(len >= maxlen) || __predict_false(len >= 
target_size)) {
+   NLMSG_REPORT_ERR_MSG(npt, "nla type %d size(%u) is not 
NULL-terminated or longer than %u",
+   nla->nla_type, maxlen, target_size);
+   return (EINVAL);
+   }
+
+   strncpy((char *)target, (char *)NLA_DATA(nla), target_size);
+   return (0);
+}
+
 int
 nlattr_get_string(struct nlattr *nla, struct nl_pstate *npt, const void *arg, 
void *target)
 {
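Review bot: `nlattr_get_chara()` keeps every length in `int` (`int maxlen`, `int target_size = (size_t)arg;`, `int len = strnlen(...)`), so if `NLA_DATA_LEN()` can ever come out negative for a short attribute, the `strnlen()` bound converts to a very large `size_t` and the read runs past the attribute before the checks are reached. Whether the caller has already validated `nla_len` is not visible in this hunk, so that needs confirming; an explicit `if (maxlen <= 0) return (EINVAL);` ahead of the `strnlen()` call would make the function safe on its own. The sizes would also be clearer as `size_t target_size = (size_t)arg;` with matching format specifiers, since the message currently prints `int` values with `%u`. The message text should read "NUL-terminated" rather than "NULL-terminated".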
@@ -457,6 +474,20 @@ nlattr_get_stringn(struct nlattr *nla, struct nl_pstate 
*npt, const void *arg, v
*((char **)target) = buf;
return (0);
 }
+
+int
+nlattr_get_bytes(struct nlattr *nla, struct nl_pstate *npt, const void *arg, 
void *target)
+{
+   size_t size = (size_t)arg;
+
+   if (NLA_DATA_LEN(nla) != size)
+   return (EINVAL);
+
+   memcpy(target, NLA_DATA(nla), size);
+
+   return (0);
+}
+
 int
 nlattr_get_nla(struct nlattr *nla, struct nl_pstate *npt, const void *arg, 
void *target)
 {
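Review bot: `nlattr_get_bytes()` returns `EINVAL` on a length mismatch without reporting anything, whereas `nlattr_get_chara()` added in the same commit calls `NLMSG_REPORT_ERR_MSG()`, so the sender gets no hint which attribute had the wrong size. Proposed before the return: `NLMSG_REPORT_ERR_MSG(npt, "nla type %d size(%zu) is not %zu", nla->nla_type, (size_t)NLA_DATA_LEN(nla), size);`. The comparison `NLA_DATA_LEN(nla) != size` also mixes what is presumably a signed length with `size_t`; that is harmless for an exact-match test, but the explicit cast makes the intent visible.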
@@ -476,6 +507,17 @@ nlattr_get_nested(struct nlattr *nla, struct nl_pstate 
*npt, const void *arg, vo
return (error);
 }
 
+int
+nlattr_get_nested_ptr(struct nlattr *nla, struct nl_pstate *npt, const void 
*arg, void *target)
+{
+   const struct nlhdr_parser *p = (const struct nlhdr_parser *)arg;
+   int error;
+
+   /* Assumes target points to the beginning of the structure */
+   error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), p, npt, 
*(void **)target);
+   return (error);
+}
+
 int
 nlf_get_ifp(void *src, struct nl_pstate *npt, void *target)
 {
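Review bot: `nlattr_get_nested_ptr()` dereferences `*(void **)target` and passes the result to `nl_parse_header()` unchecked, so a caller that has not yet pointed the field at storage would have the nested parser write through a NULL or stale pointer in the kernel. The inline comment `/* Assumes target points to the beginning of the structure */` appears to be carried over from `nlattr_get_nested()` and does not describe this function, where target holds a pointer to the structure. I would replace it with `/* target holds a pointer to the structure; the caller must have set it */` and add `MPASS(*(void **)target != NULL);` ahead of the call.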
diff --git a/sys/netlink/netlink_message_parser.h 
b/sys/netlink/netlink_message_parser.h
index 0242177fdd26..517f3ebd49f2 100644
--- a/sys/netlink/netlink_message_parser.h
+++ b/sys/netlink/netlink_message_parser.h
@@ -187,14 +187,20 @@ int nlattr_get_ifpz(struct nlattr *nla, struct nl_pstate 
*npt,
 const void *arg, void *target);
 int nlattr_get_ipvia(struct nlattr *nla, struct nl_pstate *npt,
 const void *arg, void *target);
+int nlattr_get_chara(struct nlattr *nla, struct nl_pstate *npt,
+const void *arg, void *target);
 int nlattr_get_string(struct nlattr *nla, struct nl_pstate *npt,
 const void *arg, void *target);
 int nlattr_get_stringn(struct nlattr *nla, struct nl_pstate *npt,
 const void *arg, void *target);
+int nlattr_get_bytes(struct nlattr *nla, struct nl_pstate *npt,
+const void *arg, void *target);
 int nlattr_get_nla(struct nlattr *nla, struct nl_pstate *npt,
 const void *arg, void *target);
 int nlattr_get_nested(struct nlattr *nla, struct nl_pstate *npt,
 const void *arg, void *target);
+int nlattr_get_nested_ptr(struct nlattr *nla, struct nl_pstate *npt,
+const void *arg, void *target);
 
 bool nlmsg_report_err_msg(struct nl_pstate *npt, const char *fmt, ...);
 



git: fad5734995e3 - main - netlink: descend into nested parsers when verifying

2023-10-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fad5734995e3fba428ce5e4131389c4fff0610ab

commit fad5734995e3fba428ce5e4131389c4fff0610ab
Author: Kristof Provost 
AuthorDate: 2023-10-14 12:47:35 +
Commit: Kristof Provost 
CommitDate: 2023-10-17 06:47:48 +

netlink: descend into nested parsers when verifying

When we verify that the attributes are correctly sorted we should also
try to verify the nested attribute parsers.

Reviewed by:melifaro
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D4
---
 sys/netlink/netlink_message_parser.h | 8 
 1 file changed, 8 insertions(+)

diff --git a/sys/netlink/netlink_message_parser.h 
b/sys/netlink/netlink_message_parser.h
index 517f3ebd49f2..c682973d3e33 100644
--- a/sys/netlink/netlink_message_parser.h
+++ b/sys/netlink/netlink_message_parser.h
@@ -289,6 +289,14 @@ nl_verify_parsers(const struct nlhdr_parser **parser, int 
count)
for (int j = 0; j < p->np_size; j++) {
MPASS(p->np[j].type > attr_type);
attr_type = p->np[j].type;
+
+   /* Recurse into nested objects. */
+   if (p->np[j].cb == nlattr_get_nested ||
+   p->np[j].cb == nlattr_get_nested_ptr) {
+   const struct nlhdr_parser *np =
+   (const struct nlhdr_parser *)p->np[j].arg;
+   nl_verify_parsers(&np, 1);
+   }
}
}
 #endif
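Review bot: The new recursion in `nl_verify_parsers()` casts `p->np[j].arg` to a parser and descends without checking it for NULL and without any bound on depth. A table entry that uses `nlattr_get_nested` with a missing `arg`, or a parser that nests itself directly or indirectly, would turn the sort check into a NULL dereference or unbounded kernel-stack recursion. `MPASS(np != NULL);` before the recursive call covers the first case; the second needs either a documented rule that parsers must not be self-referential or a depth limit. The function begins outside this hunk, and the trailing `#endif` suggests it is only built under a debug option, which would limit the exposure to such kernels.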



git: 4f8f43b06ed0 - main - netlink: cope with growing requests

2023-10-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4f8f43b06ed07e96a250855488cc531799d5b78f

commit 4f8f43b06ed07e96a250855488cc531799d5b78f
Author: Kristof Provost 
AuthorDate: 2023-10-16 09:48:57 +
Commit: Kristof Provost 
CommitDate: 2023-10-17 06:47:52 +

netlink: cope with growing requests

If a request ends up growing beyond the initially allocated space the
netlink functions (such as snl_add_msg_attr_u32()) will allocate a
new buffer. This invalidates the header pointer we can have received
from snl_create_msg_request(). Always use the hdr returned by
snl_finalize_msg().

Reviewed by:melifaro
MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D42223
---
 lib/libpfctl/libpfctl.c  |  6 +++---
 sbin/ifconfig/af_inet.c  |  6 +++---
 sbin/ifconfig/af_inet6.c |  2 +-
 sbin/ifconfig/ifconfig_netlink.c |  6 +++---
 sbin/route/route_netlink.c   |  8 
 sys/netlink/netlink_snl_generic.h|  2 +-
 tests/sys/netlink/test_snl_generic.c |  2 +-
 usr.sbin/arp/arp_netlink.c   | 12 ++--
 usr.sbin/ndp/ndp_netlink.c   | 12 ++--
 9 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 51276d8bb343..571fabae4359 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -194,7 +194,7 @@ pfctl_startstop(int start)
hdr = snl_create_genl_msg_request(&nw, family_id,
start ? PFNL_CMD_START : PFNL_CMD_STOP);
 
-   snl_finalize_msg(&nw);
+   hdr = snl_finalize_msg(&nw);
seq_id = hdr->nlmsg_seq;
 
snl_send_message(&ss, hdr);
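Review bot: `hdr = snl_finalize_msg(&nw);` is followed directly by `seq_id = hdr->nlmsg_seq;` with no NULL check, although the ifconfig changes in this same commit treat a NULL return from `snl_finalize_msg()` as a failure. The same pattern appears in the `pfctl_get_creators_nl()` and `pfctl_get_states_nl()` hunks below. Proposed for each: `if ((hdr = snl_finalize_msg(&nw)) == NULL) return (ENOMEM);`, with the error value adjusted to whatever the enclosing function already returns on failure, which is outside the hunk.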
@@ -1161,7 +1161,7 @@ pfctl_get_creators_nl(struct snl_state *ss, uint32_t 
*creators, size_t *len)
snl_init_writer(ss, &nw);
hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETCREATORS);
hdr->nlmsg_flags |= NLM_F_DUMP;
-   snl_finalize_msg(&nw);
+   hdr = snl_finalize_msg(&nw);
uint32_t seq_id = hdr->nlmsg_seq;
 
snl_send_message(ss, hdr);
@@ -1309,7 +1309,7 @@ pfctl_get_states_nl(struct snl_state *ss, 
pfctl_get_state_fn f, void *arg)
snl_init_writer(ss, &nw);
hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETSTATES);
hdr->nlmsg_flags |= NLM_F_DUMP;
-   snl_finalize_msg(&nw);
+   hdr = snl_finalize_msg(&nw);
uint32_t seq_id = hdr->nlmsg_seq;
 
snl_send_message(ss, hdr);
diff --git a/sbin/ifconfig/af_inet.c b/sbin/ifconfig/af_inet.c
index d9499d64ed13..5e3084165b33 100644
--- a/sbin/ifconfig/af_inet.c
+++ b/sbin/ifconfig/af_inet.c
@@ -355,7 +355,7 @@ in_delete_first_nl(if_ctx *ctx)
ifahdr->ifa_family = AF_INET;
ifahdr->ifa_index = ifindex;
 
-   if (!snl_finalize_msg(&nw) || !snl_send_message(ss, hdr))
+   if (! (hdr = snl_finalize_msg(&nw)) || !snl_send_message(ss, hdr))
return (EINVAL);
 
nlmsg_seq = hdr->nlmsg_seq;
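Review bot: The condition `! (hdr = snl_finalize_msg(&nw)) || ...` buries the pointer refresh, which is the whole purpose of this commit, inside a negated assignment with irregular spacing, and it is easy to misread as the old call-only form. Doing the assignment as its own statement makes the dependency visible: `hdr = snl_finalize_msg(&nw);` followed by `if (hdr == NULL || !snl_send_message(ss, hdr))`. The same applies to the other two hunks in this file and to the af_inet6.c and ifconfig_netlink.c hunks.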
@@ -386,7 +386,7 @@ in_delete_first_nl(if_ctx *ctx)
ifahdr->ifa_index = ifindex;
snl_add_msg_attr_ip4(&nw, IFA_LOCAL, &addr);
 
-   if (!snl_finalize_msg(&nw) || !snl_send_message(ss, hdr))
+   if (! (hdr = snl_finalize_msg(&nw)) || !snl_send_message(ss, hdr))
return (EINVAL);
memset(&e, 0, sizeof(e));
snl_read_reply_code(ss, hdr->nlmsg_seq, &e);
@@ -426,7 +426,7 @@ in_exec_nl(if_ctx *ctx, unsigned long action, void *data)
snl_add_msg_attr_u32(&nw, IFAF_VHID, pdata->vhid);
snl_end_attr_nested(&nw, off);
 
-   if (!snl_finalize_msg(&nw) || !snl_send_message(ctx->io_ss, hdr))
+   if (! (hdr = snl_finalize_msg(&nw)) || !snl_send_message(ctx->io_ss, 
hdr))
return (0);
 
struct snl_errmsg_data e = {};
diff --git a/sbin/ifconfig/af_inet6.c b/sbin/ifconfig/af_inet6.c
index bc4f77f6848d..fcd04139a8c1 100644
--- a/sbin/ifconfig/af_inet6.c
+++ b/sbin/ifconfig/af_inet6.c
@@ -488,7 +488,7 @@ in6_exec_nl(if_ctx *ctx, unsigned long action, void *data)
snl_add_msg_attr_u32(&nw, IFAF_VHID, pdata->vhid);
snl_end_attr_nested(&nw, off);
 
-   if (!snl_finalize_msg(&nw) || !snl_send_message(ctx->io_ss, hdr))
+   if (! (hdr = snl_finalize_msg(&nw)) || !snl_send_message(ctx->io_ss, 
hdr))
return (0);
 
struct snl_errmsg_data e = {};
diff --git a/sbin/ifconfig/ifconfig_netlink.c b/sbin/ifconfig/ifconfig_netlink.c
index a6f52ea2a7f0..826d199d3ccb 100644
--- a/sbin/ifconfig/ifconfig_netlink.c
+++ b/sbin/ifconfig/ifconfig_netlink.c
@@ -171,7 +171,7 @@ prepare_ifmap(struct snl_state *ss)
hdr->nlmsg_flags |= NLM_F_DUMP;
snl_reserve_msg_object(&nw, struct ifinfomsg);
 
-   if (!snl_finalize_msg(&nw) || !snl_send_message(ss, hdr))
+   if (! (hdr = snl_finalize_msg(&nw)) || !snl_send_m

Re: git: 74e4a8d208f0 - main - pmap: add pmap_kextract(9) man page

2023-10-17 Thread Konstantin Belousov
On Mon, Oct 16, 2023 at 03:54:32PM -0700, John Baldwin wrote:
> On 10/14/23 10:34 AM, Mitchell Horne wrote:
> > On 10/14/23 10:28, Konstantin Belousov wrote:
> > > On Fri, Oct 13, 2023 at 06:27:33PM +, Mitchell Horne wrote:
> > > > +.Pp
> > > > +.Fn vtophys
> > > > +is an alias for
> > > > +.Fn pmap_kextract
> > > > +and behaves identically.
> > > > +.Sh RETURN VALUES
> > > > +The
> > > > +.Fn pmap_kextract
> > > > +function will return the physical address
> > > > +.Pq Vt vm_paddr_t
> > > > +associated with the kernel virtual address
> > > and 'associated'?
> > > 
> > > The function returns address of physical memory mapped at the supplied
> > > kernel virtual address.
> > > 
> > 
> > Sure, this is more accurate.
> 
> I suggest tweaking this further just to be very explicit about the type
> of address being returned:
> 
> The
> .Fn pmap_kextract
> function returns the physical address of memory mapped at the
> kernel virtual address
> .Va va .
> 
> or some such.

There are two larger things that are worth adding to the man page, IMO.

1. pmap_kextract() is safe to be used from any context (in particular, it
   does not do any locking internally)

2. it is the caller's duty to ensure that the active mapping is alive and stable
   long enough for the answer to be useful




git: 7123222220aa - main - witness: Unconditionally initialize out-params for witness_save()

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=712320aa563dc16bf1989d335722e4ff57a6

commit 712320aa563dc16bf1989d335722e4ff57a6
Author: Mark Johnston 
AuthorDate: 2023-10-16 17:23:40 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:05:45 +

witness: Unconditionally initialize out-params for witness_save()

As of LLVM 16, the -fsanitize-memory-param-retval option is set to true
by default, meaning that MSan will eagerly report uninitialized function
parameters and return values, even if they are not used.  A
witness_save()/witness_restore() call pair fails this test since
witness_save() may return before saving file and line number
information.

Modify witness_save() to initialize the out-params unconditionally; this
appears to be the only instance of the problem triggered when booting to
a login prompt, so let's just address it directly.

Sponsored by:   Klara, Inc.
Sponsored by:   Juniper Networks, Inc.
MFC after:  1 week
---
 sys/kern/subr_witness.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/sys/kern/subr_witness.c b/sys/kern/subr_witness.c
index d4ab085197f4..5b9f8afd9565 100644
--- a/sys/kern/subr_witness.c
+++ b/sys/kern/subr_witness.c
@@ -2362,6 +2362,10 @@ witness_save(struct lock_object *lock, const char 
**filep, int *linep)
struct lock_instance *instance;
struct lock_class *class;
 
+   /* Initialize for KMSAN's benefit. */
+   *filep = NULL;
+   *linep = 0;
+
/*
 * This function is used independently in locking code to deal with
 * Giant, SCHEDULER_STOPPED() check can be removed here after Giant



git: e5caed14067b - main - kmsan: Use __builtin_memset to initialize per-thread state

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e5caed14067b40f1454d74e99789a28508d0eea3

commit e5caed14067b40f1454d74e99789a28508d0eea3
Author: Mark Johnston 
AuthorDate: 2023-10-16 19:37:19 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:05:45 +

kmsan: Use __builtin_memset to initialize per-thread state

Accesses to KMSAN's TLS block are not instrumented, so there's no need
to use kmsan_memset().  No functional change intended.

MFC after:  1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Juniper Networks, Inc.
---
 sys/kern/subr_msan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/subr_msan.c b/sys/kern/subr_msan.c
index 54948370a14a..f8fdcf478b79 100644
--- a/sys/kern/subr_msan.c
+++ b/sys/kern/subr_msan.c
@@ -452,7 +452,7 @@ kmsan_thread_alloc(struct thread *td)
sizeof(int));
mtd = malloc(sizeof(*mtd), M_KMSAN, M_WAITOK);
}
-   kmsan_memset(mtd, 0, sizeof(*mtd));
+   __builtin_memset(mtd, 0, sizeof(*mtd));
mtd->ctx = 0;
 
if (td->td_kstack != 0)



git: b6c653c97463 - main - kmsan: Set -fno-sanitize-memory-param-retval for now

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b6c653c9746342b373af01979319b3cb123b2872

commit b6c653c9746342b373af01979319b3cb123b2872
Author: Mark Johnston 
AuthorDate: 2023-10-16 19:45:42 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:05:45 +

kmsan: Set -fno-sanitize-memory-param-retval for now

As of LLVM 16, -fsanitize-memory-param-retval is the default.  It yields
significantly smaller code, but the KMSAN runtime interceptors need to
be updated to stop checking shadow state of parameters.  Apply a minimal
workaround for now.

MFC after:  3 days
Sponsored by:   Klara, Inc.
Sponsored by:   Juniper Networks, Inc.
---
 sys/conf/files   | 2 +-
 sys/conf/kern.pre.mk | 5 -
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/sys/conf/files b/sys/conf/files
index dc837eb02c06..8c3bdca61905 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -3872,7 +3872,7 @@ kern/subr_mchain.coptional libmchain
 kern/subr_memdesc.cstandard
 kern/subr_module.c standard
 kern/subr_msan.c   optional kmsan \
-   compile-with "${NORMAL_C:N-fsanitize*:N-fstack-protector*}"
+   compile-with 
"${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fstack-protector*}"
 kern/subr_msgbuf.c standard
 kern/subr_param.c  standard
 kern/subr_pcpu.c   standard
diff --git a/sys/conf/kern.pre.mk b/sys/conf/kern.pre.mk
index 4d37cd4156f0..158175eb6899 100644
--- a/sys/conf/kern.pre.mk
+++ b/sys/conf/kern.pre.mk
@@ -122,8 +122,11 @@ SAN_CFLAGS+=   -DSAN_NEEDS_INTERCEPTORS 
-DSAN_INTERCEPTOR_PREFIX=kcsan \
 
 KMSAN_ENABLED!= grep KMSAN opt_global.h || true ; echo
 .if !empty(KMSAN_ENABLED)
+# Disable -fno-sanitize-memory-param-retval until interceptors have been
+# updated to work properly with it.
 SAN_CFLAGS+=   -DSAN_NEEDS_INTERCEPTORS -DSAN_INTERCEPTOR_PREFIX=kmsan \
-   -fsanitize=kernel-memory
+   -fsanitize=kernel-memory \
+   -fno-sanitize-memory-param-retval
 .endif
 
 KUBSAN_ENABLED!=   grep KUBSAN opt_global.h || true ; echo
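Review bot: The added comment names the wrong flag: `# Disable -fno-sanitize-memory-param-retval until ...` describes turning off the negated option, while the lines below add `-fno-sanitize-memory-param-retval`, which disables `-fsanitize-memory-param-retval`. Suggested wording: `# Disable -fsanitize-memory-param-retval until interceptors have been` / `# updated to work properly with it.`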



git: a37e484d0497 - main - amd64: Zero-fill AP PCPU pages

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a37e484d049758c70f2d61be0d28a115b6f2f01e

commit a37e484d049758c70f2d61be0d28a115b6f2f01e
Author: Mark Johnston 
AuthorDate: 2023-10-16 22:40:21 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:12:08 +

amd64: Zero-fill AP PCPU pages

At least KMSAN relies on zero-initialization of AP PCPU regions, see
commit 4b136ef259ce.

Prior to commit af1c6d3f3013 these were allocated with allocpages() in
the amd64 pmap, which always returns zero-initialized memory.

Reviewed by:kib
Fixes:  af1c6d3f3013 ("amd64: do not leak pcpu pages")
MFC after:  3 days
Sponsored by:   Klara, Inc.
Sponsored by:   Juniper Networks, Inc.
Differential Revision:  https://reviews.freebsd.org/D42241
---
 sys/amd64/amd64/mp_machdep.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/amd64/amd64/mp_machdep.c b/sys/amd64/amd64/mp_machdep.c
index ec4501c3aeed..d506ffada4b9 100644
--- a/sys/amd64/amd64/mp_machdep.c
+++ b/sys/amd64/amd64/mp_machdep.c
@@ -300,11 +300,12 @@ amd64_mp_alloc_pcpu(void)
m = NULL;
if (vm_ndomains > 1) {
m = vm_page_alloc_noobj_domain(
-   acpi_pxm_get_cpu_locality(cpu_apic_ids[cpu]), 0);
+   acpi_pxm_get_cpu_locality(cpu_apic_ids[cpu]),
+   VM_ALLOC_ZERO);
}
if (m == NULL)
 #endif
-   m = vm_page_alloc_noobj(0);
+   m = vm_page_alloc_noobj(VM_ALLOC_ZERO);
if (m == NULL)
panic("cannot alloc pcpu page for cpu %d", cpu);
pmap_qenter((vm_offset_t)&__pcpu[cpu], &m, 1);
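Review bot: Nothing at the two call sites records why `VM_ALLOC_ZERO` is required, and per the commit message the regression came from this assumption being lost when the allocation path was changed. A one-line comment above the allocation would keep it from being dropped again: `/* PCPU pages must be zero-filled; at least KMSAN relies on it. */`. The body of `amd64_mp_alloc_pcpu()` starts and ends outside this hunk.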



git: 761ae1ce798a - main - ktrace: Handle uio_resid underflow via MSG_TRUNC

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=761ae1ce798add862d78728cc5ac5240ce7db779

commit 761ae1ce798add862d78728cc5ac5240ce7db779
Author: Mark Johnston 
AuthorDate: 2023-10-16 20:11:55 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:12:19 +

ktrace: Handle uio_resid underflow via MSG_TRUNC

When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
intentionally underflow uio_resid so that userspace can find out how
many bytes it should have asked for.

If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
copy in beyond the end of the output buffer's iovec.  In general this
will silently cause the ktrace operation to fail since it'll result in
EFAULT from uiomove().  Let's be more careful and make sure not to try
and copy more bytes than we have.

Fixes:  be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for 
recvfrom()/recvmsg().")
Reported by:syzbot+30b4bb0c0bc0f53ac...@syzkaller.appspotmail.com
Reviewed by:kib
MFC after:  3 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D42099
---
 sys/kern/uipc_syscalls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 2dad9d487290..c7c2e6544902 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -948,7 +948,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, 
enum uio_seg fromseg,
AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa);
 #ifdef KTRACE
if (ktruio != NULL) {
-   ktruio->uio_resid = len - auio.uio_resid;
+   /* MSG_TRUNC can trigger underflow of uio_resid. */
+   ktruio->uio_resid = MIN(len - auio.uio_resid, len);
ktrgenio(s, UIO_READ, ktruio, error);
}
 #endif
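Review bot: The clamp `MIN(len - auio.uio_resid, len)` is only correct while both operands are signed, because it relies on a negative `uio_resid` making the difference larger than `len`. The declarations are outside the hunk, so that should be confirmed. The comment would help more if it stated what is being protected: `/* MSG_TRUNC may leave uio_resid negative; never trace more than len bytes. */`. It is also worth checking whether other receive paths compute the ktrace length the same way and need the same clamp; none are visible here.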



git: 8fd0ec53deaa - main - uiomove: Add some assertions

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8fd0ec53deaad34383d4b344714b74d67105b258

commit 8fd0ec53deaad34383d4b344714b74d67105b258
Author: Mark Johnston 
AuthorDate: 2023-10-16 20:12:37 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:12:19 +

uiomove: Add some assertions

Make sure that we don't try to copy with a negative resid.

Make sure that we don't walk off the end of the iovec array.

Reviewed by:kib
MFC after:  1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D42098
---
 sys/amd64/amd64/uio_machdep.c | 6 ++
 sys/arm/arm/uio_machdep.c | 6 ++
 sys/arm64/arm64/uio_machdep.c | 6 ++
 sys/i386/i386/uio_machdep.c   | 6 ++
 sys/kern/subr_uio.c   | 5 +
 sys/powerpc/powerpc/uio_machdep.c | 5 +
 sys/riscv/riscv/uio_machdep.c | 6 ++
 7 files changed, 40 insertions(+)

diff --git a/sys/amd64/amd64/uio_machdep.c b/sys/amd64/amd64/uio_machdep.c
index f3e80addc92c..67e14d8e0d12 100644
--- a/sys/amd64/amd64/uio_machdep.c
+++ b/sys/amd64/amd64/uio_machdep.c
@@ -71,10 +71,16 @@ uiomove_fromphys(vm_page_t ma[], vm_offset_t offset, int n, 
struct uio *uio)
("uiomove_fromphys: mode"));
KASSERT(uio->uio_segflg != UIO_USERSPACE || uio->uio_td == curthread,
("uiomove_fromphys proc"));
+   KASSERT(uio->uio_resid >= 0,
+   ("%s: uio %p resid underflow", __func__, uio));
+
save = td->td_pflags & TDP_DEADLKTREAT;
td->td_pflags |= TDP_DEADLKTREAT;
mapped = false;
while (n > 0 && uio->uio_resid) {
+   KASSERT(uio->uio_iovcnt > 0,
+   ("%s: uio %p iovcnt underflow", __func__, uio));
+
iov = uio->uio_iov;
cnt = iov->iov_len;
if (cnt == 0) {
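Review bot: `KASSERT(uio->uio_resid >= 0, ...)` only fires on kernels built with assertions enabled, and the loop right below still tests `uio->uio_resid` for non-zero, so on other kernels a negative resid is treated as "more to copy". If a negative value can reach this function, the loop condition is the place to stop it: `while (n > 0 && uio->uio_resid > 0) {`. The same two assertions and the same loop condition appear in the arm, arm64 and i386 hunks of this commit. `uiomove_fromphys()` starts and ends outside the hunk.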
diff --git a/sys/arm/arm/uio_machdep.c b/sys/arm/arm/uio_machdep.c
index 07531f76217b..18661ebd1652 100644
--- a/sys/arm/arm/uio_machdep.c
+++ b/sys/arm/arm/uio_machdep.c
@@ -72,9 +72,15 @@ uiomove_fromphys(vm_page_t ma[], vm_offset_t offset, int n, 
struct uio *uio)
("uiomove_fromphys: mode"));
KASSERT(uio->uio_segflg != UIO_USERSPACE || uio->uio_td == curthread,
("uiomove_fromphys proc"));
+   KASSERT(uio->uio_resid >= 0,
+   ("%s: uio %p resid underflow", __func__, uio));
+
save = td->td_pflags & TDP_DEADLKTREAT;
td->td_pflags |= TDP_DEADLKTREAT;
while (n > 0 && uio->uio_resid) {
+   KASSERT(uio->uio_iovcnt > 0,
+   ("%s: uio %p iovcnt underflow", __func__, uio));
+
iov = uio->uio_iov;
cnt = iov->iov_len;
if (cnt == 0) {
diff --git a/sys/arm64/arm64/uio_machdep.c b/sys/arm64/arm64/uio_machdep.c
index f9e4e7a9547f..4fdcaf74890c 100644
--- a/sys/arm64/arm64/uio_machdep.c
+++ b/sys/arm64/arm64/uio_machdep.c
@@ -69,10 +69,16 @@ uiomove_fromphys(vm_page_t ma[], vm_offset_t offset, int n, 
struct uio *uio)
("uiomove_fromphys: mode"));
KASSERT(uio->uio_segflg != UIO_USERSPACE || uio->uio_td == curthread,
("uiomove_fromphys proc"));
+   KASSERT(uio->uio_resid >= 0,
+   ("%s: uio %p resid underflow", __func__, uio));
+
save = td->td_pflags & TDP_DEADLKTREAT;
td->td_pflags |= TDP_DEADLKTREAT;
mapped = false;
while (n > 0 && uio->uio_resid) {
+   KASSERT(uio->uio_iovcnt > 0,
+   ("%s: uio %p iovcnt underflow", __func__, uio));
+
iov = uio->uio_iov;
cnt = iov->iov_len;
if (cnt == 0) {
diff --git a/sys/i386/i386/uio_machdep.c b/sys/i386/i386/uio_machdep.c
index 07d71eac5db6..92e067b35bed 100644
--- a/sys/i386/i386/uio_machdep.c
+++ b/sys/i386/i386/uio_machdep.c
@@ -71,9 +71,15 @@ uiomove_fromphys(vm_page_t ma[], vm_offset_t offset, int n, 
struct uio *uio)
("uiomove_fromphys: mode"));
KASSERT(uio->uio_segflg != UIO_USERSPACE || uio->uio_td == curthread,
("uiomove_fromphys proc"));
+   KASSERT(uio->uio_resid >= 0,
+   ("%s: uio %p resid underflow", __func__, uio));
+
save = td->td_pflags & TDP_DEADLKTREAT;
td->td_pflags |= TDP_DEADLKTREAT;
while (n > 0 && uio->uio_resid) {
+   KASSERT(uio->uio_iovcnt > 0,
+   ("%s: uio %p iovcnt underflow", __func__, uio));
+
iov = uio->uio_iov;
cnt = iov->iov_len;
if (cnt == 0) {
diff --git a/sys/kern/subr_uio.c b/sys/kern/subr_uio.c
index 21a1f044db54..b0c4a256cd17 100644
--- a/sys/kern/subr_uio.c
+++ b/sys/kern/subr_uio.c
@@ -216,6 +216,8 @@ uiomove_faultflag(void *cp, int n, struct uio *uio, int 
nofault)
("uiomove: mode"));
KASSERT(uio->uio_segflg != UIO_USERSPACE || uio->uio_td == curthread,
("uiomove proc"));
+   KASSERT(uio

git: b5e7dbac756a - main - socket tests: Clean up the MSG_TRUNC regression tests a bit

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b5e7dbac756afb49c58315c7081737b34a1d2dfd

commit b5e7dbac756afb49c58315c7081737b34a1d2dfd
Author: Mark Johnston 
AuthorDate: 2023-10-16 21:35:07 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:12:36 +

socket tests: Clean up the MSG_TRUNC regression tests a bit

- Fix style.
- Move test case-specific code out of the shared function and into the
  individual test cases.
- Remove unneeded setting of SO_REUSEPORT.
- Avoid unnecessary copying.
- Use ATF_REQUIRE* instead of ATF_CHECK*.  The former cause test
  execution to stop after a failed assertion, which is what we want.
- Add a test case for AF_LOCAL/SOCK_SEQPACKET sockets.

MFC after:  1 week
---
 tests/sys/kern/socket_msg_trunc.c | 230 +-
 1 file changed, 128 insertions(+), 102 deletions(-)

diff --git a/tests/sys/kern/socket_msg_trunc.c 
b/tests/sys/kern/socket_msg_trunc.c
index a863705adbae..469b9e1503cd 100644
--- a/tests/sys/kern/socket_msg_trunc.c
+++ b/tests/sys/kern/socket_msg_trunc.c
@@ -25,143 +25,169 @@
  * SUCH DAMAGE.
  */
 
-#include 
-#include 
-#include 
+#include 
 #include 
 #include 
 #include 
+
 #include 
+
 #include 
+#include 
+#include 
 
 #include 
 
 static void
-check_recvmsg(const char *test_name)
+check_recvmsg(int cs, int ss, struct sockaddr *sa, const size_t sizes[],
+size_t nsizes)
 {
-   int ss, cs, rc;
-   struct sockaddr *sa;
-   struct sockaddr_in sin;
-   struct sockaddr_in6 sin6;
-   struct sockaddr_un saun;
-   int *sizes, sizes_count;
-   int one = 1;
-
-
-   if (!strcmp(test_name, "udp")) {
-   ss = socket(PF_INET, SOCK_DGRAM, 0);
-   ATF_CHECK(ss >= 0);
-   rc = setsockopt(ss, SOL_SOCKET, SO_REUSEPORT, &one, 
sizeof(one));
-   ATF_CHECK_EQ(0, rc);
-   bzero(&sin, sizeof(sin));
-   sin.sin_family = AF_INET;
-   sin.sin_len = sizeof(sin);
-   sin.sin_port = htons();
-   sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-   sa = (struct sockaddr *)&sin;
-   rc = bind(ss, sa, sa->sa_len);
-   ATF_CHECK_EQ(0, rc);
-
-   cs = socket(PF_INET, SOCK_DGRAM, 0);
-   ATF_CHECK(cs >= 0);
-   int inet_sizes[] = {80, 255, 256, 1024, 4096, 9000};
-   sizes_count = sizeof(inet_sizes) / sizeof(int);
-   sizes = malloc(sizeof(inet_sizes));
-   memcpy(sizes, inet_sizes, sizeof(inet_sizes));
-
-   } else if (!strcmp(test_name, "udp6")) {
-   ss = socket(PF_INET6, SOCK_DGRAM, 0);
-   ATF_CHECK(ss >= 0);
-   rc = setsockopt(ss, SOL_SOCKET, SO_REUSEPORT, &one, 
sizeof(one));
-   ATF_CHECK_EQ(0, rc);
-   bzero(&sin6, sizeof(sin6));
-   sin6.sin6_family = AF_INET6;
-   sin6.sin6_len = sizeof(sin6);
-   sin6.sin6_port = htons();
-   const struct in6_addr in6loopback = IN6ADDR_LOOPBACK_INIT;
-   sin6.sin6_addr = in6loopback;
-   sa = (struct sockaddr *)&sin6;
-   rc = bind(ss, sa, sa->sa_len);
-   ATF_CHECK_EQ(0, rc);
-
-   cs = socket(PF_INET6, SOCK_DGRAM, 0);
-   ATF_CHECK(cs >= 0);
-   int inet_sizes[] = {80, 255, 256, 1024, 4096, 9000};
-   sizes_count = sizeof(inet_sizes) / sizeof(int);
-   sizes = malloc(sizeof(inet_sizes));
-   memcpy(sizes, inet_sizes, sizeof(inet_sizes));
-
-   } else if (!strcmp(test_name, "unix")) {
-   const char *PATH = "/tmp/test_check_recvmsg_socket";
-   ss = socket(PF_UNIX, SOCK_DGRAM, 0);
-   ATF_CHECK(ss >= 0);
-   rc = setsockopt(ss, SOL_SOCKET, SO_REUSEPORT, &one, 
sizeof(one));
-   ATF_CHECK_EQ(0, rc);
-   bzero(&saun, sizeof(saun));
-   saun.sun_family = AF_UNIX;
-   strcpy(saun.sun_path, PATH);
-   saun.sun_len = sizeof(saun);
-   sa = (struct sockaddr *)&saun;
-   unlink(PATH);
-   rc = bind(ss, sa, sa->sa_len);
-   ATF_CHECK_EQ(0, rc);
-
-   cs = socket(PF_UNIX, SOCK_DGRAM, 0);
-   ATF_CHECK(cs >= 0);
-   int unix_sizes[] = {80, 255, 256, 1024, 2000};
-   sizes_count = sizeof(unix_sizes) / sizeof(int);
-   sizes = malloc(sizeof(unix_sizes));
-   memcpy(sizes, unix_sizes, sizeof(unix_sizes));
-   } else
-   return;
-
char buf[4096];
+
memset(buf, 0xFF, sizeof(buf));
-   for (int i = 0; i < sizes_count; i++) {
-   int sz = sizes[i];
+   for (size_t i = 0; i < nsizes; i++) {
+   ssize_t rc;
+   size_t sz = sizes[i];
   

git: d8735eb7acc0 - main - socket tests: Add a regression test for ktrace+recv(MSG_TRUNC)

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d8735eb7acc0613fd19f74a49d3bdcb7ed0e9b0e

commit d8735eb7acc0613fd19f74a49d3bdcb7ed0e9b0e
Author: Mark Johnston 
AuthorDate: 2023-10-16 22:23:36 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 13:12:57 +

socket tests: Add a regression test for ktrace+recv(MSG_TRUNC)

MFC after:  1 week
---
 tests/sys/kern/socket_msg_trunc.c | 57 +++
 1 file changed, 57 insertions(+)

diff --git a/tests/sys/kern/socket_msg_trunc.c 
b/tests/sys/kern/socket_msg_trunc.c
index 469b9e1503cd..279170158643 100644
--- a/tests/sys/kern/socket_msg_trunc.c
+++ b/tests/sys/kern/socket_msg_trunc.c
@@ -27,11 +27,13 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -182,12 +184,67 @@ ATF_TC_BODY(recv_trunc_afunix_seqpacket, tc)
ATF_REQUIRE(close(ss) == 0);
 }
 
+/*
+ * Exercise the case where ktrace was used to dump a truncated buffer.
+ */
+ATF_TC_WITHOUT_HEAD(recvmsg_trunc_ktrace_uio);
+ATF_TC_BODY(recvmsg_trunc_ktrace_uio, tc)
+{
+   struct ktr_header ktr;
+   struct msghdr msg;
+   struct iovec iov;
+   const char *tracepath;
+   char buf[128];
+   ssize_t nbytes;
+   int error, fd, sd[2];
+
+   tracepath = "ktrace";
+
+   error = socketpair(AF_UNIX, SOCK_DGRAM, 0, sd);
+   ATF_REQUIRE(error == 0);
+
+   memset(buf, 0, sizeof(buf));
+   nbytes = send(sd[0], buf, sizeof(buf), 0);
+   ATF_REQUIRE_MSG(nbytes >= 0, "send failed: %s", strerror(errno));
+   ATF_REQUIRE((size_t)nbytes == sizeof(buf));
+
+   fd = open(tracepath, O_RDWR | O_CREAT | O_TRUNC, 0644);
+   ATF_REQUIRE_MSG(fd >= 0, "open failed: %s", strerror(errno));
+   error = ktrace(tracepath, KTROP_SET, KTRFAC_GENIO, getpid());
+   ATF_REQUIRE_MSG(error == 0,
+   "ktrace(SET) failed: %s", strerror(errno));
+
+   iov.iov_base = buf;
+   iov.iov_len = sizeof(buf) - 1; /* truncate */
+   memset(&msg, 0, sizeof(msg));
+   msg.msg_iov = &iov;
+   msg.msg_iovlen = 1;
+   nbytes = recvmsg(sd[1], &msg, MSG_TRUNC);
+   ATF_REQUIRE_MSG(nbytes >= 0, "recvmsg failed: %s", strerror(errno));
+   ATF_REQUIRE((size_t)nbytes == sizeof(buf));
+   ATF_REQUIRE((msg.msg_flags & MSG_TRUNC) != 0);
+
+   error = ktrace(tracepath, KTROP_CLEARFILE, 0, getpid());
+   ATF_REQUIRE_MSG(error == 0,
+   "ktrace(CLEARFILE) failed: %s", strerror(errno));
+
+   nbytes = read(fd, &ktr, sizeof(ktr));
+   ATF_REQUIRE_MSG(nbytes >= 0, "read failed: %s", strerror(errno));
+   ATF_REQUIRE((size_t)nbytes == sizeof(ktr));
+   ATF_REQUIRE_MSG((ktr.ktr_type & ~KTR_TYPE) == KTR_GENIO);
+
+   ATF_REQUIRE(close(fd) == 0);
+   ATF_REQUIRE(close(sd[0]) == 0);
+   ATF_REQUIRE(close(sd[1]) == 0);
+}
+
 ATF_TP_ADD_TCS(tp)
 {
ATF_TP_ADD_TC(tp, recv_trunc_afinet_udp);
ATF_TP_ADD_TC(tp, recv_trunc_afinet6_udp);
ATF_TP_ADD_TC(tp, recv_trunc_afunix_dgram);
ATF_TP_ADD_TC(tp, recv_trunc_afunix_seqpacket);
+   ATF_TP_ADD_TC(tp, recvmsg_trunc_ktrace_uio);
 
return (atf_no_error());
 }
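Review bot: `ATF_REQUIRE_MSG((ktr.ktr_type & ~KTR_TYPE) == KTR_GENIO);` passes no format string, which `ATF_REQUIRE_MSG` expects after the condition; the plain form is what is meant: `ATF_REQUIRE((ktr.ktr_type & ~KTR_TYPE) == KTR_GENIO);`. The test also stops after reading the record header, so it shows that a GENIO record was written but not that its payload was limited to the truncated buffer. A check on the record's length field would pin the behaviour the kernel fix is about.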



git: 4a3810075fd3 - main - bhyve: fix buffer overflow in QemuFwCfg

2023-10-17 Thread Corvin Köhne
The branch main has been updated by corvink:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4a3810075fd307301d8b3f087efe7a61bc37199b

commit 4a3810075fd307301d8b3f087efe7a61bc37199b
Author: Corvin Köhne 
AuthorDate: 2023-10-16 08:52:21 +
Commit: Corvin Köhne 
CommitDate: 2023-10-17 13:57:28 +

bhyve: fix buffer overflow in QemuFwCfg

We're accessing one element too many of both the newly allocated and the
old directory.

Reported by:a...@omniosce.org
Reviewed by:markj
Fixes:  6f9ebb3d0fed2b0ae604dd6daf17f1fe1d8df216 ("bhyve: 
add helper for adding fwcfg files")
MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D42220
---
 usr.sbin/bhyve/qemu_fwcfg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.sbin/bhyve/qemu_fwcfg.c b/usr.sbin/bhyve/qemu_fwcfg.c
index 830cee730dbd..5b33dfab037d 100644
--- a/usr.sbin/bhyve/qemu_fwcfg.c
+++ b/usr.sbin/bhyve/qemu_fwcfg.c
@@ -365,7 +365,7 @@ qemu_fwcfg_add_file(const char *name, const uint32_t size, 
void *const data)
/* copy files above file_index to directory */
memcpy(&new_directory->files[file_index + 1],
&fwcfg_sc.directory->files[file_index],
-   (count - file_index) * sizeof(struct qemu_fwcfg_file));
+   (count - file_index - 1) * sizeof(struct qemu_fwcfg_file));
 
/* free old directory */
free(fwcfg_sc.directory);
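Review bot: The corrected length `(count - file_index - 1)` in the memcpy that copies the files above `file_index` still depends on an invariant the hunk does not state, namely that `file_index < count` and that `count` already includes the entry being added (inferred from the fix; the declarations are outside the hunk). If either does not hold, the subtraction gives a wrong or wrapped length and the copy again runs past both directories. I would put the invariant next to the copy, e.g. `assert(file_index < count);` with a comment such as `/* count includes the new entry: count - file_index - 1 old entries follow the insertion point */`. qemu_fwcfg_add_file starts and ends outside the hunk.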



git: 1ffcc2983834 - releng/14.0 - pmcstat: fix duplicate event allocation on CPU 0

2023-10-17 Thread Mitchell Horne
The branch releng/14.0 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1ffcc2983834accfd21089daa116ec802e90e088

commit 1ffcc2983834accfd21089daa116ec802e90e088
Author: Mitchell Horne 
AuthorDate: 2023-09-27 16:37:46 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 14:11:13 +

pmcstat: fix duplicate event allocation on CPU 0

Commit b6e28991bf3a modified the allocation path for system scope PMCs
so that the event was allocated early for CPU 0. The reason is so that
the PMC's capabilities could be checked, to determine if pmcstat should
allocate the event on every CPU, or just on one CPU in each NUMA domain.
In the current scheme, there is no way to determine this information
without performing the PMC allocation.

This broke the established use-case of log analysis, and so
0aa150775179a was committed to fix the assertion. The result was what
appeared to be functional, but in normal counter measurement pmcstat was
silently allocating two counters for CPU 0.

This cuts the total number of counters that can be allocated from a CPU
in half. Additionally, depending on the particular hardware/event, we
might not be able to allocate the same event twice on a single CPU.

The simplest solution is to release the early-allocated PMC once we have
obtained its capabilities, and reallocate it later on. This restores the
event list logic to behave as it has for many years, and partially
reverts commit b6e28991bf3a.

Approved by:re (karels)
Reported by:alc, kevans
Reviewed by:jkoshy, ray
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D41978

(cherry picked from commit c362fe939f6fe52056fb7506be9e5cbd0a5ef60b)
(cherry picked from commit 5a2849bc3c60426039ff2aeef1d2b54940152927)
---
 usr.sbin/pmcstat/pmcstat.c | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/pmcstat/pmcstat.c b/usr.sbin/pmcstat/pmcstat.c
index fd4be99f83c8..c36cee436e55 100644
--- a/usr.sbin/pmcstat/pmcstat.c
+++ b/usr.sbin/pmcstat/pmcstat.c
@@ -713,8 +713,16 @@ main(int argc, char **argv)
errx(EX_SOFTWARE, "ERROR: Out of memory.");
(void) strncpy(ev->ev_name, optarg, c);
*(ev->ev_name + c) = '\0';
+
libpmc_initialize(&npmc);
+
if (args.pa_flags & FLAG_HAS_SYSTEM_PMCS) {
+   /*
+* We need to check the capabilities of the
+* desired event to determine if it should be
+* allocated on every CPU, or only a subset of
+* them. This requires allocating a PMC now.
+*/
if (pmc_allocate(ev->ev_spec, ev->ev_mode,
ev->ev_flags, ev->ev_cpu, &ev->ev_pmcid,
ev->ev_count) < 0)
@@ -726,8 +734,14 @@ main(int argc, char **argv)
err(EX_OSERR, "ERROR: Cannot get pmc "
"capabilities");
}
-   }
 
+   /*
+* Release the PMC now that we have caps; we
+* will reallocate shortly.
+*/
+   pmc_release(ev->ev_pmcid);
+   ev->ev_pmcid = PMC_ID_INVALID;
+   }
 
STAILQ_INSERT_TAIL(&args.pa_events, ev, ev_next);
 
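Review bot: The return value of `pmc_release(ev->ev_pmcid)` is ignored in the added block, so a failed release leaves the early-allocated PMC in place while `ev_pmcid` is reset to `PMC_ID_INVALID`. The later reallocation would then produce the duplicate CPU 0 counter this change is meant to remove, and nothing would report it. Following the error style of the surrounding calls, `if (pmc_release(ev->ev_pmcid) < 0) err(EX_OSERR, "ERROR: Cannot release pmc");` would make that visible. main() starts and ends outside the hunk.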
@@ -751,10 +765,7 @@ main(int argc, char **argv)
}
if (option == 's' || option == 'S') {
CPU_CLR(ev->ev_cpu, &cpumask);
-   pmc_id_t saved_pmcid = ev->ev_pmcid;
-   ev->ev_pmcid = PMC_ID_INVALID;
pmcstat_clone_event_descriptor(ev, &cpumask, 
&args);
-   ev->ev_pmcid = saved_pmcid;
CPU_SET(ev->ev_cpu, &cpumask);
}
 



git: 4bd1e1968494 - main - socket tests: Build fix

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4bd1e19684945aa1fd3397b58613f5210fda9091

commit 4bd1e19684945aa1fd3397b58613f5210fda9091
Author: Mark Johnston 
AuthorDate: 2023-10-17 14:21:32 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 14:22:11 +

socket tests: Build fix

Fixes:  d8735eb7acc0 ("socket tests: Add a regression test for 
ktrace+recv(MSG_TRUNC)")
Reported by:Jenkins
---
 tests/sys/kern/socket_msg_trunc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/sys/kern/socket_msg_trunc.c 
b/tests/sys/kern/socket_msg_trunc.c
index 279170158643..ff0499c4540d 100644
--- a/tests/sys/kern/socket_msg_trunc.c
+++ b/tests/sys/kern/socket_msg_trunc.c
@@ -231,7 +231,7 @@ ATF_TC_BODY(recvmsg_trunc_ktrace_uio, tc)
nbytes = read(fd, &ktr, sizeof(ktr));
ATF_REQUIRE_MSG(nbytes >= 0, "read failed: %s", strerror(errno));
ATF_REQUIRE((size_t)nbytes == sizeof(ktr));
-   ATF_REQUIRE_MSG((ktr.ktr_type & ~KTR_TYPE) == KTR_GENIO);
+   ATF_REQUIRE((ktr.ktr_type & ~KTR_TYPE) == KTR_GENIO);
 
ATF_REQUIRE(close(fd) == 0);
ATF_REQUIRE(close(sd[0]) == 0);



git: 22dc8609c565 - main - tcp: use signed IsLost() related accounting variables

2023-10-17 Thread Richard Scheffenegger
The branch main has been updated by rscheff:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=22dc8609c565456fda3de6ddc34e07af98f11203

commit 22dc8609c565456fda3de6ddc34e07af98f11203
Author: Richard Scheffenegger 
AuthorDate: 2023-10-17 14:07:23 +
Commit: Richard Scheffenegger 
CommitDate: 2023-10-17 14:37:09 +

tcp: use signed IsLost() related accounting variables

Coverity found that one safety check (kassert) was not
functional, as possible incorrect subtractions during
the accounting wouldn't show up as (invalid) negative
values.

Reported by: gallatin
Reviewed By: cc, #transport
Sponsored By: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42180
---
 sys/netinet/tcp_sack.c | 4 ++--
 sys/netinet/tcp_var.h  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 8647630bb6bc..589b0c424acb 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -888,10 +888,10 @@ tcp_free_sackholes(struct tcpcb *tp)
while ((q = TAILQ_FIRST(&tp->snd_holes)) != NULL)
tcp_sackhole_remove(tp, q);
tp->sackhint.sack_bytes_rexmit = 0;
-   tp->sackhint.sacked_bytes = 0;
tp->sackhint.delivered_data = 0;
-   tp->sackhint.lost_bytes = 0;
+   tp->sackhint.sacked_bytes = 0;
tp->sackhint.hole_bytes = 0;
+   tp->sackhint.lost_bytes = 0;
 
KASSERT(tp->snd_numholes == 0, ("tp->snd_numholes == 0"));
KASSERT(tp->sackhint.nexthole == NULL,
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 11509a87c6e7..c6e24b187e0f 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -128,8 +128,8 @@ struct sackhint {
uint32_trecover_fs; /* Flight Size at the start of Loss 
recovery */
uint32_tprr_delivered;  /* Total bytes delivered using PRR */
uint32_tprr_out;/* Bytes sent during IN_RECOVERY */
-   uint32_thole_bytes; /* current number of bytes in 
scoreboard holes */
-   uint32_tlost_bytes; /* number of rfc6675 IsLost() bytes */
+   int32_t hole_bytes; /* current number of bytes in 
scoreboard holes */
+   int32_t lost_bytes; /* number of rfc6675 IsLost() bytes */
 };
 
 #define SEGQ_EMPTY(tp) TAILQ_EMPTY(&(tp)->t_segq)
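Review bot: `hole_bytes` and `lost_bytes` are now the only `int32_t` members among the `uint32_t` byte counters visible in `struct sackhint`, and their comments do not say why. Any expression elsewhere that mixes them with the unsigned fields is converted to unsigned by the usual arithmetic conversions, which would hide a negative value again; the users are not in this diff, so that is worth checking. I would record the intent in the field comments, e.g. `/* signed so an accounting underflow shows up as a negative value */`, so the types are not changed back later. The struct begins outside the hunk.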



git: 56279238b03a - main - geom_linux_lvm: Avoid removing from vg_list before inserting

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=56279238b03a0ccef245b22fff7679fe35cffccc

commit 56279238b03a0ccef245b22fff7679fe35cffccc
Author: Mark Johnston 
AuthorDate: 2023-10-17 14:25:38 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 15:19:05 +

geom_linux_lvm: Avoid removing from vg_list before inserting

PR: 266693
Reported by:Robert Morris 
MFC after:  1 week
---
 sys/geom/linux_lvm/g_linux_lvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/geom/linux_lvm/g_linux_lvm.c b/sys/geom/linux_lvm/g_linux_lvm.c
index dddc3ae9184e..c63318fed729 100644
--- a/sys/geom/linux_lvm/g_linux_lvm.c
+++ b/sys/geom/linux_lvm/g_linux_lvm.c
@@ -512,7 +512,6 @@ g_llvm_free_vg(struct g_llvm_vg *vg)
LIST_REMOVE(lv, lv_next);
free(lv, M_GLLVM);
}
-   LIST_REMOVE(vg, vg_next);
free(vg, M_GLLVM);
 }
 
@@ -596,7 +595,8 @@ g_llvm_destroy(struct g_llvm_vg *vg, int force)
}
}
 
-   g_llvm_free_vg(gp->softc);
+   LIST_REMOVE(vg, vg_next);
+   g_llvm_free_vg(vg);
gp->softc = NULL;
g_wither_geom(gp, ENXIO);
return (0);
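Review bot: `g_llvm_free_vg()` no longer unlinks the volume group (first hunk), so every caller now has to take `vg` off `vg_list` itself before the free, and neither hunk says so. A caller that frees a listed `vg` without the `LIST_REMOVE` leaves a dangling entry on the list; callers other than `g_llvm_destroy()` are not visible here. I would document the contract above `g_llvm_free_vg()`, e.g. `/* Frees vg and its members; the caller must have removed vg from vg_list if it was ever inserted. */`. The call also changed from `gp->softc` to `vg`, which assumes the two are the same object; both functions start outside the hunks.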



git: 6223d0b67af9 - main - linuxkpi: Handle direct-mapped addresses in linux_free_kmem()

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6223d0b67af923f53d962a9bf594dc37004dffe8

commit 6223d0b67af923f53d962a9bf594dc37004dffe8
Author: Mark Johnston 
AuthorDate: 2023-10-17 14:26:18 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 15:19:06 +

linuxkpi: Handle direct-mapped addresses in linux_free_kmem()

See the analysis in PR 271333.  It is possible for driver code to
allocate a page, store its address as returned by page_address(), then
call free_page() on that address.  On most systems that'll result in the
LinuxKPI calling kmem_free() with a direct-mapped address, which is not
legal.

Fix the problem by making linux_free_kmem() check the address to see
whether it's direct-mapped or not, and handling it appropriately.

PR: 271333, 274515
Reviewed by:hselasky, bz
Tested by:  trasz
MFC after:  1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D40028
---
 sys/compat/linuxkpi/common/src/linux_page.c | 22 +++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/sys/compat/linuxkpi/common/src/linux_page.c 
b/sys/compat/linuxkpi/common/src/linux_page.c
index ce9ad34464bd..21e338acb089 100644
--- a/sys/compat/linuxkpi/common/src/linux_page.c
+++ b/sys/compat/linuxkpi/common/src/linux_page.c
@@ -145,6 +145,14 @@ linux_alloc_pages(gfp_t flags, unsigned int order)
return (page);
 }
 
+static void
+_linux_free_kmem(vm_offset_t addr, unsigned int order)
+{
+   size_t size = ((size_t)PAGE_SIZE) << order;
+
+   kmem_free((void *)addr, size);
+}
+
 void
 linux_free_pages(struct page *page, unsigned int order)
 {
@@ -163,7 +171,7 @@ linux_free_pages(struct page *page, unsigned int order)
 
vaddr = (vm_offset_t)page_address(page);
 
-   linux_free_kmem(vaddr, order);
+   _linux_free_kmem(vaddr, order);
}
 }
 
@@ -185,9 +193,17 @@ linux_alloc_kmem(gfp_t flags, unsigned int order)
 void
 linux_free_kmem(vm_offset_t addr, unsigned int order)
 {
-   size_t size = ((size_t)PAGE_SIZE) << order;
+   KASSERT((addr & PAGE_MASK) == 0,
+   ("%s: addr %p is not page aligned", __func__, (void *)addr));
 
-   kmem_free((void *)addr, size);
+   if (addr >= VM_MIN_KERNEL_ADDRESS && addr < VM_MAX_KERNEL_ADDRESS) {
+   _linux_free_kmem(addr, order);
+   } else {
+   vm_page_t page;
+
+   page = PHYS_TO_VM_PAGE(DMAP_TO_PHYS(addr));
+   linux_free_pages(page, order);
+   }
 }
 
 static int
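Review bot: The `else` branch of `linux_free_kmem()` treats every address outside `[VM_MIN_KERNEL_ADDRESS, VM_MAX_KERNEL_ADDRESS)` as direct-mapped and passes it to `DMAP_TO_PHYS()` without checking. An address that is neither (0, a user address, or any address on a platform without a direct map) would be turned into an unrelated physical page and handed to `linux_free_pages()`. An assertion in that branch, e.g. `KASSERT(VIRT_IN_DMAP(addr), ("%s: addr %p is not direct-mapped", __func__, (void *)addr));` where the platform provides that macro, would catch it. Whether callers may pass 0 here is not visible in the diff.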



git: ae5c3dfd3e75 - main - netinet tests: Add error handling tests for UDP with v4-mapped sockets

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ae5c3dfd3e75bb287984947359d4f958aea505ec

commit ae5c3dfd3e75bb287984947359d4f958aea505ec
Author: Mark Johnston 
AuthorDate: 2023-10-17 14:29:42 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 15:19:06 +

netinet tests: Add error handling tests for UDP with v4-mapped sockets

This provides a regression test for commit abca3ae7734f.

Add it to the existing v4-mapped address test file, and rename
accordingly.

Reviewed by:tuexen, karels, rrs
MFC after:  1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D39216
---
 ObsoleteFiles.inc  |  3 +
 tests/sys/netinet/Makefile |  2 +-
 ...p6_v4mapped_bind_test.c => ip6_v4mapped_test.c} | 81 +++---
 3 files changed, 76 insertions(+), 10 deletions(-)

diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index c3cc72351963..9e4be6b69312 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -51,6 +51,9 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20231006: rename tcp6_v4unmapped_bind_test
+OLD_FILES+=usr/tests/sys/netinet/tcp6_v4unmapped_bind_test
+
 # 20231005: Remove man page link for now gone net80211 function.
 OLD_FILES+=usr/share/man/man9/ieee80211_unref_node.9.gz
 
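Review bot: The added entry names `tcp6_v4unmapped_bind_test`, but the test being renamed is `tcp6_v4mapped_bind_test` (see the Makefile hunk and the rename header for the .c file). With the extra `un` the stale binary under usr/tests/sys/netinet would not match the obsolete-files entry and would be left in place. Both added lines need the fix: `# 20231006: rename tcp6_v4mapped_bind_test` and `OLD_FILES+=usr/tests/sys/netinet/tcp6_v4mapped_bind_test`.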
diff --git a/tests/sys/netinet/Makefile b/tests/sys/netinet/Makefile
index 144754acfbcc..44f76508bf5c 100644
--- a/tests/sys/netinet/Makefile
+++ b/tests/sys/netinet/Makefile
@@ -7,9 +7,9 @@ BINDIR= ${TESTSDIR}
 TESTS_SUBDIRS+=libalias
 
 ATF_TESTS_C=   ip_reass_test \
+   ip6_v4mapped_test \
so_reuseport_lb_test \
socket_afinet \
-   tcp6_v4mapped_bind_test \
tcp_connect_port_test \
tcp_md5_getsockopt
 
diff --git a/tests/sys/netinet/tcp6_v4mapped_bind_test.c 
b/tests/sys/netinet/ip6_v4mapped_test.c
similarity index 81%
rename from tests/sys/netinet/tcp6_v4mapped_bind_test.c
rename to tests/sys/netinet/ip6_v4mapped_test.c
index c7fc682d7ae7..d4c4ed526ab5 100644
--- a/tests/sys/netinet/tcp6_v4mapped_bind_test.c
+++ b/tests/sys/netinet/ip6_v4mapped_test.c
@@ -194,17 +194,15 @@ restore_portrange(void)
"failed while restoring value");
 }
 
-ATF_TC_WITH_CLEANUP(v4mapped);
-ATF_TC_HEAD(v4mapped, tc)
+ATF_TC_WITH_CLEANUP(tcp_v4mapped_bind);
+ATF_TC_HEAD(tcp_v4mapped_bind, tc)
 {
-
/* root is only required for sysctls (setup and cleanup). */
atf_tc_set_md_var(tc, "require.user", "root");
atf_tc_set_md_var(tc, "require.config", "allow_sysctl_side_effects");
atf_tc_set_md_var(tc, "descr",
"Check local port assignment with bind and mapped V4 addresses");
 }
-
 /*
  * Create a listening IPv4 socket, then connect to it repeatedly using a
  * bound IPv6 socket using a v4 mapped address.  With a small port range,
@@ -213,7 +211,7 @@ ATF_TC_HEAD(v4mapped, tc)
  * and then the connect would fail with EADDRINUSE.  Make sure we get
  * the right error.
  */
-ATF_TC_BODY(v4mapped, tc)
+ATF_TC_BODY(tcp_v4mapped_bind, tc)
 {
union {
struct sockaddr saddr;
@@ -315,17 +313,82 @@ ATF_TC_BODY(v4mapped, tc)
ATF_REQUIRE_MSG(i >= 1, "No successful connections");
ATF_REQUIRE_MSG(got_bind_error == true, "No expected bind error");
 }
+ATF_TC_CLEANUP(tcp_v4mapped_bind, tc)
+{
+   restore_portrange();
+}
 
-ATF_TC_CLEANUP(v4mapped, tc)
+ATF_TC(udp_v4mapped_sendto);
+ATF_TC_HEAD(udp_v4mapped_sendto, tc)
+{
+   atf_tc_set_md_var(tc, "descr",
+   "Validate sendto() with a v4-mapped address and a v6-only socket");
+}
+ATF_TC_BODY(udp_v4mapped_sendto, tc)
 {
+   struct addrinfo ai_hint, *aip;
+   struct sockaddr_in sin;
+   struct sockaddr_in6 sin6;
+   ssize_t n;
+   socklen_t salen;
+   int error, ls, s, zero;
+   short port;
+   char ch;
 
-   restore_portrange();
+   ls = socket(PF_INET, SOCK_DGRAM, 0);
+   ATF_REQUIRE(ls >= 0);
+
+   memset(&ai_hint, 0, sizeof(ai_hint));
+   ai_hint.ai_family = AF_INET;
+   ai_hint.ai_flags = AI_NUMERICHOST;
+   error = getaddrinfo("127.0.0.1", NULL, &ai_hint, &aip);
+   ATF_REQUIRE_MSG(error == 0, "getaddrinfo: %s", gai_strerror(error));
+   memcpy(&sin, aip->ai_addr, sizeof(sin));
+
+   error = bind(ls, (struct sockaddr *)&sin, sizeof(sin));
+   ATF_REQUIRE_MSG(error == 0, "bind: %s", strerror(errno));
+   salen = sizeof(sin);
+   error = getsockname(ls, (struct sockaddr *)&sin, &salen);
+   ATF_REQUIRE_MSG(error == 0,
+   "getsockname() for listen socket failed: %s", strerror(errno));
+   ATF_REQUIRE_MSG(salen == sizeof(struct sockaddr_in),
+   "unexpected sockaddr size");
+   port = sin.sin_port;
+
+   s = socket(PF_INET6, SOCK_DGRAM, 0);
+   ATF_REQUIRE(s >= 0);
+
+   memset(&ai

git: fd8b9c73a5a6 - main - bhyve: Use VMIO_SIOCSIFFLAGS instead of SIOCGIFFLAGS

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fd8b9c73a5a63a7aa438a73951d7a535b4f25d9a

commit fd8b9c73a5a63a7aa438a73951d7a535b4f25d9a
Author: Jan Bramkamp 
AuthorDate: 2023-09-04 08:38:25 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 15:24:11 +

bhyve: Use VMIO_SIOCSIFFLAGS instead of SIOCGIFFLAGS

Creating an IP socket on which to invoke the SIOCGIFFLAGS ioctl is the only
thing preventing bhyve from working inside a bhyve jail with IPv4 and
IPv6 disabled, which restricts the jailed bhyve process to accessing the
host network only via a tap/vmnet device node.

PR: 273557
Fixes:  56be282bc999 ("bhyve: net_backends, automatically IFF_UP 
tap devices")
Reviewed by:markj
MFC after:  1 week
---
 usr.sbin/bhyve/net_backends.c | 52 ---
 1 file changed, 4 insertions(+), 48 deletions(-)

diff --git a/usr.sbin/bhyve/net_backends.c b/usr.sbin/bhyve/net_backends.c
index fa7cd9c81f46..99781cfdcbb6 100644
--- a/usr.sbin/bhyve/net_backends.c
+++ b/usr.sbin/bhyve/net_backends.c
@@ -42,9 +42,7 @@
 #include 
 
 #include 
-#if defined(INET6) || defined(INET)
 #include 
-#endif
 #include 
 #include 
 #define NETMAP_WITH_LIBS
@@ -180,17 +178,6 @@ SET_DECLARE(net_backend_set, struct net_backend);
  * The tap backend
  */
 
-#if defined(INET6) || defined(INET)
-static const int pf_list[] = {
-#if defined(INET6)
-   PF_INET6,
-#endif
-#if defined(INET)
-   PF_INET,
-#endif
-};
-#endif
-
 struct tap_priv {
struct mevent *mevp;
/*
@@ -222,11 +209,8 @@ tap_init(struct net_backend *be, const char *devname,
 {
struct tap_priv *priv = NET_BE_PRIV(be);
char tbuf[80];
-   int opt = 1;
-#if defined(INET6) || defined(INET)
-   struct ifreq ifrq;
-   int s;
-#endif
+   int opt = 1, up = IFF_UP;
+
 #ifndef WITHOUT_CAPSICUM
cap_rights_t rights;
 #endif
@@ -254,39 +238,11 @@ tap_init(struct net_backend *be, const char *devname,
goto error;
}
 
-#if defined(INET6) || defined(INET)
-   /*
-* Try to UP the interface rather than relying on
-* net.link.tap.up_on_open.
- */
-   bzero(&ifrq, sizeof(ifrq));
-   if (ioctl(be->fd, TAPGIFNAME, &ifrq) < 0) {
-   WPRINTF(("Could not get interface name"));
-   goto error;
-   }
-
-   s = -1;
-   for (size_t i = 0; s == -1 && i < nitems(pf_list); i++)
-   s = socket(pf_list[i], SOCK_DGRAM, 0);
-   if (s == -1) {
-   WPRINTF(("Could open socket"));
+   if (ioctl(be->fd, VMIO_SIOCSIFFLAGS, &up)) {
+   WPRINTF(("tap device link up failed"));
goto error;
}
 
-   if (ioctl(s, SIOCGIFFLAGS, &ifrq) < 0) {
-   (void)close(s);
-   WPRINTF(("Could not get interface flags"));
-   goto error;
-   }
-   ifrq.ifr_flags |= IFF_UP;
-   if (ioctl(s, SIOCSIFFLAGS, &ifrq) < 0) {
-   (void)close(s);
-   WPRINTF(("Could not set interface flags"));
-   goto error;
-   }
-   (void)close(s);
-#endif
-
 #ifndef WITHOUT_CAPSICUM
cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
if (caph_rights_limit(be->fd, &rights) == -1)
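Review bot: The replacement `ioctl(be->fd, VMIO_SIOCSIFFLAGS, &up)` passes a flags word containing only `IFF_UP`, whereas the removed code read the current flags and OR-ed `IFF_UP` into them. Whether the other interface flags survive now depends on how the tap driver handles `VMIO_SIOCSIFFLAGS`, which is not visible here; a short comment stating the expected behaviour would help. The explanatory comment about not relying on `net.link.tap.up_on_open` was dropped with the old code, and the test lost the `< 0` form used by the removed ioctl checks; I would keep `/* Try to UP the interface rather than relying on net.link.tap.up_on_open. */` above `if (ioctl(be->fd, VMIO_SIOCSIFFLAGS, &up) < 0) {`. tap_init continues outside the hunk.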



git: 9ef7a491a423 - main - nmount(MNT_UPDATE): add optional generid fsid parameter

2023-10-17 Thread Konstantin Belousov
The branch main has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9ef7a491a4236810e50f0a2ee8d52f5c4bb02c64

commit 9ef7a491a4236810e50f0a2ee8d52f5c4bb02c64
Author: Konstantin Belousov 
AuthorDate: 2023-09-29 18:42:50 +
Commit: Konstantin Belousov 
CommitDate: 2023-10-17 16:40:12 +

nmount(MNT_UPDATE): add optional generid fsid parameter

to check looked up path against specific mounted filesystem.

Reviewed by:mjg
Tested by:  Andrew Gierth 
Sponsored by:   The FreeBSD Foundation
MFC after:  1 week
Differential revision:  https://reviews.freebsd.org/D42023
---
 sys/kern/vfs_mount.c | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index 8364081585f8..aa4642c0ba8c 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -1313,9 +1313,10 @@ vfs_domount_update(
struct vnode *rootvp;
void *bufp;
struct mount *mp;
-   int error, export_error, i, len;
+   int error, export_error, i, len, fsid_up_len;
uint64_t flag;
gid_t *grps;
+   fsid_t *fsid_up;
bool vfs_suser_failed;
 
ASSERT_VOP_ELOCKED(vp, __func__);
@@ -1378,10 +1379,24 @@ vfs_domount_update(
VI_UNLOCK(vp);
VOP_UNLOCK(vp);
 
+   rootvp = NULL;
+
+   if (vfs_getopt(*optlist, "fsid", (void **)&fsid_up,
+   &fsid_up_len) == 0) {
+   if (fsid_up_len != sizeof(*fsid_up)) {
+   error = EINVAL;
+   goto end;
+   }
+   if (fsidcmp(&fsid_up, &mp->mnt_stat.f_fsid) != 0) {
+   error = ENOENT;
+   goto end;
+   }
+   vfs_deleteopt(*optlist, "fsid");
+   }
+
vfs_op_enter(mp);
vn_seqc_write_begin(vp);
 
-   rootvp = NULL;
MNT_ILOCK(mp);
if ((mp->mnt_kern_flag & MNTK_UNMOUNT) != 0) {
MNT_IUNLOCK(mp);
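Review bot: `fsidcmp(&fsid_up, &mp->mnt_stat.f_fsid)` passes the address of the pointer, since `fsid_up` is declared `fsid_t *` in the first hunk, so the comparison reads the pointer variable rather than the fsid supplied in the "fsid" option. The call should be `fsidcmp(fsid_up, &mp->mnt_stat.f_fsid)`. The two new `goto end` exits are also taken before `vfs_op_enter(mp)` and `vn_seqc_write_begin(vp)`; the `end` label is outside the hunk, so it should be confirmed that it does not undo those unconditionally.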



git: 21b8e363c4eb - main - automount: check for mounted-over autofs instances on flush

2023-10-17 Thread Konstantin Belousov
The branch main has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=21b8e363c4eb24c0a5659101603cc08a86d87759

commit 21b8e363c4eb24c0a5659101603cc08a86d87759
Author: Andrew Gierth 
AuthorDate: 2023-07-10 15:09:56 +
Commit: Konstantin Belousov 
CommitDate: 2023-10-17 16:40:45 +

automount: check for mounted-over autofs instances on flush

PR: 272446
Reviewed by:kib
MFC after:  1 week
Differential revision: https://reviews.freebsd.org/D40961
---
 usr.sbin/autofs/automount.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/usr.sbin/autofs/automount.c b/usr.sbin/autofs/automount.c
index 188bbc3a040f..cee647cb4e2c 100644
--- a/usr.sbin/autofs/automount.c
+++ b/usr.sbin/autofs/automount.c
@@ -260,6 +260,7 @@ static void
 flush_caches(void)
 {
struct statfs *mntbuf;
+   struct statfs statbuf;
int i, nitems;
 
nitems = getmntinfo(&mntbuf, MNT_WAIT);
@@ -274,6 +275,21 @@ flush_caches(void)
mntbuf[i].f_mntonname);
continue;
}
+   /*
+* A direct map mountpoint may have been mounted over, in
+* which case we can't MNT_UPDATE it. There's an obvious race
+* condition remaining here, but that has to be fixed in the
+* kernel.
+*/
+   if (statfs(mntbuf[i].f_mntonname, &statbuf) != 0) {
+   log_err(1, "cannot statfs %s", mntbuf[i].f_mntonname);
+   continue;
+   }
+   if (strcmp(statbuf.f_fstypename, "autofs") != 0) {
+   log_debugx("skipping %s, filesystem type is not autofs",
+   mntbuf[i].f_mntonname);
+   continue;
+   }
 
flush_autofs(mntbuf[i].f_mntonname);
}
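Review bot: The new `log_err(1, "cannot statfs %s", ...)` is followed by `continue`, but if `log_err()` exits with its first argument as the status, as the call shape suggests (its definition is not in this diff), the `continue` is never reached and one failed statfs() ends the whole flush. If skipping the mount point is the intent, as it is for the non-autofs case just below, a non-fatal variant is needed, e.g. `log_warn("cannot statfs %s", mntbuf[i].f_mntonname);`. flush_caches() continues outside the hunk.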



git: 56c44bd92efa - main - automount(8): when flushing autofs, specify fsid

2023-10-17 Thread Konstantin Belousov
The branch main has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=56c44bd92efa002b2185445878fc98172ae8c66f

commit 56c44bd92efa002b2185445878fc98172ae8c66f
Author: Konstantin Belousov 
AuthorDate: 2023-09-29 18:43:42 +
Commit: Konstantin Belousov 
CommitDate: 2023-10-17 16:40:50 +

automount(8): when flushing autofs, specify fsid

This should avoid the situation where the flushed filesystem is not autofs
because another filesystem was mounted over the autofs mount point.

Reported and tested by: Andrew "RhodiumToad" Gierth 

PR: 272446
Reviewed by:mjg
Sponsored by:   The FreeBSD Foundation
MFC after:  1 week
Differential revision:  https://reviews.freebsd.org/D42023
---
 usr.sbin/autofs/automount.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/autofs/automount.c b/usr.sbin/autofs/automount.c
index cee647cb4e2c..6637e16c9129 100644
--- a/usr.sbin/autofs/automount.c
+++ b/usr.sbin/autofs/automount.c
@@ -229,7 +229,7 @@ mount_unmount(struct node *root)
 }
 
 static void
-flush_autofs(const char *fspath)
+flush_autofs(const char *fspath, const fsid_t *fsid)
 {
struct iovec *iov = NULL;
char errmsg[255];
@@ -242,6 +242,8 @@ flush_autofs(const char *fspath)
__DECONST(void *, "autofs"), (size_t)-1);
build_iovec(&iov, &iovlen, "fspath",
__DECONST(void *, fspath), (size_t)-1);
+   build_iovec(&iov, &iovlen, "fsid",
+   __DECONST(void *, fsid), sizeof(*fsid));
build_iovec(&iov, &iovlen, "errmsg",
errmsg, sizeof(errmsg));
 
@@ -291,7 +293,7 @@ flush_caches(void)
continue;
}
 
-   flush_autofs(mntbuf[i].f_mntonname);
+   flush_autofs(mntbuf[i].f_mntonname, &statbuf.f_fsid);
}
 }
 



git: 9b42d3e12ffc - main - mkimg: Ensure GPT Entry Array is at least 16k

2023-10-17 Thread Warner Losh
The branch main has been updated by imp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9b42d3e12ffc6896fcb4e60c1b239ddf60705831

commit 9b42d3e12ffc6896fcb4e60c1b239ddf60705831
Author: Warner Losh 
AuthorDate: 2023-10-17 17:14:14 +
Commit: Warner Losh 
CommitDate: 2023-10-17 17:14:23 +

mkimg: Ensure GPT Entry Array is at least 16k

UEFI v2.10 Section 5.3 documents that the minimum reserved space after
the GPT header must be at least 16kB. Enforce this minimum. Before, we'd only
set the number of entries to be the unpadded size. gpart's selective
enforcement of aspects of the GPT standard meant that these images would
work, but couldn't be changed (to add a partition or grow the size of a
partition). This ensures that gpart's overly picky standards don't cause
problems for people wishing to, for example, resize release images.

MFC after:  1 day (we want this in 14.0)
PR: 274312
Sponsored by:   Netflix
Reviewed by:emaste
Differential Revision:  https://reviews.freebsd.org/D42245
---
 sys/sys/disk/gpt.h  |  7 +++
 usr.bin/mkimg/gpt.c | 16 
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/sys/sys/disk/gpt.h b/sys/sys/disk/gpt.h
index e48b13684814..596a5cba1681 100644
--- a/sys/sys/disk/gpt.h
+++ b/sys/sys/disk/gpt.h
@@ -82,6 +82,13 @@ struct gpt_hdr {
 CTASSERT(offsetof(struct gpt_hdr, padding) == 92);
 #endif
 
+/*
+ * The GPT standard (section 5.3 of UEFI standard version 2.10) requires
+ * we reserve at least 16k after the PMBR and the GPT header for the GPT
+ * Array Entries.
+ */
+#define GPT_MIN_RESERVED   16384
+
 struct gpt_ent {
gpt_uuid_t  ent_type;
gpt_uuid_t  ent_uuid;
diff --git a/usr.bin/mkimg/gpt.c b/usr.bin/mkimg/gpt.c
index 59c51a6a177b..ed3f008c394f 100644
--- a/usr.bin/mkimg/gpt.c
+++ b/usr.bin/mkimg/gpt.c
@@ -24,7 +24,7 @@
  * SUCH DAMAGE.
  */
 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -124,13 +124,21 @@ crc32(const void *buf, size_t sz)
return (crc ^ ~0U);
 }
 
+/*
+ * Return the number of sectors needed to store the partition table.
+ */
 static u_int
 gpt_tblsz(void)
 {
-   u_int ents;
+   u_int eps;  /* Entries per Sector */
 
-   ents = secsz / sizeof(struct gpt_ent);
-   return ((nparts + ents - 1) / ents);
+   /*
+* Count the number of sectors needed for the GPT Entry Array to store
+* the number of partitions defined for this image.  Enforce the 16kB
+* minimum space for the GPT Entry Array per UEFI v2.10 Section 5.3.
+*/
+   eps = secsz / sizeof(struct gpt_ent);
+   return (MAX(howmany(GPT_MIN_RESERVED, secsz), howmany(nparts, eps)));
 }
 
 static lba_t
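Review bot: `eps` in `gpt_tblsz()` is zero whenever `secsz` is smaller than `sizeof(struct gpt_ent)`, and `howmany(nparts, eps)` then divides by zero. The validation of `secsz` is not in this diff, so this may already be excluded; if so, a one-line comment next to the division naming the guaranteed minimum sector size would make that clear. The function comment and the comment inside the body also largely repeat each other and could be merged.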



git: 0c1adccd4c54 - internal/admin - Restore dteske's commit bit.

2023-10-17 Thread John Baldwin
The branch internal/admin has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0c1adccd4c5467212f747d8a17f43c5774142035

commit 0c1adccd4c5467212f747d8a17f43c5774142035
Author: John Baldwin 
AuthorDate: 2023-10-17 17:46:35 +
Commit: John Baldwin 
CommitDate: 2023-10-17 17:46:35 +

Restore dteske's commit bit.

Approved by:core (jhb)
---
 access | 1 +
 1 file changed, 1 insertion(+)

diff --git a/access b/access
index 60d9d2003456..0ab30c444191 100644
--- a/access
+++ b/access
@@ -56,6 +56,7 @@ dim
 donner
 dougm
 dsl
+dteske
 emaste
 erj
 eugen



git: 2ee2890249ca - main - Makefile.inc1: remove ncurses/form from _prebuild_libs

2023-10-17 Thread Ed Maste
The branch main has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2ee2890249ca359c1f5ee91f184eac13aec37a77

commit 2ee2890249ca359c1f5ee91f184eac13aec37a77
Author: Ed Maste 
AuthorDate: 2023-10-16 13:12:16 +
Commit: Ed Maste 
CommitDate: 2023-10-17 17:53:45 +

Makefile.inc1: remove ncurses/form from _prebuild_libs

As of d287d3282f43 libbsddialog has a built-in form implementation and
does not need a formw dependency.

This reverts commit 483a226238ed8949c6d280ae0757a0683962a74b.

Reported by:asiciliano
Sponsored by:   The FreeBSD Foundation
---
 Makefile.inc1 | 2 --
 1 file changed, 2 deletions(-)

diff --git a/Makefile.inc1 b/Makefile.inc1
index 67dce43e5228..68549d91598d 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -3038,7 +3038,6 @@ _prebuild_libs=   ${_kerberos5_lib_libasn1} \
${_lib_casper} \
lib/ncurses/tinfo \
lib/ncurses/ncurses \
-   lib/ncurses/form \
lib/libpam/libpam lib/libthr \
${_lib_libradius} lib/libsbuf lib/libtacplus \
lib/libgeom \
@@ -3075,7 +3074,6 @@ _lib_libradius=   lib/libradius
 .endif
 
 lib/ncurses/ncurses__L:lib/ncurses/tinfo__L
-lib/ncurses/form__L: lib/ncurses/ncurses__L
 
 .if ${MK_OFED} != "no"
 _prebuild_libs+= \



git: 07a56fafff56 - internal/admin - Add Jake Freeland - jfree@. Mentors: imp@ and markj@

2023-10-17 Thread Sergio Carlavilla Delgado
The branch internal/admin has been updated by carlavilla:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=07a56fafff56d3202d8150f3d304ec8d04b5e257

commit 07a56fafff56d3202d8150f3d304ec8d04b5e257
Author: Sergio Carlavilla Delgado 
AuthorDate: 2023-10-17 18:24:09 +
Commit: Sergio Carlavilla Delgado 
CommitDate: 2023-10-17 18:26:31 +

Add Jake Freeland - jfree@. Mentors: imp@ and markj@

Approved by:core (implicit)
---
 access  | 1 +
 mentors | 1 +
 2 files changed, 2 insertions(+)

diff --git a/access b/access
index 0ab30c444191..e599789b1796 100644
--- a/access
+++ b/access
@@ -77,6 +77,7 @@ hrs
 imp
 jah
 jamie
+jfree
 jhb
 jhibbits
 jilles
diff --git a/mentors b/mentors
index 407b3813c215..d9f57239184a 100644
--- a/mentors
+++ b/mentors
@@ -19,6 +19,7 @@ def   oshogbo
 dslbz
 gordon delphij Co-mentor: emaste
 jceel  trasz
+jfree  imp Co-mentor: markj
 jkhrwatson
 kadesaiken Co-mentor: scottl, ambrisko
 mjoras rstone



git: 7de582874eb9 - main - bhyve: Remove init_snapshot() and initialize static vars

2023-10-17 Thread Mark Johnston
The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7de582874eb9d08f3f87d11ed9e2b9ce8306db79

commit 7de582874eb9d08f3f87d11ed9e2b9ce8306db79
Author: Vitaliy Gusev 
AuthorDate: 2023-10-17 14:16:08 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 18:26:51 +

bhyve: Remove init_snapshot() and initialize static vars

vCPU threads are starting before init_snapshot() is called. That can lead
to corruption of vcpu_lock userspace mutex (snapshot.c) and then VM hangs
in acquiring that mutex.

init_snapshot() initializes only static variables (mutex, cv) and that
code can be optimized and removed.

Fixes:  9a9a248964696 ("bhyve: init checkput before caph_enter")
Reviewed by:markj
MFC after:  1 week
Sponsored by:   vStack
---
 usr.sbin/bhyve/bhyverun.c |  3 ---
 usr.sbin/bhyve/snapshot.c | 21 +++--
 usr.sbin/bhyve/snapshot.h |  1 -
 3 files changed, 3 insertions(+), 22 deletions(-)

diff --git a/usr.sbin/bhyve/bhyverun.c b/usr.sbin/bhyve/bhyverun.c
index 0d7f58509244..8147dcd3872b 100644
--- a/usr.sbin/bhyve/bhyverun.c
+++ b/usr.sbin/bhyve/bhyverun.c
@@ -1021,9 +1021,6 @@ main(int argc, char *argv[])
setproctitle("%s", vmname);
 
 #ifdef BHYVE_SNAPSHOT
-   /* initialize mutex/cond variables */
-   init_snapshot();
-
/*
 * checkpointing thread for communication with bhyvectl
 */
diff --git a/usr.sbin/bhyve/snapshot.c b/usr.sbin/bhyve/snapshot.c
index 5f643c9ceb50..edce55c03eae 100644
--- a/usr.sbin/bhyve/snapshot.c
+++ b/usr.sbin/bhyve/snapshot.c
@@ -137,8 +137,9 @@ static const struct vm_snapshot_kern_info 
snapshot_kern_structs[] = {
 };
 
 static cpuset_t vcpus_active, vcpus_suspended;
-static pthread_mutex_t vcpu_lock;
-static pthread_cond_t vcpus_idle, vcpus_can_run;
+static pthread_mutex_t vcpu_lock = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t vcpus_idle = PTHREAD_COND_INITIALIZER;
+static pthread_cond_t vcpus_can_run = PTHREAD_COND_INITIALIZER;
 static bool checkpoint_active;
 
 /*
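Review bot: The static initializers for `vcpu_lock`, `vcpus_idle` and `vcpus_can_run` carry no comment saying why they must not be initialised at run time. The commit message gives the reason (vCPU threads can start before the former init call ran), and that is exactly what a later refactoring could undo. I would add `/* Statically initialised: vCPU threads may take vcpu_lock before main() reaches any snapshot setup. */` above the three declarations.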
@@ -1395,22 +1396,6 @@ vm_do_checkpoint(struct vmctx *ctx, const nvlist_t *nvl)
 }
 IPC_COMMAND(ipc_cmd_set, checkpoint, vm_do_checkpoint);
 
-void
-init_snapshot(void)
-{
-   int err;
-
-   err = pthread_mutex_init(&vcpu_lock, NULL);
-   if (err != 0)
-   errc(1, err, "checkpoint mutex init");
-   err = pthread_cond_init(&vcpus_idle, NULL);
-   if (err != 0)
-   errc(1, err, "checkpoint cv init (vcpus_idle)");
-   err = pthread_cond_init(&vcpus_can_run, NULL);
-   if (err != 0)
-   errc(1, err, "checkpoint cv init (vcpus_can_run)");
-}
-
 /*
  * Create the listening socket for IPC with bhyvectl
  */
diff --git a/usr.sbin/bhyve/snapshot.h b/usr.sbin/bhyve/snapshot.h
index 179aafb6471d..8bebdafd6117 100644
--- a/usr.sbin/bhyve/snapshot.h
+++ b/usr.sbin/bhyve/snapshot.h
@@ -100,7 +100,6 @@ int vm_resume_devices(void);
 int get_checkpoint_msg(int conn_fd, struct vmctx *ctx);
 void *checkpoint_thread(void *param);
 int init_checkpoint_thread(struct vmctx *ctx);
-void init_snapshot(void);
 
 int load_restore_file(const char *filename, struct restore_state *rstate);
 



git: 2bb78b46e024 - main - ndp: fix timestamp display output

2023-10-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2bb78b46e02413483409fe73244995524b838b6e

commit 2bb78b46e02413483409fe73244995524b838b6e
Author: R. Christian McDonald 
AuthorDate: 2023-10-17 16:57:22 +
Commit: Kristof Provost 
CommitDate: 2023-10-17 17:01:38 +

ndp: fix timestamp display output

The current xo_format string is incorrect. This restores the display
format prior to libxo-ification work while also explicitly marking
tv_sec and tv_usec as encoded output only.

MFC after:  1 week
Reviewed by:kp
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D42269
---
 usr.sbin/ndp/ndp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.sbin/ndp/ndp.c b/usr.sbin/ndp/ndp.c
index 1e3469d54228..b7bc25dd7aa4 100644
--- a/usr.sbin/ndp/ndp.c
+++ b/usr.sbin/ndp/ndp.c
@@ -1544,7 +1544,7 @@ ts_print(const struct timeval *tvp)
 
/* Default */
sec = (tvp->tv_sec + thiszone) % 86400;
-   xo_emit("{:tv_sec/%lld}{:tv_usec/%lld}%02d:%02d:%02d.%06u ",
+   xo_emit("{e:tv_sec/%lld}{e:tv_usec/%lld}{d:/%02d:%02d:%02d.%06u} ",
tvp->tv_sec, tvp->tv_usec,
sec / 3600, (sec % 3600) / 60, sec % 60, (u_int32_t)tvp->tv_usec);
 }
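Review bot: The two `%lld` fields in the rewritten xo_emit() format still receive `tvp->tv_sec` and `tvp->tv_usec` uncast, so the call is only well-defined on targets where both types are as wide as long long. Where time_t or suseconds_t is narrower, the variadic arguments are misread and every later field is shifted. Casting at the call site removes the dependency: `(long long)tvp->tv_sec, (long long)tvp->tv_usec,`. The `%02d` fields have the same requirement if `sec` is not an int; its declaration and the start of ts_print() are outside this hunk.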



git: 6e281255ea35 - main - lltable: fix ddb show llentry l3_addr pretty printer

2023-10-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6e281255ea3574ca666e99c535a9b2734871ded8

commit 6e281255ea3574ca666e99c535a9b2734871ded8
Author: R. Christian McDonald 
AuthorDate: 2023-10-17 17:03:49 +
Commit: Kristof Provost 
CommitDate: 2023-10-17 17:03:49 +

lltable: fix ddb show llentry l3_addr pretty printer

The ddb commands for lltable do not produce useful l3_addr information.

This fixes the llentry pretty printer so that it displays the l3_addr correctly.

Reviewed by:kp
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D42253
---
 sys/net/if_llatbl.c | 39 +++
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/sys/net/if_llatbl.c b/sys/net/if_llatbl.c
index ef4f27dbb00c..fe5273cf19c0 100644
--- a/sys/net/if_llatbl.c
+++ b/sys/net/if_llatbl.c
@@ -1065,18 +1065,13 @@ lla_rt_output(struct rt_msghdr *rtm, struct rt_addrinfo 
*info)
 }
 
 #ifdef DDB
-struct llentry_sa {
-   struct llentry  base;
-   struct sockaddr l3_addr;
-};
-
 static void
-llatbl_lle_show(struct llentry_sa *la)
+llatbl_lle_show(struct llentry *lle)
 {
-   struct llentry *lle;
uint8_t octet[6];
+   sa_family_t af = AF_UNSPEC;
+   char l3_addr_fmt[] = " l3_addr=%s (af=%d)\n";
 
-   lle = &la->base;
db_printf("lle=%p\n", lle);
db_printf(" lle_next=%p\n", lle->lle_next.cle_next);
db_printf(" lle_lock=%p\n", &lle->lle_lock);
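Review bot: `l3_addr_fmt` is declared as a writable stack array and then used as the format argument of db_printf() in the next hunk. That leaves the format in modifiable memory and, if db_printf() is annotated for printf-style checking, hides it from the compiler's argument checks. The string never changes, so a macro keeps it a literal at each call site: `#define L3_ADDR_FMT " l3_addr=%s (af=%d)\n"`. Failing that, `static const char l3_addr_fmt[]` at least makes it read-only. The body of llatbl_lle_show() continues past this hunk.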
@@ -1097,33 +1092,37 @@ llatbl_lle_show(struct llentry_sa *la)
octet[0], octet[1], octet[2], octet[3], octet[4], octet[5]);
db_printf(" lle_timer=%p\n", &lle->lle_timer);
 
-   switch (la->l3_addr.sa_family) {
+   if (lle->lle_tbl) {
+   af = lle->lle_tbl->llt_af;
+   }
+
+   switch (af) {
 #ifdef INET
case AF_INET:
{
-   struct sockaddr_in *sin;
+   struct sockaddr_in sin;
char l3s[INET_ADDRSTRLEN];
 
-   sin = (struct sockaddr_in *)&la->l3_addr;
-   inet_ntoa_r(sin->sin_addr, l3s);
-   db_printf(" l3_addr=%s\n", l3s);
+   lltable_fill_sa_entry(lle, (struct sockaddr *)&sin);
+   (void) inet_ntop(af, &sin.sin_addr, l3s, sizeof(l3s));
+   db_printf(l3_addr_fmt, l3s, af);
break;
}
 #endif
 #ifdef INET6
case AF_INET6:
{
-   struct sockaddr_in6 *sin6;
+   struct sockaddr_in6 sin6;
char l3s[INET6_ADDRSTRLEN];
 
-   sin6 = (struct sockaddr_in6 *)&la->l3_addr;
-   ip6_sprintf(l3s, &sin6->sin6_addr);
-   db_printf(" l3_addr=%s\n", l3s);
+   lltable_fill_sa_entry(lle, (struct sockaddr *)&sin6);
+   (void) inet_ntop(af, &sin6.sin6_addr, l3s, sizeof(l3s));
+   db_printf(l3_addr_fmt, l3s, af);
break;
}
 #endif
default:
-   db_printf(" l3_addr=N/A (af=%d)\n", la->l3_addr.sa_family);
+   db_printf(l3_addr_fmt, "N/A", af);
break;
}
 }
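Review bot: Both address cases discard the result of inet_ntop() with a `(void)` cast and then print `l3s`, which is an uninitialised stack buffer if the conversion fails. This runs from the debugger on a pointer the operator supplies, so a defined fallback is preferable to printing stack contents. Either initialise the buffer, `char l3s[INET_ADDRSTRLEN] = "";`, or pass "N/A" to db_printf() when inet_ntop() returns NULL. `sin` and `sin6` are likewise uninitialised before lltable_fill_sa_entry(); whether that helper always fills the address field read here is not visible in this hunk.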
@@ -1136,7 +1135,7 @@ DB_SHOW_COMMAND(llentry, db_show_llentry)
return;
}
 
-   llatbl_lle_show((struct llentry_sa *)addr);
+   llatbl_lle_show((struct llentry *)addr);
 }
 
 static void
@@ -1150,7 +1149,7 @@ llatbl_llt_show(struct lltable *llt)
 
for (i = 0; i < llt->llt_hsize; i++) {
CK_LIST_FOREACH(lle, &llt->lle_head[i], lle_next) {
-   llatbl_lle_show((struct llentry_sa *)lle);
+   llatbl_lle_show(lle);
if (db_pager_quit)
return;
}



git: 9dad3ed1d15c - stable/14 - cr_canseejailproc(): New privilege, no direct check for UID 0

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9dad3ed1d15c95c3eedb49c59e55bb25a7071250

commit 9dad3ed1d15c95c3eedb49c59e55bb25a7071250
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:37 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_canseejailproc(): New privilege, no direct check for UID 0

Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of
explicitly testing for UID 0 (the former has been the rule for almost 20
years).

As a consequence, cr_canseejailproc() now abides by the
'security.bsd.suser_enabled' sysctl and MAC policies.

Update the MAC policies Biba and LOMAC, and prison_priv_check() so that
they don't deny this privilege.  This preserves the existing behavior
(the 'root' user is not restricted, even when jailed, unless
'security.bsd.suser_enabled' is not 0) and is consistent with what is
done for the related policies/privileges (PRIV_SEEOTHERGIDS,
PRIV_SEEOTHERUIDS).

Reviewed by:emaste (earlier version), mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40626

(cherry picked from commit 7974ca1cdbee949f5e453eea112be265b425c407)
---
 sys/kern/kern_jail.c   | 1 +
 sys/kern/kern_prot.c   | 7 +--
 sys/security/mac_biba/mac_biba.c   | 1 +
 sys/security/mac_lomac/mac_lomac.c | 1 +
 sys/sys/priv.h | 1 +
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..57e6024a9939 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3938,6 +3938,7 @@ prison_priv_check(struct ucred *cred, int priv)
 */
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+   case PRIV_SEEJAILPROC:
 
/*
 * Jail implements inter-process debugging limits already, so
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 19e0b78c6709..ed15cb566499 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, 
CTLFLAG_RW,
 int
 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
 {
-   if (u1->cr_uid == 0)
+   if (see_jail_proc || /* Policy deactivated. */
+   u1->cr_prison == u2->cr_prison || /* Same jail. */
+   priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
return (0);
-   return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+
+   return (ESRCH);
 }
 
 /*-
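Review bot: The order of the three tests in the new condition carries meaning that the inline comments do not state. priv_check_cred() is reached only when the policy is active and the two credentials are in different jails, so the privilege machinery, and the MAC policies the commit message says it now honours, is not consulted for requests that are allowed anyway. A comment above the `if` would stop a later cleanup from reordering it, for example `/* Cheap tests first; consult privilege only when the policy would otherwise deny. */`. The same comment could record why ESRCH is returned, presumably so that a denied caller cannot tell a hidden process from a missing one.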
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6948548503e1..5d66e2fd4b9b 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv)
 */
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+   case PRIV_SEEJAILPROC:
break;
 
/*
diff --git a/sys/security/mac_lomac/mac_lomac.c 
b/sys/security/mac_lomac/mac_lomac.c
index 05bd0da06960..aa9abf458721 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv)
 */
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+   case PRIV_SEEJAILPROC:
break;
 
/*
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 45cb5bab4275..a61de8d32fe0 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -105,6 +105,7 @@
 #definePRIV_CRED_SETRESGID 58  /* setresgid. */
 #definePRIV_SEEOTHERGIDS   59  /* Exempt bsd.seeothergids. */
 #definePRIV_SEEOTHERUIDS   60  /* Exempt bsd.seeotheruids. */
+#definePRIV_SEEJAILPROC61  /* Exempt from 
bsd.see_jail_proc. */
 
 /*
  * Debugging privileges.



git: 3ad322db8902 - stable/14 - New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=3ad322db8902da1c3d3669471e4e5738f980a849

commit 3ad322db8902da1c3d3669471e4e5738f980a849
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:38 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects

This is a new helper function that leverages existing code: It calls
successively cr_canseeotheruids(), cr_canseeothergids() and
cr_canseejailproc() (as long as the previous didn't deny access).  Will
be used in a subsequent commit.

Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40627

(cherry picked from commit e4a7b4f99cfd4931468c0866da4ae8b49cf5badb)
---
 sys/kern/kern_prot.c | 19 +++
 sys/sys/proc.h   |  1 +
 2 files changed, 20 insertions(+)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index ed15cb566499..1e6073b554e4 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1434,6 +1434,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2)
return (ESRCH);
 }
 
+/*
+ * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_*
+ * policies.  Determines if u1 "can see" u2 according to these policies.
+ * Returns: 0 for permitted, ESRCH otherwise
+ */
+int
+cr_bsd_visible(struct ucred *u1, struct ucred *u2)
+{
+   int error;
+
+   if ((error = cr_canseeotheruids(u1, u2)))
+   return (error);
+   if ((error = cr_canseeothergids(u1, u2)))
+   return (error);
+   if ((error = cr_canseejailproc(u1, u2)))
+   return (error);
+   return (0);
+}
+
 /*-
  * Determine if u1 "can see" the subject specified by u2.
  * Returns: 0 for permitted, an errno value otherwise
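Review bot: The new header comment promises "0 for permitted, ESRCH otherwise", but cr_bsd_visible() simply returns whatever its three helpers return. Only cr_canseejailproc()'s `return (ESRCH);` is visible here; cr_canseeotheruids() and cr_canseeothergids() are defined outside this hunk. The comment on cr_cansee() just below uses the safer wording, so either adopt it, `* Returns: 0 for permitted, an errno value otherwise`, or state that all three helpers are required to return ESRCH. Callers that compare against a specific errno would otherwise rely on a guarantee the code does not enforce.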
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 3102cae7add0..8609bbd124ad 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1163,6 +1163,7 @@ void  ast_sched(struct thread *td, int tda);
 void   ast_unsched_locked(struct thread *td, int tda);
 
 struct thread *choosethread(void);
+intcr_bsd_visible(struct ucred *u1, struct ucred *u2);
 intcr_cansee(struct ucred *u1, struct ucred *u2);
 intcr_canseesocket(struct ucred *cred, struct socket *so);
 intcr_canseeothergids(struct ucred *u1, struct ucred *u2);



git: e1153205a719 - stable/14 - Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e1153205a719c6cb792cb2213a3737ee6b53d59c

commit e1153205a719c6cb792cb2213a3737ee6b53d59c
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:38 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

As implemented, this security policy would only prevent seeing processes
in sub-jails, but would not prevent sending signals to, changing
priority of or debugging processes in these, enabling attacks where
unprivileged users could tamper with random processes in sub-jails in
particular circumstances (conflated UIDs) despite the policy being
enforced.

PR: 272092
Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40628

(cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18)
---
 sys/kern/kern_prot.c  | 25 +++--
 sys/netinet/in_prot.c |  4 +---
 2 files changed, 8 insertions(+), 21 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 1e6073b554e4..648c067dc528 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = mac_cred_check_visible(u1, u2)))
return (error);
 #endif
-   if ((error = cr_canseeotheruids(u1, u2)))
-   return (error);
-   if ((error = cr_canseeothergids(u1, u2)))
-   return (error);
-   if ((error = cr_canseejailproc(u1, u2)))
+   if ((error = cr_bsd_visible(u1, u2)))
return (error);
return (0);
 }
@@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int 
signum)
if ((error = mac_proc_check_signal(cred, proc, signum)))
return (error);
 #endif
-   if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
-   return (error);
-   if ((error = cr_canseeothergids(cred, proc->p_ucred)))
+   if ((error = cr_bsd_visible(cred, proc->p_ucred)))
return (error);
 
/*
@@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p)
if ((error = mac_proc_check_sched(td->td_ucred, p)))
return (error);
 #endif
-   if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
-   return (error);
-   if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+   if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
+
if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
error = priv_check(td, PRIV_SCHED_DIFFCRED);
@@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p)
if ((error = mac_proc_check_debug(td->td_ucred, p)))
return (error);
 #endif
-   if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
-   return (error);
-   if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+   if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
 
/*
@@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
if (error)
return (error);
 #endif
-   if (cr_canseeotheruids(cred, so->so_cred))
-   return (ENOENT);
-   if (cr_canseeothergids(cred, so->so_cred))
+   if (cr_bsd_visible(cred, so->so_cred))
return (ENOENT);
 
return (0);
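Review bot: Switching cr_canseesocket() to cr_bsd_visible() also applies `security.bsd.see_jail_proc` to socket visibility, and the in_prot.c hunk does the same for cr_canseeinpcb(). The commit message mentions only signals, priority changes and debugging. With the policy active, sockets and inpcbs owned by credentials in another jail are now reported as ENOENT, which may be intended but is not obvious from a sysctl named for processes. A comment at both call sites would record it, for example `/* Includes security.bsd.see_jail_proc: sockets of other jails are hidden too. */`, and the sysctl description should say the same. Both functions start outside their hunks.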
@@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p)
 #endif
 #if 0
/* XXXMAC: This could have odd effects on some shells. */
-   if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
+   if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
 #endif
 
diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c
index 222e39c6bcd2..204f4f60456e 100644
--- a/sys/netinet/in_prot.c
+++ b/sys/netinet/in_prot.c
@@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
if (error)
return (error);
 #endif
-   if (cr_canseeotheruids(cred, inp->inp_cred))
-   return (ENOENT);
-   if (cr_canseeothergids(cred, inp->inp_cred))
+   if (cr_bsd_visible(cred, inp->inp_cred))
return (ENOENT);
 
return (0);



git: f173bbdbc1f8 - stable/14 - cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f173bbdbc1f8701d55db52be30b738395ab3c925

commit f173bbdbc1f8701d55db52be30b738395ab3c925
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:39 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename

When these functions were renamed 7 years ago, their man pages were not.
Rename the man pages accordingly and fix the function names inside them.  Fix
references to them as well.  Add the old man pages to the list of
obsolete files.

Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40630

(cherry picked from commit c59ab75c04fa32bc6d292596ff5e4593a05a6b1b)
---
 ObsoleteFiles.inc  | 4 
 share/man/man9/Makefile| 4 ++--
 share/man/man9/cr_cansee.9 | 8 
 share/man/man9/{cr_seeothergids.9 => cr_canseeothergids.9} | 8 
 share/man/man9/{cr_seeotheruids.9 => cr_canseeotheruids.9} | 8 
 share/man/man9/p_candebug.9| 8 
 6 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 6f07b70494f8..6a5e4e39fc1e 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -51,6 +51,10 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20231013: Man pages renamed to match the actual functions
+OLD_FILES+=usr/share/man/man9/cr_seeothergids.9.gz
+OLD_FILES+=usr/share/man/man9/cr_seeotheruids.9.gz
+
 # 20230906: caroot bundle updated
 OLD_FILES+=usr/share/certs/trusted/E-Tugra_Certification_Authority.pem
 OLD_FILES+=usr/share/certs/trusted/E-Tugra_Global_Root_CA_ECC_v3.pem
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index eb670c924077..08ad811fa901 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -69,9 +69,9 @@ MAN=  accept_filter.9 \
counter.9 \
cpuset.9 \
cr_cansee.9 \
+   cr_canseeothergids.9 \
+   cr_canseeotheruids.9 \
critical_enter.9 \
-   cr_seeothergids.9 \
-   cr_seeotheruids.9 \
crypto.9 \
crypto_buffer.9 \
crypto_driver.9 \
diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9
index 8e058eb4e3e5..4824a231170b 100644
--- a/share/man/man9/cr_cansee.9
+++ b/share/man/man9/cr_cansee.9
@@ -50,9 +50,9 @@ variables
 and
 .Va security.bsd.see_other_uids ,
 as per the description in
-.Xr cr_seeothergids 9
+.Xr cr_canseeothergids 9
 and
-.Xr cr_seeotheruids 9
+.Xr cr_canseeotheruids 9
 respectively.
 .Sh RETURN VALUES
 This function returns zero if the object with credential
@@ -84,7 +84,7 @@ does not belong to the same jail as
 The MAC subsystem denied visibility.
 .El
 .Sh SEE ALSO
-.Xr cr_seeothergids 9 ,
-.Xr cr_seeotheruids 9 ,
+.Xr cr_canseeothergids 9 ,
+.Xr cr_canseeotheruids 9 ,
 .Xr mac 9 ,
 .Xr p_cansee 9
diff --git a/share/man/man9/cr_seeothergids.9 
b/share/man/man9/cr_canseeothergids.9
similarity index 94%
rename from share/man/man9/cr_seeothergids.9
rename to share/man/man9/cr_canseeothergids.9
index bd8eb5d2e9d9..79269533ae5c 100644
--- a/share/man/man9/cr_seeothergids.9
+++ b/share/man/man9/cr_canseeothergids.9
@@ -26,14 +26,14 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .Dd November 11, 2003
-.Dt CR_SEEOTHERGIDS 9
+.Dt CR_CANSEEOTHERGIDS 9
 .Os
 .Sh NAME
-.Nm cr_seeothergids
+.Nm cr_canseeothergids
 .Nd determine visibility of objects given their group memberships
 .Sh SYNOPSIS
 .Ft int
-.Fn cr_seeothergids "struct ucred *u1" "struct ucred *u2"
+.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
 This function determines the visibility of objects in the
 kernel based on the group IDs in the credentials
@@ -76,5 +76,5 @@ or
 .Er ESRCH
 otherwise.
 .Sh SEE ALSO
-.Xr cr_seeotheruids 9 ,
+.Xr cr_canseeotheruids 9 ,
 .Xr p_candebug 9
diff --git a/share/man/man9/cr_seeotheruids.9 
b/share/man/man9/cr_canseeotheruids.9
similarity index 94%
rename from share/man/man9/cr_seeotheruids.9
rename to share/man/man9/cr_canseeotheruids.9
index 2cefd0f9dc8e..80acc2d7a6ca 100644
--- a/share/man/man9/cr_seeotheruids.9
+++ b/share/man/man9/cr_canseeotheruids.9
@@ -26,14 +26,14 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .Dd November 11, 2003
-.Dt CR_SEEOTHERUIDS 9
+.Dt CR_CANSEEOTHERUIDS 9
 .Os
 .Sh NAME
-.Nm cr_seeotheruids
+.Nm cr_canseeotheruids
 .Nd determine visibility of objects given their user credentials
 .Sh SYNOPSIS
 .Ft int
-.Fn cr_seeotheruids "struct ucred *u1" "struct ucred *u2"
+.Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
 This function determines the visibility of objects in the
 kernel based on the real user I

git: ce4c78b612b1 - stable/14 - cr_canseejailproc(9): New man page

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ce4c78b612b1d933320ae794b50f85f60db2e1a0

commit ce4c78b612b1d933320ae794b50f85f60db2e1a0
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:40 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_canseejailproc(9): New man page

Reviewed by:pauamma_gundo.com, mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40631

(cherry picked from commit 29d863bb7ffc692998f21fa3e7a91afa1151cf1c)
---
 share/man/man9/Makefile|  1 +
 share/man/man9/cr_canseejailproc.9 | 81 ++
 2 files changed, 82 insertions(+)

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 08ad811fa901..71a11a7cc6c0 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -69,6 +69,7 @@ MAN=  accept_filter.9 \
counter.9 \
cpuset.9 \
cr_cansee.9 \
+   cr_canseejailproc.9 \
cr_canseeothergids.9 \
cr_canseeotheruids.9 \
critical_enter.9 \
diff --git a/share/man/man9/cr_canseejailproc.9 
b/share/man/man9/cr_canseejailproc.9
new file mode 100644
index ..775c76722b05
--- /dev/null
+++ b/share/man/man9/cr_canseejailproc.9
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner 
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated 
to
+the same jail, or if
+.Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.free...@certner.fr .



git: d9181d86c6ae - stable/14 - cr_bsd_visible(9): New man page

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d9181d86c6aed243927620b414a7c37b1ae613d7

commit d9181d86c6aed243927620b414a7c37b1ae613d7
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:40 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_bsd_visible(9): New man page

Reviewed by:bcr, pauamma_gundo.com
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40632

(cherry picked from commit 0d6bf73c4f20e6ed719c29c1b382d24bb0a81a2f)
---
 share/man/man9/Makefile |   1 +
 share/man/man9/cr_bsd_visible.9 | 117 
 2 files changed, 118 insertions(+)

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 71a11a7cc6c0..c3c81719b7d2 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -68,6 +68,7 @@ MAN=  accept_filter.9 \
copy.9 \
counter.9 \
cpuset.9 \
+   cr_bsd_visible.9 \
cr_cansee.9 \
cr_canseejailproc.9 \
cr_canseeothergids.9 \
diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9
new file mode 100644
index ..bd676e6f5705
--- /dev/null
+++ b/share/man/man9/cr_bsd_visible.9
@@ -0,0 +1,117 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner 
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_BSD_VISIBLE 9
+.Os
+.Sh NAME
+.Nm cr_bsd_visible
+.Nd determine if subjects may see entities according to BSD security policies
+.Sh SYNOPSIS
+.In sys/proc.h
+.Ft int
+.Fn cr_bsd_visible "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+This function determines if a subject with credentials
+.Fa u1
+is denied seeing an object or subject associated to credentials
+.Fa u2
+by the following policies and associated
+.Xr sysctl 8
+knobs:
+.Bl -tag -width indent
+.It Va security.bsd.seeotheruids
+If set to 0, subjects cannot see other subjects or objects if they are not
+associated with the same real user ID.
+The corresponding internal function is
+.Xr cr_canseeotheruids 9 .
+.It Va security.bsd.seeothergids
+If set to 0, subjects cannot see other subjects or objects if they are not both
+a member of at least one common group.
+The corresponding internal function is
+.Xr cr_canseeothergids 9 .
+.It Va security.bsd.see_jail_proc
+If set to 0, subjects cannot see other subjects or objects that are not
+associated with the same jail as they are.
+The corresponding internal function is
+.Xr cr_canseejailproc 9 .
+.El
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from any of these
+policies provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Pp
+This function is intended to be used as a helper to implement
+.Xr cr_cansee 9
+and similar functions.
+.Sh RETURN VALUES
+This function returns zero if a subject with credentials
+.Fa u1
+may see a subject or object with credentials
+.Fa u2
+by the active above-mentioned policies, or
+.Er ESRCH
+otherwise.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+do not have the same real user ID.
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not members of any common group
+.Po
+as determined by
+.Xr groupmember 9
+.Pc .
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not in the same jail.
+.El
+.Sh SEE ALSO
+.Xr cr_canseeotheruids 9 ,
+.Xr cr_canseeothergids 9 ,
+.Xr cr_canseejailproc 9 ,
+.Xr priv_check_cred 9 ,
+.Xr cr_cansee 9
+.Sh AUTH

git: ad1486b625ed - stable/14 - cr_canseeothergids(9): Revamp, mark as internal

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ad1486b625edbf190ba0d9c77d695560e75037cb

commit ad1486b625edbf190ba0d9c77d695560e75037cb
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:41 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_canseeothergids(9): Revamp, mark as internal

Significantly clarify.  Replace references to cr_canseeotheruids(9) by
ones to cr_bsd_visible(9).

Reviewed by:pauamma_gundo.com, mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40633

(cherry picked from commit 3fe9ea4d2d04d48a249b2e6161d416bb4d5b364e)
---
 share/man/man9/cr_canseeothergids.9 | 77 +++--
 1 file changed, 40 insertions(+), 37 deletions(-)

diff --git a/share/man/man9/cr_canseeothergids.9 
b/share/man/man9/cr_canseeothergids.9
index 79269533ae5c..f0c1e5c4e726 100644
--- a/share/man/man9/cr_canseeothergids.9
+++ b/share/man/man9/cr_canseeothergids.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (c) 2003 Joseph Koshy 
+.\" Copyright (c) 2023 Olivier Certner 
 .\"
 .\" All rights reserved.
 .\"
@@ -25,56 +26,58 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 11, 2003
+.Dd August 18, 2023
 .Dt CR_CANSEEOTHERGIDS 9
 .Os
 .Sh NAME
 .Nm cr_canseeothergids
-.Nd determine visibility of objects given their group memberships
+.Nd determine if subjects may see entities in a disjoint group set
 .Sh SYNOPSIS
 .Ft int
 .Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the group IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
 .Fa u1
-and
+is denied seeing a subject or object associated to credentials
 .Fa u2
-associated with them.
+by a policy that requires both credentials to have at least one group in 
common.
+For this determination, the effective and supplementary group IDs are used, but
+not the real group IDs, as per
+.Xr groupmember 9 .
 .Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
 .Xr sysctl 8
 variable
-.Va security.bsd.see_other_gids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their group membership.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if at least one of
-.Fa u1 Ns 's
-group IDs is present in
-.Fa u2 Ns 's
-group set.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_gids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_gids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeothergids
+function returns 0 if the policy is disabled, the credentials share at least 
one
+common group, or if
 .Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
 .Sh SEE ALSO
-.Xr cr_canseeotheruids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr groupmember 9 ,
+.Xr priv_check_cred 9



git: 60cc4f16d4e9 - stable/14 - groupmember(9): Detail which groups are considered, simplify

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=60cc4f16d4e91d9d37a4619d708cfe88ff093526

commit 60cc4f16d4e91d9d37a4619d708cfe88ff093526
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:41 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

groupmember(9): Detail which groups are considered, simplify

Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40634

(cherry picked from commit 75a45ca3b34062fe793ae326ad9da614a1a06df1)
---
 share/man/man9/groupmember.9 | 36 +---
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9
index d447bf64c482..3a516622efce 100644
--- a/share/man/man9/groupmember.9
+++ b/share/man/man9/groupmember.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (C) 2001 Chad David . All rights reserved.
+.\" Copyright (C) 2023 Olivier Certner 
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -24,12 +25,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 .\" DAMAGE.
 .\"
-.Dd July 9, 2001
+.Dd August 18, 2023
 .Dt GROUPMEMBER 9
 .Os
 .Sh NAME
 .Nm groupmember
-.Nd checks group set for a group ID
+.Nd checks if credentials mandate some group membership
 .Sh SYNOPSIS
 .In sys/param.h
 .In sys/ucred.h
@@ -38,21 +39,26 @@
 .Sh DESCRIPTION
 The
 .Fn groupmember
-function checks to see if the given
-.Fa gid
-is in the group set of the credentials.
+function checks if credentials
+.Fa cred
+indicate that the associated subject or object is a member of the group
+designated by the group ID
+.Fa gid .
 .Pp
-Its arguments are:
-.Bl -tag -width ".Fa cred"
-.It Fa gid
-The group ID to check for.
-.It Fa cred
-The credentials to search for the group in.
-.El
+Considered groups in
+.Fa cred
+are the effective and supplementary groups.
+The real group is not taken into account.
 .Sh RETURN VALUES
 If the
 .Fa gid
-is found, 1 is returned; otherwise, 0 is returned.
+is found, 1 is returned, otherwise 0.
+.Sh SEE ALSO
+.Xr getgroups 2
+.Xr setgroups 2
 .Sh AUTHORS
-This manual page was written by
-.An Chad David Aq Mt dav...@acns.ab.ca .
+This manual page was initially written by
+.An -nosplit
+.An Chad David Aq Mt dav...@acns.ab.ca
+and was revised by
+.An Olivier Certner Aq Mt olce.free...@certner.fr .



git: e04b81f8b76c - stable/14 - cr_canseeotheruids(9): Revamp, mark as internal

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e04b81f8b76ceb31abec1c739b42e70433047d3d

commit e04b81f8b76ceb31abec1c739b42e70433047d3d
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:42 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_canseeotheruids(9): Revamp, mark as internal

Significantly clarify.  Replace references to cr_canseeothergids(9) by
ones to cr_bsd_visible(9).

Reviewed by:bcr, mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40635

(cherry picked from commit 4ddd253b38dff872355cc1b5238b1bbfd380)
---
 share/man/man9/cr_canseeotheruids.9 | 73 ++---
 1 file changed, 36 insertions(+), 37 deletions(-)

diff --git a/share/man/man9/cr_canseeotheruids.9 
b/share/man/man9/cr_canseeotheruids.9
index 80acc2d7a6ca..230c5ea59b78 100644
--- a/share/man/man9/cr_canseeotheruids.9
+++ b/share/man/man9/cr_canseeotheruids.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (c) 2003 Joseph Koshy 
+.\" Copyright (c) 2023 Olivier Certner 
 .\"
 .\" All rights reserved.
 .\"
@@ -25,56 +26,54 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 11, 2003
+.Dd August 18, 2023
 .Dt CR_CANSEEOTHERUIDS 9
 .Os
 .Sh NAME
 .Nm cr_canseeotheruids
-.Nd determine visibility of objects given their user credentials
+.Nd determine if subjects may see entities with differing user ID
 .Sh SYNOPSIS
 .Ft int
 .Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
 .Fa u1
-and
+is denied seeing a subject or object associated to credentials
 .Fa u2
-associated with them.
+by a policy that requires both credentials to have the same real user ID.
 .Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
 .Xr sysctl 8
 variable
-.Va security.bsd.see_other_uids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their user IDs.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if
-.Fa u1
-and
-.Fa u2
-have the same real user ID.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_uids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_uids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeotheruids
+function returns 0 if the policy is disabled, both credentials have the same
+real user ID, or if
 .Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
 .Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9



git: 2ecbfdaecbd0 - stable/14 - cr_cansee(9): cr_bsd_visible() impacts, simplifications

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef

commit 2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:42 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

cr_cansee(9): cr_bsd_visible() impacts, simplifications

Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9).
Defer to cr_bsd_visible() for controlling sysctl(8) variables.

Reviewed by:bcr, mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40636

(cherry picked from commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004)
---
 share/man/man9/cr_cansee.9 | 61 --
 1 file changed, 27 insertions(+), 34 deletions(-)

diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9
index 4824a231170b..d5cdfdd6f8e5 100644
--- a/share/man/man9/cr_cansee.9
+++ b/share/man/man9/cr_cansee.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (c) 2006 Ceri Davies 
+.\" Copyright (c) 2023 Olivier Certner 
 .\"
 .\" All rights reserved.
 .\"
@@ -23,43 +24,39 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 19, 2006
+.Dd August 18, 2023
 .Dt CR_CANSEE 9
 .Os
 .Sh NAME
 .Nm cr_cansee
 .Nd "determine visibility of objects given their user credentials"
 .Sh SYNOPSIS
-.In sys/param.h
-.In sys/systm.h
-.In sys/ucred.h
+.In sys/proc.h
 .Ft int
 .Fn cr_cansee "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs and group IDs in the credentials
+This function determines if a subject with credential
 .Fa u1
-and
-.Fa u2
-associated with them.
+can see a subject or object associated to credential
+.Fa u2 .
 .Pp
-The visibility of objects is influenced by the
+Specific types of subjects may need to submit to additional or different
+restrictions.
+As an example, for processes, see
+.Xr p_cansee 9 ,
+which calls this function.
+.Pp
+The implementation relies on
+.Xr cr_bsd_visible 9
+and consequently the
 .Xr sysctl 8
-variables
-.Va security.bsd.see_other_gids
-and
-.Va security.bsd.see_other_uids ,
-as per the description in
-.Xr cr_canseeothergids 9
-and
-.Xr cr_canseeotheruids 9
-respectively.
+variables referenced in its manual page influence the result.
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+This function returns zero if the subject with credential
 .Fa u1
 can
 .Dq see
-the object with credential
+the subject or object with credential
 .Fa u2 ,
 or
 .Er ESRCH
@@ -67,24 +64,20 @@ otherwise.
 .Sh ERRORS
 .Bl -tag -width Er
 .It Bq Er ESRCH
-The object with credential
-.Fa u1
-cannot
-.Dq see
-the object with credential
-.Fa u2 .
-.It Bq Er ESRCH
-The object with credential
+The subject with credential
 .Fa u1
-has been jailed and the object with credential
+has been jailed and the subject or object with credential
 .Fa u2
-does not belong to the same jail as
-.Fa u1 .
+does not belong to the same jail or one of its sub-jails, as determined by
+.Xr prison_check 9 .
 .It Bq Er ESRCH
 The MAC subsystem denied visibility.
+.It Bq Er ESRCH
+.Xr cr_bsd_visible 9
+denied visibility according to the BSD security policies in force.
 .El
 .Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr cr_canseeotheruids 9 ,
+.Xr prison_check 9 ,
 .Xr mac 9 ,
+.Xr cr_bsd_visible 9 ,
 .Xr p_cansee 9



git: fea4e20afb76 - stable/14 - p_cansee(9): Bring up-to-date, misc fixes

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fea4e20afb76b900bfc6a733487470e3ec6f13a2

commit fea4e20afb76b900bfc6a733487470e3ec6f13a2
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:43 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

p_cansee(9): Bring up-to-date, misc fixes

Essentially defer to cr_cansee(9), except for the specifics.

Be more specific on the return codes.

Reviewed by:bcr, pauamma_gundo.com
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40637

(cherry picked from commit 2ede38aff5d4c91a17ab6d093f2e8cce24b5418b)
---
 share/man/man9/p_cansee.9 | 44 
 1 file changed, 16 insertions(+), 28 deletions(-)

diff --git a/share/man/man9/p_cansee.9 b/share/man/man9/p_cansee.9
index 84287dac951b..9fdce460dfea 100644
--- a/share/man/man9/p_cansee.9
+++ b/share/man/man9/p_cansee.9
@@ -24,19 +24,18 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 19, 2006
+.Dd August 18, 2023
 .Dt P_CANSEE 9
 .Os
 .Sh NAME
 .Nm p_cansee
 .Nd determine visibility of a process
 .Sh SYNOPSIS
-.In sys/param.h
 .In sys/proc.h
 .Ft int
 .Fn p_cansee "struct thread *td" "struct proc *p"
 .Sh DESCRIPTION
-This function can be used to determine if a given process
+This function determines if a given process
 .Fa p
 is visible to the thread
 .Fa td ,
@@ -45,13 +44,14 @@ where the notion of
 may be read as
 .Dq "awareness of existence" .
 .Pp
-The function is implemented using
-.Xr cr_cansee 9 ,
-and the dependencies on
-.Xr sysctl 8
-variables documented in the
-.Xr cr_cansee 9
-manual page apply.
+This function explicitly allows a thread to always see its own process,
+even with pending credentials changes
+.Po
+see
+.Xr ucred 9
+.Pc .
+Otherwise, it simply defers to
+.Xr cr_cansee 9 .
 .Sh RETURN VALUES
 The
 .Fn p_cansee
@@ -62,30 +62,18 @@ if the process denoted by
 .Fa p
 is visible by thread
 .Fa td ,
-or a non-zero error return value otherwise.
+or ESRCH otherwise.
 .Sh ERRORS
 .Bl -tag -width Er
 .It Bq Er ESRCH
-Process
-.Fa p
-is not visible to thread
-.Fa td
-as determined by
-.Xr cr_cansee 9 .
-.It Bq Er ESRCH
 Thread
 .Fa td
-has been jailed and process
+is not part of process
 .Fa p
-does not belong to the same jail as
-.Fa td .
-.It Bq Er ESRCH
-The MAC subsystem denied visibility.
+and cannot see it as determined by
+.Xr cr_cansee 9 .
 .El
 .Sh SEE ALSO
-.Xr jail 2 ,
-.Xr sysctl 8 ,
+.Xr ucred 9 ,
 .Xr cr_cansee 9 ,
-.Xr mac 9 ,
-.Xr p_candebug 9 ,
-.Xr prison_check 9
+.Xr p_candebug 9



git: 76781950658c - stable/14 - p_candebug(9): cr_bsd_visible() impacts, misc fixes

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=76781950658cc95a0820af5f0fb013f2ef9eb3a9

commit 76781950658cc95a0820af5f0fb013f2ef9eb3a9
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:43 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:58 +

p_candebug(9): cr_bsd_visible() impacts, misc fixes

Mention cr_bsd_visible(9).  Remove references to cr_canseeothergids(9)
and cr_canseeotheruids(9), as well as indirect references not
immediately useful.

Fix description of credentials checks to match reality.

Re-order errors to match code's check order.

Reviewed by:bcr, pauamma_gundo.com
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40638

(cherry picked from commit eb94f24fab4b44f13ca045370d9fcf12ca8835f2)
---
 share/man/man9/p_candebug.9 | 103 
 1 file changed, 56 insertions(+), 47 deletions(-)

diff --git a/share/man/man9/p_candebug.9 b/share/man/man9/p_candebug.9
index e80d313de55c..c824db974154 100644
--- a/share/man/man9/p_candebug.9
+++ b/share/man/man9/p_candebug.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (c) 2003 Joseph Koshy 
+.\" Copyright (c) 2023 Olivier Certner 
 .\"
 .\" All rights reserved.
 .\"
@@ -25,7 +26,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 19, 2006
+.Dd August 18, 2023
 .Dt P_CANDEBUG 9
 .Os
 .Sh NAME
@@ -37,24 +38,27 @@
 .Ft int
 .Fn p_candebug "struct thread *td" "struct proc *p"
 .Sh DESCRIPTION
-This function can be used to determine if a given process
+This function determines if a given process
 .Fa p
-is debuggable by the thread
+is debuggable by some thread
 .Fa td .
-.Sh SYSCTL VARIABLES
+.Pp
 The following
 .Xr sysctl 8
 variables directly influence the behaviour of
 .Fn p_candebug :
 .Bl -tag -width indent
+.It Va security.bsd.unprivileged_proc_debug
+Must be set to a non-zero value to allow unprivileged processes
+access to the kernel's debug facilities.
 .It Va kern.securelevel
 Debugging of the init process is not allowed if this variable is
 .Li 1
 or greater.
-.It Va security.bsd.unprivileged_proc_debug
-Must be set to a non-zero value to allow unprivileged processes
-access to the kernel's debug facilities.
 .El
+.Pp
+Other such variables indirectly influence it; see
+.Xr cr_bsd_visible 9 .
 .Sh RETURN VALUES
 The
 .Fn p_candebug
@@ -68,35 +72,45 @@ is debuggable by thread
 or a non-zero error return value otherwise.
 .Sh ERRORS
 .Bl -tag -width Er
-.It Bq Er EACCESS
-The MAC subsystem denied debuggability.
-.It Bq Er EAGAIN
-Process
-.Fa p
-is in the process of being
-.Fn exec Ns 'ed.
 .It Bq Er EPERM
+An unprivileged process attempted to debug another process but the system is
+configured to deny it
+.Po
+see
+.Xr sysctl 8
+variable
+.Va security.bsd.unprivileged_proc_debug
+above
+.Pc .
+.It Bq Er ESRCH
 Thread
 .Fa td
-lacks super-user credentials and process
-.Fa p
-is executing a set-user-ID or set-group-ID executable.
+has been jailed and the process to debug does not belong to the same jail or 
one
+of its sub-jails, as determined by
+.Xr prison_check 9 .
+.It Bq Er ESRCH
+.Xr cr_bsd_visible 9
+denied visibility according to the BSD security policies in force.
 .It Bq Er EPERM
 Thread
 .Fa td
-lacks super-user credentials and process
+lacks superuser credentials and its (effective) group set is not a superset of
+process
 .Fa p Ns 's
-group set is not a subset of
-.Fa td Ns 's
-effective group set.
+whole group set
+.Pq "including real, effective and saved group IDs" .
 .It Bq Er EPERM
 Thread
 .Fa td
-lacks super-user credentials and process
-.Fa p Ns 's
-user IDs do not match thread
-.Fa td Ns 's
-effective user ID.
+lacks superuser credentials and its (effective) user ID does not match all user
+IDs of process
+.Fa p .
+.It Bq Er EPERM
+Thread
+.Fa td
+lacks superuser credentials and process
+.Fa p
+is executing a set-user-ID or set-group-ID executable.
 .It Bq Er EPERM
 Process
 .Fa p
@@ -107,30 +121,25 @@ and the
 variable
 .Va kern.securelevel
 is greater than zero.
-.It Bq Er ESRCH
+.It Bq Er EBUSY
 Process
 .Fa p
-is not visible to thread
-.Fa td
-as determined by
-.Xr cr_canseeotheruids 9
-or
-.Xr cr_canseeothergids 9 .
-.It Bq Er ESRCH
-Thread
-.Fa td
-has been jailed and process
+is in the process of being
+.Fn exec Ns 'ed.
+.It Bq Er EPERM
+Process
 .Fa p
-does not belong to the same jail as
-.Fa td .
-.It Bq Er ESRCH
-The MAC subsystem denied debuggability.
+denied debuggability
+.Po
+see
+.Xr procctl 2 ,
+command
+.Dv PROC_TRACE_CTL
+.Pc .
 .El
 .Sh SEE ALSO
-.Xr jail 2 ,
-.Xr sysctl 8 ,
-.Xr cr_canseeothergids 9 ,
-.Xr cr_canseeotheruids 9 ,
+.Xr prison_check 9 ,
 .Xr mac 9 ,
-.Xr p_cansee 9 ,
-.Xr prison_check 9
+.Xr cr_bsd_visible 9 ,
+.Xr procctl 2 ,
+.Xr

git: 8d935c419fda - stable/14 - prison_check(9): Bring up-to-date with hierarchical jails

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8d935c419fdafa0cb6fe9e1a3ed6dd92fd76d776

commit 8d935c419fdafa0cb6fe9e1a3ed6dd92fd76d776
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:44 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

prison_check(9): Bring up-to-date with hierarchical jails

Reviewed by:bcr, emaste, pauamma_gundo.com, mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40639

(cherry picked from commit e9fdd494537ca45b14e0917e8bb1595b6460f3a3)
---
 share/man/man9/prison_check.9 | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/share/man/man9/prison_check.9 b/share/man/man9/prison_check.9
index b3bdcf6b4571..7f174e3ceb2e 100644
--- a/share/man/man9/prison_check.9
+++ b/share/man/man9/prison_check.9
@@ -25,22 +25,23 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 11, 2003
+.Dd August 18, 2023
 .Dt PRISON_CHECK 9
 .Os
 .Sh NAME
 .Nm prison_check
-.Nd determine if two credentials belong to the same jail
+.Nd determine if subjects may see entities according to jail restrictions
 .Sh SYNOPSIS
 .In sys/jail.h
 .Ft int
 .Fn prison_check "struct ucred *cred1" "struct ucred *cred2"
 .Sh DESCRIPTION
-This function can be used to determine if the two credentials
+This function determines if a subject with credentials
 .Fa cred1
-and
+is denied access to subjects or objects with credentials
 .Fa cred2
-belong to the same jail.
+according to the policy that a subject can see subjects or objects in its own
+jail or any sub-jail of it.
 .Sh RETURN VALUES
 The
 .Fn prison_check
@@ -48,12 +49,9 @@ function
 returns
 .Er ESRCH
 if
-.Fa cred1
-has been jailed, and
-.Fa cred1
-and
 .Fa cred2
-do not belong to the same jail.
+is not in the same jail or a sub-jail of that of
+.Fa cred1 .
 In all other cases,
 .Fn prison_check
 returns zero.



git: f3de805ace48 - stable/14 - groupmember(): Extract the supplementary group search in a separate function

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f3de805ace484db4a3bf9191a150ef4843ae92f3

commit f3de805ace484db4a3bf9191a150ef4843ae92f3
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:44 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

groupmember(): Extract the supplementary group search in a separate function

This is in preparation for the introduction of the new realgroupmember()
function, which does the same search into supplementary groups as
groupmember().

Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40640

(cherry picked from commit b725f232f3b09b4bcbc426854fe1545234c66965)
---
 sys/kern/kern_prot.c | 41 -
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 648c067dc528..21f5e5d3bc16 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1273,36 +1273,43 @@ sys___setugid(struct thread *td, struct __setugid_args 
*uap)
 }
 
 /*
- * Check if gid is a member of the group set.
+ * Returns whether gid designates a supplementary group in cred.
  */
-int
-groupmember(gid_t gid, struct ucred *cred)
+static int
+supplementary_group_member(gid_t gid, struct ucred *cred)
 {
-   int l;
-   int h;
-   int m;
-
-   if (cred->cr_groups[0] == gid)
-   return(1);
+   int l, h, m;
 
/*
-* If gid was not our primary group, perform a binary search
-* of the supplemental groups.  This is possible because we
-* sort the groups in crsetgroups().
+* Perform a binary search of the supplemental groups.  This is possible
+* because we sort the groups in crsetgroups().
 */
l = 1;
h = cred->cr_ngroups;
+
while (l < h) {
-   m = l + ((h - l) / 2);
+   m = l + (h - l) / 2;
if (cred->cr_groups[m] < gid)
-   l = m + 1; 
+   l = m + 1;
else
-   h = m; 
+   h = m;
}
-   if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid))
+
+   return (l < cred->cr_ngroups && cred->cr_groups[l] == gid);
+}
+
+/*
+ * Check if gid is a member of the (effective) group set (i.e., effective and
+ * supplementary groups).
+ */
+int
+groupmember(gid_t gid, struct ucred *cred)
+{
+
+   if (cred->cr_groups[0] == gid)
return (1);
 
-   return (0);
+   return (supplementary_group_member(gid, cred));
 }
 
 /*
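Review bot: `l = 1` in supplementary_group_member() skips `cr_groups[0]`, and the rewritten comment no longer says why; the removed wording tied the search to the primary group having been checked first. Now that the helper is meant to be shared, a caller that assumes it covers the whole array would silently miss that slot in a membership decision. I would extend the header comment with a sentence such as `Slot 0 (the effective GID) is not searched; callers must test it themselves if they need it.`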



git: d1fde7841f3f - stable/14 - New realgroupmember()

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d1fde7841f3f3dd86b932ae1f9bb285cbe16634c

commit d1fde7841f3f3dd86b932ae1f9bb285cbe16634c
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:45 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

New realgroupmember()

Like groupmember(), but taking into account the real group instead of
the effective group.  Leverages the new supplementary_group_member()
function.

Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40641
Differential Revision:  https://reviews.freebsd.org/D40643

(cherry picked from commit 2a2bfa6ad92e9c82dcc55733ad2fd58fd2ea7559)
(cherry picked from commit 5d9f38405a10fdcd9fc108c940dcf2642e9f1833)
---
 share/man/man9/Makefile  |  1 +
 share/man/man9/groupmember.9 |  7 +++
 sys/kern/kern_prot.c | 13 +
 sys/sys/ucred.h  |  1 +
 4 files changed, 22 insertions(+)

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index c3c81719b7d2..2122f8d6ea8c 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -1157,6 +1157,7 @@ MLINKS+=g_provider.9 g_destroy_provider.9 \
g_provider.9 g_error_provider.9 \
g_provider.9 g_new_providerf.9
 MLINKS+=gone_in.9 gone_in_dev.9
+MLINKS+=groupmember.9 realgroupmember.9
 MLINKS+=hash.9 hash32.9 \
hash.9 hash32_buf.9 \
hash.9 hash32_str.9 \
diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9
index 3a516622efce..ae7ccd477955 100644
--- a/share/man/man9/groupmember.9
+++ b/share/man/man9/groupmember.9
@@ -36,6 +36,8 @@
 .In sys/ucred.h
 .Ft int
 .Fn groupmember "gid_t gid" "struct ucred *cred"
+.Ft int
+.Fn realgroupmember "gid_t gid" "struct ucred *cred"
 .Sh DESCRIPTION
 The
 .Fn groupmember
@@ -49,6 +51,11 @@ Considered groups in
 .Fa cred
 are the effective and supplementary groups.
 The real group is not taken into account.
+.Pp
+Function
+.Fn realgroupmember
+works the same except that it considers instead the real and supplementary
+groups, and not the effective one.
 .Sh RETURN VALUES
 If the
 .Fa gid
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 21f5e5d3bc16..23bd2009582b 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1312,6 +1312,19 @@ groupmember(gid_t gid, struct ucred *cred)
return (supplementary_group_member(gid, cred));
 }
 
+/*
+ * Check if gid is a member of the real group set (i.e., real and supplementary
+ * groups).
+ */
+int
+realgroupmember(gid_t gid, struct ucred *cred)
+{
+   if (gid == cred->cr_rgid)
+   return (1);
+
+   return (supplementary_group_member(gid, cred));
+}
+
 /*
  * Test the active securelevel against a given level.  securelevel_gt()
  * implements (securelevel > level).  securelevel_ge() implements
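Review bot: The comment on realgroupmember() does not say that the effective GID is left out, which is the one behavioural difference from groupmember() and what a caller choosing between the two for an access check needs to know. I would add a sentence such as `Unlike groupmember(), cr_groups[0] (the effective GID) is not consulted.` As a smaller style point, groupmember() keeps a blank line after its opening brace and this function does not; using one form for both would keep the pair uniform.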
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index eb92776c158a..633bf436fcd4 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -159,6 +159,7 @@ voidcru2x(struct ucred *cr, struct xucred *xcr);
 void   cru2xt(struct thread *td, struct xucred *xcr);
 void   crsetgroups(struct ucred *cr, int n, gid_t *groups);
 intgroupmember(gid_t gid, struct ucred *cred);
+intrealgroupmember(gid_t gid, struct ucred *cred);
 #endif /* _KERNEL */
 
 #endif /* !_SYS_UCRED_H_ */



git: f482bc958437 - stable/14 - cr_canseeothergids(): Use real instead of effective group membership

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f482bc958437e90cf8eb3a9e45e92efeb0b2556e

commit f482bc958437e90cf8eb3a9e45e92efeb0b2556e
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:45 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

cr_canseeothergids(): Use real instead of effective group membership

Using the effective group and not the real one when testing membership
has the consequence that unprivileged processes cannot see setuid
commands they launch until these have relinquished their privileges.
This is also in contradiction with how the similar cr_canseeotheruids()
works, i.e., by taking into account real user IDs.

Fix this by substituting groupmember() with realgroupmember().  While
here, simplify the code.

PR: 272093
Reviewed by:mhorne
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40642
Differential Revision:  https://reviews.freebsd.org/D40644

(cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)
(cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)
---
 share/man/man9/cr_bsd_visible.9 |  2 +-
 share/man/man9/cr_canseeothergids.9 |  8 
 sys/kern/kern_prot.c| 23 ++-
 3 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9
index bd676e6f5705..f2d42f3835dc 100644
--- a/share/man/man9/cr_bsd_visible.9
+++ b/share/man/man9/cr_bsd_visible.9
@@ -97,7 +97,7 @@ and
 are not members of any common group
 .Po
 as determined by
-.Xr groupmember 9
+.Xr realgroupmember 9
 .Pc .
 .It Bq Er ESRCH
 Credentials
diff --git a/share/man/man9/cr_canseeothergids.9 
b/share/man/man9/cr_canseeothergids.9
index f0c1e5c4e726..109d41a8545d 100644
--- a/share/man/man9/cr_canseeothergids.9
+++ b/share/man/man9/cr_canseeothergids.9
@@ -48,9 +48,9 @@ This function checks if a subject associated to credentials
 is denied seeing a subject or object associated to credentials
 .Fa u2
 by a policy that requires both credentials to have at least one group in 
common.
-For this determination, the effective and supplementary group IDs are used, but
-not the real group IDs, as per
-.Xr groupmember 9 .
+For this determination, the real and supplementary group IDs are used, but
+not the effective group IDs, as per
+.Xr realgroupmember 9 .
 .Pp
 This policy is active if and only if the
 .Xr sysctl 8
@@ -79,5 +79,5 @@ Otherwise, it returns
 .Er ESRCH .
 .Sh SEE ALSO
 .Xr cr_bsd_visible 9 ,
-.Xr groupmember 9 ,
+.Xr realgroupmember 9 ,
 .Xr priv_check_cred 9
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 23bd2009582b..43fc3100bfa7 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1404,21 +1404,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, 
CTLFLAG_RW,
 int
 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
 {
-   int i, match;
-
if (!see_other_gids) {
-   match = 0;
-   for (i = 0; i < u1->cr_ngroups; i++) {
-   if (groupmember(u1->cr_groups[i], u2))
-   match = 1;
-   if (match)
-   break;
-   }
-   if (!match) {
-   if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
-   return (ESRCH);
-   }
+   if (realgroupmember(u1->cr_rgid, u2))
+   return (0);
+
+   for (int i = 1; i < u1->cr_ngroups; i++)
+   if (realgroupmember(u1->cr_groups[i], u2))
+   return (0);
+
+   if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
+   return (ESRCH);
}
+
return (0);
 }
 
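Review bot: The loop `for (int i = 1; i < u1->cr_ngroups; i++)` starts at index 1 with no comment, so a later reader may "correct" it to 0 and bring u1's effective GID back into the visibility check that this commit removes. A short comment above the loop would pin the intent, e.g. `/* cr_groups[0] is the effective GID; only real and supplementary groups are compared. */`. The block comment above cr_canseeothergids() lies outside the hunk and may still describe the old effective-group behaviour, so it is worth checking too.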



git: b6b76c1c09a4 - stable/14 - groupmember(), realgroupmember(): Return a bool instead of an int

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b6b76c1c09a44dbf9ef1ef8e6b0c3e8204baae7a

commit b6b76c1c09a44dbf9ef1ef8e6b0c3e8204baae7a
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:47 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

groupmember(), realgroupmember(): Return a bool instead of an int

Requested by:   mhorne
Reviewed by:mhorne
MFC after:  2 weeks
MFC to: stable/14 releng/14.0
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40958
Differential Revision:  https://reviews.freebsd.org/D40959

(cherry picked from commit ffd3ef8ee0253ffaf214cf711251d112f6a2bcf6)
(cherry picked from commit 845b7c80887ac84c82ee776836ef86d68ea71c94)
---
 share/man/man9/groupmember.9 | 18 +-
 sys/kern/kern_prot.c | 12 ++--
 sys/sys/ucred.h  |  4 ++--
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9
index ae7ccd477955..b7865a35fdc9 100644
--- a/share/man/man9/groupmember.9
+++ b/share/man/man9/groupmember.9
@@ -34,9 +34,9 @@
 .Sh SYNOPSIS
 .In sys/param.h
 .In sys/ucred.h
-.Ft int
+.Ft bool
 .Fn groupmember "gid_t gid" "struct ucred *cred"
-.Ft int
+.Ft bool
 .Fn realgroupmember "gid_t gid" "struct ucred *cred"
 .Sh DESCRIPTION
 The
@@ -57,9 +57,17 @@ Function
 works the same except that it considers instead the real and supplementary
 groups, and not the effective one.
 .Sh RETURN VALUES
-If the
-.Fa gid
-is found, 1 is returned, otherwise 0.
+The
+.Fn groupmember
+and
+.Fn realgroupmember
+functions return
+.Dv true
+if the given credentials indicate membership of the group
+.Fa gid ,
+or
+.Dv false
+otherwise.
 .Sh SEE ALSO
 .Xr getgroups 2
 .Xr setgroups 2
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 43fc3100bfa7..14b19837d5dc 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1275,7 +1275,7 @@ sys___setugid(struct thread *td, struct __setugid_args 
*uap)
 /*
  * Returns whether gid designates a supplementary group in cred.
  */
-static int
+static bool
 supplementary_group_member(gid_t gid, struct ucred *cred)
 {
int l, h, m;
@@ -1302,12 +1302,12 @@ supplementary_group_member(gid_t gid, struct ucred 
*cred)
  * Check if gid is a member of the (effective) group set (i.e., effective and
  * supplementary groups).
  */
-int
+bool
 groupmember(gid_t gid, struct ucred *cred)
 {
 
-   if (cred->cr_groups[0] == gid)
-   return (1);
+   if (gid == cred->cr_groups[0])
+   return (true);
 
return (supplementary_group_member(gid, cred));
 }
@@ -1316,11 +1316,11 @@ groupmember(gid_t gid, struct ucred *cred)
  * Check if gid is a member of the real group set (i.e., real and supplementary
  * groups).
  */
-int
+bool
 realgroupmember(gid_t gid, struct ucred *cred)
 {
if (gid == cred->cr_rgid)
-   return (1);
+   return (true);
 
return (supplementary_group_member(gid, cred));
 }
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index 633bf436fcd4..7c9e46e47774 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -158,8 +158,8 @@ voidcrcowfree(struct thread *td);
 void   cru2x(struct ucred *cr, struct xucred *xcr);
 void   cru2xt(struct thread *td, struct xucred *xcr);
 void   crsetgroups(struct ucred *cr, int n, gid_t *groups);
-intgroupmember(gid_t gid, struct ucred *cred);
-intrealgroupmember(gid_t gid, struct ucred *cred);
+bool   groupmember(gid_t gid, struct ucred *cred);
+bool   realgroupmember(gid_t gid, struct ucred *cred);
 #endif /* _KERNEL */
 
 #endif /* !_SYS_UCRED_H_ */



git: 4a8585251944 - stable/14 - security(7): security.bsd.see*: Be more accurate

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4a8585251944e1d8f0242ee7937204e4fbcd3e8f

commit 4a8585251944e1d8f0242ee7937204e4fbcd3e8f
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:48 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

security(7): security.bsd.see*: Be more accurate

Reviewed by:mhorne, pauamma_gundo.com
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D41108

(cherry picked from commit 61b6e00bee1d39e9c688e728fbf3a4efcdb61e66)
---
 share/man/man7/security.7 | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/share/man/man7/security.7 b/share/man/man7/security.7
index ebe5e66e22af..a48e3607f0e5 100644
--- a/share/man/man7/security.7
+++ b/share/man/man7/security.7
@@ -959,16 +959,18 @@ Backwards compatibility shims for the interim sysctls 
under
 will not be added.
 .Bl -tag -width security.bsd.unprivileged_proc_debug
 .It Dv security.bsd.see_other_uids
-Controls visibility of processes owned by different uid.
+Controls visibility and reachability of subjects (e.g., processes) and objects
+(e.g., sockets) owned by a different uid.
 The knob directly affects the
 .Dv kern.proc
 sysctls filtering of data, which results in restricted output from
 utilities like
 .Xr ps 1 .
 .It Dv security.bsd.see_other_gids
-Same, for processes owned by different gid.
+Same, for subjects and objects owned by a different gid.
 .It Dv security.bsd.see_jail_proc
-Same, for processes belonging to a jail.
+Same, for subjects and objects belonging to a different jail, including
+sub-jails.
 .It Dv security.bsd.conservative_signals
 When enabled, unprivileged users are only allowed to send job control
 and usual termination signals like



git: b0186790020f - stable/14 - ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b0186790020f1a3eecd6b1d86fe79841d90e3438

commit b0186790020f1a3eecd6b1d86fe79841d90e3438
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:48 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc

Reviewed by:mhorne, emaste, pauamma_gundo.com
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D41109

(cherry picked from commit d952820105d6a2ad87ddf3bdc6c5fc5215d13b87)
---
 lib/libc/sys/ptrace.2 | 36 +---
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2
index d7d244b1d84a..ae1770315aa5 100644
--- a/lib/libc/sys/ptrace.2
+++ b/lib/libc/sys/ptrace.2
@@ -1,7 +1,7 @@
 .\"$NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $
 .\"
 .\" This file is in the public domain.
-.Dd December 15, 2022
+.Dd August 18, 2023
 .Dt PTRACE 2
 .Os
 .Sh NAME
@@ -149,31 +149,37 @@ its scope.
 The following controls are provided for this:
 .Bl -tag -width security.bsd.unprivileged_proc_debug
 .It Dv security.bsd.allow_ptrace
-Setting this sysctl to zero value makes
+Setting this sysctl to zero makes
 .Nm
 return
 .Er ENOSYS
 always as if the syscall is not implemented by the kernel.
 .It Dv security.bsd.unprivileged_proc_debug
-Setting this sysctl to zero disallows use of
+Setting this sysctl to zero disallows the use of
 .Fn ptrace
 by unprivileged processes.
 .It Dv security.bsd.see_other_uids
-Setting this sysctl to zero value disallows
+Setting this sysctl to zero prevents
 .Fn ptrace
-requests from targeting processes with the real user identifier different
-from the real user identifier of the caller.
-The requests return
-.Er ESRCH
-if policy is not met.
+requests from targeting processes with a real user identifier different
+from the caller's.
+These requests will fail with error
+.Er ESRCH .
 .It Dv security.bsd.see_other_gids
-Setting this sysctl to zero value disallows
+Setting this sysctl to zero disallows
 .Fn ptrace
-requests from process belonging to a group that is not also one of
-the group of the target process.
-The requests return
-.Er ESRCH
-if policy is not met.
+requests from processes that have no groups in common with the target process,
+considering their sets of real and supplementary groups.
+These requests will fail with error
+.Er ESRCH .
+.It Dv security.bsd.see_jail_proc
+Setting this sysctl to zero disallows
+.Fn ptrace
+requests from processes belonging to a different jail than that of the target
+process, even if the requesting process' jail is an ancestor of the target
+process'.
+These requests will fail with error
+.Er ESRCH .
 .It Dv securelevel and init
 The
 .Xr init 1



git: c8ca21cc94df - stable/14 - sysctl(8): Mention more security.bsd knobs; Refer to security(7)

2023-10-17 Thread Mitchell Horne
The branch stable/14 has been updated by mhorne:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c8ca21cc94df97ec5b85c8aa6dcc71f75e99ecfe

commit c8ca21cc94df97ec5b85c8aa6dcc71f75e99ecfe
Author: Olivier Certner 
AuthorDate: 2023-08-17 23:54:49 +
Commit: Mitchell Horne 
CommitDate: 2023-10-17 19:42:59 +

sysctl(8): Mention more security.bsd knobs; Refer to security(7)

Reviewed by:mhorne, pauamma_gundo.com, emaste
MFC after:  2 weeks
Sponsored by:   Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D41113

(cherry picked from commit 8d7a48d367ffde2a29419ef943c4099984e3af4d)
---
 sbin/sysctl/sysctl.8 | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8
index 3e995e40131b..ed768510eb6c 100644
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@@ -27,7 +27,7 @@
 .\"
 .\"From: @(#)sysctl.8  8.1 (Berkeley) 6/6/93
 .\"
-.Dd December 24, 2022
+.Dd August 18, 2023
 .Dt SYSCTL 8
 .Os
 .Sh NAME
@@ -194,7 +194,9 @@ for more information on which tunables are available and 
how to set them.
 .Pp
 The string and integer information is summarized below.
 For a detailed description of these variables see
-.Xr sysctl 3 .
+.Xr sysctl 3
+and
+.Xr security 7 .
 .Pp
 The changeable column indicates whether a process with appropriate
 privilege can change the value.
@@ -231,6 +233,8 @@ String and integer values can be set using
 .It "kern.logsigexit   integer yes"
 .It "security.bsd.suser_enabledinteger yes"
 .It "security.bsd.see_other_uids   integer yes"
+.It "security.bsd.see_other_gids   integer yes"
+.It "security.bsd.see_jail_procinteger yes"
 .It "security.bsd.unprivileged_proc_debug  integer yes"
 .It "security.bsd.unprivileged_read_msgbuf integer yes"
 .It "vm.loadavgstruct  no"
@@ -320,6 +324,7 @@ option has been deprecated and is silently ignored.
 .Xr sysctl 3 ,
 .Xr loader.conf 5 ,
 .Xr sysctl.conf 5 ,
+.Xr security 7,
 .Xr loader 8
 .Sh HISTORY
 A



git: 9e8372d0103a - stable/13 - MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's built-in default which was added in sendmail 8.15.2 (the config line predates that 8.15.2 feature

2023-10-17 Thread Gregory Neil Shapiro
The branch stable/13 has been updated by gshapiro:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9e8372d0103ac474c08cc0031110860855368b05

commit 9e8372d0103ac474c08cc0031110860855368b05
Author: Gregory Neil Shapiro 
AuthorDate: 2023-08-18 00:32:56 +
Commit: Gregory Neil Shapiro 
CommitDate: 2023-10-17 19:44:01 +

MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's
built-in default which was added in sendmail 8.15.2 (the config
line predates that 8.15.2 feature).  This also alleviates the need
for admins to create the DH parameters file if they opt to use
Diffie-Hellman.

PR: 248387

(cherry picked from commit 98fd1add676321978db72d77d34ef51ca454c814)
---
 etc/sendmail/freebsd.mc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/etc/sendmail/freebsd.mc b/etc/sendmail/freebsd.mc
index 97264805a67f..5fd201da3900 100644
--- a/etc/sendmail/freebsd.mc
+++ b/etc/sendmail/freebsd.mc
@@ -66,7 +66,6 @@ define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
 define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
-define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
 
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without



git: 98f15d8f2fd4 - stable/12 - MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's built-in default which was added in sendmail 8.15.2 (the config line predates that 8.15.2 feature

2023-10-17 Thread Gregory Neil Shapiro
The branch stable/12 has been updated by gshapiro:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=98f15d8f2fd46c49a4ede89ac1a52aa3b5da8a41

commit 98f15d8f2fd46c49a4ede89ac1a52aa3b5da8a41
Author: Gregory Neil Shapiro 
AuthorDate: 2023-08-18 00:32:56 +
Commit: Gregory Neil Shapiro 
CommitDate: 2023-10-17 19:48:22 +

MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's
built-in default which was added in sendmail 8.15.2 (the config
line predates that 8.15.2 feature).  This also alleviates the need
for admins to create the DH parameters file if they opt to use
Diffie-Hellman.

PR: 248387

(cherry picked from commit 98fd1add676321978db72d77d34ef51ca454c814)
---
 etc/sendmail/freebsd.mc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/etc/sendmail/freebsd.mc b/etc/sendmail/freebsd.mc
index 97264805a67f..5fd201da3900 100644
--- a/etc/sendmail/freebsd.mc
+++ b/etc/sendmail/freebsd.mc
@@ -66,7 +66,6 @@ define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
 define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
-define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
 
 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without



git: cd5edc7db261 - main - nfsd: Avoid acquiring a vnode for some NFSv4 Readdir operations

2023-10-17 Thread Rick Macklem
The branch main has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=cd5edc7db261fb228be4044e6fdd38850eb4e9c4

commit cd5edc7db261fb228be4044e6fdd38850eb4e9c4
Author: Rick Macklem 
AuthorDate: 2023-10-17 20:55:48 +
Commit: Rick Macklem 
CommitDate: 2023-10-17 20:55:48 +

nfsd: Avoid acquiring a vnode for some NFSv4 Readdir operations

Without this patch, a NFSv4 Readdir operation acquires the vnode for
each entry in the directory.  If only the Type, Fileid, Mounted_on_fileid
and ReaddirError attributes are requested by a client, acquiring the vnode
is not necessary for non-directories.  Directory vnodes must be acquired
to check for server file system mount points.

This patch avoids acquiring the vnode, as above, resulting in a 3-8%
improvement in Readdir RPC RTT for some simple tests I did.

Note that only non-rdirplus NFSv4 mounts will benefit from this change.

Tested during a recent IETF NFSv4 Bakeathon testing event.

MFC after:  1 month
---
 sys/fs/nfsserver/nfs_nfsdport.c | 30 +++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c
index 570ae653e06c..776d5c50861c 100644
--- a/sys/fs/nfsserver/nfs_nfsdport.c
+++ b/sys/fs/nfsserver/nfs_nfsdport.c
@@ -117,6 +117,11 @@ extern int nfsrv_issuedelegs;
 extern int nfsrv_dolocallocks;
 extern struct nfsdevicehead nfsrv_devidhead;
 
+/* Map d_type to vnode type. */
+static uint8_t dtype_to_vnode[DT_WHT + 1] = { VNON, VFIFO, VCHR, VNON, VDIR,
+VNON, VBLK, VNON, VREG, VNON, VLNK, VNON, VSOCK, VNON, VNON };
+#defineNFS_DTYPETOVTYPE(t) ((t) <= DT_WHT ? dtype_to_vnode[(t)] : 
VNON)
+
 static int nfsrv_createiovec(int, struct mbuf **, struct mbuf **,
 struct iovec **);
 static int nfsrv_createiovec_extpgs(int, int, struct mbuf **,
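Review bot: `dtype_to_vnode` is only read in the hunks shown here, so it should be declared `static const uint8_t dtype_to_vnode[DT_WHT + 1]`; that keeps a stray store from silently changing the file types the server reports. The positional initializer also hides which DT_* value each slot belongs to, and designated initializers (`[DT_FIFO] = VFIFO`, `[DT_DIR] = VDIR`, and so on, with the remaining slots spelled out as VNON) would make the mapping checkable at a glance. The `(t) <= DT_WHT` test in `NFS_DTYPETOVTYPE` is what keeps an out-of-range d_type from indexing past the table, so the comment above the table should say that unmapped and out-of-range values deliberately become VNON.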
@@ -2310,7 +2315,7 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdgram,
caddr_t bpos0, bpos1;
u_int64_t off, toff, verf __unused;
uint64_t *cookies = NULL, *cookiep;
-   nfsattrbit_t attrbits, rderrbits, savbits;
+   nfsattrbit_t attrbits, rderrbits, savbits, refbits;
struct uio io;
struct iovec iv;
struct componentname cn;
@@ -2361,9 +2366,20 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int 
isdgram,
if (error)
goto nfsmout;
NFSSET_ATTRBIT(&savbits, &attrbits);
+   NFSSET_ATTRBIT(&refbits, &attrbits);
NFSCLRNOTFILLABLE_ATTRBIT(&attrbits, nd);
NFSZERO_ATTRBIT(&rderrbits);
NFSSETBIT_ATTRBIT(&rderrbits, NFSATTRBIT_RDATTRERROR);
+   /*
+* If these 4 bits are the only attributes requested by the
+* client, they can be satisfied without acquiring the vnode
+* for the file object unless it is a directory.
+* This will be indicated by savbits being all 0s.
+*/
+   NFSCLRBIT_ATTRBIT(&savbits, NFSATTRBIT_TYPE);
+   NFSCLRBIT_ATTRBIT(&savbits, NFSATTRBIT_FILEID);
+   NFSCLRBIT_ATTRBIT(&savbits, NFSATTRBIT_MOUNTEDONFILEID);
+   NFSCLRBIT_ATTRBIT(&savbits, NFSATTRBIT_RDATTRERROR);
} else {
NFSZERO_ATTRBIT(&attrbits);
}
@@ -2606,7 +2622,10 @@ again:
new_mp = mp;
mounted_on_fileno = (uint64_t)dp->d_fileno;
if ((nd->nd_flag & ND_NFSV3) ||
-   NFSNONZERO_ATTRBIT(&savbits)) {
+   NFSNONZERO_ATTRBIT(&savbits) ||
+   dp->d_type == DT_UNKNOWN ||
+   (dp->d_type == DT_DIR &&
+nfsrv_enable_crossmntpt != 0)) {
if (nd->nd_flag & ND_NFSV4)
refp = nfsv4root_getreferral(NULL,
vp, dp->d_fileno);
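Review bot: The fallback to the vnode path tests only `dp->d_type == DT_UNKNOWN`, but `NFS_DTYPETOVTYPE`, added at the top of this file by the same commit, also yields VNON for DT_WHT, for the unassigned table slots and for any value above DT_WHT. An entry with such a d_type would take the new fast path and be answered with `na_type` set to VNON instead of the type its vnode would report. Testing the mapped value closes that gap: `NFS_DTYPETOVTYPE(dp->d_type) == VNON ||` in place of `dp->d_type == DT_UNKNOWN ||`. How VNON is encoded in the Type attribute is outside the hunk, so the effect seen by clients is not confirmed here, and the enclosing function continues beyond the hunk.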
@@ -2743,6 +2762,11 @@ again:
break;
}
}
+   } else if (NFSNONZERO_ATTRBIT(&attrbits)) {
+   /* Only need Type and/or Fileid. */
+   VATTR_NULL(&nvap->na_vattr);
+   nvap->na_fileid = dp->d_fileno;
+   nvap->na_type = NFS_DTYPETOVTYPE(dp->d_type);
}
 
/*
@@ -2774,7 +2798,7 @@ again:
supports_nfsv4acls = 0;
if (refp != NULL) {
dirlen += nfsrv_putreferralattr(nd,
-   &savbits, refp, 0,
+   &refbits, refp, 0,

git: 83bd5a833c3a - main - mkimg_test: remove vtoc8 images, they aren't needed

2023-10-17 Thread Warner Losh
The branch main has been updated by imp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=83bd5a833c3a14b74736e7b3fa0be66252a5a3dc

commit 83bd5a833c3a14b74736e7b3fa0be66252a5a3dc
Author: Warner Losh 
AuthorDate: 2023-10-17 21:52:02 +
Commit: Warner Losh 
CommitDate: 2023-10-17 21:56:19 +

mkimg_test: remove vtoc8 images, they aren't needed

vtoc8 support expired with sparc64 removal, so remove them all.

Sponsored by:   Netflix
---
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.qcow.hex| 544 
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.qcow2.hex   |  72 ---
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.raw.hex |  20 -
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.vhd.hex |  52 --
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.vhdf.hex|  28 --
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.vhdx.hex|  71 ---
 usr.bin/mkimg/tests/img-1x1-4096-vtoc8.vmdk.hex| 314 
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.qcow.hex | 544 
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.qcow2.hex|  72 ---
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.raw.hex  |  20 -
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.vhd.hex  |  52 --
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.vhdf.hex |  28 --
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.vhdx.hex |  71 ---
 usr.bin/mkimg/tests/img-1x1-512-vtoc8.vmdk.hex | 314 
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.qcow.hex | 550 -
 .../mkimg/tests/img-63x255-4096-vtoc8.qcow2.hex|  77 ---
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.raw.hex  |  22 -
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.vhd.hex  |  59 ---
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.vhdf.hex |  30 --
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.vhdx.hex |  73 ---
 usr.bin/mkimg/tests/img-63x255-4096-vtoc8.vmdk.hex | 324 
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.qcow.hex  | 550 -
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.qcow2.hex |  77 ---
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.raw.hex   |  22 -
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.vhd.hex   |  59 ---
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.vhdf.hex  |  30 --
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.vhdx.hex  |  73 ---
 usr.bin/mkimg/tests/img-63x255-512-vtoc8.vmdk.hex  | 324 
 28 files changed, 4472 deletions(-)

diff --git a/usr.bin/mkimg/tests/img-1x1-4096-vtoc8.qcow.hex 
b/usr.bin/mkimg/tests/img-1x1-4096-vtoc8.qcow.hex
deleted file mode 100644
index 93afee83d903..
--- a/usr.bin/mkimg/tests/img-1x1-4096-vtoc8.qcow.hex
+++ /dev/null
@@ -1,544 +0,0 @@
-  51 46 49 fb 00 00 00 01  00 00 00 00 00 00 00 00  |QFI.|
-0010  00 00 00 00 00 00 00 00  00 00 00 00 00 42 10 00  |.B..|
-0020  0c 09 00 00 00 00 00 00  00 00 00 00 00 00 10 00  ||
-0030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
-*
-1000  00 00 00 00 00 00 20 00  00 00 00 00 00 00 30 00  |.. ...0.|
-1010  00 00 00 00 00 00 40 00  00 00 00 00 00 00 00 00  |..@.|
-1020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
-*
-2000  00 00 00 00 00 00 50 00  00 00 00 00 00 00 60 00  |..P...`.|
-2010  00 00 00 00 00 00 70 00  00 00 00 00 00 00 80 00  |..p.|
-2020  00 00 00 00 00 00 90 00  00 00 00 00 00 00 a0 00  ||
-2030  00 00 00 00 00 00 b0 00  00 00 00 00 00 00 c0 00  ||
-2040  00 00 00 00 00 00 d0 00  00 00 00 00 00 00 e0 00  ||
-2050  00 00 00 00 00 00 f0 00  00 00 00 00 00 01 00 00  ||
-2060  00 00 00 00 00 01 10 00  00 00 00 00 00 01 20 00  |.. .|
-2070  00 00 00 00 00 01 30 00  00 00 00 00 00 01 40 00  |..0...@.|
-2080  00 00 00 00 00 01 50 00  00 00 00 00 00 01 60 00  |..P...`.|
-2090  00 00 00 00 00 01 70 00  00 00 00 00 00 01 80 00  |..p.|
-20a0  00 00 00 00 00 01 90 00  00 00 00 00 00 01 a0 00  ||
-20b0  00 00 00 00 00 01 b0 00  00 00 00 00 00 01 c0 00  ||
-20c0  00 00 00 00 00 01 d0 00  00 00 00 00 00 01 e0 00  ||
-20d0  00 00 00 00 00 01 f0 00  00 00 00 00 00 02 00 00  ||
-20e0  00 00 00 00 00 02 10 00  00 00 00 00 00 02 20 00  |.. .|
-20f0  00 00 00 00 00 02 30 00  00 00 00 00 00 02 40 00  |..0...@.|
-2100  00 00 00 00 00 02 50 00  00 00 00 00 00 02 60 00  |..P...`.|
-2110  00 00 00 00 00 02 70 00  00 00 00 00 00 02 80 00  |..p.|
-2120  00 00 00 00 00 02 90 00  00 00 00 00 00 02 a0 00  ||
-2130  00 00 00 00 00 02 b0 00  00 00 00 00 00 02 c0 00  ||
-2140  00 00 00 00 00 02 d0 00  00 00 00 00 00 02 e0 00  ||
-2150  00 00 00 00 00 02 f0 00  00 00 00 00 00 03 00 00  ||
-2160  00 00 00 00 00 03 10 00  00 00 00 00 00 03 20 00  |..

git: d2abbfede534 - main - mkimg: Regenerate all the tests for gpt

2023-10-17 Thread Warner Losh
The branch main has been updated by imp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d2abbfede5342b19f3e5994140cdb6622c95ef66

commit d2abbfede5342b19f3e5994140cdb6622c95ef66
Author: Warner Losh 
AuthorDate: 2023-10-17 21:54:20 +
Commit: Warner Losh 
CommitDate: 2023-10-17 21:56:19 +

mkimg: Regenerate all the tests for gpt

Recent changes to mkimg have changed the generated GPT images to be more
correct. Use make rebase to regenerate the baseline.

Sponsored by:   Netflix
---
 usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow.hex | 1085 ++--
 usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow2.hex|   43 +-
 usr.bin/mkimg/tests/img-1x1-4096-gpt.raw.hex  |   51 +-
 usr.bin/mkimg/tests/img-1x1-4096-gpt.vhd.hex  |   61 +-
 usr.bin/mkimg/tests/img-1x1-4096-gpt.vhdf.hex |   43 +-
 usr.bin/mkimg/tests/img-1x1-4096-gpt.vhdx.hex |   43 +-
 usr.bin/mkimg/tests/img-1x1-4096-gpt.vmdk.hex |  569 +--
 usr.bin/mkimg/tests/img-1x1-512-gpt.qcow.hex  | 1089 +++--
 usr.bin/mkimg/tests/img-1x1-512-gpt.qcow2.hex |   43 +-
 usr.bin/mkimg/tests/img-1x1-512-gpt.raw.hex   |   51 +-
 usr.bin/mkimg/tests/img-1x1-512-gpt.vhd.hex   |   61 +-
 usr.bin/mkimg/tests/img-1x1-512-gpt.vhdf.hex  |   43 +-
 usr.bin/mkimg/tests/img-1x1-512-gpt.vhdx.hex  |   43 +-
 usr.bin/mkimg/tests/img-1x1-512-gpt.vmdk.hex  |  569 +--
 usr.bin/mkimg/tests/img-63x255-4096-gpt.qcow.hex  | 1085 ++--
 usr.bin/mkimg/tests/img-63x255-4096-gpt.qcow2.hex |   43 +-
 usr.bin/mkimg/tests/img-63x255-4096-gpt.raw.hex   |   51 +-
 usr.bin/mkimg/tests/img-63x255-4096-gpt.vhd.hex   |   43 +-
 usr.bin/mkimg/tests/img-63x255-4096-gpt.vhdf.hex  |   43 +-
 usr.bin/mkimg/tests/img-63x255-4096-gpt.vhdx.hex  |   43 +-
 usr.bin/mkimg/tests/img-63x255-4096-gpt.vmdk.hex  |  569 +--
 usr.bin/mkimg/tests/img-63x255-512-gpt.qcow.hex   | 1089 +++--
 usr.bin/mkimg/tests/img-63x255-512-gpt.qcow2.hex  |   43 +-
 usr.bin/mkimg/tests/img-63x255-512-gpt.raw.hex|   51 +-
 usr.bin/mkimg/tests/img-63x255-512-gpt.vhd.hex|   43 +-
 usr.bin/mkimg/tests/img-63x255-512-gpt.vhdf.hex   |   43 +-
 usr.bin/mkimg/tests/img-63x255-512-gpt.vhdx.hex   |   43 +-
 usr.bin/mkimg/tests/img-63x255-512-gpt.vmdk.hex   |  569 +--
 28 files changed, 3798 insertions(+), 3754 deletions(-)

diff --git a/usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow.hex 
b/usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow.hex
index a974400ad2e8..ae764c000ae7 100644
--- a/usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow.hex
+++ b/usr.bin/mkimg/tests/img-1x1-4096-gpt.qcow.hex
@@ -1,5 +1,6 @@
+# $FreeBSD$
   51 46 49 fb 00 00 00 01  00 00 00 00 00 00 00 00  |QFI.|
-0010  00 00 00 00 00 00 00 00  00 00 00 00 00 42 20 00  |.B .|
+0010  00 00 00 00 00 00 00 00  00 00 00 00 00 42 a0 00  |.B..|
 0020  0c 09 00 00 00 00 00 00  00 00 00 00 00 00 10 00  ||
 0030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 *
@@ -7,569 +8,573 @@
 1010  00 00 00 00 00 00 40 00  00 00 00 00 00 00 00 00  |..@.|
 1020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 *
-2000  00 00 00 00 00 00 50 00  00 00 00 00 00 00 60 00  |..P...`.|
-2010  00 00 00 00 00 00 70 00  00 00 00 00 00 00 80 00  |..p.|
-2020  00 00 00 00 00 00 90 00  00 00 00 00 00 00 a0 00  ||
-2030  00 00 00 00 00 00 b0 00  00 00 00 00 00 00 c0 00  ||
-2040  00 00 00 00 00 00 d0 00  00 00 00 00 00 00 e0 00  ||
-2050  00 00 00 00 00 00 f0 00  00 00 00 00 00 01 00 00  ||
-2060  00 00 00 00 00 01 10 00  00 00 00 00 00 01 20 00  |.. .|
-2070  00 00 00 00 00 01 30 00  00 00 00 00 00 01 40 00  |..0...@.|
-2080  00 00 00 00 00 01 50 00  00 00 00 00 00 01 60 00  |..P...`.|
-2090  00 00 00 00 00 01 70 00  00 00 00 00 00 01 80 00  |..p.|
-20a0  00 00 00 00 00 01 90 00  00 00 00 00 00 01 a0 00  ||
-20b0  00 00 00 00 00 01 b0 00  00 00 00 00 00 01 c0 00  ||
-20c0  00 00 00 00 00 01 d0 00  00 00 00 00 00 01 e0 00  ||
-20d0  00 00 00 00 00 01 f0 00  00 00 00 00 00 02 00 00  ||
-20e0  00 00 00 00 00 02 10 00  00 00 00 00 00 02 20 00  |.. .|
-20f0  00 00 00 00 00 02 30 00  00 00 00 00 00 02 40 00  |..0...@.|
-2100  00 00 00 00 00 02 50 00  00 00 00 00 00 02 60 00  |..P...`.|
-2110  00 00 00 00 00 02 70 00  00 00 00 00 00 02 80 00  |..p.|
-2120  00 00 00 00 00 02 90 00  00 00 00 00 00 02 a0 00  ||
-2130  00 00 00 00 00 02 b0 00  00 00 00 00 00 02 c0 00  ||
-2140  00 00 00 00 00 02 d0 00  00 00 00 00 00 02 e0 00  ||
-2150  00 00 00 00 00 02 f0 00  00 00 00

git: db7257ef972e - main - nfsd: Fix a server crash

2023-10-17 Thread Rick Macklem
The branch main has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=db7257ef972ed75e33929d39fd791d3699b53c63

commit db7257ef972ed75e33929d39fd791d3699b53c63
Author: Rick Macklem 
AuthorDate: 2023-10-18 02:40:23 +
Commit: Rick Macklem 
CommitDate: 2023-10-18 02:43:25 +

nfsd: Fix a server crash

PR#274346 reports a crash which appears to be caused by a NULL default session
being destroyed.  This patch should avoid the crash.

Tested by:  Joshua Kinard 
PR: 274346
MFC after:  2 weeks
---
 sys/fs/nfs/nfs_commonkrpc.c | 9 +
 sys/fs/nfs/nfs_commonsubs.c | 6 --
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonkrpc.c b/sys/fs/nfs/nfs_commonkrpc.c
index 936373c79366..29c7cdbd671c 100644
--- a/sys/fs/nfs/nfs_commonkrpc.c
+++ b/sys/fs/nfs/nfs_commonkrpc.c
@@ -1208,6 +1208,14 @@ tryagain:
NFSCL_DEBUG(1, "Got badsession\n");
NFSLOCKCLSTATE();
NFSLOCKMNT(nmp);
+   if (TAILQ_EMPTY(&nmp->nm_sess)) {
+   NFSUNLOCKMNT(nmp);
+   NFSUNLOCKCLSTATE();
+   printf("If server has not rebooted, "
+   "check NFS clients for unique "
+   "/etc/hostid's\n");
+   goto out;
+   }
sep = NFSMNT_MDSSESSION(nmp);
if (bcmp(sep->nfsess_sessionid, nd->nd_sequence,
NFSX_V4SESSIONID) == 0) {
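Review bot: The added `printf()` has no rate limit and fires each time this bad-session branch is reached with an empty `nmp->nm_sess`, a condition driven by what the server replies. A misbehaving server or a duplicated hostid could therefore fill the console and system log; gating the message with `ppsratecheck()` or a once-per-mount flag would bound that. The text also carries no subsystem prefix or mount identification, so on a client with several NFS mounts the administrator cannot tell which one is affected. The `goto out` skips the rest of the reply handling, which lies outside the hunk, so the value left in `nd->nd_repstat` on this path should be confirmed as the intended one.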
@@ -1388,6 +1396,7 @@ tryagain:
nd->nd_repstat = NFSERR_STALEDONTRECOVER;
}
}
+out:
 
 #ifdef KDTRACE_HOOKS
if (nmp != NULL && dtrace_nfscl_nfs234_done_probe != NULL) {
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index ffe1ec542492..f2305795e53e 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -5141,11 +5141,13 @@ nfsrpc_destroysession(struct nfsmount *nmp, struct 
nfsclsession *tsep,
struct nfsrv_descript *nd = &nfsd;
int error;
 
+   if (tsep == NULL)
+   tsep = nfsmnt_mdssession(nmp);
+   if (tsep == NULL)
+   return (0);
nfscl_reqstart(nd, NFSPROC_DESTROYSESSION, nmp, NULL, 0, NULL, NULL, 0,
0, NULL);
NFSM_BUILD(tl, uint32_t *, NFSX_V4SESSIONID);
-   if (tsep == NULL)
-   tsep = nfsmnt_mdssession(nmp);
bcopy(tsep->nfsess_sessionid, tl, NFSX_V4SESSIONID);
nd->nd_flag |= ND_USEGSSNAME;
error = newnfs_request(nd, nmp, NULL, &nmp->nm_sockreq, NULL, p, cred,
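Review bot: The new early `return (0)` makes nfsrpc_destroysession() report success when there is no session to destroy, and nothing in the hunk says that this is intended. A one-line comment above it would make the contract explicit, e.g. `/* No session on this mount: nothing to destroy, not an error. */`. Callers, which are outside the hunk, that use the return value to decide whether session state was torn down should be checked against this case. The function body continues past the hunk.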



git: c9ec2fb86cf1 - stable/14 - linux(4): Drop the outdated comments about sixth register on i386 int0x80

2023-10-17 Thread Dmitry Chagin
The branch stable/14 has been updated by dchagin:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c9ec2fb86cf1c88624ff4e1694a19543771bffb4

commit c9ec2fb86cf1c88624ff4e1694a19543771bffb4
Author: Dmitry Chagin 
AuthorDate: 2023-10-10 09:33:22 +
Commit: Dmitry Chagin 
CommitDate: 2023-10-18 05:52:33 +

linux(4): Drop the outdated comments about sixth register on i386 int0x80

This is well documented in the Linux syscall(2).

MFC after:  1 week

(cherry picked from commit 5bdd74cc05e6c7d110688feacdbd22b6dffe5d72)
---
 sys/amd64/linux32/linux32_sysvec.c | 2 +-
 sys/i386/linux/linux_sysvec.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/amd64/linux32/linux32_sysvec.c 
b/sys/amd64/linux32/linux32_sysvec.c
index 7104cc50735e..1002648c3df8 100644
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@@ -525,7 +525,7 @@ linux32_fetch_syscall_args(struct thread *td)
sa->args[2] = frame->tf_rdx;
sa->args[3] = frame->tf_rsi;
sa->args[4] = frame->tf_rdi;
-   sa->args[5] = frame->tf_rbp;/* Unconfirmed */
+   sa->args[5] = frame->tf_rbp;
sa->code = frame->tf_rax;
sa->original_code = sa->code;
 
diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c
index a3d445951cce..8990b9b806ca 100644
--- a/sys/i386/linux/linux_sysvec.c
+++ b/sys/i386/linux/linux_sysvec.c
@@ -518,7 +518,7 @@ linux_fetch_syscall_args(struct thread *td)
sa->args[2] = frame->tf_edx;
sa->args[3] = frame->tf_esi;
sa->args[4] = frame->tf_edi;
-   sa->args[5] = frame->tf_ebp;/* Unconfirmed */
+   sa->args[5] = frame->tf_ebp;
 
if (sa->code >= p->p_sysent->sv_size)
/* nosys */



git: 133ada6bff53 - stable/14 - linux(4): Drop the outdated comment, nosys is fine since 39024a89

2023-10-17 Thread Dmitry Chagin
The branch stable/14 has been updated by dchagin:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=133ada6bff538483f308296ee944aa5ee24954ee

commit 133ada6bff538483f308296ee944aa5ee24954ee
Author: Dmitry Chagin 
AuthorDate: 2023-10-10 09:20:51 +
Commit: Dmitry Chagin 
CommitDate: 2023-10-18 05:52:33 +

linux(4): Drop the outdated comment, nosys is fine since 39024a89

MFC after:  1 week

(cherry picked from commit 03f5bd1e462576838e79145379ce314e2e03e4b3)
---
 sys/arm64/linux/linux_sysvec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/arm64/linux/linux_sysvec.c b/sys/arm64/linux/linux_sysvec.c
index 19dd5866ba50..a850d5e34bc0 100644
--- a/sys/arm64/linux/linux_sysvec.c
+++ b/sys/arm64/linux/linux_sysvec.c
@@ -121,7 +121,7 @@ linux_fetch_syscall_args(struct thread *td)
 
sa->code = td->td_frame->tf_x[8];
sa->original_code = sa->code;
-   /* LINUXTODO: generic syscall? */
+
if (sa->code >= p->p_sysent->sv_size)
sa->callp = &nosys_sysent;
else



git: 44e3ce37f2f8 - stable/14 - uma.h: Fix a typo in a source code comment

2023-10-17 Thread Gordon Bergling
The branch stable/14 has been updated by gbe:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=44e3ce37f2f849ca457e2d14fba132972f0bbe01

commit 44e3ce37f2f849ca457e2d14fba132972f0bbe01
Author: Gordon Bergling 
AuthorDate: 2023-10-15 12:09:21 +
Commit: Gordon Bergling 
CommitDate: 2023-10-18 05:57:16 +

uma.h: Fix a typo in a source code comment

- s/setable/settable/

(cherry picked from commit fc9f1d2c6391b1a4b133aab56ace625b72c9ea85)
---
 sys/vm/uma.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/vm/uma.h b/sys/vm/uma.h
index 31f8dba33081..76f30efc94d1 100644
--- a/sys/vm/uma.h
+++ b/sys/vm/uma.h
@@ -637,7 +637,7 @@ void uma_zone_set_smr(uma_zone_t zone, smr_t smr);
 smr_t uma_zone_get_smr(uma_zone_t zone);
 
 /*
- * These flags are setable in the allocf and visible in the freef.
+ * These flags are settable in the allocf and visible in the freef.
  */
 #define UMA_SLAB_BOOT  0x01/* Slab alloced from boot pages */
 #define UMA_SLAB_KERNEL0x04/* Slab alloced from kmem */



git: 6c4855c18eed - stable/13 - uma.h: Fix a typo in a source code comment

2023-10-17 Thread Gordon Bergling
The branch stable/13 has been updated by gbe:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6c4855c18eed77d2482bbe9cc32498bd3ad6fbe2

commit 6c4855c18eed77d2482bbe9cc32498bd3ad6fbe2
Author: Gordon Bergling 
AuthorDate: 2023-10-15 12:09:21 +
Commit: Gordon Bergling 
CommitDate: 2023-10-18 05:57:39 +

uma.h: Fix a typo in a source code comment

- s/setable/settable/

(cherry picked from commit fc9f1d2c6391b1a4b133aab56ace625b72c9ea85)
---
 sys/vm/uma.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/vm/uma.h b/sys/vm/uma.h
index 794bde878197..954d64c4d63b 100644
--- a/sys/vm/uma.h
+++ b/sys/vm/uma.h
@@ -636,7 +636,7 @@ void uma_zone_set_smr(uma_zone_t zone, smr_t smr);
 smr_t uma_zone_get_smr(uma_zone_t zone);
 
 /*
- * These flags are setable in the allocf and visible in the freef.
+ * These flags are settable in the allocf and visible in the freef.
  */
 #define UMA_SLAB_BOOT  0x01/* Slab alloced from boot pages */
 #define UMA_SLAB_KERNEL0x04/* Slab alloced from kmem */



git: ef1dad6d83ff - main - stress2: Fix "-Wunused-but-set-variable" warnings

2023-10-17 Thread Peter Holm
The branch main has been updated by pho:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ef1dad6d83ff662ed211433ac2e5805bae5d04e9

commit ef1dad6d83ff662ed211433ac2e5805bae5d04e9
Author: Peter Holm 
AuthorDate: 2023-10-18 06:54:38 +
Commit: Peter Holm 
CommitDate: 2023-10-18 06:54:38 +

stress2: Fix "-Wunused-but-set-variable" warnings
---
 tools/test/stress2/misc/exlock2.sh | 15 +--
 tools/test/stress2/misc/fcntl2.sh  |  2 ++
 tools/test/stress2/misc/fifo2.sh   |  8 
 tools/test/stress2/misc/mmap18.sh  | 13 -
 tools/test/stress2/misc/mmap32.sh  |  5 ++---
 tools/test/stress2/misc/poll2.sh   |  4 ++--
 tools/test/stress2/misc/procfs4.sh |  7 +++
 tools/test/stress2/misc/sendfile25.sh  |  4 +---
 tools/test/stress2/misc/setsockopt2.sh |  3 +++
 9 files changed, 26 insertions(+), 35 deletions(-)

diff --git a/tools/test/stress2/misc/exlock2.sh 
b/tools/test/stress2/misc/exlock2.sh
index 58a49919d86a..e1760cc52a4d 100755
--- a/tools/test/stress2/misc/exlock2.sh
+++ b/tools/test/stress2/misc/exlock2.sh
@@ -68,6 +68,7 @@ EOF
 #include 
 
 static _Atomic(int) *share;
+static int debug; /* Set to "1" for debug output */
 static int quit;
 static char file[80];
 
@@ -101,9 +102,8 @@ test1(void)
;   /* wait for test2 to signal "done" */
close(fd);
}
-#if defined(DEBUG)
-   fprintf(stderr, "%s: n = %d\n", __func__, n);
-#endif
+   if (debug != 0)
+   fprintf(stderr, "%s: n = %d\n", __func__, n);
 
_exit(0);
 }
@@ -114,17 +114,15 @@ test2(void)
struct flock fl;
struct stat st;
time_t start;
-   int e, fd, n;
+   int e, fd;
 
e = 0;
fd = 0;
-   n = 0;
start = time(NULL);
while (time(NULL) - start < RUNTIME) {
share[SYNC] = 1;
if ((fd = open(file, O_RDWR)) == -1)
goto out;
-   n++;
memset(&fl, 0, sizeof(fl));
fl.l_start = 0;
fl.l_len = 0;
@@ -151,12 +149,9 @@ out:
share[SYNC] = 0;
usleep(100);
}
-#if defined(DEBUG)
-   if (e != 0) {
+   if (debug != 0 && e != 0)
system("ps -Uroot | grep -v grep | grep  /tmp/exlock2 | "\
"awk '{print $1}' | xargs procstat -f");
-   }
-#endif
share[SYNC] = 0;
 
_exit(e);
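Review bot: The `system()` pipeline after the `out:` label now hangs off an unbraced `if` and is compiled into every build, where it used to be excluded unless DEBUG was defined. The call spans two source lines, so I would keep the braces the old code had, `if (debug != 0 && e != 0) {` … `}`. A short comment would also help, since the command string is a fixed literal handed to the shell and `ps`, `grep`, `awk`, `xargs` and `procstat` are looked up through the caller's PATH: `/* debug only: fixed command line, run via sh(1) with the caller's PATH */`. `debug` has no assignment in the visible hunks, so the branch appears reachable only after editing the source. The enclosing function (presumably test2) starts outside this hunk.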
diff --git a/tools/test/stress2/misc/fcntl2.sh 
b/tools/test/stress2/misc/fcntl2.sh
index 80be1bd05e5a..acb161fd0523 100755
--- a/tools/test/stress2/misc/fcntl2.sh
+++ b/tools/test/stress2/misc/fcntl2.sh
@@ -150,6 +150,8 @@ test(void)
}
close(fd);
unlink(file);
+   if (success == 0)
+   fprintf(stderr, "No calls to fcntl() succeeded.\n");
 
_exit(0);
 }
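Review bot: The new `success == 0` check prints a message, but the function still ends in `_exit(0)`, so a run in which no fcntl() call succeeded is reported to the caller as a pass. If that outcome is meant to be a failure, return a non-zero status, e.g. `_exit(success == 0 ? 1 : 0);`. If it is only informational, say so in a comment such as `/* informational only; not treated as a test failure */`. The body of test() starts outside the hunk, so how `success` is counted is not visible here.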
diff --git a/tools/test/stress2/misc/fifo2.sh b/tools/test/stress2/misc/fifo2.sh
index 9e4a7e632e9d..4a7b986931d9 100755
--- a/tools/test/stress2/misc/fifo2.sh
+++ b/tools/test/stress2/misc/fifo2.sh
@@ -96,6 +96,7 @@ EOF
 #include 
 
 #define N (128 * 1024 / (int)sizeof(u_int32_t))
+static int debug; /* Set to 1 for debug output */
 u_int32_t r[N];
 
 static void
@@ -143,11 +144,10 @@ calls(void *arg __unused)
arg6 = makearg();
arg7 = makearg();
 
-#if 0
-   fprintf(stderr, "%2d : syscall(%3d, %lx, %lx, %lx, %lx, %lx, 
%lx, %lx)\n",
-   i, SYS_open, arg1, arg2, arg3, arg4, arg5, arg6, arg7);
+   if (debug != 0)
+   fprintf(stderr, "%2d : syscall(%3d, %lx, %lx, %lx, %lx, 
%lx, %lx, %lx)\n",
+   i, SYS_open, arg1, arg2, arg3, arg4, arg5, arg6, 
arg7);
usleep(10);
-#endif
alarm(1);
syscall(SYS_open, arg1, arg2, arg3, arg4, arg5, arg6, arg7);
}
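Review bot: `usleep(10);` used to sit inside the `#if 0` block and was never compiled, but it now follows an unbraced `if (debug != 0)` and so runs on every loop iteration regardless of `debug`. If the delay is meant to accompany the debug print only, brace both statements: `if (debug != 0) { fprintf(...); usleep(10); }`. If the delay is now intended for all runs, a one-line comment saying so would stop the next reader from treating it as a slip. The enclosing loop in calls() starts outside the hunk.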
diff --git a/tools/test/stress2/misc/mmap18.sh 
b/tools/test/stress2/misc/mmap18.sh
index 065b5bb7df6c..f2b19c07fe60 100755
--- a/tools/test/stress2/misc/mmap18.sh
+++ b/tools/test/stress2/misc/mmap18.sh
@@ -89,6 +89,7 @@ EOF
 
 static u_int32_t r[N];
 static void *p;
+static int debug; /* set to 1 for debug output */
 
 static unsigned long
 makearg(void)
@@ -176,11 +177,9 @@ tmlock(void *arg __unused)
if (munlock(makeptr(), len) == 0)
n++;
}
-#if defined(DEBUG)
-   if (n < 10)
+   if (debug != 0 && n < 10)
fprintf(stderr, "Note: tmlock() only succeeded %d "
"times.\n", n);
-#endif
 
return (NULL);
 }
@@ -202,11 +201,9 @@ tmprotect(void *arg __unused)
n++;
usleep(1000);
}
-#if defined(DEBUG)
-   if (n < 10)
+   if (debug != 0 && n < 10)
fprintf(stderr, "Note: tmprotect() only succeeded %d "
"times.\n", n);
-#endif
 
return (NULL);
 }
@@ -226,11 +223,9 @@ tm