git: 65d1a4cfda73 - main - Handle KDB_WHY_TRAP return on arm and mips
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=65d1a4cfda73201e34768d881a0b9206d00d4a71 commit 65d1a4cfda73201e34768d881a0b9206d00d4a71 Author: Mitchell Horne AuthorDate: 2021-01-02 23:07:04 + Commit: Mitchell Horne CommitDate: 2021-01-02 23:07:04 + Handle KDB_WHY_TRAP return on arm and mips Upon exit from the debugger, checking the return code of kdb_trap() allows one to retry the fatal page fault. This matches what is done on all other architectures. Reviewed by:jhb (earlier version) Differential Revision: https://reviews.freebsd.org/D27535 --- sys/arm/arm/trap-v6.c | 7 ++- sys/mips/mips/trap.c | 7 ++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/sys/arm/arm/trap-v6.c b/sys/arm/arm/trap-v6.c index e35187da6d07..16f166e83114 100644 --- a/sys/arm/arm/trap-v6.c +++ b/sys/arm/arm/trap-v6.c @@ -562,6 +562,9 @@ abort_fatal(struct trapframe *tf, u_int idx, u_int fsr, u_int far, bool usermode; const char *mode; const char *rw_mode; +#ifdef KDB + bool handled; +#endif usermode = TRAPF_USERMODE(tf); #ifdef KDTRACE_HOOKS @@ -609,8 +612,10 @@ abort_fatal(struct trapframe *tf, u_int idx, u_int fsr, u_int far, #ifdef KDB if (debugger_on_trap) { kdb_why = KDB_WHY_TRAP; - kdb_trap(fsr, 0, tf); + handled = kdb_trap(fsr, 0, tf); kdb_why = KDB_WHY_UNSET; + if (handled) + return (0); } #endif panic("Fatal abort"); diff --git a/sys/mips/mips/trap.c b/sys/mips/mips/trap.c index 78e7c0ed8113..96a2de4ee817 100644 --- a/sys/mips/mips/trap.c +++ b/sys/mips/mips/trap.c @@ -524,6 +524,9 @@ trap(struct trapframe *trapframe) register_t pc; int cop, error; register_t *frame_regs; +#ifdef KDB + bool handled; +#endif trapdebug_enter(trapframe, 0); #ifdef KDB 
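Review bot: The new early return in abort_fatal() (`if (handled) return (0);`) has no comment saying what returning means here, and it sits directly above `panic("Fatal abort")`, so a reader cannot tell why a fatal abort may now return. I would add `/* kdb handled the trap; return so the faulting access is retried. */` above the `if (handled)` line, and the same above `return (trapframe->pc);` in the mips trap() hunk. Both functions start and end outside their hunks, so what the callers do with the returned value is not visible here and should be confirmed to be a retry on every path that reaches this point.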
@@ -1091,8 +1094,10 @@ err: #ifdef KDB if (debugger_on_trap) { kdb_why = KDB_WHY_TRAP; - kdb_trap(type, 0, trapframe); + handled = kdb_trap(type, 0, trapframe); kdb_why = KDB_WHY_UNSET; + if (handled) + return (trapframe->pc); } #endif panic("trap"); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: de2b94228075 - main - arm64: validate breakpoint registers
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=de2b9422807586d376ec7ffa7b660cd492464bdf commit de2b9422807586d376ec7ffa7b660cd492464bdf Author: Mitchell Horne AuthorDate: 2021-02-09 18:29:38 + Commit: Mitchell Horne CommitDate: 2021-02-17 16:05:00 + arm64: validate breakpoint registers In particular, we want to disallow setting breakpoints on kernel addresses from userspace. The control register fields are validated or ignored as appropriate. Reviewed by:markj MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28560 --- sys/arm64/arm64/machdep.c | 37 + sys/arm64/include/armreg.h | 17 + 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index 90fc19d57415..bf44dba19482 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -357,6 +357,8 @@ int set_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; + uint64_t addr; + uint32_t ctrl; int count; int i; 
@@ -364,11 +366,38 @@ set_dbregs(struct thread *td, struct dbreg *regs) count = 0; monitor->dbg_enable_count = 0; for (i = 0; i < DBG_BRP_MAX; i++) { - /* TODO: Check these values */ - monitor->dbg_bvr[i] = regs->db_regs[i].dbr_addr; - monitor->dbg_bcr[i] = regs->db_regs[i].dbr_ctrl; - if ((monitor->dbg_bcr[i] & 1) != 0) + addr = regs->db_regs[i].dbr_addr; + ctrl = regs->db_regs[i].dbr_ctrl; + + /* Don't let the user set a breakpoint on a kernel address. */ + if (addr >= VM_MAXUSER_ADDRESS) + return (EINVAL); + + /* +* The lowest 2 bits are ignored, so record the effective +* address. +*/ + addr = rounddown2(addr, 4); + + /* +* Some control fields are ignored, and other bits reserved. +* Only unlinked, address-matching breakpoints are supported. +* +* XXX: fields that appear unvalidated, such as BAS, have +* constrained undefined behaviour. If the user mis-programs +* these, there is no risk to the system. +*/ + ctrl &= DBG_BCR_EN | DBG_BCR_PMC | DBG_BCR_BAS; + if ((ctrl & DBG_BCR_EN) != 0) { + /* Only target EL0. */ + if ((ctrl & DBG_BCR_PMC) != DBG_BCR_PMC_EL0) + return (EINVAL); + monitor->dbg_enable_count++; + } + + monitor->dbg_bvr[i] = addr; + monitor->dbg_bcr[i] = ctrl; } if (monitor->dbg_enable_count > 0) monitor->dbg_flags |= DBGMON_ENABLED; diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index f5d25a572466..f2bce02782ec 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h 
@@ -944,6 +944,23 @@ #defineDBG_MDSCR_KDE (0x1 << 13) #defineDBG_MDSCR_MDE (0x1 << 15) +/* Debug Breakpoint Control Registers */ +#defineDBG_BCR_EN 0x1 +#defineDBG_BCR_PMC_SHIFT 1 +#defineDBG_BCR_PMC (0x3 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL1(0x1 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL0(0x2 << DBG_BCR_PMC_SHIFT) +#defineDBG_BCR_BAS_SHIFT 5 +#defineDBG_BCR_BAS (0xf << DBG_BCR_BAS_SHIFT) +#defineDBG_BCR_HMC_SHIFT 13 +#defineDBG_BCR_HMC (0x1 << DBG_BCR_HMC_SHIFT) +#defineDBG_BCR_SSC_SHIFT 14 +#defineDBG_BCR_SSC (0x3 << DBG_BCR_SSC_SHIFT) +#defineDBG_BCR_LBN_SHIFT 16 +#defineDBG_BCR_LBN (0xf << DBG_BCR_LBN_SHIFT) +#defineDBG_BCR_BT_SHIFT20 +#defineDBG_BCR_BT (0xf << DBG_BCR_BT_SHIFT) + /* Perfomance Monitoring Counters */ #definePMCR_E (1 << 0) /* Enable all counters */ #definePMCR_P (1 << 1) /* Reset all counters */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: bd012c715923 - main - arm64: handle watchpoint exceptions from EL0
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=bd012c71592323d957b409bb5e0cf7940729650e commit bd012c71592323d957b409bb5e0cf7940729650e Author: Mitchell Horne AuthorDate: 2021-02-05 21:46:48 + Commit: Mitchell Horne CommitDate: 2021-02-17 16:05:00 + arm64: handle watchpoint exceptions from EL0 This is a prerequisite to allowing the use of hardware watchpoints for userspace debuggers. This is also a slight departure from the x86 behaviour, since `si_addr` returns the data address that triggered the watchpoint, not the address of the instruction that was executed. Otherwise, there is no straightforward way for the application to determine which watchpoint was triggered. Make a note of this in the siginfo(3) man page. Reviewed by:jhb, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28561 --- share/man/man3/siginfo.3 | 7 ++- sys/arm64/arm64/trap.c | 6 ++ sys/arm64/include/armreg.h | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/share/man/man3/siginfo.3 b/share/man/man3/siginfo.3 index fc4ea2ba1df7..acc8785b2f0d 100644 --- a/share/man/man3/siginfo.3 +++ b/share/man/man3/siginfo.3 @@ -27,7 +27,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 28, 2020 +.Dd February 17, 2021 .Dt SIGINFO 3 .Os .Sh NAME @@ -218,6 +218,11 @@ and may report the address of the faulting memory access (if available) in .Va si_addr instead. +Additionally +.Dv SIGTRAP +raised by a hardware watchpoint exception may report the data address that +triggered the watchpoint in +.Va si_addr . .Pp Sychronous signals set .Va si_trapno diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c index 0b2d4760cea3..cb3a05ad0163 100644 --- a/sys/arm64/arm64/trap.c +++ b/sys/arm64/arm64/trap.c 
@@ -474,6 +474,7 @@ do_el0_sync(struct thread *td, struct trapframe *frame) case EXCP_UNKNOWN: case EXCP_DATA_ABORT_L: case EXCP_DATA_ABORT: + case EXCP_WATCHPT_EL0: far = READ_SPECIALREG(far_el1); break; } @@ -534,6 +535,11 @@ do_el0_sync(struct thread *td, struct trapframe *frame) exception); userret(td, frame); break; + case EXCP_WATCHPT_EL0: + call_trapsignal(td, SIGTRAP, TRAP_TRACE, (void *)far, + exception); + userret(td, frame); + break; case EXCP_MSR: /* * The CPU can raise EXCP_MSR when userspace executes an mrs diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index f2bce02782ec..70390d4ebf1e 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h @@ -230,6 +230,7 @@ #define EXCP_BRKPT_EL0 0x30/* Hardware breakpoint, from same EL */ #define EXCP_SOFTSTP_EL0 0x32/* Software Step, from lower EL */ #define EXCP_SOFTSTP_EL1 0x33/* Software Step, from same EL */ +#define EXCP_WATCHPT_EL0 0x34/* Watchpoint, from lower EL */ #define EXCP_WATCHPT_EL1 0x35/* Watchpoint, from same EL */ #define EXCP_BRK 0x3c/* Breakpoint */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
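Review bot: The new `case EXCP_WATCHPT_EL0:` in the signal-delivery switch passes `far` as si_addr with code `TRAP_TRACE`, and nothing at the call site says that si_addr is a data address here rather than a PC. I would add `/* si_addr is the watched data address (FAR_EL1), not the PC. */` above the `call_trapsignal()` call, since the commit message calls this out as a departure from x86. If the single-step case in the same switch also reports `TRAP_TRACE` (not visible in this hunk), a debugger has only si_addr to tell the two apart, which is worth stating in the comment as well. do_el0_sync() starts and ends outside both hunks; the stable/13 cherry-pick 9372df63ad5b has the same lines.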
git: f2583be110ca - main - arm64: extend struct db_reg to include watchpoint registers
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f2583be110ca3a5b32f0993f1464a5c69151c62f commit f2583be110ca3a5b32f0993f1464a5c69151c62f Author: Mitchell Horne AuthorDate: 2021-01-28 17:49:47 + Commit: Mitchell Horne CommitDate: 2021-02-17 16:05:00 + arm64: extend struct db_reg to include watchpoint registers The motivation is to provide access to these registers from userspace via ptrace(2) requests PT_GETDBREGS and PT_SETDBREGS. This change breaks the ABI of these particular requests, but is justified by the fact that the intended consumers (debuggers) have not been taught to use them yet. Making this change now enables active upstream work on lldb to begin using this interface, and take advantage of the hardware debugging registers available on the platform. PR: 252860 Reported by:Michał Górny (mgo...@gentoo.org) Reviewed by:andrew, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28415 --- sys/arm64/arm64/identcpu.c | 2 +- sys/arm64/arm64/machdep.c | 71 ++ sys/arm64/include/armreg.h | 22 ++ sys/arm64/include/reg.h| 13 +++-- 4 files changed, 92 insertions(+), 16 deletions(-) diff --git a/sys/arm64/arm64/identcpu.c b/sys/arm64/arm64/identcpu.c index bfbaad7a6483..c3544e9de9aa 100644 --- a/sys/arm64/arm64/identcpu.c +++ b/sys/arm64/arm64/identcpu.c @@ -350,7 +350,7 @@ static struct mrs_field id_aa64dfr0_fields[] = { MRS_FIELD(ID_AA64DFR0, PMSVer, false, MRS_EXACT, id_aa64dfr0_pmsver), MRS_FIELD(ID_AA64DFR0, CTX_CMPs, false, MRS_EXACT, id_aa64dfr0_ctx_cmps), - MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_EXACT, id_aa64dfr0_wrps), + MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_LOWER, id_aa64dfr0_wrps), MRS_FIELD(ID_AA64DFR0, BRPs, false, MRS_LOWER, id_aa64dfr0_brps), MRS_FIELD(ID_AA64DFR0, PMUVer, false, MRS_EXACT, id_aa64dfr0_pmuver), MRS_FIELD(ID_AA64DFR0, TraceVer, false, MRS_EXACT, 
diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index bf44dba19482..73b06beeba7e 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -321,8 +321,8 @@ int fill_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; - int count, i; - uint8_t debug_ver, nbkpts; + int i; + uint8_t debug_ver, nbkpts, nwtpts; memset(regs, 0, sizeof(*regs)); @@ -330,23 +330,30 @@ fill_dbregs(struct thread *td, struct dbreg *regs) &debug_ver); extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_BRPs_SHIFT, &nbkpts); + extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_WRPs_SHIFT, + &nwtpts); /* * The BRPs field contains the number of breakpoints - 1. Armv8-A * allows the hardware to provide 2-16 breakpoints so this won't -* overflow an 8 bit value. +* overflow an 8 bit value. The same applies to the WRPs field. */ - count = nbkpts + 1; + nbkpts++; + nwtpts++; - regs->db_info = debug_ver; - regs->db_info <<= 8; - regs->db_info |= count; + regs->db_debug_ver = debug_ver; + regs->db_nbkpts = nbkpts; + regs->db_nwtpts = nwtpts; monitor = &td->td_pcb->pcb_dbg_regs; if ((monitor->dbg_flags & DBGMON_ENABLED) != 0) { - for (i = 0; i < count; i++) { - regs->db_regs[i].dbr_addr = monitor->dbg_bvr[i]; - regs->db_regs[i].dbr_ctrl = monitor->dbg_bcr[i]; + for (i = 0; i < nbkpts; i++) { + regs->db_breakregs[i].dbr_addr = monitor->dbg_bvr[i]; + regs->db_breakregs[i].dbr_ctrl = monitor->dbg_bcr[i]; + } + for (i = 0; i < nwtpts; i++) { + regs->db_watchregs[i].dbw_addr = monitor->dbg_wvr[i]; + regs->db_watchregs[i].dbw_ctrl = monitor->dbg_wcr[i]; } } 
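Review bot: In fill_dbregs() the loop bounds `nbkpts` and `nwtpts` come straight from `extract_user_id_field()`, whose result is not checked in the visible lines, and they index `regs->db_breakregs[]`/`db_watchregs[]` and `monitor->dbg_wvr[]` without being clamped to the array sizes. If that helper can fail without writing its output, the uninitialised `uint8_t` is incremented and used as the bound. Initialising them (`uint8_t debug_ver = 0, nbkpts = 0, nwtpts = 0;`) and clamping, e.g. `nwtpts = MIN(nwtpts, nitems(regs->db_watchregs));`, keeps the copy inside both arrays whatever the ID register reports. The array declarations are outside this hunk, so the sizes need confirming against reg.h.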
@@ -365,9 +372,10 @@ set_dbregs(struct thread *td, struct dbreg *regs) monitor = &td->td_pcb->pcb_dbg_regs; count = 0; monitor->dbg_enable_count = 0; + for (i = 0; i < DBG_BRP_MAX; i++) { - addr = regs->db_regs[i].dbr_addr; - ctrl = regs->db_regs[i].dbr_ctrl; + addr = regs->db_breakregs[i].dbr_addr; + ctrl = regs->db_breakregs[i].dbr_ctrl; /* Don't let the user set a breakpoint on a kernel address. */ if (addr >= VM_MAXUSER_ADDRESS) @@ -399,6 +407,45
git: 45eabf5754ac - main - Bump __FreeBSD_version after f2583be110ca
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=45eabf5754ac1d291bd677fdf29f59ce4bbc2c8f commit 45eabf5754ac1d291bd677fdf29f59ce4bbc2c8f Author: Mitchell Horne AuthorDate: 2021-02-17 15:56:40 + Commit: Mitchell Horne CommitDate: 2021-02-17 16:09:06 + Bump __FreeBSD_version after f2583be110ca Provide a compatibility point around the ABI-breaking change. Sponsored by: The FreeBSD Foundation --- sys/sys/param.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/sys/param.h b/sys/sys/param.h index fa02b55d1f1b..0f0854f359fd 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -60,7 +60,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 144 /* Master, propagated to newvers */ +#define __FreeBSD_version 145 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 39df2b568230 - main - arm64: use macros to access special register values
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=39df2b568230e02350684e4f4d8353023daa1749 commit 39df2b568230e02350684e4f4d8353023daa1749 Author: Mitchell Horne AuthorDate: 2021-01-28 17:53:00 + Commit: Mitchell Horne CommitDate: 2021-02-17 16:09:45 + arm64: use macros to access special register values --- sys/arm64/arm64/debug_monitor.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/arm64/arm64/debug_monitor.c b/sys/arm64/arm64/debug_monitor.c index dcb3645cf5d4..eb5d19567697 100644 --- a/sys/arm64/arm64/debug_monitor.c +++ b/sys/arm64/arm64/debug_monitor.c @@ -471,11 +471,13 @@ dbg_register_sync(struct debug_monitor_state *monitor) void dbg_monitor_init(void) { + uint64_t aa64dfr0; u_int i; /* Find out many breakpoints and watchpoints we can use */ - dbg_watchpoint_num = ((READ_SPECIALREG(id_aa64dfr0_el1) >> 20) & 0xf) + 1; - dbg_breakpoint_num = ((READ_SPECIALREG(id_aa64dfr0_el1) >> 12) & 0xf) + 1; + aa64dfr0 = READ_SPECIALREG(id_aa64dfr0_el1); + dbg_watchpoint_num = ID_AA64DFR0_WRPs_VAL(aa64dfr0); + dbg_breakpoint_num = ID_AA64DFR0_BRPs_VAL(aa64dfr0); if (bootverbose && PCPU_GET(cpuid) == 0) { printf("%d watchpoints and %d breakpoints supported\n", ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
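Review bot: The removed lines computed the counts as `((reg >> shift) & 0xf) + 1`, while the new `ID_AA64DFR0_WRPs_VAL(aa64dfr0)` and `ID_AA64DFR0_BRPs_VAL(aa64dfr0)` show neither the shift nor the `+ 1`; the macro definitions are not part of this hunk. If they return the raw or unshifted field, `dbg_watchpoint_num` and `dbg_breakpoint_num` change value, and these presumably bound the loops over the debug registers. A comment such as `/* The _VAL() macros yield the register count, i.e. field + 1. */` above the two assignments would make the dependency explicit once confirmed against armreg.h. dbg_monitor_init() continues past the end of the hunk.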
git: 9976b42b697c - main - ddb: fix show devmap output on 32-bit arm
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=9976b42b697ce203b1d257b2a6fe64c8a2961645 commit 9976b42b697ce203b1d257b2a6fe64c8a2961645 Author: Thomas Skibo AuthorDate: 2021-01-11 20:58:12 + Commit: Mitchell Horne CommitDate: 2021-02-18 15:53:14 + ddb: fix show devmap output on 32-bit arm The output has been broken since 1b6dd6d772ca. Casting to uintmax_t before the call to printf is necessary to ensure that 32-bit addresses are interpreted correctly. PR: 243236 MFC after: 3 days --- sys/kern/subr_devmap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kern/subr_devmap.c b/sys/kern/subr_devmap.c index 8e07199b7f73..23baceb05129 100644 --- a/sys/kern/subr_devmap.c +++ b/sys/kern/subr_devmap.c @@ -74,7 +74,9 @@ devmap_dump_table(int (*prfunc)(const char *, ...)) prfunc("Static device mappings:\n"); for (pd = devmap_table; pd->pd_size != 0; ++pd) { prfunc(" 0x%08jx - 0x%08jx mapped at VA 0x%08jx\n", - pd->pd_pa, pd->pd_pa + pd->pd_size - 1, pd->pd_va); + (uintmax_t)pd->pd_pa, + (uintmax_t)(pd->pd_pa + pd->pd_size - 1), + (uintmax_t)pd->pd_va); } } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
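Review bot: The `%jx` mismatch fixed in devmap_dump_table() went unnoticed because the callback parameter `int (*prfunc)(const char *, ...)` carries no printf format attribute, so the compiler cannot check the arguments at this call. The casts are right, but the next change to this format string can reintroduce the same bug silently. If the callers' signatures allow it, declare the parameter as `int (*prfunc)(const char *, ...) __printflike(1, 2)` so that `-Wformat` covers it. The stable/13 cherry-pick 0a223cf980b5 is the same hunk.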
git: 04d2d2d7fd22 - main - cgem: improve usage of busdma(9) KPI
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=04d2d2d7fd22bba638ccb5a0b2e0805087a70cd3 commit 04d2d2d7fd22bba638ccb5a0b2e0805087a70cd3 Author: Mitchell Horne AuthorDate: 2021-01-20 15:07:53 + Commit: Mitchell Horne CommitDate: 2021-02-18 21:17:41 + cgem: improve usage of busdma(9) KPI BUS_DMA_NOCACHE should only be used when one needs to guarantee the created mapping has uncached memory attributes, usually as a result of buggy hardware. Normal use cases should pass BUS_DMA_COHERENT, to create an appropriate mapping based on the flags passed to bus_dma_tag_create(). This should have no functional change, since the DMA tags in this driver are created without the BUS_DMA_COHERENT flag. Reported by:mmel Reviewed by:mmel, Thomas Skibo MFC after: 3 days --- sys/dev/cadence/if_cgem.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/sys/dev/cadence/if_cgem.c b/sys/dev/cadence/if_cgem.c index 81fc39b831af..0583e846458a 100644 --- a/sys/dev/cadence/if_cgem.c +++ b/sys/dev/cadence/if_cgem.c 
@@ -443,17 +443,13 @@ cgem_setup_descs(struct cgem_softc *sc) return (err); /* -* Allocate DMA memory in non-cacheable space. We allocate transmit, -* receive and null descriptor queues all at once because the -* hardware only provides one register for the upper 32 bits of -* rx and tx descriptor queues hardware addresses. +* Allocate DMA memory. We allocate transmit, receive and null +* descriptor queues all at once because the hardware only provides +* one register for the upper 32 bits of rx and tx descriptor queues +* hardware addresses. */ err = bus_dmamem_alloc(sc->desc_dma_tag, (void **)&sc->rxring, -#ifdef __arm__ BUS_DMA_NOWAIT | BUS_DMA_COHERENT | BUS_DMA_ZERO, -#else - BUS_DMA_NOWAIT | BUS_DMA_NOCACHE | BUS_DMA_ZERO, -#endif &sc->rxring_dma_map); if (err) return (err); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
Re: git: 04d2d2d7fd22 - main - cgem: improve usage of busdma(9) KPI
On Thu, Feb 18, 2021 at 5:19 PM Mitchell Horne wrote: > > The branch main has been updated by mhorne: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=04d2d2d7fd22bba638ccb5a0b2e0805087a70cd3 > > commit 04d2d2d7fd22bba638ccb5a0b2e0805087a70cd3 > Author: Mitchell Horne > AuthorDate: 2021-01-20 15:07:53 +0000 > Commit: Mitchell Horne > CommitDate: 2021-02-18 21:17:41 + > > cgem: improve usage of busdma(9) KPI > > BUS_DMA_NOCACHE should only be used when one needs to guarantee the > created mapping has uncached memory attributes, usually as a result > of buggy hardware. Normal use cases should pass BUS_DMA_COHERENT, to > create an appropriate mapping based on the flags passed to > bus_dma_tag_create(). > > This should have no functional change, since the DMA tags in this driver > are created without the BUS_DMA_COHERENT flag. > > Reported by:mmel > Reviewed by:mmel, Thomas Skibo > MFC after: 3 days Whoops, forgot to include: Differential Revision: https://reviews.freebsd.org/D28775 > --- > sys/dev/cadence/if_cgem.c | 12 > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/sys/dev/cadence/if_cgem.c b/sys/dev/cadence/if_cgem.c > index 81fc39b831af..0583e846458a 100644 > --- a/sys/dev/cadence/if_cgem.c > +++ b/sys/dev/cadence/if_cgem.c 
> @@ -443,17 +443,13 @@ cgem_setup_descs(struct cgem_softc *sc) > return (err); > > /* > -* Allocate DMA memory in non-cacheable space. We allocate transmit, > -* receive and null descriptor queues all at once because the > -* hardware only provides one register for the upper 32 bits of > -* rx and tx descriptor queues hardware addresses. > +* Allocate DMA memory. We allocate transmit, receive and null > +* descriptor queues all at once because the hardware only provides > +* one register for the upper 32 bits of rx and tx descriptor queues > +* hardware addresses. > */ > err = bus_dmamem_alloc(sc->desc_dma_tag, (void **)&sc->rxring, > -#ifdef __arm__ > BUS_DMA_NOWAIT | BUS_DMA_COHERENT | BUS_DMA_ZERO, > -#else > - BUS_DMA_NOWAIT | BUS_DMA_NOCACHE | BUS_DMA_ZERO, > -#endif > &sc->rxring_dma_map); > if (err) > return (err); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 0a223cf980b5 - stable/13 - ddb: fix show devmap output on 32-bit arm
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0a223cf980b5ef8bea726a843fe5a7faf2278330 commit 0a223cf980b5ef8bea726a843fe5a7faf2278330 Author: Thomas Skibo AuthorDate: 2021-01-11 20:58:12 + Commit: Mitchell Horne CommitDate: 2021-02-23 14:30:14 + ddb: fix show devmap output on 32-bit arm The output has been broken since 1b6dd6d772ca. Casting to uintmax_t before the call to printf is necessary to ensure that 32-bit addresses are interpreted correctly. PR: 243236 (cherry picked from commit 9976b42b697ce203b1d257b2a6fe64c8a2961645) --- sys/kern/subr_devmap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kern/subr_devmap.c b/sys/kern/subr_devmap.c index 8e07199b7f73..23baceb05129 100644 --- a/sys/kern/subr_devmap.c +++ b/sys/kern/subr_devmap.c @@ -74,7 +74,9 @@ devmap_dump_table(int (*prfunc)(const char *, ...)) prfunc("Static device mappings:\n"); for (pd = devmap_table; pd->pd_size != 0; ++pd) { prfunc(" 0x%08jx - 0x%08jx mapped at VA 0x%08jx\n", - pd->pd_pa, pd->pd_pa + pd->pd_size - 1, pd->pd_va); + (uintmax_t)pd->pd_pa, + (uintmax_t)(pd->pd_pa + pd->pd_size - 1), + (uintmax_t)pd->pd_va); } } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 007101f87ddf - stable/13 - cgem: improve usage of busdma(9) KPI
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=007101f87ddf679cbcdbff40882a89dbba0e0cf3 commit 007101f87ddf679cbcdbff40882a89dbba0e0cf3 Author: Mitchell Horne AuthorDate: 2021-01-20 15:07:53 + Commit: Mitchell Horne CommitDate: 2021-02-23 14:31:43 + cgem: improve usage of busdma(9) KPI BUS_DMA_NOCACHE should only be used when one needs to guarantee the created mapping has uncached memory attributes, usually as a result of buggy hardware. Normal use cases should pass BUS_DMA_COHERENT, to create an appropriate mapping based on the flags passed to bus_dma_tag_create(). This should have no functional change, since the DMA tags in this driver are created without the BUS_DMA_COHERENT flag. Reported by:mmel Reviewed by:mmel, Thomas Skibo (cherry picked from commit 04d2d2d7fd22bba638ccb5a0b2e0805087a70cd3) --- sys/dev/cadence/if_cgem.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/sys/dev/cadence/if_cgem.c b/sys/dev/cadence/if_cgem.c index 81fc39b831af..0583e846458a 100644 --- a/sys/dev/cadence/if_cgem.c +++ b/sys/dev/cadence/if_cgem.c 
@@ -443,17 +443,13 @@ cgem_setup_descs(struct cgem_softc *sc) return (err); /* -* Allocate DMA memory in non-cacheable space. We allocate transmit, -* receive and null descriptor queues all at once because the -* hardware only provides one register for the upper 32 bits of -* rx and tx descriptor queues hardware addresses. +* Allocate DMA memory. We allocate transmit, receive and null +* descriptor queues all at once because the hardware only provides +* one register for the upper 32 bits of rx and tx descriptor queues +* hardware addresses. */ err = bus_dmamem_alloc(sc->desc_dma_tag, (void **)&sc->rxring, -#ifdef __arm__ BUS_DMA_NOWAIT | BUS_DMA_COHERENT | BUS_DMA_ZERO, -#else - BUS_DMA_NOWAIT | BUS_DMA_NOCACHE | BUS_DMA_ZERO, -#endif &sc->rxring_dma_map); if (err) return (err); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 8837e9c54072 - stable/13 - arm64: validate breakpoint registers
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=8837e9c54072679b69ae0c0345e7ef7d241255aa commit 8837e9c54072679b69ae0c0345e7ef7d241255aa Author: Mitchell Horne AuthorDate: 2021-02-09 18:29:38 + Commit: Mitchell Horne CommitDate: 2021-02-24 14:57:04 + arm64: validate breakpoint registers In particular, we want to disallow setting breakpoints on kernel addresses from userspace. The control register fields are validated or ignored as appropriate. Reviewed by:markj Sponsored by: The FreeBSD Foundation (cherry picked from commit de2b9422807586d376ec7ffa7b660cd492464bdf) --- sys/arm64/arm64/machdep.c | 37 + sys/arm64/include/armreg.h | 17 + 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index 90fc19d57415..bf44dba19482 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -357,6 +357,8 @@ int set_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; + uint64_t addr; + uint32_t ctrl; int count; int i; 
@@ -364,11 +366,38 @@ set_dbregs(struct thread *td, struct dbreg *regs) count = 0; monitor->dbg_enable_count = 0; for (i = 0; i < DBG_BRP_MAX; i++) { - /* TODO: Check these values */ - monitor->dbg_bvr[i] = regs->db_regs[i].dbr_addr; - monitor->dbg_bcr[i] = regs->db_regs[i].dbr_ctrl; - if ((monitor->dbg_bcr[i] & 1) != 0) + addr = regs->db_regs[i].dbr_addr; + ctrl = regs->db_regs[i].dbr_ctrl; + + /* Don't let the user set a breakpoint on a kernel address. */ + if (addr >= VM_MAXUSER_ADDRESS) + return (EINVAL); + + /* +* The lowest 2 bits are ignored, so record the effective +* address. +*/ + addr = rounddown2(addr, 4); + + /* +* Some control fields are ignored, and other bits reserved. +* Only unlinked, address-matching breakpoints are supported. +* +* XXX: fields that appear unvalidated, such as BAS, have +* constrained undefined behaviour. If the user mis-programs +* these, there is no risk to the system. +*/ + ctrl &= DBG_BCR_EN | DBG_BCR_PMC | DBG_BCR_BAS; + if ((ctrl & DBG_BCR_EN) != 0) { + /* Only target EL0. */ + if ((ctrl & DBG_BCR_PMC) != DBG_BCR_PMC_EL0) + return (EINVAL); + monitor->dbg_enable_count++; + } + + monitor->dbg_bvr[i] = addr; + monitor->dbg_bcr[i] = ctrl; } if (monitor->dbg_enable_count > 0) monitor->dbg_flags |= DBGMON_ENABLED; diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index 201d7559320b..73d1010057b9 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h 
@@ -943,6 +943,23 @@ #defineDBG_MDSCR_KDE (0x1 << 13) #defineDBG_MDSCR_MDE (0x1 << 15) +/* Debug Breakpoint Control Registers */ +#defineDBG_BCR_EN 0x1 +#defineDBG_BCR_PMC_SHIFT 1 +#defineDBG_BCR_PMC (0x3 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL1(0x1 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL0(0x2 << DBG_BCR_PMC_SHIFT) +#defineDBG_BCR_BAS_SHIFT 5 +#defineDBG_BCR_BAS (0xf << DBG_BCR_BAS_SHIFT) +#defineDBG_BCR_HMC_SHIFT 13 +#defineDBG_BCR_HMC (0x1 << DBG_BCR_HMC_SHIFT) +#defineDBG_BCR_SSC_SHIFT 14 +#defineDBG_BCR_SSC (0x3 << DBG_BCR_SSC_SHIFT) +#defineDBG_BCR_LBN_SHIFT 16 +#defineDBG_BCR_LBN (0xf << DBG_BCR_LBN_SHIFT) +#defineDBG_BCR_BT_SHIFT20 +#defineDBG_BCR_BT (0xf << DBG_BCR_BT_SHIFT) + /* Perfomance Monitoring Counters */ #definePMCR_E (1 << 0) /* Enable all counters */ #definePMCR_P (1 << 1) /* Reset all counters */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 9372df63ad5b - stable/13 - arm64: handle watchpoint exceptions from EL0
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=9372df63ad5b814440732d171c8f04f0e1c26b87 commit 9372df63ad5b814440732d171c8f04f0e1c26b87 Author: Mitchell Horne AuthorDate: 2021-02-05 21:46:48 + Commit: Mitchell Horne CommitDate: 2021-02-24 14:58:09 + arm64: handle watchpoint exceptions from EL0 This is a prerequisite to allowing the use of hardware watchpoints for userspace debuggers. This is also a slight departure from the x86 behaviour, since `si_addr` returns the data address that triggered the watchpoint, not the address of the instruction that was executed. Otherwise, there is no straightforward way for the application to determine which watchpoint was triggered. Make a note of this in the siginfo(3) man page. Reviewed by:jhb, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) Sponsored by: The FreeBSD Foundation (cherry picked from commit bd012c71592323d957b409bb5e0cf7940729650e) --- share/man/man3/siginfo.3 | 7 ++- sys/arm64/arm64/trap.c | 6 ++ sys/arm64/include/armreg.h | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/share/man/man3/siginfo.3 b/share/man/man3/siginfo.3 index fc4ea2ba1df7..acc8785b2f0d 100644 --- a/share/man/man3/siginfo.3 +++ b/share/man/man3/siginfo.3 @@ -27,7 +27,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 28, 2020 +.Dd February 17, 2021 .Dt SIGINFO 3 .Os .Sh NAME @@ -218,6 +218,11 @@ and may report the address of the faulting memory access (if available) in .Va si_addr instead. +Additionally +.Dv SIGTRAP +raised by a hardware watchpoint exception may report the data address that +triggered the watchpoint in +.Va si_addr . .Pp Sychronous signals set .Va si_trapno diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c index 0b2d4760cea3..cb3a05ad0163 100644 --- a/sys/arm64/arm64/trap.c +++ b/sys/arm64/arm64/trap.c 
@@ -474,6 +474,7 @@ do_el0_sync(struct thread *td, struct trapframe *frame) case EXCP_UNKNOWN: case EXCP_DATA_ABORT_L: case EXCP_DATA_ABORT: + case EXCP_WATCHPT_EL0: far = READ_SPECIALREG(far_el1); break; } @@ -534,6 +535,11 @@ do_el0_sync(struct thread *td, struct trapframe *frame) exception); userret(td, frame); break; + case EXCP_WATCHPT_EL0: + call_trapsignal(td, SIGTRAP, TRAP_TRACE, (void *)far, + exception); + userret(td, frame); + break; case EXCP_MSR: /* * The CPU can raise EXCP_MSR when userspace executes an mrs diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index 73d1010057b9..66cd8591c7ab 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h @@ -230,6 +230,7 @@ #define EXCP_BRKPT_EL0 0x30/* Hardware breakpoint, from same EL */ #define EXCP_SOFTSTP_EL0 0x32/* Software Step, from lower EL */ #define EXCP_SOFTSTP_EL1 0x33/* Software Step, from same EL */ +#define EXCP_WATCHPT_EL0 0x34/* Watchpoint, from lower EL */ #define EXCP_WATCHPT_EL1 0x35/* Watchpoint, from same EL */ #define EXCP_BRK 0x3c/* Breakpoint */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
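Review bot: The new `EXCP_WATCHPT_EL0` case in the second do_el0_sync hunk passes `far` as `si_addr` without a comment, although the commit message describes this as a deliberate departure from x86, where `si_addr` is the instruction address. Someone reading trap.c alone cannot tell that the data address is intended, and a later cleanup could "fix" it to the PC. I would add above the call `/* si_addr is the data address from FAR_EL1, not the PC, so the debugger can tell which watchpoint fired. */`. do_el0_sync starts and ends outside both hunks. The releng/13.0 cherry-pick of this commit further down the page carries the same hunk.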
git: 4786c8582c56 - stable/13 - arm64: extend struct db_reg to include watchpoint registers
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=4786c8582c569a7245dadbdbb4638d1667c10d62 commit 4786c8582c569a7245dadbdbb4638d1667c10d62 Author: Mitchell Horne AuthorDate: 2021-01-28 17:49:47 + Commit: Mitchell Horne CommitDate: 2021-02-24 14:58:43 + arm64: extend struct db_reg to include watchpoint registers The motivation is to provide access to these registers from userspace via ptrace(2) requests PT_GETDBREGS and PT_SETDBREGS. This change breaks the ABI of these particular requests, but is justified by the fact that the intended consumers (debuggers) have not been taught to use them yet. Making this change now enables active upstream work on lldb to begin using this interface, and take advantage of the hardware debugging registers available on the platform. PR: 252860 Reported by:Michał Górny (mgo...@gentoo.org) Reviewed by:andrew, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) Sponsored by: The FreeBSD Foundation (cherry picked from commit f2583be110ca3a5b32f0993f1464a5c69151c62f) --- sys/arm64/arm64/identcpu.c | 2 +- sys/arm64/arm64/machdep.c | 71 ++ sys/arm64/include/armreg.h | 22 ++ sys/arm64/include/reg.h| 13 +++-- 4 files changed, 92 insertions(+), 16 deletions(-) diff --git a/sys/arm64/arm64/identcpu.c b/sys/arm64/arm64/identcpu.c index bfbaad7a6483..c3544e9de9aa 100644 --- a/sys/arm64/arm64/identcpu.c +++ b/sys/arm64/arm64/identcpu.c @@ -350,7 +350,7 @@ static struct mrs_field id_aa64dfr0_fields[] = { MRS_FIELD(ID_AA64DFR0, PMSVer, false, MRS_EXACT, id_aa64dfr0_pmsver), MRS_FIELD(ID_AA64DFR0, CTX_CMPs, false, MRS_EXACT, id_aa64dfr0_ctx_cmps), - MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_EXACT, id_aa64dfr0_wrps), + MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_LOWER, id_aa64dfr0_wrps), MRS_FIELD(ID_AA64DFR0, BRPs, false, MRS_LOWER, id_aa64dfr0_brps), MRS_FIELD(ID_AA64DFR0, PMUVer, false, MRS_EXACT, id_aa64dfr0_pmuver), MRS_FIELD(ID_AA64DFR0, TraceVer, false, MRS_EXACT, 
diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index bf44dba19482..73b06beeba7e 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -321,8 +321,8 @@ int fill_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; - int count, i; - uint8_t debug_ver, nbkpts; + int i; + uint8_t debug_ver, nbkpts, nwtpts; memset(regs, 0, sizeof(*regs)); @@ -330,23 +330,30 @@ fill_dbregs(struct thread *td, struct dbreg *regs) &debug_ver); extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_BRPs_SHIFT, &nbkpts); + extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_WRPs_SHIFT, + &nwtpts); /* * The BRPs field contains the number of breakpoints - 1. Armv8-A * allows the hardware to provide 2-16 breakpoints so this won't -* overflow an 8 bit value. +* overflow an 8 bit value. The same applies to the WRPs field. */ - count = nbkpts + 1; + nbkpts++; + nwtpts++; - regs->db_info = debug_ver; - regs->db_info <<= 8; - regs->db_info |= count; + regs->db_debug_ver = debug_ver; + regs->db_nbkpts = nbkpts; + regs->db_nwtpts = nwtpts; monitor = &td->td_pcb->pcb_dbg_regs; if ((monitor->dbg_flags & DBGMON_ENABLED) != 0) { - for (i = 0; i < count; i++) { - regs->db_regs[i].dbr_addr = monitor->dbg_bvr[i]; - regs->db_regs[i].dbr_ctrl = monitor->dbg_bcr[i]; + for (i = 0; i < nbkpts; i++) { + regs->db_breakregs[i].dbr_addr = monitor->dbg_bvr[i]; + regs->db_breakregs[i].dbr_ctrl = monitor->dbg_bcr[i]; + } + for (i = 0; i < nwtpts; i++) { + regs->db_watchregs[i].dbw_addr = monitor->dbg_wvr[i]; + regs->db_watchregs[i].dbw_ctrl = monitor->dbg_wcr[i]; } } 
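Review bot: In the second fill_dbregs hunk the results of the extract_user_id_field() calls are not checked, and the first hunk declares `nbkpts` and `nwtpts` without initialisers, yet after `++` they bound the two copy loops. If the helper can return without storing through its pointer (not visible here), the loops would index `monitor->dbg_bvr[]`/`dbg_wvr[]` and the `regs` arrays with an indeterminate count, and the result is handed back to the ptrace(2) caller. Initialising at the declaration, `uint8_t debug_ver = 0, nbkpts = 0, nwtpts = 0;`, makes the failure case copy a single zeroed slot instead. The array sizes are declared in reg.h, which is not in this view, so a `KASSERT(nwtpts <= nitems(regs->db_watchregs), ("too many watchpoints"));` next to the increment would document the bound the loops rely on. The function body continues past the hunk, and the releng/13.0 cherry-pick further down the page has the same code.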
@@ -365,9 +372,10 @@ set_dbregs(struct thread *td, struct dbreg *regs) monitor = &td->td_pcb->pcb_dbg_regs; count = 0; monitor->dbg_enable_count = 0; + for (i = 0; i < DBG_BRP_MAX; i++) { - addr = regs->db_regs[i].dbr_addr; - ctrl = regs->db_regs[i].dbr_ctrl; + addr = regs->db_breakregs[i].dbr_addr; + ctrl = regs->db_breakregs[i].dbr_ctrl; /* Don't let the user set a breakpoint on a kernel address. */ if (addr >= VM_MAXUSER_ADDRESS) @@ -399,6 +407,45
git: ce9bc83f9146 - releng/13.0 - arm64: validate breakpoint registers
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=ce9bc83f914623a2f2309b10786bafc0d481054c commit ce9bc83f914623a2f2309b10786bafc0d481054c Author: Mitchell Horne AuthorDate: 2021-02-09 18:29:38 + Commit: Mitchell Horne CommitDate: 2021-02-25 21:30:45 + arm64: validate breakpoint registers In particular, we want to disallow setting breakpoints on kernel addresses from userspace. The control register fields are validated or ignored as appropriate. Reviewed by:markj Sponsored by: The FreeBSD Foundation Approved by:re (gjb) (cherry picked from commit de2b9422807586d376ec7ffa7b660cd492464bdf) (cherry picked from commit 8837e9c54072679b69ae0c0345e7ef7d241255aa) --- sys/arm64/arm64/machdep.c | 37 + sys/arm64/include/armreg.h | 17 + 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index 90fc19d57415..bf44dba19482 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -357,6 +357,8 @@ int set_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; + uint64_t addr; + uint32_t ctrl; int count; int i; 
@@ -364,11 +366,38 @@ set_dbregs(struct thread *td, struct dbreg *regs) count = 0; monitor->dbg_enable_count = 0; for (i = 0; i < DBG_BRP_MAX; i++) { - /* TODO: Check these values */ - monitor->dbg_bvr[i] = regs->db_regs[i].dbr_addr; - monitor->dbg_bcr[i] = regs->db_regs[i].dbr_ctrl; - if ((monitor->dbg_bcr[i] & 1) != 0) + addr = regs->db_regs[i].dbr_addr; + ctrl = regs->db_regs[i].dbr_ctrl; + + /* Don't let the user set a breakpoint on a kernel address. */ + if (addr >= VM_MAXUSER_ADDRESS) + return (EINVAL); + + /* +* The lowest 2 bits are ignored, so record the effective +* address. +*/ + addr = rounddown2(addr, 4); + + /* +* Some control fields are ignored, and other bits reserved. +* Only unlinked, address-matching breakpoints are supported. +* +* XXX: fields that appear unvalidated, such as BAS, have +* constrained undefined behaviour. If the user mis-programs +* these, there is no risk to the system. +*/ + ctrl &= DBG_BCR_EN | DBG_BCR_PMC | DBG_BCR_BAS; + if ((ctrl & DBG_BCR_EN) != 0) { + /* Only target EL0. */ + if ((ctrl & DBG_BCR_PMC) != DBG_BCR_PMC_EL0) + return (EINVAL); + monitor->dbg_enable_count++; + } + + monitor->dbg_bvr[i] = addr; + monitor->dbg_bcr[i] = ctrl; } if (monitor->dbg_enable_count > 0) monitor->dbg_flags |= DBGMON_ENABLED; diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index 201d7559320b..73d1010057b9 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h 
@@ -943,6 +943,23 @@ #defineDBG_MDSCR_KDE (0x1 << 13) #defineDBG_MDSCR_MDE (0x1 << 15) +/* Debug Breakpoint Control Registers */ +#defineDBG_BCR_EN 0x1 +#defineDBG_BCR_PMC_SHIFT 1 +#defineDBG_BCR_PMC (0x3 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL1(0x1 << DBG_BCR_PMC_SHIFT) +#define DBG_BCR_PMC_EL0(0x2 << DBG_BCR_PMC_SHIFT) +#defineDBG_BCR_BAS_SHIFT 5 +#defineDBG_BCR_BAS (0xf << DBG_BCR_BAS_SHIFT) +#defineDBG_BCR_HMC_SHIFT 13 +#defineDBG_BCR_HMC (0x1 << DBG_BCR_HMC_SHIFT) +#defineDBG_BCR_SSC_SHIFT 14 +#defineDBG_BCR_SSC (0x3 << DBG_BCR_SSC_SHIFT) +#defineDBG_BCR_LBN_SHIFT 16 +#defineDBG_BCR_LBN (0xf << DBG_BCR_LBN_SHIFT) +#defineDBG_BCR_BT_SHIFT20 +#defineDBG_BCR_BT (0xf << DBG_BCR_BT_SHIFT) + /* Perfomance Monitoring Counters */ #definePMCR_E (1 << 0) /* Enable all counters */ #definePMCR_P (1 << 1) /* Reset all counters */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: f1847ed16ebd - releng/13.0 - arm64: extend struct db_reg to include watchpoint registers
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f1847ed16ebd16d91766934ff7c28e887fbd2846 commit f1847ed16ebd16d91766934ff7c28e887fbd2846 Author: Mitchell Horne AuthorDate: 2021-01-28 17:49:47 + Commit: Mitchell Horne CommitDate: 2021-02-25 21:31:31 + arm64: extend struct db_reg to include watchpoint registers The motivation is to provide access to these registers from userspace via ptrace(2) requests PT_GETDBREGS and PT_SETDBREGS. This change breaks the ABI of these particular requests, but is justified by the fact that the intended consumers (debuggers) have not been taught to use them yet. Making this change now enables active upstream work on lldb to begin using this interface, and take advantage of the hardware debugging registers available on the platform. PR: 252860 Reported by:Michał Górny (mgo...@gentoo.org) Reviewed by:andrew, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) Sponsored by: The FreeBSD Foundation Approved by:re (gjb) (cherry picked from commit f2583be110ca3a5b32f0993f1464a5c69151c62f) (cherry picked from commit 4786c8582c569a7245dadbdbb4638d1667c10d62) --- sys/arm64/arm64/identcpu.c | 2 +- sys/arm64/arm64/machdep.c | 71 ++ sys/arm64/include/armreg.h | 22 ++ sys/arm64/include/reg.h| 13 +++-- 4 files changed, 92 insertions(+), 16 deletions(-) diff --git a/sys/arm64/arm64/identcpu.c b/sys/arm64/arm64/identcpu.c index bfbaad7a6483..c3544e9de9aa 100644 --- a/sys/arm64/arm64/identcpu.c +++ b/sys/arm64/arm64/identcpu.c 
@@ -350,7 +350,7 @@ static struct mrs_field id_aa64dfr0_fields[] = { MRS_FIELD(ID_AA64DFR0, PMSVer, false, MRS_EXACT, id_aa64dfr0_pmsver), MRS_FIELD(ID_AA64DFR0, CTX_CMPs, false, MRS_EXACT, id_aa64dfr0_ctx_cmps), - MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_EXACT, id_aa64dfr0_wrps), + MRS_FIELD(ID_AA64DFR0, WRPs, false, MRS_LOWER, id_aa64dfr0_wrps), MRS_FIELD(ID_AA64DFR0, BRPs, false, MRS_LOWER, id_aa64dfr0_brps), MRS_FIELD(ID_AA64DFR0, PMUVer, false, MRS_EXACT, id_aa64dfr0_pmuver), MRS_FIELD(ID_AA64DFR0, TraceVer, false, MRS_EXACT, diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c index bf44dba19482..73b06beeba7e 100644 --- a/sys/arm64/arm64/machdep.c +++ b/sys/arm64/arm64/machdep.c @@ -321,8 +321,8 @@ int fill_dbregs(struct thread *td, struct dbreg *regs) { struct debug_monitor_state *monitor; - int count, i; - uint8_t debug_ver, nbkpts; + int i; + uint8_t debug_ver, nbkpts, nwtpts; memset(regs, 0, sizeof(*regs)); 
@@ -330,23 +330,30 @@ fill_dbregs(struct thread *td, struct dbreg *regs) &debug_ver); extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_BRPs_SHIFT, &nbkpts); + extract_user_id_field(ID_AA64DFR0_EL1, ID_AA64DFR0_WRPs_SHIFT, + &nwtpts); /* * The BRPs field contains the number of breakpoints - 1. Armv8-A * allows the hardware to provide 2-16 breakpoints so this won't -* overflow an 8 bit value. +* overflow an 8 bit value. The same applies to the WRPs field. */ - count = nbkpts + 1; + nbkpts++; + nwtpts++; - regs->db_info = debug_ver; - regs->db_info <<= 8; - regs->db_info |= count; + regs->db_debug_ver = debug_ver; + regs->db_nbkpts = nbkpts; + regs->db_nwtpts = nwtpts; monitor = &td->td_pcb->pcb_dbg_regs; if ((monitor->dbg_flags & DBGMON_ENABLED) != 0) { - for (i = 0; i < count; i++) { - regs->db_regs[i].dbr_addr = monitor->dbg_bvr[i]; - regs->db_regs[i].dbr_ctrl = monitor->dbg_bcr[i]; + for (i = 0; i < nbkpts; i++) { + regs->db_breakregs[i].dbr_addr = monitor->dbg_bvr[i]; + regs->db_breakregs[i].dbr_ctrl = monitor->dbg_bcr[i]; + } + for (i = 0; i < nwtpts; i++) { + regs->db_watchregs[i].dbw_addr = monitor->dbg_wvr[i]; + regs->db_watchregs[i].dbw_ctrl = monitor->dbg_wcr[i]; } } @@ -365,9 +372,10 @@ set_dbregs(struct thread *td, struct dbreg *regs) monitor = &td->td_pcb->pcb_dbg_regs; count = 0; monitor->dbg_enable_count = 0; + for (i = 0; i < DBG_BRP_MAX; i++) { - addr = regs->db_regs[i].dbr_addr; - ctrl = regs->db_regs[i].dbr_ctrl; + addr = regs->db_breakregs[i].dbr_addr; + ctrl = regs->db_breakregs[i].dbr_ctrl; /* Don't let the user set a breakpoint
git: 8f686c0f29f0 - releng/13.0 - arm64: handle watchpoint exceptions from EL0
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=8f686c0f29f094eba305d7911195bd629c3954bb commit 8f686c0f29f094eba305d7911195bd629c3954bb Author: Mitchell Horne AuthorDate: 2021-02-05 21:46:48 + Commit: Mitchell Horne CommitDate: 2021-02-25 21:31:17 + arm64: handle watchpoint exceptions from EL0 This is a prerequisite to allowing the use of hardware watchpoints for userspace debuggers. This is also a slight departure from the x86 behaviour, since `si_addr` returns the data address that triggered the watchpoint, not the address of the instruction that was executed. Otherwise, there is no straightforward way for the application to determine which watchpoint was triggered. Make a note of this in the siginfo(3) man page. Reviewed by:jhb, markj (earlier version) Tested by: Michał Górny (mgo...@gentoo.org) Sponsored by: The FreeBSD Foundation Approved by:re (gjb) (cherry picked from commit bd012c71592323d957b409bb5e0cf7940729650e) (cherry picked from commit 9372df63ad5b814440732d171c8f04f0e1c26b87) --- share/man/man3/siginfo.3 | 7 ++- sys/arm64/arm64/trap.c | 6 ++ sys/arm64/include/armreg.h | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/share/man/man3/siginfo.3 b/share/man/man3/siginfo.3 index fc4ea2ba1df7..acc8785b2f0d 100644 --- a/share/man/man3/siginfo.3 +++ b/share/man/man3/siginfo.3 @@ -27,7 +27,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 28, 2020 +.Dd February 17, 2021 .Dt SIGINFO 3 .Os .Sh NAME @@ -218,6 +218,11 @@ and may report the address of the faulting memory access (if available) in .Va si_addr instead. +Additionally +.Dv SIGTRAP +raised by a hardware watchpoint exception may report the data address that +triggered the watchpoint in +.Va si_addr . .Pp Sychronous signals set .Va si_trapno diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c index 0b2d4760cea3..cb3a05ad0163 100644 --- a/sys/arm64/arm64/trap.c +++ b/sys/arm64/arm64/trap.c 
@@ -474,6 +474,7 @@ do_el0_sync(struct thread *td, struct trapframe *frame) case EXCP_UNKNOWN: case EXCP_DATA_ABORT_L: case EXCP_DATA_ABORT: + case EXCP_WATCHPT_EL0: far = READ_SPECIALREG(far_el1); break; } @@ -534,6 +535,11 @@ do_el0_sync(struct thread *td, struct trapframe *frame) exception); userret(td, frame); break; + case EXCP_WATCHPT_EL0: + call_trapsignal(td, SIGTRAP, TRAP_TRACE, (void *)far, + exception); + userret(td, frame); + break; case EXCP_MSR: /* * The CPU can raise EXCP_MSR when userspace executes an mrs diff --git a/sys/arm64/include/armreg.h b/sys/arm64/include/armreg.h index 73d1010057b9..66cd8591c7ab 100644 --- a/sys/arm64/include/armreg.h +++ b/sys/arm64/include/armreg.h @@ -230,6 +230,7 @@ #define EXCP_BRKPT_EL0 0x30/* Hardware breakpoint, from same EL */ #define EXCP_SOFTSTP_EL0 0x32/* Software Step, from lower EL */ #define EXCP_SOFTSTP_EL1 0x33/* Software Step, from same EL */ +#define EXCP_WATCHPT_EL0 0x34/* Watchpoint, from lower EL */ #define EXCP_WATCHPT_EL1 0x35/* Watchpoint, from same EL */ #define EXCP_BRK 0x3c/* Breakpoint */ ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 1fc928770b5d - main - Remove stale references to opt_sio.h
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=1fc928770b5db5bafb7386c7a3bd4918a0d7e876 commit 1fc928770b5db5bafb7386c7a3bd4918a0d7e876 Author: Mitchell Horne AuthorDate: 2021-02-25 21:37:42 + Commit: Mitchell Horne CommitDate: 2021-02-26 01:43:12 + Remove stale references to opt_sio.h The sio(4) driver was removed entirely in 2019, commit 71f0077631fa. Reviewed by:imp Differential Revision: https://reviews.freebsd.org/D28929 --- sys/conf/options.amd64 | 7 --- sys/conf/options.i386 | 7 --- 2 files changed, 14 deletions(-) diff --git a/sys/conf/options.amd64 b/sys/conf/options.amd64 index 05b295647b6b..608bcd117e2f 100644 --- a/sys/conf/options.amd64 +++ b/sys/conf/options.amd64 @@ -24,13 +24,6 @@ LINSYSFS opt_dontuse.h TIMER_FREQ opt_clock.h -# options for serial support -COM_ESPopt_sio.h -COM_MULTIPORT opt_sio.h -CONSPEED opt_sio.h -GDBSPEED opt_sio.h -COM_NO_ACPIopt_sio.h - VGA_ALT_SEQACCESS opt_vga.h VGA_DEBUG opt_vga.h VGA_NO_FONT_LOADINGopt_vga.h diff --git a/sys/conf/options.i386 b/sys/conf/options.i386 index 011d787ec68c..02b4db48f4c7 100644 --- a/sys/conf/options.i386 +++ b/sys/conf/options.i386 @@ -67,13 +67,6 @@ I486_CPU opt_global.h I586_CPU opt_global.h I686_CPU opt_global.h -# options for serial support -COM_ESPopt_sio.h -COM_MULTIPORT opt_sio.h -CONSPEED opt_sio.h -GDBSPEED opt_sio.h -COM_NO_ACPIopt_sio.h - VGA_ALT_SEQACCESS opt_vga.h VGA_DEBUG opt_vga.h VGA_NO_FONT_LOADINGopt_vga.h ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 530d38441d55 - main - armv8crypto: add missing newline
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=530d38441d55b7ac62ebae6ac8ea76903a4a3b0c commit 530d38441d55b7ac62ebae6ac8ea76903a4a3b0c Author: Elliott Mitchell AuthorDate: 2021-02-28 20:03:44 + Commit: Mitchell Horne CommitDate: 2021-02-28 20:03:55 + armv8crypto: add missing newline The missing newline mildly garbles boot-time messages and this can be troublesome if you need those. Fixes: a520f5ca580f ("armv8crypto: print a message on probe failure") Reported by:Mike Karels (m...@karels.net) Reviewed By:gonzo Differential Revision: https://reviews.freebsd.org/D28988 --- sys/crypto/armv8/armv8_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/crypto/armv8/armv8_crypto.c b/sys/crypto/armv8/armv8_crypto.c index be39168d50f3..24f6eff5608d 100644 --- a/sys/crypto/armv8/armv8_crypto.c +++ b/sys/crypto/armv8/armv8_crypto.c @@ -122,7 +122,7 @@ armv8_crypto_probe(device_t dev) default: break; case ID_AA64ISAR0_AES_NONE: - device_printf(dev, "CPU lacks AES instructions"); + device_printf(dev, "CPU lacks AES instructions\n"); break; } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
Re: git: 530d38441d55 - main - armv8crypto: add missing newline
On Sun, Feb 28, 2021 at 4:09 PM Mitchell Horne wrote: > > The branch main has been updated by mhorne: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=530d38441d55b7ac62ebae6ac8ea76903a4a3b0c > > commit 530d38441d55b7ac62ebae6ac8ea76903a4a3b0c > Author: Elliott Mitchell > AuthorDate: 2021-02-28 20:03:44 +0000 > Commit: Mitchell Horne > CommitDate: 2021-02-28 20:03:55 + > > armv8crypto: add missing newline > > The missing newline mildly garbles boot-time messages and this can be > troublesome if you need those. > > Fixes: a520f5ca580f ("armv8crypto: print a message on probe > failure") > Reported by:Mike Karels (m...@karels.net) > Reviewed By:gonzo > Differential Revision: https://reviews.freebsd.org/D28988 MFC after: 3 days > --- > sys/crypto/armv8/armv8_crypto.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sys/crypto/armv8/armv8_crypto.c b/sys/crypto/armv8/armv8_crypto.c > index be39168d50f3..24f6eff5608d 100644 > --- a/sys/crypto/armv8/armv8_crypto.c > +++ b/sys/crypto/armv8/armv8_crypto.c > @@ -122,7 +122,7 @@ armv8_crypto_probe(device_t dev) > default: > break; > case ID_AA64ISAR0_AES_NONE: > - device_printf(dev, "CPU lacks AES instructions"); > + device_printf(dev, "CPU lacks AES instructions\n"); > break; > } > ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 874635e38173 - main - arm64: fix hardware single-stepping from EL1
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=874635e381731e1fbd5e2d0459ca87814f1e455c commit 874635e381731e1fbd5e2d0459ca87814f1e455c Author: Mitchell Horne AuthorDate: 2021-03-01 13:59:25 + Commit: Mitchell Horne CommitDate: 2021-03-01 14:04:22 + arm64: fix hardware single-stepping from EL1 The main issue is that debug exceptions must to be disabled for the entire duration that SS bit in MDSCR_EL1 is set. Otherwise, a single-step exception will be generated immediately. This can occur before returning from the debugger (when MDSCR is written to) or before re-entering it after the single-step (when debug exceptions are unmasked in the exception handler). Solve this by delaying the unmask to C code for EL1, and avoid unmasking at all while handling debug exceptions, thus avoiding any recursive debug traps. Reviewed by:markj, jhb MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28944 --- sys/arm64/arm64/debug_monitor.c | 6 ++ sys/arm64/arm64/exception.S | 6 +- sys/arm64/arm64/trap.c | 8 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/sys/arm64/arm64/debug_monitor.c b/sys/arm64/arm64/debug_monitor.c index eb5d19567697..c6622650f1ad 100644 --- a/sys/arm64/arm64/debug_monitor.c +++ b/sys/arm64/arm64/debug_monitor.c @@ -186,6 +186,9 @@ void kdb_cpu_set_singlestep(void) { + KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D, + ("%s: debug exceptions are not masked", __func__)); + kdb_frame->tf_spsr |= DBG_SPSR_SS; WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) | DBG_MDSCR_SS | DBG_MDSCR_KDE); @@ -205,6 +208,9 @@ void kdb_cpu_clear_singlestep(void) { + KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D, + ("%s: debug exceptions are not masked", __func__)); + WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) & ~(DBG_MDSCR_SS | DBG_MDSCR_KDE)); 
diff --git a/sys/arm64/arm64/exception.S b/sys/arm64/arm64/exception.S index 9fe825fd12b5..9a28a5eac022 100644 --- a/sys/arm64/arm64/exception.S +++ b/sys/arm64/arm64/exception.S @@ -75,8 +75,12 @@ __FBSDID("$FreeBSD$"); ldr x0, [x18, #(PC_CURTHREAD)] bl dbg_monitor_enter -.endif msr daifclr, #8 /* Enable the debug exception */ +.endif + /* +* For EL1, debug exceptions are conditionally unmasked in +* do_el1h_sync(). +*/ .endm .macro restore_registers el diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c index cb3a05ad0163..d793e34a6894 100644 --- a/sys/arm64/arm64/trap.c +++ b/sys/arm64/arm64/trap.c @@ -377,6 +377,14 @@ do_el1h_sync(struct thread *td, struct trapframe *frame) "do_el1_sync: curthread: %p, esr %lx, elr: %lx, frame: %p", td, esr, frame->tf_elr, frame); + /* +* Enable debug exceptions if we aren't already handling one. They will +* be masked again in the exception handler's epilogue. +*/ + if (exception != EXCP_BRK && exception != EXCP_WATCHPT_EL1 && + exception != EXCP_SOFTSTP_EL1) + dbg_enable(); + switch (exception) { case EXCP_FP_SIMD: case EXCP_TRAP_FP: ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
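Review bot: The condition added to do_el1h_sync in the trap.c hunk excludes `EXCP_BRK`, `EXCP_WATCHPT_EL1` and `EXCP_SOFTSTP_EL1` from `dbg_enable()`, but not a hardware breakpoint exception taken from the same EL. If that class can reach this function (nothing in the hunk shows whether it can), debug exceptions would be unmasked while one is still being handled, which is the recursion the commit message sets out to avoid. Either add that class to the condition or extend the block comment to say why it cannot occur here. With a fourth term the test would also read better as a small `static inline bool` helper than as a growing chain of `!=` comparisons. do_el1h_sync starts and ends outside the hunk.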
git: bd0b7cbf5ac1 - main - arm64: update kdb_thrctx->pcb_lr with BKPT_SKIP
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=bd0b7cbf5ac1baff4211e09584e0b86d4d96228b commit bd0b7cbf5ac1baff4211e09584e0b86d4d96228b Author: Mitchell Horne AuthorDate: 2021-03-01 14:00:17 + Commit: Mitchell Horne CommitDate: 2021-03-01 14:04:22 + arm64: update kdb_thrctx->pcb_lr with BKPT_SKIP This value should be kept in sync with updates to kdb_frame->tf_elr, since it is queried by PC_REGS() in several places. Reviewed by:markj, jhb MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28943 --- sys/arm64/include/db_machdep.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/arm64/include/db_machdep.h b/sys/arm64/include/db_machdep.h index f2fd2a57a9c3..61b58415e41c 100644 --- a/sys/arm64/include/db_machdep.h +++ b/sys/arm64/include/db_machdep.h @@ -49,8 +49,9 @@ typedef long db_expr_t; #defineBKPT_SIZE (4) #defineBKPT_SET(inst) (BKPT_INST) -#defineBKPT_SKIP do { \ - kdb_frame->tf_elr += BKPT_SIZE; \ +#defineBKPT_SKIP do { \ + kdb_frame->tf_elr += BKPT_SIZE; \ + kdb_thrctx->pcb_lr += BKPT_SIZE;\ } while (0) #definedb_clear_single_stepkdb_cpu_clear_singlestep ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
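Review bot: BKPT_SKIP now advances two copies of the resume address, and nothing in db_machdep.h says why or that they must move together; the reason (PC_REGS() reads `kdb_thrctx->pcb_lr`) is given only in the commit message. A comment above the macro, `/* Keep kdb_thrctx->pcb_lr in step with tf_elr; PC_REGS() reads the former. */`, would stop a later edit from updating only one of them. The macro also dereferences `kdb_thrctx` unconditionally, so it presumably relies on being expanded only where the debugger has set that pointer, which is worth confirming against the callers. The stable/13 cherry-pick at the end of the page carries the same hunk.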
git: e152c882738f - main - arm64: add definition for IS_SSTEP_TRAP()
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e152c882738ffe26a2f52e420e2a92c014943207 commit e152c882738ffe26a2f52e420e2a92c014943207 Author: Mitchell Horne AuthorDate: 2021-03-01 14:01:25 + Commit: Mitchell Horne CommitDate: 2021-03-01 14:04:23 + arm64: add definition for IS_SSTEP_TRAP() arm64 has a distinct exception code for single-step, so we can use this to detect when an unexpected SS trap is encountered, or when an expected one is not. See db_stop_at_pc(). Reviewed by:markj, jhb MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28942 --- sys/arm64/include/db_machdep.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/arm64/include/db_machdep.h b/sys/arm64/include/db_machdep.h index 61b58415e41c..105e8e507ce3 100644 --- a/sys/arm64/include/db_machdep.h +++ b/sys/arm64/include/db_machdep.h @@ -38,6 +38,7 @@ #include #defineT_BREAKPOINT(EXCP_BRK) +#defineT_SINGLESTEP(EXCP_SOFTSTP_EL1) #defineT_WATCHPOINT(EXCP_WATCHPT_EL1) typedef vm_offset_tdb_addr_t; @@ -58,6 +59,7 @@ typedef long db_expr_t; #definedb_set_single_step kdb_cpu_set_singlestep #defineIS_BREAKPOINT_TRAP(type, code) (type == T_BREAKPOINT) +#defineIS_SSTEP_TRAP(type, code) (type == T_SINGLESTEP) #defineIS_WATCHPOINT_TRAP(type, code) (type == T_WATCHPOINT) #defineinst_trap_return(ins) (0) ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 0ae676239927 - stable/13 - armv8crypto: add missing newline
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0ae67623992788538b90b7c0e2882c4aa645a81f commit 0ae67623992788538b90b7c0e2882c4aa645a81f Author: Elliott Mitchell AuthorDate: 2021-02-28 20:03:44 + Commit: Mitchell Horne CommitDate: 2021-03-03 16:14:51 + armv8crypto: add missing newline The missing newline mildly garbles boot-time messages and this can be troublesome if you need those. Reported by:Mike Karels (m...@karels.net) Reviewed By:gonzo (cherry picked from commit 530d38441d55b7ac62ebae6ac8ea76903a4a3b0c) --- sys/crypto/armv8/armv8_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/crypto/armv8/armv8_crypto.c b/sys/crypto/armv8/armv8_crypto.c index be39168d50f3..24f6eff5608d 100644 --- a/sys/crypto/armv8/armv8_crypto.c +++ b/sys/crypto/armv8/armv8_crypto.c @@ -122,7 +122,7 @@ armv8_crypto_probe(device_t dev) default: break; case ID_AA64ISAR0_AES_NONE: - device_printf(dev, "CPU lacks AES instructions"); + device_printf(dev, "CPU lacks AES instructions\n"); break; } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 661e2b8e1486 - releng/13.0 - ddb: fix show devmap output on 32-bit arm
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=661e2b8e1486cc966304ff98f766463de07e3f02 commit 661e2b8e1486cc966304ff98f766463de07e3f02 Author: Thomas Skibo AuthorDate: 2021-01-11 20:58:12 + Commit: Mitchell Horne CommitDate: 2021-03-03 21:54:45 + ddb: fix show devmap output on 32-bit arm The output has been broken since 1b6dd6d772ca. Casting to uintmax_t before the call to printf is necessary to ensure that 32-bit addresses are interpreted correctly. PR: 243236 Approved by:re (gjb) (cherry picked from commit 9976b42b697ce203b1d257b2a6fe64c8a2961645) (cherry picked from commit 0a223cf980b5ef8bea726a843fe5a7faf2278330) --- sys/kern/subr_devmap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kern/subr_devmap.c b/sys/kern/subr_devmap.c index 8e07199b7f73..23baceb05129 100644 --- a/sys/kern/subr_devmap.c +++ b/sys/kern/subr_devmap.c @@ -74,7 +74,9 @@ devmap_dump_table(int (*prfunc)(const char *, ...)) prfunc("Static device mappings:\n"); for (pd = devmap_table; pd->pd_size != 0; ++pd) { prfunc(" 0x%08jx - 0x%08jx mapped at VA 0x%08jx\n", - pd->pd_pa, pd->pd_pa + pd->pd_size - 1, pd->pd_va); + (uintmax_t)pd->pd_pa, + (uintmax_t)(pd->pd_pa + pd->pd_size - 1), + (uintmax_t)pd->pd_va); } } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: d2d99e6757fb - releng/13.0 - armv8crypto: add missing newline
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=d2d99e6757fb69f5b02711bba444774222ee9b3e commit d2d99e6757fb69f5b02711bba444774222ee9b3e Author: Elliott Mitchell AuthorDate: 2021-02-28 20:03:44 + Commit: Mitchell Horne CommitDate: 2021-03-03 21:54:22 + armv8crypto: add missing newline The missing newline mildly garbles boot-time messages and this can be troublesome if you need those. Reported by:Mike Karels (m...@karels.net) Reviewed by:gonzo Approved by:re (gjb) (cherry picked from commit 530d38441d55b7ac62ebae6ac8ea76903a4a3b0c) (cherry picked from commit 0ae67623992788538b90b7c0e2882c4aa645a81f) --- sys/crypto/armv8/armv8_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/crypto/armv8/armv8_crypto.c b/sys/crypto/armv8/armv8_crypto.c index be39168d50f3..24f6eff5608d 100644 --- a/sys/crypto/armv8/armv8_crypto.c +++ b/sys/crypto/armv8/armv8_crypto.c @@ -122,7 +122,7 @@ armv8_crypto_probe(device_t dev) default: break; case ID_AA64ISAR0_AES_NONE: - device_printf(dev, "CPU lacks AES instructions"); + device_printf(dev, "CPU lacks AES instructions\n"); break; } ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 0d3b3beeb253 - main - riscv: fix errors in some atomic type aliases
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0d3b3beeb253e09b2b6b3805065594aecc7e2c2f commit 0d3b3beeb253e09b2b6b3805065594aecc7e2c2f Author: Mitchell Horne AuthorDate: 2021-03-04 17:52:45 + Commit: Mitchell Horne CommitDate: 2021-03-04 20:59:58 + riscv: fix errors in some atomic type aliases This appears to be a copy-and-paste error that has simply been overlooked. The tree contains only two calls to any of the affected variants, but recent additions to the test suite started exercising the call to atomic_clear_rel_int() in ng_leave_write(), reliably causing panics. Apparently, the issue was inherited from the arm64 atomic header. That instance was addressed in c90baf6817a0, but the fix did not make its way to RISC-V. Note that the particular test case ng_macfilter_test:main still appears to fail on this platform, but this change reduces the panic to a timeout. PR: 253237 Reported by:Jenkins, arichardson Reviewed by:kp, arichardson MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D29064 --- sys/riscv/include/atomic.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/riscv/include/atomic.h b/sys/riscv/include/atomic.h index d08047593861..d743fce6f1ff 100644 --- a/sys/riscv/include/atomic.h +++ b/sys/riscv/include/atomic.h @@ -288,7 +288,7 @@ atomic_store_rel_32(volatile uint32_t *p, uint32_t val) #defineatomic_subtract_acq_int atomic_subtract_acq_32 #defineatomic_add_rel_int atomic_add_rel_32 -#defineatomic_clear_rel_intatomic_add_rel_32 +#defineatomic_clear_rel_intatomic_clear_rel_32 #defineatomic_cmpset_rel_int atomic_cmpset_rel_32 #defineatomic_fcmpset_rel_int atomic_fcmpset_rel_32 #defineatomic_set_rel_int atomic_set_rel_32 
@@ -490,7 +490,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) } #defineatomic_add_acq_long atomic_add_acq_64 -#defineatomic_clear_acq_long atomic_add_acq_64 +#defineatomic_clear_acq_long atomic_clear_acq_64 #defineatomic_cmpset_acq_long atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_long atomic_fcmpset_acq_64 #defineatomic_load_acq_longatomic_load_acq_64 @@ -498,7 +498,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) #defineatomic_subtract_acq_longatomic_subtract_acq_64 #defineatomic_add_acq_ptr atomic_add_acq_64 -#defineatomic_clear_acq_ptratomic_add_acq_64 +#defineatomic_clear_acq_ptratomic_clear_acq_64 #defineatomic_cmpset_acq_ptr atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_ptr atomic_fcmpset_acq_64 #defineatomic_load_acq_ptr atomic_load_acq_64 ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 46810641e879 - stable/13 - arm64: update kdb_thrctx->pcb_lr with BKPT_SKIP
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=46810641e879fb406354a7094a216e955c9ce117 commit 46810641e879fb406354a7094a216e955c9ce117 Author: Mitchell Horne AuthorDate: 2021-03-01 14:00:17 + Commit: Mitchell Horne CommitDate: 2021-03-08 14:02:16 + arm64: update kdb_thrctx->pcb_lr with BKPT_SKIP This value should be kept in sync with updates to kdb_frame->tf_elr, since it is queried by PC_REGS() in several places. Reviewed by:markj, jhb Sponsored by: The FreeBSD Foundation (cherry picked from commit bd0b7cbf5ac1baff4211e09584e0b86d4d96228b) --- sys/arm64/include/db_machdep.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/arm64/include/db_machdep.h b/sys/arm64/include/db_machdep.h index f2fd2a57a9c3..61b58415e41c 100644 --- a/sys/arm64/include/db_machdep.h +++ b/sys/arm64/include/db_machdep.h @@ -49,8 +49,9 @@ typedef long db_expr_t; #defineBKPT_SIZE (4) #defineBKPT_SET(inst) (BKPT_INST) -#defineBKPT_SKIP do { \ - kdb_frame->tf_elr += BKPT_SIZE; \ +#defineBKPT_SKIP do { \ + kdb_frame->tf_elr += BKPT_SIZE; \ + kdb_thrctx->pcb_lr += BKPT_SIZE;\ } while (0) #definedb_clear_single_stepkdb_cpu_clear_singlestep ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
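Review bot: The second statement added to `BKPT_SKIP` has no comment saying why two copies of the program counter are advanced, so a later edit to one line could silently desynchronise them again. The commit message gives the reason (PC_REGS() reads `kdb_thrctx->pcb_lr`), and that belongs next to the macro, e.g. `/* Keep pcb_lr in step with tf_elr; PC_REGS() reads the former. */`. The macro also dereferences `kdb_thrctx` unconditionally, which is presumably always valid while the debugger is active; that is worth confirming against the callers, which are outside this hunk.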
git: 090db1352edb - stable/13 - arm64: add definition for IS_SSTEP_TRAP()
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=090db1352edbb62cfe4b5e936ee7664756f1580a commit 090db1352edbb62cfe4b5e936ee7664756f1580a Author: Mitchell Horne AuthorDate: 2021-03-01 14:01:25 + Commit: Mitchell Horne CommitDate: 2021-03-08 14:02:42 + arm64: add definition for IS_SSTEP_TRAP() arm64 has a distinct exception code for single-step, so we can use this to detect when an unexpected SS trap is encountered, or when an expected one is not. See db_stop_at_pc(). Reviewed by:markj, jhb Sponsored by: The FreeBSD Foundation (cherry picked from commit e152c882738ffe26a2f52e420e2a92c014943207) --- sys/arm64/include/db_machdep.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/arm64/include/db_machdep.h b/sys/arm64/include/db_machdep.h index 61b58415e41c..105e8e507ce3 100644 --- a/sys/arm64/include/db_machdep.h +++ b/sys/arm64/include/db_machdep.h @@ -38,6 +38,7 @@ #include #defineT_BREAKPOINT(EXCP_BRK) +#defineT_SINGLESTEP(EXCP_SOFTSTP_EL1) #defineT_WATCHPOINT(EXCP_WATCHPT_EL1) typedef vm_offset_tdb_addr_t; @@ -58,6 +59,7 @@ typedef long db_expr_t; #definedb_set_single_step kdb_cpu_set_singlestep #defineIS_BREAKPOINT_TRAP(type, code) (type == T_BREAKPOINT) +#defineIS_SSTEP_TRAP(type, code) (type == T_SINGLESTEP) #defineIS_WATCHPOINT_TRAP(type, code) (type == T_WATCHPOINT) #defineinst_trap_return(ins) (0) ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
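Review bot: In the second hunk, `IS_SSTEP_TRAP(type, code)` expands `type` without parentheses, so an argument containing an operator of lower precedence than `==` would be compared incorrectly. Writing it as `#define IS_SSTEP_TRAP(type, code) ((type) == T_SINGLESTEP)` avoids that. The neighbouring `IS_BREAKPOINT_TRAP` and `IS_WATCHPOINT_TRAP` context lines have the same form and could be tidied in a follow-up.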
git: 35435ee5725a - stable/13 - arm64: fix hardware single-stepping from EL1
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=35435ee5725a8c0c67bdb4fd22d18154634dd081 commit 35435ee5725a8c0c67bdb4fd22d18154634dd081 Author: Mitchell Horne AuthorDate: 2021-03-01 13:59:25 + Commit: Mitchell Horne CommitDate: 2021-03-08 14:01:32 + arm64: fix hardware single-stepping from EL1 The main issue is that debug exceptions must to be disabled for the entire duration that SS bit in MDSCR_EL1 is set. Otherwise, a single-step exception will be generated immediately. This can occur before returning from the debugger (when MDSCR is written to) or before re-entering it after the single-step (when debug exceptions are unmasked in the exception handler). Solve this by delaying the unmask to C code for EL1, and avoid unmasking at all while handling debug exceptions, thus avoiding any recursive debug traps. Reviewed by:markj, jhb Sponsored by: The FreeBSD Foundation (cherry picked from commit 874635e381731e1fbd5e2d0459ca87814f1e455c) --- sys/arm64/arm64/debug_monitor.c | 6 ++ sys/arm64/arm64/exception.S | 6 +- sys/arm64/arm64/trap.c | 8 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/sys/arm64/arm64/debug_monitor.c b/sys/arm64/arm64/debug_monitor.c index dcb3645cf5d4..d302c8c95b4f 100644 --- a/sys/arm64/arm64/debug_monitor.c +++ b/sys/arm64/arm64/debug_monitor.c @@ -186,6 +186,9 @@ void kdb_cpu_set_singlestep(void) { + KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D, + ("%s: debug exceptions are not masked", __func__)); + kdb_frame->tf_spsr |= DBG_SPSR_SS; WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) | DBG_MDSCR_SS | DBG_MDSCR_KDE); @@ -205,6 +208,9 @@ void kdb_cpu_clear_singlestep(void) { + KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D, + ("%s: debug exceptions are not masked", __func__)); + WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) & ~(DBG_MDSCR_SS | DBG_MDSCR_KDE)); diff --git a/sys/arm64/arm64/exception.S b/sys/arm64/arm64/exception.S index bcb444ef2f55..2af32a185748 100644 
--- a/sys/arm64/arm64/exception.S +++ b/sys/arm64/arm64/exception.S @@ -76,8 +76,12 @@ __FBSDID("$FreeBSD$"); ldr x0, [x18, #(PC_CURTHREAD)] bl dbg_monitor_enter -.endif msr daifclr, #8 /* Enable the debug exception */ +.endif + /* +* For EL1, debug exceptions are conditionally unmasked in +* do_el1h_sync(). +*/ .endm .macro restore_registers el diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c index cb3a05ad0163..d793e34a6894 100644 --- a/sys/arm64/arm64/trap.c +++ b/sys/arm64/arm64/trap.c @@ -377,6 +377,14 @@ do_el1h_sync(struct thread *td, struct trapframe *frame) "do_el1_sync: curthread: %p, esr %lx, elr: %lx, frame: %p", td, esr, frame->tf_elr, frame); + /* +* Enable debug exceptions if we aren't already handling one. They will +* be masked again in the exception handler's epilogue. +*/ + if (exception != EXCP_BRK && exception != EXCP_WATCHPT_EL1 && + exception != EXCP_SOFTSTP_EL1) + dbg_enable(); + switch (exception) { case EXCP_FP_SIMD: case EXCP_TRAP_FP: ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
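Review bot: In the `do_el1h_sync()` hunk, the exception classes for which `dbg_enable()` is skipped are open-coded as three comparisons, separate from the `switch (exception)` that follows. A debug exception class added to that switch later without being added here would have debug exceptions unmasked while it is being handled, which is the recursive-trap case this commit sets out to prevent. I would either move the test into a small predicate next to the exception-class definitions or extend the new comment with `Keep this list in sync with the debug cases in the switch below.` The rest of the function is outside the hunk, so whether other debug classes are handled there cannot be checked from this page.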
git: cc24f5bc6f6e - stable/13 - riscv: fix errors in some atomic type aliases
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=cc24f5bc6f6eb56a959bd23ebb051d3bf6ebf670 commit cc24f5bc6f6eb56a959bd23ebb051d3bf6ebf670 Author: Mitchell Horne AuthorDate: 2021-03-04 17:52:45 + Commit: Mitchell Horne CommitDate: 2021-03-08 14:03:01 + riscv: fix errors in some atomic type aliases This appears to be a copy-and-paste error that has simply been overlooked. The tree contains only two calls to any of the affected variants, but recent additions to the test suite started exercising the call to atomic_clear_rel_int() in ng_leave_write(), reliably causing panics. Apparently, the issue was inherited from the arm64 atomic header. That instance was addressed in c90baf6817a0, but the fix did not make its way to RISC-V. Note that the particular test case ng_macfilter_test:main still appears to fail on this platform, but this change reduces the panic to a timeout. PR: 253237 Reported by:Jenkins, arichardson Reviewed by:kp, arichardson (cherry picked from commit 0d3b3beeb253e09b2b6b3805065594aecc7e2c2f) --- sys/riscv/include/atomic.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/riscv/include/atomic.h b/sys/riscv/include/atomic.h index d08047593861..d743fce6f1ff 100644 --- a/sys/riscv/include/atomic.h +++ b/sys/riscv/include/atomic.h @@ -288,7 +288,7 @@ atomic_store_rel_32(volatile uint32_t *p, uint32_t val) #defineatomic_subtract_acq_int atomic_subtract_acq_32 #defineatomic_add_rel_int atomic_add_rel_32 -#defineatomic_clear_rel_intatomic_add_rel_32 +#defineatomic_clear_rel_intatomic_clear_rel_32 #defineatomic_cmpset_rel_int atomic_cmpset_rel_32 #defineatomic_fcmpset_rel_int atomic_fcmpset_rel_32 #defineatomic_set_rel_int atomic_set_rel_32 
@@ -490,7 +490,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) } #defineatomic_add_acq_long atomic_add_acq_64 -#defineatomic_clear_acq_long atomic_add_acq_64 +#defineatomic_clear_acq_long atomic_clear_acq_64 #defineatomic_cmpset_acq_long atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_long atomic_fcmpset_acq_64 #defineatomic_load_acq_longatomic_load_acq_64 @@ -498,7 +498,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) #defineatomic_subtract_acq_longatomic_subtract_acq_64 #defineatomic_add_acq_ptr atomic_add_acq_64 -#defineatomic_clear_acq_ptratomic_add_acq_64 +#defineatomic_clear_acq_ptratomic_clear_acq_64 #defineatomic_cmpset_acq_ptr atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_ptr atomic_fcmpset_acq_64 #defineatomic_load_acq_ptr atomic_load_acq_64 ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 03572a87a84c - releng/13.0 - riscv: fix errors in some atomic type aliases
The branch releng/13.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=03572a87a84cde47f672480d3c5485713b7c39fb commit 03572a87a84cde47f672480d3c5485713b7c39fb Author: Mitchell Horne AuthorDate: 2021-03-04 17:52:45 + Commit: Mitchell Horne CommitDate: 2021-03-08 23:04:25 + riscv: fix errors in some atomic type aliases This appears to be a copy-and-paste error that has simply been overlooked. The tree contains only two calls to any of the affected variants, but recent additions to the test suite started exercising the call to atomic_clear_rel_int() in ng_leave_write(), reliably causing panics. Apparently, the issue was inherited from the arm64 atomic header. That instance was addressed in c90baf6817a0, but the fix did not make its way to RISC-V. Note that the particular test case ng_macfilter_test:main still appears to fail on this platform, but this change reduces the panic to a timeout. PR: 253237 Reported by:Jenkins, arichardson Reviewed by:kp, arichardson Approved by:re (gjb) (cherry picked from commit 0d3b3beeb253e09b2b6b3805065594aecc7e2c2f) (cherry picked from commit cc24f5bc6f6eb56a959bd23ebb051d3bf6ebf670) --- sys/riscv/include/atomic.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/riscv/include/atomic.h b/sys/riscv/include/atomic.h index d08047593861..d743fce6f1ff 100644 --- a/sys/riscv/include/atomic.h +++ b/sys/riscv/include/atomic.h @@ -288,7 +288,7 @@ atomic_store_rel_32(volatile uint32_t *p, uint32_t val) #defineatomic_subtract_acq_int atomic_subtract_acq_32 #defineatomic_add_rel_int atomic_add_rel_32 -#defineatomic_clear_rel_intatomic_add_rel_32 +#defineatomic_clear_rel_intatomic_clear_rel_32 #defineatomic_cmpset_rel_int atomic_cmpset_rel_32 #defineatomic_fcmpset_rel_int atomic_fcmpset_rel_32 #defineatomic_set_rel_int atomic_set_rel_32 
@@ -490,7 +490,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) } #defineatomic_add_acq_long atomic_add_acq_64 -#defineatomic_clear_acq_long atomic_add_acq_64 +#defineatomic_clear_acq_long atomic_clear_acq_64 #defineatomic_cmpset_acq_long atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_long atomic_fcmpset_acq_64 #defineatomic_load_acq_longatomic_load_acq_64 @@ -498,7 +498,7 @@ atomic_store_rel_64(volatile uint64_t *p, uint64_t val) #defineatomic_subtract_acq_longatomic_subtract_acq_64 #defineatomic_add_acq_ptr atomic_add_acq_64 -#defineatomic_clear_acq_ptratomic_add_acq_64 +#defineatomic_clear_acq_ptratomic_clear_acq_64 #defineatomic_cmpset_acq_ptr atomic_cmpset_acq_64 #defineatomic_fcmpset_acq_ptr atomic_fcmpset_acq_64 #defineatomic_load_acq_ptr atomic_load_acq_64 ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: 7e7f7beee732 - main - ns8250: don't drop IER_TXRDY on bus_grab/ungrab
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=7e7f7beee732810d3afcc83828341ac3e139b5bd commit 7e7f7beee732810d3afcc83828341ac3e139b5bd Author: Mitchell Horne AuthorDate: 2021-03-10 14:57:12 + Commit: Mitchell Horne CommitDate: 2021-03-10 15:04:42 + ns8250: don't drop IER_TXRDY on bus_grab/ungrab It has been observed that some systems are often unable to resume from ddb after entering with debug.kdb.enter=1. Checking the status further shows the terminal is blocked waiting in tty_drain(), but it never makes progress in clearing the output queue, because sc->sc_txbusy is high. I noticed that when entering polling mode for the debugger, IER_TXRDY is set in the failure case. Since this bit is never tracked by the softc, it will not be restored by ns8250_bus_ungrab(). This creates a race in which a TX interrupt can be lost, creating the hang described above. Ensuring that this bit is restored is enough to prevent this, and resume from ddb as expected. The solution is to track this bit in the sc->ier field, for the same lifetime that TX interrupts are enabled. PR: 223917, 240122 Reviewed by:imp, manu Tested by: bz MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29130 --- sys/dev/uart/uart_dev_ns8250.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/dev/uart/uart_dev_ns8250.c b/sys/dev/uart/uart_dev_ns8250.c index d920a76ae275..45b4d315c3d5 100644 --- a/sys/dev/uart/uart_dev_ns8250.c +++ b/sys/dev/uart/uart_dev_ns8250.c @@ -738,6 +738,7 @@ ns8250_bus_ipend(struct uart_softc *sc) } else { if (iir & IIR_TXRDY) { ipend |= SER_INT_TXIDLE; + ns8250->ier &= ~IER_ETXRDY; uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); } else 
@@ -1035,7 +1036,9 @@ ns8250_bus_transmit(struct uart_softc *sc) uart_setreg(bas, REG_DATA, sc->sc_txbuf[i]); uart_barrier(bas); } - uart_setreg(bas, REG_IER, ns8250->ier | IER_ETXRDY); + if (!broken_txfifo) + ns8250->ier |= IER_ETXRDY; + uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); if (broken_txfifo) ns8250_drain(bas, UART_DRAIN_TRANSMITTER); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
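Review bot: In `ns8250_bus_transmit()`, the `broken_txfifo` path no longer writes `IER_ETXRDY` to the register at all: the removed line OR-ed it in unconditionally, while the new code sets it in `ns8250->ier` only when `!broken_txfifo`. The commit message describes tracking the bit in the softc but not this change in what reaches the hardware, so if it is intentional (that path drains right afterwards) a comment such as `/* broken_txfifo: completion is polled by ns8250_drain(), so the TX interrupt stays off */` would record it. The read-modify-write of `ns8250->ier` here and in the `ns8250_bus_ipend()` hunk also relies on both running under the same lock, which these hunks do not show. The same two hunks recur in the stable/13 and stable/12 cherry-picks further down the page.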
git: 17d301f7b59f - stable/13 - ns8250: don't drop IER_TXRDY on bus_grab/ungrab
The branch stable/13 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=17d301f7b59f49c52983fe0957208dddf40b1232 commit 17d301f7b59f49c52983fe0957208dddf40b1232 Author: Mitchell Horne AuthorDate: 2021-03-10 14:57:12 + Commit: Mitchell Horne CommitDate: 2021-03-15 14:22:17 + ns8250: don't drop IER_TXRDY on bus_grab/ungrab It has been observed that some systems are often unable to resume from ddb after entering with debug.kdb.enter=1. Checking the status further shows the terminal is blocked waiting in tty_drain(), but it never makes progress in clearing the output queue, because sc->sc_txbusy is high. I noticed that when entering polling mode for the debugger, IER_TXRDY is set in the failure case. Since this bit is never tracked by the softc, it will not be restored by ns8250_bus_ungrab(). This creates a race in which a TX interrupt can be lost, creating the hang described above. Ensuring that this bit is restored is enough to prevent this, and resume from ddb as expected. The solution is to track this bit in the sc->ier field, for the same lifetime that TX interrupts are enabled. PR: 223917, 240122 Sponsored by: The FreeBSD Foundation (cherry picked from commit 7e7f7beee732810d3afcc83828341ac3e139b5bd) --- sys/dev/uart/uart_dev_ns8250.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/dev/uart/uart_dev_ns8250.c b/sys/dev/uart/uart_dev_ns8250.c index d920a76ae275..45b4d315c3d5 100644 --- a/sys/dev/uart/uart_dev_ns8250.c +++ b/sys/dev/uart/uart_dev_ns8250.c @@ -738,6 +738,7 @@ ns8250_bus_ipend(struct uart_softc *sc) } else { if (iir & IIR_TXRDY) { ipend |= SER_INT_TXIDLE; + ns8250->ier &= ~IER_ETXRDY; uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); } else 
@@ -1035,7 +1036,9 @@ ns8250_bus_transmit(struct uart_softc *sc) uart_setreg(bas, REG_DATA, sc->sc_txbuf[i]); uart_barrier(bas); } - uart_setreg(bas, REG_IER, ns8250->ier | IER_ETXRDY); + if (!broken_txfifo) + ns8250->ier |= IER_ETXRDY; + uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); if (broken_txfifo) ns8250_drain(bas, UART_DRAIN_TRANSMITTER); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: a54c346ff3e8 - stable/12 - ns8250: don't drop IER_TXRDY on bus_grab/ungrab
The branch stable/12 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=a54c346ff3e80ff8f2f3d0ec56b5374a7dc34429 commit a54c346ff3e80ff8f2f3d0ec56b5374a7dc34429 Author: Mitchell Horne AuthorDate: 2021-03-10 14:57:12 + Commit: Mitchell Horne CommitDate: 2021-03-16 17:56:03 + ns8250: don't drop IER_TXRDY on bus_grab/ungrab It has been observed that some systems are often unable to resume from ddb after entering with debug.kdb.enter=1. Checking the status further shows the terminal is blocked waiting in tty_drain(), but it never makes progress in clearing the output queue, because sc->sc_txbusy is high. I noticed that when entering polling mode for the debugger, IER_TXRDY is set in the failure case. Since this bit is never tracked by the softc, it will not be restored by ns8250_bus_ungrab(). This creates a race in which a TX interrupt can be lost, creating the hang described above. Ensuring that this bit is restored is enough to prevent this, and resume from ddb as expected. The solution is to track this bit in the sc->ier field, for the same lifetime that TX interrupts are enabled. PR: 223917, 240122 Sponsored by: The FreeBSD Foundation (cherry picked from commit 7e7f7beee732810d3afcc83828341ac3e139b5bd) --- sys/dev/uart/uart_dev_ns8250.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/dev/uart/uart_dev_ns8250.c b/sys/dev/uart/uart_dev_ns8250.c index 52775a9b8a44..997eca3ea6cd 100644 --- a/sys/dev/uart/uart_dev_ns8250.c +++ b/sys/dev/uart/uart_dev_ns8250.c @@ -735,6 +735,7 @@ ns8250_bus_ipend(struct uart_softc *sc) } else { if (iir & IIR_TXRDY) { ipend |= SER_INT_TXIDLE; + ns8250->ier &= ~IER_ETXRDY; uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); } else 
@@ -1032,7 +1033,9 @@ ns8250_bus_transmit(struct uart_softc *sc) uart_setreg(bas, REG_DATA, sc->sc_txbuf[i]); uart_barrier(bas); } - uart_setreg(bas, REG_IER, ns8250->ier | IER_ETXRDY); + if (!broken_txfifo) + ns8250->ier |= IER_ETXRDY; + uart_setreg(bas, REG_IER, ns8250->ier); uart_barrier(bas); if (broken_txfifo) ns8250_drain(bas, UART_DRAIN_TRANSMITTER); ___ dev-commits-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
git: c362fe939f6f - main - pmcstat: fix duplicate event allocation on CPU 0
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=c362fe939f6fe52056fb7506be9e5cbd0a5ef60b commit c362fe939f6fe52056fb7506be9e5cbd0a5ef60b Author: Mitchell Horne AuthorDate: 2023-09-27 16:37:46 + Commit: Mitchell Horne CommitDate: 2023-09-27 16:39:56 + pmcstat: fix duplicate event allocation on CPU 0 Commit b6e28991bf3a modified the allocation path for system scope PMCs so that the event was allocated early for CPU 0. The reason is so that the PMC's capabilities could be checked, to determine if pmcstat should allocate the event on every CPU, or just on one CPU in each NUMA domain. In the current scheme, there is no way to determine this information without performing the PMC allocation. This broke the established use-case of log analysis, and so 0aa150775179a was committed to fix the assertion. The result was what appeared to be functional, but in normal counter measurement pmcstat was silently allocating two counters for CPU 0. This cuts the total number of counters that can be allocated from a CPU in half. Additionally, depending on the particular hardware/event, we might not be able to allocate the same event twice on a single CPU. The simplest solution is to release the early-allocated PMC once we have obtained its capabilities, and reallocate it later on. This restores the event list logic to behave as it has for many years, and partially reverts commit b6e28991bf3a. Reported by:alc, kevans Reviewed by:jkoshy, ray MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41978 --- usr.sbin/pmcstat/pmcstat.c | 19 +++ 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/usr.sbin/pmcstat/pmcstat.c b/usr.sbin/pmcstat/pmcstat.c index fd4be99f83c8..c36cee436e55 100644 --- a/usr.sbin/pmcstat/pmcstat.c +++ b/usr.sbin/pmcstat/pmcstat.c 
@@ -713,8 +713,16 @@ main(int argc, char **argv) errx(EX_SOFTWARE, "ERROR: Out of memory."); (void) strncpy(ev->ev_name, optarg, c); *(ev->ev_name + c) = '\0'; + libpmc_initialize(&npmc); + if (args.pa_flags & FLAG_HAS_SYSTEM_PMCS) { + /* +* We need to check the capabilities of the +* desired event to determine if it should be +* allocated on every CPU, or only a subset of +* them. This requires allocating a PMC now. +*/ if (pmc_allocate(ev->ev_spec, ev->ev_mode, ev->ev_flags, ev->ev_cpu, &ev->ev_pmcid, ev->ev_count) < 0) @@ -726,8 +734,14 @@ main(int argc, char **argv) err(EX_OSERR, "ERROR: Cannot get pmc " "capabilities"); } - } + /* +* Release the PMC now that we have caps; we +* will reallocate shortly. +*/ + pmc_release(ev->ev_pmcid); + ev->ev_pmcid = PMC_ID_INVALID; + } STAILQ_INSERT_TAIL(&args.pa_events, ev, ev_next); @@ -751,10 +765,7 @@ main(int argc, char **argv) } if (option == 's' || option == 'S') { CPU_CLR(ev->ev_cpu, &cpumask); - pmc_id_t saved_pmcid = ev->ev_pmcid; - ev->ev_pmcid = PMC_ID_INVALID; pmcstat_clone_event_descriptor(ev, &cpumask, &args); - ev->ev_pmcid = saved_pmcid; CPU_SET(ev->ev_cpu, &cpumask); }
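Review bot: In the `@@ -726,8 +734,14 @@` hunk, the result of `pmc_release(ev->ev_pmcid)` is discarded before `ev->ev_pmcid` is reset to `PMC_ID_INVALID`. If the release fails, the early-allocated counter stays allocated with no handle left to free it, and the later reallocation silently runs into the same duplicate-counter condition this commit fixes. Following the error style of the surrounding calls, I would write `if (pmc_release(ev->ev_pmcid) < 0) err(EX_OSERR, "ERROR: Cannot release pmc");`. `main()` starts and ends outside these hunks.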
git: 7974ca1cdbee - main - cr_canseejailproc(): New privilege, no direct check for UID 0
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=7974ca1cdbee949f5e453eea112be265b425c407 commit 7974ca1cdbee949f5e453eea112be265b425c407 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:37 + Commit: Mitchell Horne CommitDate: 2023-09-28 14:42:22 + cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by:emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 --- sys/kern/kern_jail.c | 1 + sys/kern/kern_prot.c | 7 +-- sys/security/mac_biba/mac_biba.c | 1 + sys/security/mac_lomac/mac_lomac.c | 1 + sys/sys/priv.h | 1 + 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 0c1f565638da..66bcd77ca8d2 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3939,6 +3939,7 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: /* * Jail implements inter-process debugging limits already, so diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 19e0b78c6709..ed15cb566499 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { - if (u1->cr_uid == 0) + if (see_jail_proc || /* Policy deactivated. */ + u1->cr_prison == u2->cr_prison || /* Same jail. */ + priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ return (0); - return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); + + return (ESRCH); } /*- diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 6948548503e1..5d66e2fd4b9b 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 05bd0da06960..aa9abf458721 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 45cb5bab4275..a61de8d32fe0 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -105,6 +105,7 @@ #definePRIV_CRED_SETRESGID 58 /* setresgid. */ #definePRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ #definePRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ +#definePRIV_SEEJAILPROC61 /* Exempt from bsd.see_jail_proc. */ /* * Debugging privileges.
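Review bot: In `cr_canseejailproc()`, the order of the three conditions is security-relevant but only labelled, not explained: `priv_check_cred(u1, PRIV_SEEJAILPROC)` is evaluated last, so the privilege, and the jail and MAC checks this commit updates for it, is consulted only when the policy would otherwise deny. A reordering for readability would change when those checks run, so I would add `/* Privilege is checked last on purpose: only ask when the policy would deny. */` above the `if`. The function's header comment lies outside the hunk; it should also say that the exemption is now a privilege and no longer a UID 0 test, and therefore follows `security.bsd.suser_enabled` and MAC policies as the commit message states.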
git: e4a7b4f99cfd - main - New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e4a7b4f99cfd4931468c0866da4ae8b49cf5badb commit e4a7b4f99cfd4931468c0866da4ae8b49cf5badb Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-09-28 14:57:43 + New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects This is a new helper function that leverages existing code: It calls successively cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() (as long as the previous didn't deny access). Will be used in a subsequent commit. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40627 --- sys/kern/kern_prot.c | 19 +++ sys/sys/proc.h | 1 + 2 files changed, 20 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index ed15cb566499..1e6073b554e4 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1434,6 +1434,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2) return (ESRCH); } +/* + * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* + * policies. Determines if u1 "can see" u2 according to these policies. + * Returns: 0 for permitted, ESRCH otherwise + */ +int +cr_bsd_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if ((error = cr_canseeotheruids(u1, u2))) + return (error); + if ((error = cr_canseeothergids(u1, u2))) + return (error); + if ((error = cr_canseejailproc(u1, u2))) + return (error); + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 3102cae7add0..8609bbd124ad 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h 
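Review bot: The header comment added for `cr_bsd_visible()` promises `0 for permitted, ESRCH otherwise`, but the body returns whatever non-zero value the three sub-checks produce, so the comment holds only as long as each of them returns nothing but ESRCH. Either word it as `Returns: 0 for permitted, the failing sub-check's errno value otherwise` or state the assumption explicitly. It also omits the `References:` line that the wrapped functions carry in their own comments (visible in a later commit on this page: `*u1 and *u2 must not change during the call`); the same requirement applies here, since both pointers are passed straight through.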
@@ -1163,6 +1163,7 @@ void ast_sched(struct thread *td, int tda); void ast_unsched_locked(struct thread *td, int tda); struct thread *choosethread(void); +intcr_bsd_visible(struct ucred *u1, struct ucred *u2); intcr_cansee(struct ucred *u1, struct ucred *u2); intcr_canseesocket(struct ucred *cred, struct socket *so); intcr_canseeothergids(struct ucred *u1, struct ucred *u2);
git: 5817169bc4a0 - main - Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=5817169bc4a06a35aa5ef7f5ed18f6cb35037e18 commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-09-28 14:59:08 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 --- sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 1e6073b554e4..648c067dc528 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif - if ((error = cr_canseeotheruids(u1, u2))) - return (error); - if ((error = cr_canseeothergids(u1, u2))) - return (error); - if ((error = cr_canseejailproc(u1, u2))) + if ((error = cr_bsd_visible(u1, u2))) return (error); return (0); } @@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif - if ((error = cr_canseeotheruids(cred, proc->p_ucred))) - return (error); - if ((error = cr_canseeothergids(cred, proc->p_ucred))) + if ((error = cr_bsd_visible(cred, proc->p_ucred))) return (error); /* 
@@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p) if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); + if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { error = priv_check(td, PRIV_SCHED_DIFFCRED); @@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p) if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); /* @@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so) if (error) return (error); #endif - if (cr_canseeotheruids(cred, so->so_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, so->so_cred)) + if (cr_bsd_visible(cred, so->so_cred)) return (ENOENT); return (0); @@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p) #endif #if 0 /* XXXMAC: This could have odd effects on some shells. */ - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); #endif diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c index 222e39c6bcd2..204f4f60456e 100644 --- a/sys/netinet/in_prot.c +++ b/sys/netinet/in_prot.c @@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) if (error) return (error); #endif - if (cr_canseeotheruids(cred, inp->inp_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, inp->inp_cred)) + if (cr_bsd_visible(cred, inp->inp_cred)) return (ENOENT); return (0);
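Review bot: In `cr_canseesocket()` the switch to `cr_bsd_visible()` changes more than the commit message describes: the removed lines checked only other-UID and other-GID visibility, so socket visibility presumably now also follows `security.bsd.see_jail_proc`, a knob whose name mentions processes only. The same applies to `cr_canseeinpcb()` in the sys/netinet/in_prot.c hunk. If the widening is intended, state it in the commit message or at both call sites, e.g. `/* Also applies see_jail_proc to sockets, not just processes. */`. `cr_bsd_visible()` itself is not part of this diff, so the jail check inside it is inferred from the three calls it replaces in the `cr_cansee()` hunk.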
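Review bot: The `#if 0` block in `p_canwait()` was a UID-only check before and now names the full `cr_bsd_visible()` check, so the disabled code no longer matches what the `XXXMAC` remark was written about. If the block were ever enabled, a parent would presumably be refused waiting on its own child once that child runs in a sub-jail, which is a larger behaviour change than the remark warns of. Either leave the dead block as it was or extend the remark, e.g. `/* XXXMAC: This could have odd effects on some shells, and on parents waiting for children in sub-jails. */`. The function starts and ends outside the hunk.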
git: 91e9d669b475 - main - Make cr_bsd_visible()'s sub-functions internal
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=91e9d669b475d1900e8dc01a49ad90a621c4a068 commit 91e9d669b475d1900e8dc01a49ad90a621c4a068 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:39 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + Make cr_bsd_visible()'s sub-functions internal cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() should not be used directly now. cr_bsd_visible() has to be called instead. Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40629 --- sys/kern/kern_prot.c | 10 +++--- sys/sys/proc.h | 3 --- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 648c067dc528..04aaebf0de63 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -91,6 +91,10 @@ static void crfree_final(struct ucred *cr); static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups); +static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); +static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); +static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); + #ifndef _SYS_SYSPROTO_H_ struct getpid_args { int dummy; @@ -1351,7 +1355,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2) { @@ -1381,7 +1385,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { int i, match; 
@@ -1423,7 +1427,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { if (see_jail_proc || /* Policy deactivated. */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 8609bbd124ad..0b91b2a1a0b5 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1166,9 +1166,6 @@ structthread *choosethread(void); intcr_bsd_visible(struct ucred *u1, struct ucred *u2); intcr_cansee(struct ucred *u1, struct ucred *u2); intcr_canseesocket(struct ucred *cred, struct socket *so); -intcr_canseeothergids(struct ucred *u1, struct ucred *u2); -intcr_canseeotheruids(struct ucred *u1, struct ucred *u2); -intcr_canseejailproc(struct ucred *u1, struct ucred *u2); intcr_cansignal(struct ucred *cred, struct proc *proc, int signum); intenterpgrp(struct proc *p, pid_t pgid, struct pgrp *pgrp, struct session *sess);
git: c59ab75c04fa - main - cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=c59ab75c04fa32bc6d292596ff5e4593a05a6b1b commit c59ab75c04fa32bc6d292596ff5e4593a05a6b1b Author: Olivier Certner AuthorDate: 2023-08-17 23:54:39 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename When these functions were renamed 7 years ago, their man pages were not. Rename the latter in accordance and fix the names inside them. Fix references to them as well. Add the old man pages to the list of obsolete files. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40630 --- ObsoleteFiles.inc | 4 share/man/man9/Makefile| 4 ++-- share/man/man9/cr_cansee.9 | 8 share/man/man9/{cr_seeothergids.9 => cr_canseeothergids.9} | 8 share/man/man9/{cr_seeotheruids.9 => cr_canseeotheruids.9} | 8 share/man/man9/p_candebug.9| 8 6 files changed, 22 insertions(+), 18 deletions(-) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 0b9d6247629b..64003b2c976f 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -51,6 +51,10 @@ # xargs -n1 | sort | uniq -d; # done +# 20230927: Man pages renamed to match the actual functions +OLD_FILES+=usr/share/man/man9/cr_seeothergids.9.gz +OLD_FILES+=usr/share/man/man9/cr_seeotheruids.9.gz + # 20230925 OLD_FILES+=usr/share/examples/diskless/ME OLD_FILES+=usr/share/examples/diskless/README.BOOTP diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 07a107b4bd7d..a989f4105d5c 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -69,9 +69,9 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseeothergids.9 \ + cr_canseeotheruids.9 \ critical_enter.9 \ - cr_seeothergids.9 \ - cr_seeotheruids.9 \ crypto.9 \ crypto_buffer.9 \ crypto_driver.9 \ diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 8e058eb4e3e5..4824a231170b 100644 
--- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -50,9 +50,9 @@ variables and .Va security.bsd.see_other_uids , as per the description in -.Xr cr_seeothergids 9 +.Xr cr_canseeothergids 9 and -.Xr cr_seeotheruids 9 +.Xr cr_canseeotheruids 9 respectively. .Sh RETURN VALUES This function returns zero if the object with credential @@ -84,7 +84,7 @@ does not belong to the same jail as The MAC subsystem denied visibility. .El .Sh SEE ALSO -.Xr cr_seeothergids 9 , -.Xr cr_seeotheruids 9 , +.Xr cr_canseeothergids 9 , +.Xr cr_canseeotheruids 9 , .Xr mac 9 , .Xr p_cansee 9 diff --git a/share/man/man9/cr_seeothergids.9 b/share/man/man9/cr_canseeothergids.9 similarity index 94% rename from share/man/man9/cr_seeothergids.9 rename to share/man/man9/cr_canseeothergids.9 index bd8eb5d2e9d9..79269533ae5c 100644 --- a/share/man/man9/cr_seeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERGIDS 9 +.Dt CR_CANSEEOTHERGIDS 9 .Os .Sh NAME -.Nm cr_seeothergids +.Nm cr_canseeothergids .Nd determine visibility of objects given their group memberships .Sh SYNOPSIS .Ft int -.Fn cr_seeothergids "struct ucred *u1" "struct ucred *u2" +.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION This function determines the visibility of objects in the kernel based on the group IDs in the credentials @@ -76,5 +76,5 @@ or .Er ESRCH otherwise. .Sh SEE ALSO -.Xr cr_seeotheruids 9 , +.Xr cr_canseeotheruids 9 , .Xr p_candebug 9 diff --git a/share/man/man9/cr_seeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 similarity index 94% rename from share/man/man9/cr_seeotheruids.9 rename to share/man/man9/cr_canseeotheruids.9 index 2cefd0f9dc8e..80acc2d7a6ca 100644 --- a/share/man/man9/cr_seeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 
@@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERUIDS 9 +.Dt CR_CANSEEOTHERUIDS 9 .Os .Sh NAME -.Nm cr_seeotheruids +.Nm cr_canseeotheruids .Nd determine visibility of objects given their user credentials .Sh SYNOPSIS .Ft int -.Fn cr_seeotheruids "struct ucred *u1" "struct ucred *u2" +.Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION This function determines the visibility of objects in the kernel based on the real user IDs in the credentials @@ -76,5 +76,5 @@ or
git: 29d863bb7ffc - main - cr_canseejailproc(9): New man page
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=29d863bb7ffc692998f21fa3e7a91afa1151cf1c commit 29d863bb7ffc692998f21fa3e7a91afa1151cf1c Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + cr_canseejailproc(9): New man page Reviewed by:pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40631 --- share/man/man9/Makefile| 1 + share/man/man9/cr_canseejailproc.9 | 81 ++ 2 files changed, 82 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index a989f4105d5c..a33c42018dbf 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -69,6 +69,7 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseejailproc.9 \ cr_canseeothergids.9 \ cr_canseeotheruids.9 \ critical_enter.9 \ diff --git a/share/man/man9/cr_canseejailproc.9 b/share/man/man9/cr_canseejailproc.9 new file mode 100644 index ..775c76722b05 --- /dev/null +++ b/share/man/man9/cr_canseejailproc.9 
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated to
+the same jail, or if
+.Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: 0d6bf73c4f20 - main - cr_bsd_visible(9): New man page
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0d6bf73c4f20e6ed719c29c1b382d24bb0a81a2f commit 0d6bf73c4f20e6ed719c29c1b382d24bb0a81a2f Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + cr_bsd_visible(9): New man page Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40632 --- share/man/man9/Makefile | 1 + share/man/man9/cr_bsd_visible.9 | 117 2 files changed, 118 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index a33c42018dbf..f07a886277e0 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -68,6 +68,7 @@ MAN= accept_filter.9 \ copy.9 \ counter.9 \ cpuset.9 \ + cr_bsd_visible.9 \ cr_cansee.9 \ cr_canseejailproc.9 \ cr_canseeothergids.9 \ diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 new file mode 100644 index ..bd676e6f5705 --- /dev/null +++ b/share/man/man9/cr_bsd_visible.9 
@@ -0,0 +1,117 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_BSD_VISIBLE 9
+.Os
+.Sh NAME
+.Nm cr_bsd_visible
+.Nd determine if subjects may see entities according to BSD security policies
+.Sh SYNOPSIS
+.In sys/proc.h
+.Ft int
+.Fn cr_bsd_visible "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+This function determines if a subject with credentials
+.Fa u1
+is denied seeing an object or subject associated to credentials
+.Fa u2
+by the following policies and associated
+.Xr sysctl 8
+knobs:
+.Bl -tag -width indent
+.It Va security.bsd.seeotheruids
+If set to 0, subjects cannot see other subjects or objects if they are not
+associated with the same real user ID.
+The corresponding internal function is
+.Xr cr_canseeotheruids 9 .
+.It Va security.bsd.seeothergids
+If set to 0, subjects cannot see other subjects or objects if they are not both
+a member of at least one common group.
+The corresponding internal function is
+.Xr cr_canseeothergids 9 .
+.It Va security.bsd.see_jail_proc
+If set to 0, subjects cannot see other subjects or objects that are not
+associated with the same jail as they are.
+The corresponding internal function is
+.Xr cr_canseejailproc 9 .
+.El
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from any of these
+policies provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Pp
+This function is intended to be used as a helper to implement
+.Xr cr_cansee 9
+and similar functions.
+.Sh RETURN VALUES
+This function returns zero if a subject with credentials
+.Fa u1
+may see a subject or object with credentials
+.Fa u2
+by the active above-mentioned policies, or
+.Er ESRCH
+otherwise.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+do not have the same real user ID.
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not members of any common group
+.Po
+as determined by
+.Xr groupmember 9
+.Pc .
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not in the same jail.
+.El
+.Sh SEE ALSO
+.Xr cr_canseeotheruids 9 ,
+.Xr cr_canseeothergids 9 ,
+.Xr
git: 3fe9ea4d2d04 - main - cr_canseeothergids(9): Revamp, mark as internal
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=3fe9ea4d2d04d48a249b2e6161d416bb4d5b364e commit 3fe9ea4d2d04d48a249b2e6161d416bb4d5b364e Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + cr_canseeothergids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeotheruids(9) by ones to cr_bsd_visible(9). Reviewed by:pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40633 --- share/man/man9/cr_canseeothergids.9 | 77 +++-- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index 79269533ae5c..f0c1e5c4e726 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,58 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 11, 2003 +.Dd August 18, 2023 .Dt CR_CANSEEOTHERGIDS 9 .Os .Sh NAME .Nm cr_canseeothergids -.Nd determine visibility of objects given their group memberships +.Nd determine if subjects may see entities in a disjoint group set .Sh SYNOPSIS .Ft int .Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the group IDs in the credentials +.Bf -emphasis +This function is internal. +Its functionality is integrated into the function +.Xr cr_bsd_visible 9 , +which should be called instead. +.Ef +.Pp +This function checks if a subject associated to credentials .Fa u1 -and +is denied seeing a subject or object associated to credentials .Fa u2 -associated with them. +by a policy that requires both credentials to have at least one group in common. +For this determination, the effective and supplementary group IDs are used, but +not the real group IDs, as per +.Xr groupmember 9 . .Pp -The visibility of objects is influenced by the +This policy is active if and only if the .Xr sysctl 8 variable -.Va security.bsd.see_other_gids . -If this variable is non-zero then all objects in the kernel -are visible to each other irrespective of their group membership. -If this variable is zero then the object with credentials -.Fa u2 -is visible to the object with credentials -.Fa u1 -if either -.Fa u1 -is the super-user credential, or if at least one of -.Fa u1 Ns 's -group IDs is present in -.Fa u2 Ns 's -group set. -.Sh SYSCTL VARIABLES -.Bl -tag -width indent -.It Va security.bsd.see_other_gids -Must be non-zero if objects with unprivileged credentials are to be -able to see each other. -.El +.Va security.bsd.see_other_gids +is set to zero. 
+.Pp +As usual, the superuser (effective user ID 0) is exempt from this policy +provided that the +.Xr sysctl 8 +variable +.Va security.bsd.suser_enabled +is non-zero and no active MAC policy explicitly denies the exemption +.Po +see +.Xr priv_check_cred 9 +.Pc . .Sh RETURN VALUES -This function returns zero if the object with credential +The +.Fn cr_canseeothergids +function returns 0 if the policy is disabled, the credentials share at least one +common group, or if .Fa u1 -can -.Dq see -the object with credential -.Fa u2 , -or -.Er ESRCH -otherwise. +has privilege exempting it from the policy. +Otherwise, it returns +.Er ESRCH . .Sh SEE ALSO -.Xr cr_canseeotheruids 9 , -.Xr p_candebug 9 +.Xr cr_bsd_visible 9 , +.Xr groupmember 9 , +.Xr priv_check_cred 9
git: 75a45ca3b340 - main - groupmember(9): Detail which groups are considered, simplify
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=75a45ca3b34062fe793ae326ad9da614a1a06df1 commit 75a45ca3b34062fe793ae326ad9da614a1a06df1 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + groupmember(9): Detail which groups are considered, simplify Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40634 --- share/man/man9/groupmember.9 | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index d447bf64c482..3a516622efce 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (C) 2001 Chad David . All rights reserved. +.\" Copyright (C) 2023 Olivier Certner .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -24,12 +25,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH .\" DAMAGE. .\" -.Dd July 9, 2001 +.Dd August 18, 2023 .Dt GROUPMEMBER 9 .Os .Sh NAME .Nm groupmember -.Nd checks group set for a group ID +.Nd checks if credentials mandate some group membership .Sh SYNOPSIS .In sys/param.h .In sys/ucred.h 
@@ -38,21 +39,26 @@ .Sh DESCRIPTION The .Fn groupmember -function checks to see if the given -.Fa gid -is in the group set of the credentials. +function checks if credentials +.Fa cred +indicate that the associated subject or object is a member of the group +designated by the group ID +.Fa gid . .Pp -Its arguments are: -.Bl -tag -width ".Fa cred" -.It Fa gid -The group ID to check for. -.It Fa cred -The credentials to search for the group in. -.El +Considered groups in +.Fa cred +are the effective and supplementary groups. +The real group is not taken into account. .Sh RETURN VALUES If the .Fa gid -is found, 1 is returned; otherwise, 0 is returned. +is found, 1 is returned, otherwise 0. +.Sh SEE ALSO +.Xr getgroups 2 +.Xr setgroups 2 .Sh AUTHORS -This manual page was written by -.An Chad David Aq Mt dav...@acns.ab.ca . +This manual page was initially written by +.An -nosplit +.An Chad David Aq Mt dav...@acns.ab.ca +and was revised by +.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: 4ddd253b38df - main - cr_canseeotheruids(9): Revamp, mark as internal
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=4ddd253b38dff872355cc1b5238b1bbfd380 commit 4ddd253b38dff872355cc1b5238b1bbfd380 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:45 + cr_canseeotheruids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeothergids(9) by ones to cr_bsd_visible(9). Reviewed by:bcr, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40635 --- share/man/man9/cr_canseeotheruids.9 | 73 ++--- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 index 80acc2d7a6ca..230c5ea59b78 100644 --- a/share/man/man9/cr_canseeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,54 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 11, 2003 +.Dd August 18, 2023 .Dt CR_CANSEEOTHERUIDS 9 .Os .Sh NAME .Nm cr_canseeotheruids -.Nd determine visibility of objects given their user credentials +.Nd determine if subjects may see entities with differing user ID .Sh SYNOPSIS .Ft int .Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the real user IDs in the credentials +.Bf -emphasis +This function is internal. +Its functionality is integrated into the function +.Xr cr_bsd_visible 9 , +which should be called instead. +.Ef +.Pp +This function checks if a subject associated to credentials .Fa u1 -and +is denied seeing a subject or object associated to credentials .Fa u2 -associated with them. +by a policy that requires both credentials to have the same real user ID. .Pp -The visibility of objects is influenced by the +This policy is active if and only if the .Xr sysctl 8 variable -.Va security.bsd.see_other_uids . -If this variable is non-zero then all objects in the kernel -are visible to each other irrespective of their user IDs. -If this variable is zero then the object with credentials -.Fa u2 -is visible to the object with credentials -.Fa u1 -if either -.Fa u1 -is the super-user credential, or if -.Fa u1 -and -.Fa u2 -have the same real user ID. -.Sh SYSCTL VARIABLES -.Bl -tag -width indent -.It Va security.bsd.see_other_uids -Must be non-zero if objects with unprivileged credentials are to be -able to see each other. -.El +.Va security.bsd.see_other_uids +is set to zero. 
+.Pp +As usual, the superuser (effective user ID 0) is exempt from this policy +provided that the +.Xr sysctl 8 +variable +.Va security.bsd.suser_enabled +is non-zero and no active MAC policy explicitly denies the exemption +.Po +see +.Xr priv_check_cred 9 +.Pc . .Sh RETURN VALUES -This function returns zero if the object with credential +The +.Fn cr_canseeotheruids +function returns 0 if the policy is disabled, both credentials have the same +real user ID, or if .Fa u1 -can -.Dq see -the object with credential -.Fa u2 , -or -.Er ESRCH -otherwise. +has privilege exempting it from the policy. +Otherwise, it returns +.Er ESRCH . .Sh SEE ALSO -.Xr cr_canseeothergids 9 , -.Xr p_candebug 9 +.Xr cr_bsd_visible 9 , +.Xr priv_check_cred 9
git: 82f9bc9ea8ed - main - cr_cansee(9): cr_bsd_visible() impacts, simplifications
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=82f9bc9ea8ed660c61050ad1d92f1a64108c7004 commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + cr_cansee(9): cr_bsd_visible() impacts, simplifications Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9). Defer to cr_bsd_visible() for controlling sysctl(8) variables. Reviewed by:bcr, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40636 --- share/man/man9/cr_cansee.9 | 61 -- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 4824a231170b..d5cdfdd6f8e5 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2006 Ceri Davies +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -23,43 +24,39 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt CR_CANSEE 9 .Os .Sh NAME .Nm cr_cansee .Nd "determine visibility of objects given their user credentials" .Sh SYNOPSIS -.In sys/param.h -.In sys/systm.h -.In sys/ucred.h +.In sys/proc.h .Ft int .Fn cr_cansee "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the real user IDs and group IDs in the credentials +This function determines if a subject with credential .Fa u1 -and -.Fa u2 -associated with them. +can see a subject or object associated to credential +.Fa u2 . .Pp -The visibility of objects is influenced by the +Specific types of subjects may need to submit to additional or different +restrictions. +As an example, for processes, see +.Xr p_cansee 9 , +which calls this function. +.Pp +The implementation relies on +.Xr cr_bsd_visible 9 +and consequently the .Xr sysctl 8 -variables -.Va security.bsd.see_other_gids -and -.Va security.bsd.see_other_uids , -as per the description in -.Xr cr_canseeothergids 9 -and -.Xr cr_canseeotheruids 9 -respectively. +variables referenced in its manual page influence the result. .Sh RETURN VALUES -This function returns zero if the object with credential +This function returns zero if the subject with credential .Fa u1 can .Dq see -the object with credential +the subject or object with credential .Fa u2 , or .Er ESRCH 
@@ -67,24 +64,20 @@ otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -The object with credential -.Fa u1 -cannot -.Dq see -the object with credential -.Fa u2 . -.It Bq Er ESRCH -The object with credential +The subject with credential .Fa u1 -has been jailed and the object with credential +has been jailed and the subject or object with credential .Fa u2 -does not belong to the same jail as -.Fa u1 . +does not belong to the same jail or one of its sub-jails, as determined by +.Xr prison_check 9 . .It Bq Er ESRCH The MAC subsystem denied visibility. +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .El .Sh SEE ALSO -.Xr cr_canseeothergids 9 , -.Xr cr_canseeotheruids 9 , +.Xr prison_check 9 , .Xr mac 9 , +.Xr cr_bsd_visible 9 , .Xr p_cansee 9
git: 2ede38aff5d4 - main - p_cansee(9): Bring up-to-date, misc fixes
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=2ede38aff5d4c91a17ab6d093f2e8cce24b5418b commit 2ede38aff5d4c91a17ab6d093f2e8cce24b5418b Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + p_cansee(9): Bring up-to-date, misc fixes Essentially defer to cr_cansee(9), except for the specifics. Be more specific on the return codes. Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40637 --- share/man/man9/p_cansee.9 | 44 1 file changed, 16 insertions(+), 28 deletions(-) diff --git a/share/man/man9/p_cansee.9 b/share/man/man9/p_cansee.9 index 84287dac951b..9fdce460dfea 100644 --- a/share/man/man9/p_cansee.9 +++ b/share/man/man9/p_cansee.9 @@ -24,19 +24,18 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt P_CANSEE 9 .Os .Sh NAME .Nm p_cansee .Nd determine visibility of a process .Sh SYNOPSIS -.In sys/param.h .In sys/proc.h .Ft int .Fn p_cansee "struct thread *td" "struct proc *p" .Sh DESCRIPTION -This function can be used to determine if a given process +This function determines if a given process .Fa p is visible to the thread .Fa td , @@ -45,13 +44,14 @@ where the notion of may be read as .Dq "awareness of existence" . .Pp -The function is implemented using -.Xr cr_cansee 9 , -and the dependencies on -.Xr sysctl 8 -variables documented in the -.Xr cr_cansee 9 -manual page apply. +This function explicitly allows a thread to always see its own process, +even with pending credentials changes +.Po +see +.Xr ucred 9 +.Pc . +Otherwise, it simply defers to +.Xr cr_cansee 9 . .Sh RETURN VALUES The .Fn p_cansee 
@@ -62,30 +62,18 @@ if the process denoted by .Fa p is visible by thread .Fa td , -or a non-zero error return value otherwise. +or ESRCH otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -Process -.Fa p -is not visible to thread -.Fa td -as determined by -.Xr cr_cansee 9 . -.It Bq Er ESRCH Thread .Fa td -has been jailed and process +is not part of process .Fa p -does not belong to the same jail as -.Fa td . -.It Bq Er ESRCH -The MAC subsystem denied visibility. +and cannot see it as determined by +.Xr cr_cansee 9 . .El .Sh SEE ALSO -.Xr jail 2 , -.Xr sysctl 8 , +.Xr ucred 9 , .Xr cr_cansee 9 , -.Xr mac 9 , -.Xr p_candebug 9 , -.Xr prison_check 9 +.Xr p_candebug 9
git: eb94f24fab4b - main - p_candebug(9): cr_bsd_visible() impacts, misc fixes
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=eb94f24fab4b44f13ca045370d9fcf12ca8835f2 commit eb94f24fab4b44f13ca045370d9fcf12ca8835f2 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + p_candebug(9): cr_bsd_visible() impacts, misc fixes Mention cr_bsd_visible(9). Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9), as well as indirect references not immediately useful. Fix description of credentials checks to match reality. Re-order errors to match code's check order. Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40638 --- share/man/man9/p_candebug.9 | 103 1 file changed, 56 insertions(+), 47 deletions(-) diff --git a/share/man/man9/p_candebug.9 b/share/man/man9/p_candebug.9 index e80d313de55c..c824db974154 100644 --- a/share/man/man9/p_candebug.9 +++ b/share/man/man9/p_candebug.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" @@ -25,7 +26,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt P_CANDEBUG 9 .Os .Sh NAME 
@@ -37,24 +38,27 @@ .Ft int .Fn p_candebug "struct thread *td" "struct proc *p" .Sh DESCRIPTION -This function can be used to determine if a given process +This function determines if a given process .Fa p -is debuggable by the thread +is debuggable by some thread .Fa td . -.Sh SYSCTL VARIABLES +.Pp The following .Xr sysctl 8 variables directly influence the behaviour of .Fn p_candebug : .Bl -tag -width indent +.It Va security.bsd.unprivileged_proc_debug +Must be set to a non-zero value to allow unprivileged processes +access to the kernel's debug facilities. .It Va kern.securelevel Debugging of the init process is not allowed if this variable is .Li 1 or greater. -.It Va security.bsd.unprivileged_proc_debug -Must be set to a non-zero value to allow unprivileged processes -access to the kernel's debug facilities. .El +.Pp +Other such variables indirectly influence it; see +.Xr cr_bsd_visible 9 . .Sh RETURN VALUES The .Fn p_candebug 
@@ -68,35 +72,45 @@ is debuggable by thread or a non-zero error return value otherwise. .Sh ERRORS .Bl -tag -width Er -.It Bq Er EACCESS -The MAC subsystem denied debuggability. -.It Bq Er EAGAIN -Process -.Fa p -is in the process of being -.Fn exec Ns 'ed. .It Bq Er EPERM +An unprivileged process attempted to debug another process but the system is +configured to deny it +.Po +see +.Xr sysctl 8 +variable +.Va security.bsd.unprivileged_proc_debug +above +.Pc . +.It Bq Er ESRCH Thread .Fa td -lacks super-user credentials and process -.Fa p -is executing a set-user-ID or set-group-ID executable. +has been jailed and the process to debug does not belong to the same jail or one +of its sub-jails, as determined by +.Xr prison_check 9 . +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .It Bq Er EPERM Thread .Fa td -lacks super-user credentials and process +lacks superuser credentials and its (effective) group set is not a superset of +process .Fa p Ns 's -group set is not a subset of -.Fa td Ns 's -effective group set. +whole group set +.Pq "including real, effective and saved group IDs" . .It Bq Er EPERM Thread .Fa td -lacks super-user credentials and process -.Fa p Ns 's -user IDs do not match thread -.Fa td Ns 's -effective user ID. +lacks superuser credentials and its (effective) user ID does not match all user +IDs of process +.Fa p . +.It Bq Er EPERM +Thread +.Fa td +lacks superuser credentials and process +.Fa p +is executing a set-user-ID or set-group-ID executable. .It Bq Er EPERM Process .Fa p 
@@ -107,30 +121,25 @@ and the variable .Va kern.securelevel is greater than zero. -.It Bq Er ESRCH +.It Bq Er EBUSY Process .Fa p -is not visible to thread -.Fa td -as determined by -.Xr cr_canseeotheruids 9 -or -.Xr cr_canseeothergids 9 . -.It Bq Er ESRCH -Thread -.Fa td -has been jailed and process +is in the process of being +.Fn exec Ns 'ed. +.It Bq Er EPERM +Process .Fa p -does not belong to the same jail as -.Fa td . -.It Bq Er ESRCH -The MAC subsystem denied debuggability. +denied debuggability +.Po +see +.Xr procctl 2 , +command +.Dv PROC_TRACE_CTL +.Pc . .El .Sh SEE ALSO -.Xr jail 2 , -.Xr sysctl 8 , -.Xr cr_canseeothergids 9 , -.Xr cr_canseeotheruids 9 , +.Xr prison_check 9 , .Xr mac 9 , -.Xr p_cansee 9 , -.Xr prison_check 9 +.Xr cr_bsd_visible 9 , +.Xr procctl 2 , +.Xr p_cansee 9
git: e9fdd494537c - main - prison_check(9): Bring up-to-date with hierarchical jails
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e9fdd494537ca45b14e0917e8bb1595b6460f3a3 commit e9fdd494537ca45b14e0917e8bb1595b6460f3a3 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:44 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + prison_check(9): Bring up-to-date with hierarchical jails Reviewed by:bcr, emaste, pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40639 --- share/man/man9/prison_check.9 | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/share/man/man9/prison_check.9 b/share/man/man9/prison_check.9 index b3bdcf6b4571..7f174e3ceb2e 100644 --- a/share/man/man9/prison_check.9 +++ b/share/man/man9/prison_check.9 @@ -25,22 +25,23 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 11, 2003 +.Dd August 18, 2023 .Dt PRISON_CHECK 9 .Os .Sh NAME .Nm prison_check -.Nd determine if two credentials belong to the same jail +.Nd determine if subjects may see entities according to jail restrictions .Sh SYNOPSIS .In sys/jail.h .Ft int .Fn prison_check "struct ucred *cred1" "struct ucred *cred2" .Sh DESCRIPTION -This function can be used to determine if the two credentials +This function determines if a subject with credentials .Fa cred1 -and +is denied access to subjects or objects with credentials .Fa cred2 -belong to the same jail. +according to the policy that a subject can see subjects or objects in its own +jail or any sub-jail of it. .Sh RETURN VALUES The .Fn prison_check @@ -48,12 +49,9 @@ function returns .Er ESRCH if -.Fa cred1 -has been jailed, and -.Fa cred1 -and .Fa cred2 -do not belong to the same jail. +is not in the same jail or a sub-jail of that of +.Fa cred1 . In all other cases, .Fn prison_check returns zero.
git: b725f232f3b0 - main - groupmember(): Extract the supplementary group search in a separate function
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=b725f232f3b09b4bcbc426854fe1545234c66965 commit b725f232f3b09b4bcbc426854fe1545234c66965 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:44 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + groupmember(): Extract the supplementary group search in a separate function This is in preparation for the introduction of the new realgroupmember() function, which does the same search into supplementary groups as groupmember(). Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40640 --- sys/kern/kern_prot.c | 41 - 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 04aaebf0de63..cbaeb1a50814 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1277,36 +1277,43 @@ sys___setugid(struct thread *td, struct __setugid_args *uap) } /* - * Check if gid is a member of the group set. + * Returns whether gid designates a supplementary group in cred. */ -int -groupmember(gid_t gid, struct ucred *cred) +static int +supplementary_group_member(gid_t gid, struct ucred *cred) { - int l; - int h; - int m; - - if (cred->cr_groups[0] == gid) - return(1); + int l, h, m; /* -* If gid was not our primary group, perform a binary search -* of the supplemental groups. This is possible because we -* sort the groups in crsetgroups(). +* Perform a binary search of the supplemental groups. This is possible +* because we sort the groups in crsetgroups(). */ l = 1; h = cred->cr_ngroups; + while (l < h) { - m = l + ((h - l) / 2); + m = l + (h - l) / 2; if (cred->cr_groups[m] < gid) - l = m + 1; + l = m + 1; else - h = m; + h = m; } - if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) + + return (l < cred->cr_ngroups && cred->cr_groups[l] == gid); +} + +/* + * Check if gid is a member of the (effective) group set (i.e., effective and + * supplementary groups). + */ +int +groupmember(gid_t gid, struct ucred *cred) +{ + + if (cred->cr_groups[0] == gid) return (1); - return (0); + return (supplementary_group_member(gid, cred)); } /*
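Review bot: supplementary_group_member() starts its binary search at index 1 and relies on cr_groups[1..cr_ngroups) being sorted, but its header comment states neither assumption. The only hint is the inner comment pointing at crsetgroups(), which is not part of this hunk. If a credential's group array were ever filled some other way, the search would return a silent false negative, and this result is used for membership decisions. I would extend the header comment with `* Slot 0 (effective GID) is skipped; slots 1..cr_ngroups-1 must be sorted, see crsetgroups().` so the contract sits next to the code that depends on it.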
git: 2a2bfa6ad92e - main - New realgroupmember()
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=2a2bfa6ad92e9c82dcc55733ad2fd58fd2ea7559 commit 2a2bfa6ad92e9c82dcc55733ad2fd58fd2ea7559 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:45 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + New realgroupmember() Like groupmember(), but taking into account the real group instead of the effective group. Leverages the new supplementary_group_member() function. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40641 --- sys/kern/kern_prot.c | 13 + sys/sys/ucred.h | 1 + 2 files changed, 14 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index cbaeb1a50814..b62a5e9ee20b 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1316,6 +1316,19 @@ groupmember(gid_t gid, struct ucred *cred) return (supplementary_group_member(gid, cred)); } +/* + * Check if gid is a member of the real group set (i.e., real and supplementary + * groups). + */ +int +realgroupmember(gid_t gid, struct ucred *cred) +{ + if (gid == cred->cr_rgid) + return (1); + + return (supplementary_group_member(gid, cred)); +} + /* * Test the active securelevel against a given level. securelevel_gt() * implements (securelevel > level). securelevel_ge() implements diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index eb92776c158a..633bf436fcd4 100644 --- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h @@ -159,6 +159,7 @@ voidcru2x(struct ucred *cr, struct xucred *xcr); void cru2xt(struct thread *td, struct xucred *xcr); void crsetgroups(struct ucred *cr, int n, gid_t *groups); intgroupmember(gid_t gid, struct ucred *cred); +intrealgroupmember(gid_t gid, struct ucred *cred); #endif /* _KERNEL */ #endif /* !_SYS_UCRED_H_ */
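Review bot: The block comment on realgroupmember() lists the groups it consults but does not say that the effective GID in cr_groups[0] is left out, which is the entire difference from groupmember(). That is easy to miss when choosing between the two for a permission or visibility check, since for a process whose effective and real GIDs differ the two can answer differently for the same gid. I would add one line to the comment: `* The effective GID is deliberately not considered; use groupmember() for that.`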
git: 91658080f1a5 - main - cr_canseeothergids(): Use real instead of effective group membership
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=91658080f1a598ddda03943a783c9a941199f7d2 commit 91658080f1a598ddda03943a783c9a941199f7d2 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:45 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + cr_canseeothergids(): Use real instead of effective group membership Using the effective group and not the real one when testing membership has the consequence that unprivileged processes cannot see setuid commands they launch until these have relinquished their privileges. This is also in contradiction with how the similar cr_canseeotheruids() works, i.e., by taking into account real user IDs. Fix this by substituting groupmember() with realgroupmember(). While here, simplify the code. PR: 272093 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40642 --- sys/kern/kern_prot.c | 23 ++- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index b62a5e9ee20b..0f15771fb00d 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1408,21 +1408,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, static int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { - int i, match; - if (!see_other_gids) { - match = 0; - for (i = 0; i < u1->cr_ngroups; i++) { - if (groupmember(u1->cr_groups[i], u2)) - match = 1; - if (match) - break; - } - if (!match) { - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) - return (ESRCH); - } + if (realgroupmember(u1->cr_rgid, u2)) + return (0); + + for (int i = 1; i < u1->cr_ngroups; i++) + if (realgroupmember(u1->cr_groups[i], u2)) + return (0); + + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) + return (ESRCH); } + return (0); }
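Review bot: The loop in cr_canseeothergids() now starts at `i = 1`, which silently encodes that cr_groups[0] is the effective GID and must not take part in the match. Without a comment, a later reader could change it back to 0 and quietly restore the old policy. I would put `/* Skip cr_groups[0] (effective GID): only real and supplementary groups count. */` above the loop. The block comment preceding the function is outside this hunk; if it still describes the check in terms of effective groups, it needs the same update.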
git: 5d9f38405a10 - main - realgroupmember(9): Link to groupmember(9), document the function
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=5d9f38405a10fdcd9fc108c940dcf2642e9f1833 commit 5d9f38405a10fdcd9fc108c940dcf2642e9f1833 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:46 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + realgroupmember(9): Link to groupmember(9), document the function Reviewed by:bcr (older version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40643 --- share/man/man9/Makefile | 1 + share/man/man9/groupmember.9 | 7 +++ 2 files changed, 8 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index f07a886277e0..1e38eaf8adae 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -1157,6 +1157,7 @@ MLINKS+=g_provider.9 g_destroy_provider.9 \ g_provider.9 g_error_provider.9 \ g_provider.9 g_new_providerf.9 MLINKS+=gone_in.9 gone_in_dev.9 +MLINKS+=groupmember.9 realgroupmember.9 MLINKS+=hash.9 hash32.9 \ hash.9 hash32_buf.9 \ hash.9 hash32_str.9 \ diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index 3a516622efce..ae7ccd477955 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -36,6 +36,8 @@ .In sys/ucred.h .Ft int .Fn groupmember "gid_t gid" "struct ucred *cred" +.Ft int +.Fn realgroupmember "gid_t gid" "struct ucred *cred" .Sh DESCRIPTION The .Fn groupmember @@ -49,6 +51,11 @@ Considered groups in .Fa cred are the effective and supplementary groups. The real group is not taken into account. +.Pp +Function +.Fn realgroupmember +works the same except that it considers instead the real and supplementary +groups, and not the effective one. .Sh RETURN VALUES If the .Fa gid
git: 0452dd841336 - main - cr_canseeothergids(): Policy change's manual pages impact
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0452dd841336cea7cd979b13ef12b6ea5e992eff commit 0452dd841336cea7cd979b13ef12b6ea5e992eff Author: Olivier Certner AuthorDate: 2023-08-17 23:54:46 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + cr_canseeothergids(): Policy change's manual pages impact See previous commit that made cr_canseeothergids() use the new realgroupmember() function, taking into account real group IDs instead of effective ones. PR: 272093 Reviewed by:pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40644 --- share/man/man9/cr_bsd_visible.9 | 2 +- share/man/man9/cr_canseeothergids.9 | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 index bd676e6f5705..f2d42f3835dc 100644 --- a/share/man/man9/cr_bsd_visible.9 +++ b/share/man/man9/cr_bsd_visible.9 @@ -97,7 +97,7 @@ and are not members of any common group .Po as determined by -.Xr groupmember 9 +.Xr realgroupmember 9 .Pc . .It Bq Er ESRCH Credentials diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index f0c1e5c4e726..109d41a8545d 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -48,9 +48,9 @@ This function checks if a subject associated to credentials is denied seeing a subject or object associated to credentials .Fa u2 by a policy that requires both credentials to have at least one group in common. -For this determination, the effective and supplementary group IDs are used, but -not the real group IDs, as per -.Xr groupmember 9 . +For this determination, the real and supplementary group IDs are used, but +not the effective group IDs, as per +.Xr realgroupmember 9 . .Pp This policy is active if and only if the .Xr sysctl 8 
@@ -79,5 +79,5 @@ Otherwise, it returns .Er ESRCH . .Sh SEE ALSO .Xr cr_bsd_visible 9 , -.Xr groupmember 9 , +.Xr realgroupmember 9 , .Xr priv_check_cred 9
git: ffd3ef8ee025 - main - groupmember(), realgroupmember(): Return a bool instead of an int
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=ffd3ef8ee0253ffaf214cf711251d112f6a2bcf6 commit ffd3ef8ee0253ffaf214cf711251d112f6a2bcf6 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:47 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + groupmember(), realgroupmember(): Return a bool instead of an int Requested by: mhorne Reviewed by:mhorne MFC after: 2 weeks MFC to: stable/14 releng/14.0 Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40958 --- sys/kern/kern_prot.c | 12 ++-- sys/sys/ucred.h | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 0f15771fb00d..00eb2fccdeef 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1279,7 +1279,7 @@ sys___setugid(struct thread *td, struct __setugid_args *uap) /* * Returns whether gid designates a supplementary group in cred. */ -static int +static bool supplementary_group_member(gid_t gid, struct ucred *cred) { int l, h, m; @@ -1306,12 +1306,12 @@ supplementary_group_member(gid_t gid, struct ucred *cred) * Check if gid is a member of the (effective) group set (i.e., effective and * supplementary groups). */ -int +bool groupmember(gid_t gid, struct ucred *cred) { - if (cred->cr_groups[0] == gid) - return (1); + if (gid == cred->cr_groups[0]) + return (true); return (supplementary_group_member(gid, cred)); } @@ -1320,11 +1320,11 @@ groupmember(gid_t gid, struct ucred *cred) * Check if gid is a member of the real group set (i.e., real and supplementary * groups). */ -int +bool realgroupmember(gid_t gid, struct ucred *cred) { if (gid == cred->cr_rgid) - return (1); + return (true); return (supplementary_group_member(gid, cred)); } diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index 633bf436fcd4..7c9e46e47774 100644 --- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h 
@@ -158,8 +158,8 @@ voidcrcowfree(struct thread *td); void cru2x(struct ucred *cr, struct xucred *xcr); void cru2xt(struct thread *td, struct xucred *xcr); void crsetgroups(struct ucred *cr, int n, gid_t *groups); -intgroupmember(gid_t gid, struct ucred *cred); -intrealgroupmember(gid_t gid, struct ucred *cred); +bool groupmember(gid_t gid, struct ucred *cred); +bool realgroupmember(gid_t gid, struct ucred *cred); #endif /* _KERNEL */ #endif /* !_SYS_UCRED_H_ */
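Review bot: Switching the prototypes of groupmember() and realgroupmember() from int to bool changes the interface that kernel modules compile against, and the commit message schedules the change for stable/14 and releng/14.0. A module built against the old `int groupmember(gid_t gid, struct ucred *cred);` declaration is not guaranteed to interpret a bool return value correctly. Because realgroupmember() is used in a visibility check elsewhere on this page, a misread result would surface as a wrong access decision rather than a crash. Nothing visible here shows a `__FreeBSD_version` bump or a rebuild note accompanying the merge; I would add one, or keep the `int` prototypes on any branch where already-built modules may exist.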
git: 845b7c80887a - main - groupmember(9), realgroupmember(9): Impact of signature change
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=845b7c80887ac84c82ee776836ef86d68ea71c94 commit 845b7c80887ac84c82ee776836ef86d68ea71c94 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:47 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:46 + groupmember(9), realgroupmember(9): Impact of signature change Reviewed by:mhorne MFC after: 2 weeks MFC to: stable/14 releng/14.0 Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40959 --- share/man/man9/groupmember.9 | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index ae7ccd477955..b7865a35fdc9 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -34,9 +34,9 @@ .Sh SYNOPSIS .In sys/param.h .In sys/ucred.h -.Ft int +.Ft bool .Fn groupmember "gid_t gid" "struct ucred *cred" -.Ft int +.Ft bool .Fn realgroupmember "gid_t gid" "struct ucred *cred" .Sh DESCRIPTION The @@ -57,9 +57,17 @@ Function works the same except that it considers instead the real and supplementary groups, and not the effective one. .Sh RETURN VALUES -If the -.Fa gid -is found, 1 is returned, otherwise 0. +The +.Fn groupmember +and +.Fn realgroupmember +functions return +.Dv true +if the given credentials indicate membership of the group +.Fa gid , +or +.Dv false +otherwise. .Sh SEE ALSO .Xr getgroups 2 .Xr setgroups 2
git: 61b6e00bee1d - main - security(7): security.bsd.see*: Be more accurate
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=61b6e00bee1d39e9c688e728fbf3a4efcdb61e66 commit 61b6e00bee1d39e9c688e728fbf3a4efcdb61e66 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:48 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:47 + security(7): security.bsd.see*: Be more accurate Reviewed by:mhorne, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41108 --- share/man/man7/security.7 | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index 63b984ff66dd..6d6742fca0bb 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd March 30, 2023 +.Dd August 18, 2023 .Dt SECURITY 7 .Os .Sh NAME @@ -959,16 +959,18 @@ Backwards compatibility shims for the interim sysctls under will not be added. .Bl -tag -width security.bsd.unprivileged_proc_debug .It Dv security.bsd.see_other_uids -Controls visibility of processes owned by different uid. +Controls visibility and reachability of subjects (e.g., processes) and objects +(e.g., sockets) owned by a different uid. The knob directly affects the .Dv kern.proc sysctls filtering of data, which results in restricted output from utilities like .Xr ps 1 . .It Dv security.bsd.see_other_gids -Same, for processes owned by different gid. +Same, for subjects and objects owned by a different gid. .It Dv security.bsd.see_jail_proc -Same, for processes belonging to a jail. +Same, for subjects and objects belonging to a different jail, including +sub-jails. .It Dv security.bsd.conservative_signals When enabled, unprivileged users are only allowed to send job control and usual termination signals like
git: d952820105d6 - main - ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=d952820105d6a2ad87ddf3bdc6c5fc5215d13b87 commit d952820105d6a2ad87ddf3bdc6c5fc5215d13b87 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:48 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:47 + ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc Reviewed by:mhorne, emaste, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41109 --- lib/libc/sys/ptrace.2 | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2 index d7d244b1d84a..ae1770315aa5 100644 --- a/lib/libc/sys/ptrace.2 +++ b/lib/libc/sys/ptrace.2 @@ -1,7 +1,7 @@ .\"$NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $ .\" .\" This file is in the public domain. -.Dd December 15, 2022 +.Dd August 18, 2023 .Dt PTRACE 2 .Os .Sh NAME 
@@ -149,31 +149,37 @@ its scope. The following controls are provided for this: .Bl -tag -width security.bsd.unprivileged_proc_debug .It Dv security.bsd.allow_ptrace -Setting this sysctl to zero value makes +Setting this sysctl to zero makes .Nm return .Er ENOSYS always as if the syscall is not implemented by the kernel. .It Dv security.bsd.unprivileged_proc_debug -Setting this sysctl to zero disallows use of +Setting this sysctl to zero disallows the use of .Fn ptrace by unprivileged processes. .It Dv security.bsd.see_other_uids -Setting this sysctl to zero value disallows +Setting this sysctl to zero prevents .Fn ptrace -requests from targeting processes with the real user identifier different -from the real user identifier of the caller. -The requests return -.Er ESRCH -if policy is not met. +requests from targeting processes with a real user identifier different +from the caller's. +These requests will fail with error +.Er ESRCH . .It Dv security.bsd.see_other_gids -Setting this sysctl to zero value disallows +Setting this sysctl to zero disallows .Fn ptrace -requests from process belonging to a group that is not also one of -the group of the target process. -The requests return -.Er ESRCH -if policy is not met. +requests from processes that have no groups in common with the target process, +considering their sets of real and supplementary groups. +These requests will fail with error +.Er ESRCH . +.It Dv security.bsd.see_jail_proc +Setting this sysctl to zero disallows +.Fn ptrace +requests from processes belonging to a different jail than that of the target +process, even if the requesting process' jail is an ancestor of the target +process'. +These requests will fail with error +.Er ESRCH . .It Dv securelevel and init The .Xr init 1
git: 8d7a48d367ff - main - sysctl(8): Mention more security.bsd knobs; Refer to security(7)
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=8d7a48d367ffde2a29419ef943c4099984e3af4d commit 8d7a48d367ffde2a29419ef943c4099984e3af4d Author: Olivier Certner AuthorDate: 2023-08-17 23:54:49 + Commit: Mitchell Horne CommitDate: 2023-09-28 15:05:47 + sysctl(8): Mention more security.bsd knobs; Refer to security(7) Reviewed by:mhorne, pauamma_gundo.com, emaste MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41113 --- sbin/sysctl/sysctl.8 | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8 index 3e995e40131b..ed768510eb6c 100644 --- a/sbin/sysctl/sysctl.8 +++ b/sbin/sysctl/sysctl.8 @@ -27,7 +27,7 @@ .\" .\"From: @(#)sysctl.8 8.1 (Berkeley) 6/6/93 .\" -.Dd December 24, 2022 +.Dd August 18, 2023 .Dt SYSCTL 8 .Os .Sh NAME @@ -194,7 +194,9 @@ for more information on which tunables are available and how to set them. .Pp The string and integer information is summarized below. For a detailed description of these variables see -.Xr sysctl 3 . +.Xr sysctl 3 +and +.Xr security 7 . .Pp The changeable column indicates whether a process with appropriate privilege can change the value. @@ -231,6 +233,8 @@ String and integer values can be set using .It "kern.logsigexit integer yes" .It "security.bsd.suser_enabledinteger yes" .It "security.bsd.see_other_uids integer yes" +.It "security.bsd.see_other_gids integer yes" +.It "security.bsd.see_jail_procinteger yes" .It "security.bsd.unprivileged_proc_debug integer yes" .It "security.bsd.unprivileged_read_msgbuf integer yes" .It "vm.loadavgstruct no" @@ -320,6 +324,7 @@ option has been deprecated and is silently ignored. .Xr sysctl 3 , .Xr loader.conf 5 , .Xr sysctl.conf 5 , +.Xr security 7, .Xr loader 8 .Sh HISTORY A
git: 773606fcdfae - main - ofwdump: install dependent on MK_FDT
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=773606fcdfae00a3f850bcd39969a63d9a8fb129 commit 773606fcdfae00a3f850bcd39969a63d9a8fb129 Author: Mitchell Horne AuthorDate: 2023-10-02 13:40:18 + Commit: Mitchell Horne CommitDate: 2023-10-02 13:40:18 + ofwdump: install dependent on MK_FDT The utility depends on the presence of the openfirm(4) pseudo-device, which is gated by the FDT kernel option. The MK_FDT knob is correctly set to "yes" for FDT/OFW-enabled platforms (powerpc* included); use it to install the utility and eliminate the arch-specific Makefile logic. No functional change intended. Reviewed by:emaste, pkubaj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41977 --- tools/build/mk/OptionalObsoleteFiles.inc | 1 + usr.sbin/Makefile| 1 + usr.sbin/Makefile.aarch64| 1 - usr.sbin/Makefile.arm| 2 -- usr.sbin/Makefile.powerpc| 1 - usr.sbin/Makefile.riscv | 2 -- 6 files changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 9af0a319171a..fb22d56d53e0 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2016,6 +2016,7 @@ OLD_DIRS+=usr/share/examples/ypldap .endif .if ${MK_FDT} == no +OLD_FILES+=usr/sbin/ofwdump OLD_FILES+=usr/share/man/man8/ofwdump.8.gz .endif diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile index b836bd412077..ca8b87a134eb 100644 --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile @@ -133,6 +133,7 @@ SUBDIR.${MK_EFI}+= efivar efidp efibootmgr efitable efiwake .if ${MK_OPENSSL} != "no" SUBDIR.${MK_EFI}+= uefisign .endif +SUBDIR.${MK_FDT}+= ofwdump SUBDIR.${MK_FLOPPY}+= fdcontrol SUBDIR.${MK_FLOPPY}+= fdformat SUBDIR.${MK_FLOPPY}+= fdread diff --git a/usr.sbin/Makefile.aarch64 b/usr.sbin/Makefile.aarch64 index e819369f4340..a72a085ff618 100644 --- a/usr.sbin/Makefile.aarch64 +++ b/usr.sbin/Makefile.aarch64 
@@ -2,4 +2,3 @@ .if ${MK_ACPI} != "no" SUBDIR+= acpi .endif -SUBDIR+= ofwdump diff --git a/usr.sbin/Makefile.arm b/usr.sbin/Makefile.arm deleted file mode 100644 index 3767c8c9e1ca.. --- a/usr.sbin/Makefile.arm +++ /dev/null @@ -1,2 +0,0 @@ - -SUBDIR+= ofwdump diff --git a/usr.sbin/Makefile.powerpc b/usr.sbin/Makefile.powerpc index a6d5b3b35ad4..d6b05857e152 100644 --- a/usr.sbin/Makefile.powerpc +++ b/usr.sbin/Makefile.powerpc @@ -2,4 +2,3 @@ .if ${MACHINE_ARCH} != "powerpcspe" SUBDIR+= nvram .endif -SUBDIR+= ofwdump diff --git a/usr.sbin/Makefile.riscv b/usr.sbin/Makefile.riscv deleted file mode 100644 index 3767c8c9e1ca.. --- a/usr.sbin/Makefile.riscv +++ /dev/null @@ -1,2 +0,0 @@ - -SUBDIR+= ofwdump
git: 5a2849bc3c60 - stable/14 - pmcstat: fix duplicate event allocation on CPU 0
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=5a2849bc3c60426039ff2aeef1d2b54940152927 commit 5a2849bc3c60426039ff2aeef1d2b54940152927 Author: Mitchell Horne AuthorDate: 2023-09-27 16:37:46 + Commit: Mitchell Horne CommitDate: 2023-10-10 17:06:12 + pmcstat: fix duplicate event allocation on CPU 0 Commit b6e28991bf3a modified the allocation path for system scope PMCs so that the event was allocated early for CPU 0. The reason is so that the PMC's capabilities could be checked, to determine if pmcstat should allocate the event on every CPU, or just on one CPU in each NUMA domain. In the current scheme, there is no way to determine this information without performing the PMC allocation. This broke the established use-case of log analysis, and so 0aa150775179a was committed to fix the assertion. The result was what appeared to be functional, but in normal counter measurement pmcstat was silently allocating two counters for CPU 0. This cuts the total number of counters that can be allocated from a CPU in half. Additionally, depending on the particular hardware/event, we might not be able to allocate the same event twice on a single CPU. The simplest solution is to release the early-allocated PMC once we have obtained its capabilities, and reallocate it later on. This restores the event list logic to behave as it has for many years, and partially reverts commit b6e28991bf3a. Reported by:alc, kevans Reviewed by:jkoshy, ray MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41978 (cherry picked from commit c362fe939f6fe52056fb7506be9e5cbd0a5ef60b) --- usr.sbin/pmcstat/pmcstat.c | 19 +++ 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/usr.sbin/pmcstat/pmcstat.c b/usr.sbin/pmcstat/pmcstat.c index fd4be99f83c8..c36cee436e55 100644 --- a/usr.sbin/pmcstat/pmcstat.c +++ b/usr.sbin/pmcstat/pmcstat.c 
@@ -713,8 +713,16 @@ main(int argc, char **argv) errx(EX_SOFTWARE, "ERROR: Out of memory."); (void) strncpy(ev->ev_name, optarg, c); *(ev->ev_name + c) = '\0'; + libpmc_initialize(&npmc); + if (args.pa_flags & FLAG_HAS_SYSTEM_PMCS) { + /* +* We need to check the capabilities of the +* desired event to determine if it should be +* allocated on every CPU, or only a subset of +* them. This requires allocating a PMC now. +*/ if (pmc_allocate(ev->ev_spec, ev->ev_mode, ev->ev_flags, ev->ev_cpu, &ev->ev_pmcid, ev->ev_count) < 0) @@ -726,8 +734,14 @@ main(int argc, char **argv) err(EX_OSERR, "ERROR: Cannot get pmc " "capabilities"); } - } + /* +* Release the PMC now that we have caps; we +* will reallocate shortly. +*/ + pmc_release(ev->ev_pmcid); + ev->ev_pmcid = PMC_ID_INVALID; + } STAILQ_INSERT_TAIL(&args.pa_events, ev, ev_next); @@ -751,10 +765,7 @@ main(int argc, char **argv) } if (option == 's' || option == 'S') { CPU_CLR(ev->ev_cpu, &cpumask); - pmc_id_t saved_pmcid = ev->ev_pmcid; - ev->ev_pmcid = PMC_ID_INVALID; pmcstat_clone_event_descriptor(ev, &cpumask, &args); - ev->ev_pmcid = saved_pmcid; CPU_SET(ev->ev_cpu, &cpumask); }
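Review bot: In the second hunk the result of `pmc_release(ev->ev_pmcid)` is thrown away, so a failed release leaves the early PMC allocated while `ev_pmcid` is reset to `PMC_ID_INVALID`, and the later reallocation would presumably put two counters on CPU 0 again without any message. The capability query just above it already stops with `err(EX_OSERR, ...)` on failure, and the release can do the same: `if (pmc_release(ev->ev_pmcid) < 0) err(EX_OSERR, "ERROR: Cannot release pmc");`. The releng/14.0 cherry-pick further down this page carries the identical hunk and the same remark applies there. `main()` begins and ends outside the hunks.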
git: 74e4a8d208f0 - main - pmap: add pmap_kextract(9) man page
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=74e4a8d208f0b3cf2525e3786f3efba71fcdb752 commit 74e4a8d208f0b3cf2525e3786f3efba71fcdb752 Author: Mina Galić AuthorDate: 2023-08-23 00:12:49 + Commit: Mitchell Horne CommitDate: 2023-10-13 18:27:24 + pmap: add pmap_kextract(9) man page Add a man page for pmap_kextract(9), with alias to vtophys(9). This man page is based on pmap_extract(9). Add it as cross reference in pmap(9), and add comments above the function implementations. Co-authored-by: Graham Perrin Co-authored-by: mhorne Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/827 --- share/man/man9/Makefile| 2 ++ share/man/man9/pmap.9 | 1 + share/man/man9/pmap_kextract.9 | 65 ++ sys/amd64/amd64/pmap.c | 8 +- sys/arm64/arm64/pmap.c | 6 sys/riscv/riscv/pmap.c | 6 6 files changed, 87 insertions(+), 1 deletion(-) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 0b56a47db332..6768f52a38d6 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -268,6 +268,7 @@ MAN=accept_filter.9 \ pmap_copy.9 \ pmap_enter.9 \ pmap_extract.9 \ + pmap_kextract.9 \ pmap_growkernel.9 \ pmap_init.9 \ pmap_is_modified.9 \ @@ -1807,6 +1808,7 @@ MLINKS+=PHOLD.9 PRELE.9 \ PHOLD.9 PROC_ASSERT_NOT_HELD.9 MLINKS+=pmap_copy.9 pmap_copy_page.9 MLINKS+=pmap_extract.9 pmap_extract_and_hold.9 +MLINKS+=pmap_kextract.9 vtophys.9 MLINKS+=pmap_init.9 pmap_init2.9 MLINKS+=pmap_is_modified.9 pmap_ts_referenced.9 MLINKS+=pmap_pinit.9 pmap_pinit0.9 \ diff --git a/share/man/man9/pmap.9 b/share/man/man9/pmap.9 index 3f6a0f63c264..db27fe880afc 100644 --- a/share/man/man9/pmap.9 +++ b/share/man/man9/pmap.9 @@ -97,6 +97,7 @@ operation. .Xr pmap_init2 9 , .Xr pmap_is_modified 9 , .Xr pmap_is_prefaultable 9 , +.Xr pmap_kextract 9 , .Xr pmap_map 9 , .Xr pmap_mincore 9 , .Xr pmap_object_init_pt 9 , 
diff --git a/share/man/man9/pmap_kextract.9 b/share/man/man9/pmap_kextract.9 new file mode 100644 index ..dd73446648f2 --- /dev/null +++ b/share/man/man9/pmap_kextract.9 @@ -0,0 +1,65 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2023 The FreeBSD Foundation +.\" +.\" This manual page was written by Mina Galić under +.\" sponsorship from the FreeBSD Foundation. +.\" +.Dd August 24, 2023 +.Dt PMAP_KEXTRACT 9 +.Os +.Sh NAME +.Nm pmap_kextract , +.Nm vtophys +.Nd extract a physical address from the kernel page table +.Sh SYNOPSIS +.In sys/param.h +.In vm/vm.h +.In vm/pmap.h +.Ft vm_paddr_t +.Fo pmap_kextract +.Fa "vm_offset_t va" +.Fc +.Ft vm_paddr_t +.Fo vtophys +.Fa "vm_offset_t va" +.Fc +.Sh DESCRIPTION +The +.Fn pmap_kextract +function retrieves the underlying physical memory address corresponding to the given kernel virtual address +.Fa va . +The value of +.Fa va +must correlate to an active mapping in the kernel address space. +.Pp +.Fn vtophys +is an alias for +.Fn pmap_kextract +and behaves identically. +.Sh RETURN VALUES +The +.Fn pmap_kextract +function will return the physical address +.Pq Vt vm_paddr_t +associated with the kernel virtual address +.Fa va . +.Pp +.Fn pmap_kextract +generally does not fail. +However, if supplied with an illegitimate value for +.Fa va , +the function may return zero, an invalid non-zero value, or call +.Xr panic 9 . +.Sh SEE ALSO +.Xr pmap 9 , +.Xr pmap_extract 9 +.Sh AUTHORS +.An -nosplit +This manual page was written by +.An Mina Galić Aq Mt free...@igalic.co , +based on the +.Xr pmap_extract 9 +page written by +.An Bruce M Simpson Aq Mt b...@spc.org . diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c index ff83d8749313..8c438cfb4639 100644 --- a/sys/amd64/amd64/pmap.c +++ b/sys/amd64/amd64/pmap.c 
@@ -3846,7 +3846,7 @@ pmap_flush_cache_phys_range(vm_paddr_t spa, vm_paddr_t epa, vm_memattr_t mattr) * Extract the physical page address associated * with the given map/virtual_address pair. */ -vm_paddr_t +vm_paddr_t pmap_extract(pmap_t pmap, vm_offset_t va) { pdp_entry_t *pdpe; @@ -3933,6 +3933,12 @@ out: return (m); } +/* + * Routine:pmap_kextract + * Function: + * Extract the physical page address associated with the given kernel + * virtual address. + */ vm_paddr_t pmap_kextract(vm_offset_t va) { diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index 6f2afa0b98a3..8c2c6f9d7b81 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1949,6 +1949,12 @@ pmap_klookup(vm_offset_t va, vm_paddr_t *pa) return (true); } +/* + * Routine:pmap_kextract + * Function: + * Extract
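Review bot: The comment added above `pmap_kextract()` in the amd64 hunk says what the function extracts but leaves out the precondition that the man page added by this same commit documents: `va` has to belong to an active kernel mapping, and for any other value the function may return zero, an invalid non-zero value, or call panic(9). A reader who sees only the source gets no hint that the return value cannot be used to test whether an address is mapped. One more line in the comment would cover it, e.g. `* va must be a mapped kernel address; otherwise the result is undefined (see pmap_kextract(9)).` The arm64 hunk that follows is cut off on this page and the riscv one is not shown, so I cannot tell whether they need the same addition.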
Re: git: 74e4a8d208f0 - main - pmap: add pmap_kextract(9) man page
On 10/14/23 10:28, Konstantin Belousov wrote: On Fri, Oct 13, 2023 at 06:27:33PM +, Mitchell Horne wrote: The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=74e4a8d208f0b3cf2525e3786f3efba71fcdb752 commit 74e4a8d208f0b3cf2525e3786f3efba71fcdb752 Author: Mina Galić AuthorDate: 2023-08-23 00:12:49 + Commit: Mitchell Horne CommitDate: 2023-10-13 18:27:24 + pmap: add pmap_kextract(9) man page Add a man page for pmap_kextract(9), with alias to vtophys(9). This man page is based on pmap_extract(9). Add it as cross reference in pmap(9), and add comments above the function implementations. Co-authored-by: Graham Perrin Co-authored-by: mhorne Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/827 --- share/man/man9/Makefile| 2 ++ share/man/man9/pmap.9 | 1 + share/man/man9/pmap_kextract.9 | 65 ++ sys/amd64/amd64/pmap.c | 8 +- sys/arm64/arm64/pmap.c | 6 sys/riscv/riscv/pmap.c | 6 6 files changed, 87 insertions(+), 1 deletion(-) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 0b56a47db332..6768f52a38d6 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -268,6 +268,7 @@ MAN=accept_filter.9 \ pmap_copy.9 \ pmap_enter.9 \ pmap_extract.9 \ + pmap_kextract.9 \ pmap_growkernel.9 \ pmap_init.9 \ pmap_is_modified.9 \ @@ -1807,6 +1808,7 @@ MLINKS+=PHOLD.9 PRELE.9 \ PHOLD.9 PROC_ASSERT_NOT_HELD.9 MLINKS+=pmap_copy.9 pmap_copy_page.9 MLINKS+=pmap_extract.9 pmap_extract_and_hold.9 +MLINKS+=pmap_kextract.9 vtophys.9 MLINKS+=pmap_init.9 pmap_init2.9 MLINKS+=pmap_is_modified.9 pmap_ts_referenced.9 MLINKS+=pmap_pinit.9 pmap_pinit0.9 \ diff --git a/share/man/man9/pmap.9 b/share/man/man9/pmap.9 index 3f6a0f63c264..db27fe880afc 100644 --- a/share/man/man9/pmap.9 +++ b/share/man/man9/pmap.9 
@@ -97,6 +97,7 @@ operation. .Xr pmap_init2 9 , .Xr pmap_is_modified 9 , .Xr pmap_is_prefaultable 9 , +.Xr pmap_kextract 9 , .Xr pmap_map 9 , .Xr pmap_mincore 9 , .Xr pmap_object_init_pt 9 , diff --git a/share/man/man9/pmap_kextract.9 b/share/man/man9/pmap_kextract.9 new file mode 100644 index ..dd73446648f2 --- /dev/null +++ b/share/man/man9/pmap_kextract.9 
@@ -0,0 +1,65 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2023 The FreeBSD Foundation +.\" +.\" This manual page was written by Mina Galić under +.\" sponsorship from the FreeBSD Foundation. +.\" +.Dd August 24, 2023 +.Dt PMAP_KEXTRACT 9 +.Os +.Sh NAME +.Nm pmap_kextract , +.Nm vtophys +.Nd extract a physical address from the kernel page table +.Sh SYNOPSIS +.In sys/param.h +.In vm/vm.h +.In vm/pmap.h +.Ft vm_paddr_t +.Fo pmap_kextract +.Fa "vm_offset_t va" +.Fc +.Ft vm_paddr_t +.Fo vtophys +.Fa "vm_offset_t va" +.Fc +.Sh DESCRIPTION +The +.Fn pmap_kextract +function retrieves the underlying physical memory address corresponding to the given kernel virtual address Line too long. +.Fa va . +The value of +.Fa va +must correlate to an active mapping in the kernel address space. What does it mean 'correlate'? 'correlate' means that the relationship exists in both directions. We could describe an address as "belonging to" a VA->PA mapping, or we could say that an address "posseses" such a mapping. Maybe you have a strong opinion on why one is incorrect. Since 'correlate' is not established terminology, and needlessly confusing, I can simplify it to: "The value of va must belong to an active mapping in..." If you have a different suggestion, let me know. +.Pp +.Fn vtophys +is an alias for +.Fn pmap_kextract +and behaves identically. +.Sh RETURN VALUES +The +.Fn pmap_kextract +function will return the physical address +.Pq Vt vm_paddr_t +associated with the kernel virtual address and 'associated'? The function returns address of physical memory mapped at the supplied kernel virtual address. Sure, this is more accurate. +.Fa va . +.Pp +.Fn pmap_kextract +generally does not fail. +However, if supplied with an illegitimate value for +.Fa va , +the function may return zero, an invalid non-zero value, or call +.Xr panic 9 . 
+.Sh SEE ALSO +.Xr pmap 9 , +.Xr pmap_extract 9 +.Sh AUTHORS +.An -nosplit +This manual page was written by +.An Mina Galić Aq Mt free...@igalic.co , +based on the +.Xr pmap_extract 9 +page written by +.An Bruce M Simpson Aq Mt b...@spc.org . diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c index ff83d8749313..8c438cfb4639 100644 --- a/sys/amd64/amd64/pmap.c +++ b/sys/amd64/amd64/pmap.c @@ -3846,7 +3846,7 @@ pmap_flush_cache_phys_range(vm_paddr_t spa,
git: d62e01996e7c - main - pmap_kextract(9): tweaks
The branch main has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=d62e01996e7cb54f16272219e6ccd334b4822126 commit d62e01996e7cb54f16272219e6ccd334b4822126 Author: Mitchell Horne AuthorDate: 2023-10-16 14:59:04 + Commit: Mitchell Horne CommitDate: 2023-10-16 15:02:18 + pmap_kextract(9): tweaks Improve the clarity of some descriptions. Fix a long line. Suggested by: kib Fixes: 74e4a8d208f0 ("pmap: add pmap_kextract(9) man page") --- share/man/man9/pmap_kextract.9 | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/share/man/man9/pmap_kextract.9 b/share/man/man9/pmap_kextract.9 index dd73446648f2..40008a1bc96c 100644 --- a/share/man/man9/pmap_kextract.9 +++ b/share/man/man9/pmap_kextract.9 @@ -6,7 +6,7 @@ .\" This manual page was written by Mina Galić under .\" sponsorship from the FreeBSD Foundation. .\" -.Dd August 24, 2023 +.Dd October 16, 2023 .Dt PMAP_KEXTRACT 9 .Os .Sh NAME @@ -28,11 +28,12 @@ .Sh DESCRIPTION The .Fn pmap_kextract -function retrieves the underlying physical memory address corresponding to the given kernel virtual address +function retrieves the underlying physical memory address corresponding to the +given kernel virtual address .Fa va . The value of .Fa va -must correlate to an active mapping in the kernel address space. +must belong to a valid mapping in the kernel address space. .Pp .Fn vtophys is an alias for @@ -41,9 +42,8 @@ and behaves identically. .Sh RETURN VALUES The .Fn pmap_kextract -function will return the physical address -.Pq Vt vm_paddr_t -associated with the kernel virtual address +function returns the address of physical memory mapped at the kernel +virtual address .Fa va . .Pp .Fn pmap_kextract
git: 1ffcc2983834 - releng/14.0 - pmcstat: fix duplicate event allocation on CPU 0
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=1ffcc2983834accfd21089daa116ec802e90e088 commit 1ffcc2983834accfd21089daa116ec802e90e088 Author: Mitchell Horne AuthorDate: 2023-09-27 16:37:46 + Commit: Mitchell Horne CommitDate: 2023-10-17 14:11:13 + pmcstat: fix duplicate event allocation on CPU 0 Commit b6e28991bf3a modified the allocation path for system scope PMCs so that the event was allocated early for CPU 0. The reason is so that the PMC's capabilities could be checked, to determine if pmcstat should allocate the event on every CPU, or just on one CPU in each NUMA domain. In the current scheme, there is no way to determine this information without performing the PMC allocation. This broke the established use-case of log analysis, and so 0aa150775179a was committed to fix the assertion. The result was what appeared to be functional, but in normal counter measurement pmcstat was silently allocating two counters for CPU 0. This cuts the total number of counters that can be allocated from a CPU in half. Additionally, depending on the particular hardware/event, we might not be able to allocate the same event twice on a single CPU. The simplest solution is to release the early-allocated PMC once we have obtained its capabilities, and reallocate it later on. This restores the event list logic to behave as it has for many years, and partially reverts commit b6e28991bf3a. Approved by:re (karels) Reported by:alc, kevans Reviewed by:jkoshy, ray Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41978 (cherry picked from commit c362fe939f6fe52056fb7506be9e5cbd0a5ef60b) (cherry picked from commit 5a2849bc3c60426039ff2aeef1d2b54940152927)
---
usr.sbin/pmcstat/pmcstat.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/pmcstat/pmcstat.c b/usr.sbin/pmcstat/pmcstat.c
index fd4be99f83c8..c36cee436e55 100644
--- a/usr.sbin/pmcstat/pmcstat.c
+++ b/usr.sbin/pmcstat/pmcstat.c @@ -713,8 +713,16 @@ main(int argc, char **argv) errx(EX_SOFTWARE, "ERROR: Out of memory."); (void) strncpy(ev->ev_name, optarg, c); *(ev->ev_name + c) = '\0'; + libpmc_initialize(&npmc); + if (args.pa_flags & FLAG_HAS_SYSTEM_PMCS) { + /* +* We need to check the capabilities of the +* desired event to determine if it should be +* allocated on every CPU, or only a subset of +* them. This requires allocating a PMC now. +*/ if (pmc_allocate(ev->ev_spec, ev->ev_mode, ev->ev_flags, ev->ev_cpu, &ev->ev_pmcid, ev->ev_count) < 0) @@ -726,8 +734,14 @@ main(int argc, char **argv) err(EX_OSERR, "ERROR: Cannot get pmc " "capabilities"); } - } + /* +* Release the PMC now that we have caps; we +* will reallocate shortly. +*/ + pmc_release(ev->ev_pmcid); + ev->ev_pmcid = PMC_ID_INVALID; + } STAILQ_INSERT_TAIL(&args.pa_events, ev, ev_next); @@ -751,10 +765,7 @@ main(int argc, char **argv) } if (option == 's' || option == 'S') { CPU_CLR(ev->ev_cpu, &cpumask); - pmc_id_t saved_pmcid = ev->ev_pmcid; - ev->ev_pmcid = PMC_ID_INVALID; pmcstat_clone_event_descriptor(ev, &cpumask, &args); - ev->ev_pmcid = saved_pmcid; CPU_SET(ev->ev_cpu, &cpumask); }
git: 9dad3ed1d15c - stable/14 - cr_canseejailproc(): New privilege, no direct check for UID 0
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=9dad3ed1d15c95c3eedb49c59e55bb25a7071250 commit 9dad3ed1d15c95c3eedb49c59e55bb25a7071250 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:37 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by:emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 (cherry picked from commit 7974ca1cdbee949f5e453eea112be265b425c407) --- sys/kern/kern_jail.c | 1 + sys/kern/kern_prot.c | 7 +-- sys/security/mac_biba/mac_biba.c | 1 + sys/security/mac_lomac/mac_lomac.c | 1 + sys/sys/priv.h | 1 + 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 39bdcaf5ef0e..57e6024a9939 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3938,6 +3938,7 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: /* * Jail implements inter-process debugging limits already, so diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 19e0b78c6709..ed15cb566499 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { - if (u1->cr_uid == 0) + if (see_jail_proc || /* Policy deactivated. */ + u1->cr_prison == u2->cr_prison || /* Same jail. */ + priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ return (0); - return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); + + return (ESRCH); } /*- diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 6948548503e1..5d66e2fd4b9b 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 05bd0da06960..aa9abf458721 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 45cb5bab4275..a61de8d32fe0 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -105,6 +105,7 @@ #definePRIV_CRED_SETRESGID 58 /* setresgid. */ #definePRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ #definePRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ +#definePRIV_SEEJAILPROC61 /* Exempt from bsd.see_jail_proc. */ /* * Debugging privileges.
git: 3ad322db8902 - stable/14 - New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=3ad322db8902da1c3d3669471e4e5738f980a849 commit 3ad322db8902da1c3d3669471e4e5738f980a849 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects This is a new helper function that leverages existing code: It calls successively cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() (as long as the previous didn't deny access). Will be used in a subsequent commit. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40627 (cherry picked from commit e4a7b4f99cfd4931468c0866da4ae8b49cf5badb) --- sys/kern/kern_prot.c | 19 +++ sys/sys/proc.h | 1 + 2 files changed, 20 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index ed15cb566499..1e6073b554e4 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1434,6 +1434,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2) return (ESRCH); } +/* + * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* + * policies. Determines if u1 "can see" u2 according to these policies. + * Returns: 0 for permitted, ESRCH otherwise + */ +int +cr_bsd_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if ((error = cr_canseeotheruids(u1, u2))) + return (error); + if ((error = cr_canseeothergids(u1, u2))) + return (error); + if ((error = cr_canseejailproc(u1, u2))) + return (error); + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 3102cae7add0..8609bbd124ad 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h 
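Review bot: The header comment added above `cr_bsd_visible()` calls it a helper but does not say that access checks are expected to use it instead of calling `cr_canseeotheruids()`, `cr_canseeothergids()` and `cr_canseejailproc()` one by one. That expectation is the reason the helper exists: the follow-up change on this page fixes call sites that listed the individual checks and left the jail check out. I would add a line to the comment such as `* Access checks should call this rather than the individual cr_cansee*() helpers, so that no security.bsd.see_* policy is skipped.`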
@@ -1163,6 +1163,7 @@ void ast_sched(struct thread *td, int tda); void ast_unsched_locked(struct thread *td, int tda); struct thread *choosethread(void); +intcr_bsd_visible(struct ucred *u1, struct ucred *u2); intcr_cansee(struct ucred *u1, struct ucred *u2); intcr_canseesocket(struct ucred *cred, struct socket *so); intcr_canseeothergids(struct ucred *u1, struct ucred *u2);
git: e1153205a719 - stable/14 - Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e1153205a719c6cb792cb2213a3737ee6b53d59c commit e1153205a719c6cb792cb2213a3737ee6b53d59c Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) --- sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 1e6073b554e4..648c067dc528 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif - if ((error = cr_canseeotheruids(u1, u2))) - return (error); - if ((error = cr_canseeothergids(u1, u2))) - return (error); - if ((error = cr_canseejailproc(u1, u2))) + if ((error = cr_bsd_visible(u1, u2))) return (error); return (0); } @@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif - if ((error = cr_canseeotheruids(cred, proc->p_ucred))) - return (error); - if ((error = cr_canseeothergids(cred, proc->p_ucred))) + if ((error = cr_bsd_visible(cred, proc->p_ucred))) return (error); /* 
@@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p) if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); + if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { error = priv_check(td, PRIV_SCHED_DIFFCRED); @@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p) if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); /* @@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so) if (error) return (error); #endif - if (cr_canseeotheruids(cred, so->so_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, so->so_cred)) + if (cr_bsd_visible(cred, so->so_cred)) return (ENOENT); return (0); @@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p) #endif #if 0 /* XXXMAC: This could have odd effects on some shells. */ - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); #endif diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c index 222e39c6bcd2..204f4f60456e 100644 --- a/sys/netinet/in_prot.c +++ b/sys/netinet/in_prot.c @@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) if (error) return (error); #endif - if (cr_canseeotheruids(cred, inp->inp_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, inp->inp_cred)) + if (cr_bsd_visible(cred, inp->inp_cred)) return (ENOENT); return (0);
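Review bot: The `cr_canseesocket()` hunk, and the matching `cr_canseeinpcb()` hunk in sys/netinet/in_prot.c, start applying `security.bsd.see_jail_proc` to sockets and inpcbs, which the commit description does not mention (it lists signals, priority changes and debugging). Since the sysctl name speaks of processes, a short comment at both call sites would keep the wider reach from surprising the next reader, e.g. `/* cr_bsd_visible() also applies security.bsd.see_jail_proc. */`. Both functions still map any denial to `ENOENT`, and their bodies start outside the hunks shown.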
git: f173bbdbc1f8 - stable/14 - cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f173bbdbc1f8701d55db52be30b738395ab3c925 commit f173bbdbc1f8701d55db52be30b738395ab3c925 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:39 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename When these functions were renamed 7 years ago, their man pages were not. Rename the latter in accordance and fix the names inside them. Fix references to them as well. Add the old man pages to the list of obsolete files. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40630 (cherry picked from commit c59ab75c04fa32bc6d292596ff5e4593a05a6b1b) --- ObsoleteFiles.inc | 4 share/man/man9/Makefile| 4 ++-- share/man/man9/cr_cansee.9 | 8 share/man/man9/{cr_seeothergids.9 => cr_canseeothergids.9} | 8 share/man/man9/{cr_seeotheruids.9 => cr_canseeotheruids.9} | 8 share/man/man9/p_candebug.9| 8 6 files changed, 22 insertions(+), 18 deletions(-) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 6f07b70494f8..6a5e4e39fc1e 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -51,6 +51,10 @@ # xargs -n1 | sort | uniq -d; # done +# 20231013: Man pages renamed to match the actual functions +OLD_FILES+=usr/share/man/man9/cr_seeothergids.9.gz +OLD_FILES+=usr/share/man/man9/cr_seeotheruids.9.gz + # 20230906: caroot bundle updated OLD_FILES+=usr/share/certs/trusted/E-Tugra_Certification_Authority.pem OLD_FILES+=usr/share/certs/trusted/E-Tugra_Global_Root_CA_ECC_v3.pem diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index eb670c924077..08ad811fa901 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile 
@@ -69,9 +69,9 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseeothergids.9 \ + cr_canseeotheruids.9 \ critical_enter.9 \ - cr_seeothergids.9 \ - cr_seeotheruids.9 \ crypto.9 \ crypto_buffer.9 \ crypto_driver.9 \ diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 8e058eb4e3e5..4824a231170b 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -50,9 +50,9 @@ variables and .Va security.bsd.see_other_uids , as per the description in -.Xr cr_seeothergids 9 +.Xr cr_canseeothergids 9 and -.Xr cr_seeotheruids 9 +.Xr cr_canseeotheruids 9 respectively. .Sh RETURN VALUES This function returns zero if the object with credential @@ -84,7 +84,7 @@ does not belong to the same jail as The MAC subsystem denied visibility. .El .Sh SEE ALSO -.Xr cr_seeothergids 9 , -.Xr cr_seeotheruids 9 , +.Xr cr_canseeothergids 9 , +.Xr cr_canseeotheruids 9 , .Xr mac 9 , .Xr p_cansee 9 diff --git a/share/man/man9/cr_seeothergids.9 b/share/man/man9/cr_canseeothergids.9 similarity index 94% rename from share/man/man9/cr_seeothergids.9 rename to share/man/man9/cr_canseeothergids.9 index bd8eb5d2e9d9..79269533ae5c 100644 --- a/share/man/man9/cr_seeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERGIDS 9 +.Dt CR_CANSEEOTHERGIDS 9 .Os .Sh NAME -.Nm cr_seeothergids +.Nm cr_canseeothergids .Nd determine visibility of objects given their group memberships .Sh SYNOPSIS .Ft int -.Fn cr_seeothergids "struct ucred *u1" "struct ucred *u2" +.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION This function determines the visibility of objects in the kernel based on the group IDs in the credentials @@ -76,5 +76,5 @@ or .Er ESRCH otherwise. .Sh SEE ALSO -.Xr cr_seeotheruids 9 , +.Xr cr_canseeotheruids 9 , .Xr p_candebug 9 
diff --git a/share/man/man9/cr_seeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 similarity index 94% rename from share/man/man9/cr_seeotheruids.9 rename to share/man/man9/cr_canseeotheruids.9 index 2cefd0f9dc8e..80acc2d7a6ca 100644 --- a/share/man/man9/cr_seeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 @@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERUIDS 9 +.Dt CR_CANSEEOTHERUIDS 9 .Os .Sh NAME -.Nm cr_seeotheruids +.Nm cr_canseeotheruids .Nd determine visibility of objects given their user credentials .Sh SYNOPSIS .Ft int -.Fn cr_seeotheruids "struct ucred *u1" "struct ucred *u2" +.Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
git: ce4c78b612b1 - stable/14 - cr_canseejailproc(9): New man page
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=ce4c78b612b1d933320ae794b50f85f60db2e1a0 commit ce4c78b612b1d933320ae794b50f85f60db2e1a0 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_canseejailproc(9): New man page Reviewed by:pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40631 (cherry picked from commit 29d863bb7ffc692998f21fa3e7a91afa1151cf1c) --- share/man/man9/Makefile| 1 + share/man/man9/cr_canseejailproc.9 | 81 ++ 2 files changed, 82 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 08ad811fa901..71a11a7cc6c0 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -69,6 +69,7 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseejailproc.9 \ cr_canseeothergids.9 \ cr_canseeotheruids.9 \ critical_enter.9 \ diff --git a/share/man/man9/cr_canseejailproc.9 b/share/man/man9/cr_canseejailproc.9 new file mode 100644 index ..775c76722b05 --- /dev/null +++ b/share/man/man9/cr_canseejailproc.9 
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated to
+the same jail, or if
+.Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: d9181d86c6ae - stable/14 - cr_bsd_visible(9): New man page
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=d9181d86c6aed243927620b414a7c37b1ae613d7 commit d9181d86c6aed243927620b414a7c37b1ae613d7 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_bsd_visible(9): New man page Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40632 (cherry picked from commit 0d6bf73c4f20e6ed719c29c1b382d24bb0a81a2f) --- share/man/man9/Makefile | 1 + share/man/man9/cr_bsd_visible.9 | 117 2 files changed, 118 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 71a11a7cc6c0..c3c81719b7d2 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -68,6 +68,7 @@ MAN= accept_filter.9 \ copy.9 \ counter.9 \ cpuset.9 \ + cr_bsd_visible.9 \ cr_cansee.9 \ cr_canseejailproc.9 \ cr_canseeothergids.9 \ diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 new file mode 100644 index ..bd676e6f5705 --- /dev/null +++ b/share/man/man9/cr_bsd_visible.9 
@@ -0,0 +1,117 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_BSD_VISIBLE 9
+.Os
+.Sh NAME
+.Nm cr_bsd_visible
+.Nd determine if subjects may see entities according to BSD security policies
+.Sh SYNOPSIS
+.In sys/proc.h
+.Ft int
+.Fn cr_bsd_visible "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+This function determines if a subject with credentials
+.Fa u1
+is denied seeing an object or subject associated to credentials
+.Fa u2
+by the following policies and associated
+.Xr sysctl 8
+knobs:
+.Bl -tag -width indent
+.It Va security.bsd.seeotheruids
+If set to 0, subjects cannot see other subjects or objects if they are not
+associated with the same real user ID.
+The corresponding internal function is
+.Xr cr_canseeotheruids 9 .
+.It Va security.bsd.seeothergids
+If set to 0, subjects cannot see other subjects or objects if they are not both
+a member of at least one common group.
+The corresponding internal function is
+.Xr cr_canseeothergids 9 .
+.It Va security.bsd.see_jail_proc
+If set to 0, subjects cannot see other subjects or objects that are not
+associated with the same jail as they are.
+The corresponding internal function is
+.Xr cr_canseejailproc 9 .
+.El
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from any of these
+policies provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Pp
+This function is intended to be used as a helper to implement
+.Xr cr_cansee 9
+and similar functions.
+.Sh RETURN VALUES
+This function returns zero if a subject with credentials
+.Fa u1
+may see a subject or object with credentials
+.Fa u2
+by the active above-mentioned policies, or
+.Er ESRCH
+otherwise.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+do not have the same real user ID.
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not members of any common group
+.Po
+as determined by
+.Xr groupmember 9
+.Pc .
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not in the same
git: ad1486b625ed - stable/14 - cr_canseeothergids(9): Revamp, mark as internal
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=ad1486b625edbf190ba0d9c77d695560e75037cb commit ad1486b625edbf190ba0d9c77d695560e75037cb Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_canseeothergids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeotheruids(9) by ones to cr_bsd_visible(9). Reviewed by:pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40633 (cherry picked from commit 3fe9ea4d2d04d48a249b2e6161d416bb4d5b364e) --- share/man/man9/cr_canseeothergids.9 | 77 +++-- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index 79269533ae5c..f0c1e5c4e726 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,58 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 11, 2003
+.Dd August 18, 2023
 .Dt CR_CANSEEOTHERGIDS 9
 .Os
 .Sh NAME
 .Nm cr_canseeothergids
-.Nd determine visibility of objects given their group memberships
+.Nd determine if subjects may see entities in a disjoint group set
 .Sh SYNOPSIS
 .Ft int
 .Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the group IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
 .Fa u1
-and
+is denied seeing a subject or object associated to credentials
 .Fa u2
-associated with them.
+by a policy that requires both credentials to have at least one group in common.
+For this determination, the effective and supplementary group IDs are used, but
+not the real group IDs, as per
+.Xr groupmember 9 .
 .Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
 .Xr sysctl 8
 variable
-.Va security.bsd.see_other_gids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their group membership.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if at least one of
-.Fa u1 Ns 's
-group IDs is present in
-.Fa u2 Ns 's
-group set.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_gids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_gids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeothergids
+function returns 0 if the policy is disabled, the credentials share at least one
+common group, or if
 .Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
 .Sh SEE ALSO
-.Xr cr_canseeotheruids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr groupmember 9 ,
+.Xr priv_check_cred 9
git: 60cc4f16d4e9 - stable/14 - groupmember(9): Detail which groups are considered, simplify
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=60cc4f16d4e91d9d37a4619d708cfe88ff093526 commit 60cc4f16d4e91d9d37a4619d708cfe88ff093526 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + groupmember(9): Detail which groups are considered, simplify Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40634 (cherry picked from commit 75a45ca3b34062fe793ae326ad9da614a1a06df1) --- share/man/man9/groupmember.9 | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index d447bf64c482..3a516622efce 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (C) 2001 Chad David . All rights reserved. +.\" Copyright (C) 2023 Olivier Certner .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -24,12 +25,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH .\" DAMAGE. .\" -.Dd July 9, 2001 +.Dd August 18, 2023 .Dt GROUPMEMBER 9 .Os .Sh NAME .Nm groupmember -.Nd checks group set for a group ID +.Nd checks if credentials mandate some group membership .Sh SYNOPSIS .In sys/param.h .In sys/ucred.h 
@@ -38,21 +39,26 @@ .Sh DESCRIPTION The .Fn groupmember -function checks to see if the given -.Fa gid -is in the group set of the credentials. +function checks if credentials +.Fa cred +indicate that the associated subject or object is a member of the group +designated by the group ID +.Fa gid . .Pp -Its arguments are: -.Bl -tag -width ".Fa cred" -.It Fa gid -The group ID to check for. -.It Fa cred -The credentials to search for the group in. -.El +Considered groups in +.Fa cred +are the effective and supplementary groups. +The real group is not taken into account. .Sh RETURN VALUES If the .Fa gid -is found, 1 is returned; otherwise, 0 is returned. +is found, 1 is returned, otherwise 0. +.Sh SEE ALSO +.Xr getgroups 2 +.Xr setgroups 2 .Sh AUTHORS -This manual page was written by -.An Chad David Aq Mt dav...@acns.ab.ca . +This manual page was initially written by +.An -nosplit +.An Chad David Aq Mt dav...@acns.ab.ca +and was revised by +.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: e04b81f8b76c - stable/14 - cr_canseeotheruids(9): Revamp, mark as internal
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e04b81f8b76ceb31abec1c739b42e70433047d3d commit e04b81f8b76ceb31abec1c739b42e70433047d3d Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_canseeotheruids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeothergids(9) by ones to cr_bsd_visible(9). Reviewed by:bcr, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40635 (cherry picked from commit 4ddd253b38dff872355cc1b5238b1bbfd380) --- share/man/man9/cr_canseeotheruids.9 | 73 ++--- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 index 80acc2d7a6ca..230c5ea59b78 100644 --- a/share/man/man9/cr_canseeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,54 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 11, 2003
+.Dd August 18, 2023
 .Dt CR_CANSEEOTHERUIDS 9
 .Os
 .Sh NAME
 .Nm cr_canseeotheruids
-.Nd determine visibility of objects given their user credentials
+.Nd determine if subjects may see entities with differing user ID
 .Sh SYNOPSIS
 .Ft int
 .Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
 .Fa u1
-and
+is denied seeing a subject or object associated to credentials
 .Fa u2
-associated with them.
+by a policy that requires both credentials to have the same real user ID.
 .Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
 .Xr sysctl 8
 variable
-.Va security.bsd.see_other_uids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their user IDs.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if
-.Fa u1
-and
-.Fa u2
-have the same real user ID.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_uids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_uids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeotheruids
+function returns 0 if the policy is disabled, both credentials have the same
+real user ID, or if
 .Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
 .Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
git: 2ecbfdaecbd0 - stable/14 - cr_cansee(9): cr_bsd_visible() impacts, simplifications
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef commit 2ecbfdaecbd009d32b2453c7b2bd6c33656b92ef Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + cr_cansee(9): cr_bsd_visible() impacts, simplifications Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9). Defer to cr_bsd_visible() for controlling sysctl(8) variables. Reviewed by:bcr, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40636 (cherry picked from commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004) --- share/man/man9/cr_cansee.9 | 61 -- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 4824a231170b..d5cdfdd6f8e5 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2006 Ceri Davies +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -23,43 +24,39 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt CR_CANSEE 9 .Os .Sh NAME .Nm cr_cansee .Nd "determine visibility of objects given their user credentials" .Sh SYNOPSIS -.In sys/param.h -.In sys/systm.h -.In sys/ucred.h +.In sys/proc.h .Ft int .Fn cr_cansee "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the real user IDs and group IDs in the credentials +This function determines if a subject with credential .Fa u1 -and -.Fa u2 -associated with them. +can see a subject or object associated to credential +.Fa u2 . .Pp -The visibility of objects is influenced by the +Specific types of subjects may need to submit to additional or different +restrictions. +As an example, for processes, see +.Xr p_cansee 9 , +which calls this function. +.Pp +The implementation relies on +.Xr cr_bsd_visible 9 +and consequently the .Xr sysctl 8 -variables -.Va security.bsd.see_other_gids -and -.Va security.bsd.see_other_uids , -as per the description in -.Xr cr_canseeothergids 9 -and -.Xr cr_canseeotheruids 9 -respectively. +variables referenced in its manual page influence the result. .Sh RETURN VALUES -This function returns zero if the object with credential +This function returns zero if the subject with credential .Fa u1 can .Dq see -the object with credential +the subject or object with credential .Fa u2 , or .Er ESRCH 
@@ -67,24 +64,20 @@ otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -The object with credential -.Fa u1 -cannot -.Dq see -the object with credential -.Fa u2 . -.It Bq Er ESRCH -The object with credential +The subject with credential .Fa u1 -has been jailed and the object with credential +has been jailed and the subject or object with credential .Fa u2 -does not belong to the same jail as -.Fa u1 . +does not belong to the same jail or one of its sub-jails, as determined by +.Xr prison_check 9 . .It Bq Er ESRCH The MAC subsystem denied visibility. +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .El .Sh SEE ALSO -.Xr cr_canseeothergids 9 , -.Xr cr_canseeotheruids 9 , +.Xr prison_check 9 , .Xr mac 9 , +.Xr cr_bsd_visible 9 , .Xr p_cansee 9
git: fea4e20afb76 - stable/14 - p_cansee(9): Bring up-to-date, misc fixes
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=fea4e20afb76b900bfc6a733487470e3ec6f13a2 commit fea4e20afb76b900bfc6a733487470e3ec6f13a2 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + p_cansee(9): Bring up-to-date, misc fixes Essentially defer to cr_cansee(9), except for the specifics. Be more specific on the return codes. Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40637 (cherry picked from commit 2ede38aff5d4c91a17ab6d093f2e8cce24b5418b) --- share/man/man9/p_cansee.9 | 44 1 file changed, 16 insertions(+), 28 deletions(-) diff --git a/share/man/man9/p_cansee.9 b/share/man/man9/p_cansee.9 index 84287dac951b..9fdce460dfea 100644 --- a/share/man/man9/p_cansee.9 +++ b/share/man/man9/p_cansee.9 @@ -24,19 +24,18 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt P_CANSEE 9 .Os .Sh NAME .Nm p_cansee .Nd determine visibility of a process .Sh SYNOPSIS -.In sys/param.h .In sys/proc.h .Ft int .Fn p_cansee "struct thread *td" "struct proc *p" .Sh DESCRIPTION -This function can be used to determine if a given process +This function determines if a given process .Fa p is visible to the thread .Fa td , @@ -45,13 +44,14 @@ where the notion of may be read as .Dq "awareness of existence" . .Pp -The function is implemented using -.Xr cr_cansee 9 , -and the dependencies on -.Xr sysctl 8 -variables documented in the -.Xr cr_cansee 9 -manual page apply. +This function explicitly allows a thread to always see its own process, +even with pending credentials changes +.Po +see +.Xr ucred 9 +.Pc . +Otherwise, it simply defers to +.Xr cr_cansee 9 . .Sh RETURN VALUES The .Fn p_cansee 
@@ -62,30 +62,18 @@ if the process denoted by .Fa p is visible by thread .Fa td , -or a non-zero error return value otherwise. +or ESRCH otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -Process -.Fa p -is not visible to thread -.Fa td -as determined by -.Xr cr_cansee 9 . -.It Bq Er ESRCH Thread .Fa td -has been jailed and process +is not part of process .Fa p -does not belong to the same jail as -.Fa td . -.It Bq Er ESRCH -The MAC subsystem denied visibility. +and cannot see it as determined by +.Xr cr_cansee 9 . .El .Sh SEE ALSO -.Xr jail 2 , -.Xr sysctl 8 , +.Xr ucred 9 , .Xr cr_cansee 9 , -.Xr mac 9 , -.Xr p_candebug 9 , -.Xr prison_check 9 +.Xr p_candebug 9
git: 76781950658c - stable/14 - p_candebug(9): cr_bsd_visible() impacts, misc fixes
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=76781950658cc95a0820af5f0fb013f2ef9eb3a9 commit 76781950658cc95a0820af5f0fb013f2ef9eb3a9 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + p_candebug(9): cr_bsd_visible() impacts, misc fixes Mention cr_bsd_visible(9). Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9), as well as indirect references not immediately useful. Fix description of credentials checks to match reality. Re-order errors to match code's check order. Reviewed by:bcr, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40638 (cherry picked from commit eb94f24fab4b44f13ca045370d9fcf12ca8835f2) --- share/man/man9/p_candebug.9 | 103 1 file changed, 56 insertions(+), 47 deletions(-) diff --git a/share/man/man9/p_candebug.9 b/share/man/man9/p_candebug.9 index e80d313de55c..c824db974154 100644 --- a/share/man/man9/p_candebug.9 +++ b/share/man/man9/p_candebug.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" @@ -25,7 +26,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt P_CANDEBUG 9 .Os .Sh NAME 
@@ -37,24 +38,27 @@ .Ft int .Fn p_candebug "struct thread *td" "struct proc *p" .Sh DESCRIPTION -This function can be used to determine if a given process +This function determines if a given process .Fa p -is debuggable by the thread +is debuggable by some thread .Fa td . -.Sh SYSCTL VARIABLES +.Pp The following .Xr sysctl 8 variables directly influence the behaviour of .Fn p_candebug : .Bl -tag -width indent +.It Va security.bsd.unprivileged_proc_debug +Must be set to a non-zero value to allow unprivileged processes +access to the kernel's debug facilities. .It Va kern.securelevel Debugging of the init process is not allowed if this variable is .Li 1 or greater. -.It Va security.bsd.unprivileged_proc_debug -Must be set to a non-zero value to allow unprivileged processes -access to the kernel's debug facilities. .El +.Pp +Other such variables indirectly influence it; see +.Xr cr_bsd_visible 9 . .Sh RETURN VALUES The .Fn p_candebug 
@@ -68,35 +72,45 @@ is debuggable by thread or a non-zero error return value otherwise. .Sh ERRORS .Bl -tag -width Er -.It Bq Er EACCESS -The MAC subsystem denied debuggability. -.It Bq Er EAGAIN -Process -.Fa p -is in the process of being -.Fn exec Ns 'ed. .It Bq Er EPERM +An unprivileged process attempted to debug another process but the system is +configured to deny it +.Po +see +.Xr sysctl 8 +variable +.Va security.bsd.unprivileged_proc_debug +above +.Pc . +.It Bq Er ESRCH Thread .Fa td -lacks super-user credentials and process -.Fa p -is executing a set-user-ID or set-group-ID executable. +has been jailed and the process to debug does not belong to the same jail or one +of its sub-jails, as determined by +.Xr prison_check 9 . +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .It Bq Er EPERM Thread .Fa td -lacks super-user credentials and process +lacks superuser credentials and its (effective) group set is not a superset of +process .Fa p Ns 's -group set is not a subset of -.Fa td Ns 's -effective group set. +whole group set +.Pq "including real, effective and saved group IDs" . .It Bq Er EPERM Thread .Fa td -lacks super-user credentials and process -.Fa p Ns 's -user IDs do not match thread -.Fa td Ns 's -effective user ID. +lacks superuser credentials and its (effective) user ID does not match all user +IDs of process +.Fa p . +.It Bq Er EPERM +Thread +.Fa td +lacks superuser credentials and process +.Fa p +is executing a set-user-ID or set-group-ID executable. .It Bq Er EPERM Process .Fa p 
@@ -107,30 +121,25 @@ and the variable .Va kern.securelevel is greater than zero. -.It Bq Er ESRCH +.It Bq Er EBUSY Process .Fa p -is not visible to thread -.Fa td -as determined by -.Xr cr_canseeotheruids 9 -or -.Xr cr_canseeothergids 9 . -.It Bq Er ESRCH -Thread -.Fa td -has been jailed and process +is in the process of being +.Fn exec Ns 'ed. +.It Bq Er EPERM +Process .Fa p -does not belong to the same jail as -.Fa td . -.It Bq Er ESRCH -The MAC subsystem denied debuggability. +denied debuggability +.Po +see +.Xr procctl 2 , +command +.Dv PROC_TRACE_CTL +.Pc . .El .Sh SEE ALSO -.Xr jail 2 , -.Xr sysctl 8 , -.Xr cr_canseeothergids 9 , -.Xr cr_canseeother
git: 8d935c419fda - stable/14 - prison_check(9): Bring up-to-date with hierarchical jails
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=8d935c419fdafa0cb6fe9e1a3ed6dd92fd76d776 commit 8d935c419fdafa0cb6fe9e1a3ed6dd92fd76d776 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:44 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + prison_check(9): Bring up-to-date with hierarchical jails Reviewed by:bcr, emaste, pauamma_gundo.com, mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40639 (cherry picked from commit e9fdd494537ca45b14e0917e8bb1595b6460f3a3) --- share/man/man9/prison_check.9 | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/share/man/man9/prison_check.9 b/share/man/man9/prison_check.9 index b3bdcf6b4571..7f174e3ceb2e 100644 --- a/share/man/man9/prison_check.9 +++ b/share/man/man9/prison_check.9 @@ -25,22 +25,23 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 11, 2003 +.Dd August 18, 2023 .Dt PRISON_CHECK 9 .Os .Sh NAME .Nm prison_check -.Nd determine if two credentials belong to the same jail +.Nd determine if subjects may see entities according to jail restrictions .Sh SYNOPSIS .In sys/jail.h .Ft int .Fn prison_check "struct ucred *cred1" "struct ucred *cred2" .Sh DESCRIPTION -This function can be used to determine if the two credentials +This function determines if a subject with credentials .Fa cred1 -and +is denied access to subjects or objects with credentials .Fa cred2 -belong to the same jail. +according to the policy that a subject can see subjects or objects in its own +jail or any sub-jail of it. .Sh RETURN VALUES The .Fn prison_check @@ -48,12 +49,9 @@ function returns .Er ESRCH if -.Fa cred1 -has been jailed, and -.Fa cred1 -and .Fa cred2 -do not belong to the same jail. +is not in the same jail or a sub-jail of that of +.Fa cred1 . In all other cases, .Fn prison_check returns zero.
git: f3de805ace48 - stable/14 - groupmember(): Extract the supplementary group search in a separate function
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f3de805ace484db4a3bf9191a150ef4843ae92f3 commit f3de805ace484db4a3bf9191a150ef4843ae92f3 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:44 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + groupmember(): Extract the supplementary group search in a separate function This is in preparation for the introduction of the new realgroupmember() function, which does the same search into supplementary groups as groupmember(). Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40640 (cherry picked from commit b725f232f3b09b4bcbc426854fe1545234c66965) --- sys/kern/kern_prot.c | 41 - 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 648c067dc528..21f5e5d3bc16 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1273,36 +1273,43 @@ sys___setugid(struct thread *td, struct __setugid_args *uap) } /* - * Check if gid is a member of the group set. + * Returns whether gid designates a supplementary group in cred. */ -int -groupmember(gid_t gid, struct ucred *cred) +static int +supplementary_group_member(gid_t gid, struct ucred *cred) { - int l; - int h; - int m; - - if (cred->cr_groups[0] == gid) - return(1); + int l, h, m; /* -* If gid was not our primary group, perform a binary search -* of the supplemental groups. This is possible because we -* sort the groups in crsetgroups(). +* Perform a binary search of the supplemental groups. This is possible +* because we sort the groups in crsetgroups(). */ l = 1; h = cred->cr_ngroups; + while (l < h) { - m = l + ((h - l) / 2); + m = l + (h - l) / 2; if (cred->cr_groups[m] < gid) - l = m + 1; + l = m + 1; else - h = m; + h = m; } - if ((l < cred->cr_ngroups) && (cred->cr_groups[l] == gid)) + + return (l < cred->cr_ngroups && cred->cr_groups[l] == gid); +} + +/* + * Check if gid is a member of the (effective) group set (i.e., effective and + * supplementary groups). + */ +int +groupmember(gid_t gid, struct ucred *cred) +{ + + if (cred->cr_groups[0] == gid) return (1); - return (0); + return (supplementary_group_member(gid, cred)); } /*
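Review bot: The header comment on the new `supplementary_group_member()` does not say that the search starts at index 1 on purpose, leaving out `cr_groups[0]`, which `groupmember()` tests separately as the effective GID. The helper is about to be shared by a second caller, and a gid that matches only slot 0 yields false here, so that contract should be written down rather than inferred from `l = 1`. I would extend the comment to something like `Slot 0 (the effective GID) is deliberately skipped; only cr_groups[1..cr_ngroups-1] are searched.` The result also depends on `crsetgroups()` keeping that range sorted; since this feeds authorization decisions, a sentence saying an unsorted list gives wrong answers silently would help the next maintainer.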
git: d1fde7841f3f - stable/14 - New realgroupmember()
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=d1fde7841f3f3dd86b932ae1f9bb285cbe16634c commit d1fde7841f3f3dd86b932ae1f9bb285cbe16634c Author: Olivier Certner AuthorDate: 2023-08-17 23:54:45 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + New realgroupmember() Like groupmember(), but taking into account the real group instead of the effective group. Leverages the new supplementary_group_member() function. Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40641 Differential Revision: https://reviews.freebsd.org/D40643 (cherry picked from commit 2a2bfa6ad92e9c82dcc55733ad2fd58fd2ea7559) (cherry picked from commit 5d9f38405a10fdcd9fc108c940dcf2642e9f1833) --- share/man/man9/Makefile | 1 + share/man/man9/groupmember.9 | 7 +++ sys/kern/kern_prot.c | 13 + sys/sys/ucred.h | 1 + 4 files changed, 22 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index c3c81719b7d2..2122f8d6ea8c 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -1157,6 +1157,7 @@ MLINKS+=g_provider.9 g_destroy_provider.9 \ g_provider.9 g_error_provider.9 \ g_provider.9 g_new_providerf.9 MLINKS+=gone_in.9 gone_in_dev.9 +MLINKS+=groupmember.9 realgroupmember.9 MLINKS+=hash.9 hash32.9 \ hash.9 hash32_buf.9 \ hash.9 hash32_str.9 \ diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index 3a516622efce..ae7ccd477955 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -36,6 +36,8 @@ .In sys/ucred.h .Ft int .Fn groupmember "gid_t gid" "struct ucred *cred" +.Ft int +.Fn realgroupmember "gid_t gid" "struct ucred *cred" .Sh DESCRIPTION The .Fn groupmember 
@@ -49,6 +51,11 @@ Considered groups in .Fa cred are the effective and supplementary groups. The real group is not taken into account. +.Pp +Function +.Fn realgroupmember +works the same except that it considers instead the real and supplementary +groups, and not the effective one. .Sh RETURN VALUES If the .Fa gid diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 21f5e5d3bc16..23bd2009582b 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1312,6 +1312,19 @@ groupmember(gid_t gid, struct ucred *cred) return (supplementary_group_member(gid, cred)); } +/* + * Check if gid is a member of the real group set (i.e., real and supplementary + * groups). + */ +int +realgroupmember(gid_t gid, struct ucred *cred) +{ + if (gid == cred->cr_rgid) + return (1); + + return (supplementary_group_member(gid, cred)); +} + /* * Test the active securelevel against a given level. securelevel_gt() * implements (securelevel > level). securelevel_ge() implements diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index eb92776c158a..633bf436fcd4 100644 --- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h @@ -159,6 +159,7 @@ voidcru2x(struct ucred *cr, struct xucred *xcr); void cru2xt(struct thread *td, struct xucred *xcr); void crsetgroups(struct ucred *cr, int n, gid_t *groups); intgroupmember(gid_t gid, struct ucred *cred); +intrealgroupmember(gid_t gid, struct ucred *cred); #endif /* _KERNEL */ #endif /* !_SYS_UCRED_H_ */
git: f482bc958437 - stable/14 - cr_canseeothergids(): Use real instead of effective group membership
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f482bc958437e90cf8eb3a9e45e92efeb0b2556e commit f482bc958437e90cf8eb3a9e45e92efeb0b2556e Author: Olivier Certner AuthorDate: 2023-08-17 23:54:45 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + cr_canseeothergids(): Use real instead of effective group membership Using the effective group and not the real one when testing membership has the consequence that unprivileged processes cannot see setuid commands they launch until these have relinquished their privileges. This is also in contradiction with how the similar cr_canseeotheruids() works, i.e., by taking into account real user IDs. Fix this by substituting groupmember() with realgroupmember(). While here, simplify the code. PR: 272093 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40642 Differential Revision: https://reviews.freebsd.org/D40644 (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2) (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff) --- share/man/man9/cr_bsd_visible.9 | 2 +- share/man/man9/cr_canseeothergids.9 | 8 sys/kern/kern_prot.c| 23 ++- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 index bd676e6f5705..f2d42f3835dc 100644 --- a/share/man/man9/cr_bsd_visible.9 +++ b/share/man/man9/cr_bsd_visible.9 @@ -97,7 +97,7 @@ and are not members of any common group .Po as determined by -.Xr groupmember 9 +.Xr realgroupmember 9 .Pc . .It Bq Er ESRCH Credentials diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index f0c1e5c4e726..109d41a8545d 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 
@@ -48,9 +48,9 @@ This function checks if a subject associated to credentials is denied seeing a subject or object associated to credentials .Fa u2 by a policy that requires both credentials to have at least one group in common. -For this determination, the effective and supplementary group IDs are used, but -not the real group IDs, as per -.Xr groupmember 9 . +For this determination, the real and supplementary group IDs are used, but +not the effective group IDs, as per +.Xr realgroupmember 9 . .Pp This policy is active if and only if the .Xr sysctl 8 @@ -79,5 +79,5 @@ Otherwise, it returns .Er ESRCH . .Sh SEE ALSO .Xr cr_bsd_visible 9 , -.Xr groupmember 9 , +.Xr realgroupmember 9 , .Xr priv_check_cred 9 diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 23bd2009582b..43fc3100bfa7 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1404,21 +1404,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { - int i, match; - if (!see_other_gids) { - match = 0; - for (i = 0; i < u1->cr_ngroups; i++) { - if (groupmember(u1->cr_groups[i], u2)) - match = 1; - if (match) - break; - } - if (!match) { - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) - return (ESRCH); - } + if (realgroupmember(u1->cr_rgid, u2)) + return (0); + + for (int i = 1; i < u1->cr_ngroups; i++) + if (realgroupmember(u1->cr_groups[i], u2)) + return (0); + + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) + return (ESRCH); } + return (0); }
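Review bot: The rewritten loop in `cr_canseeothergids()` starts at `i = 1` without a comment, so the reader has to know that `cr_groups[0]` is the effective GID and is being skipped intentionally now that `u1->cr_rgid` is tested first. An off-by-one here would silently change which credentials can see each other when `security.bsd.see_other_gids` is 0, so the intent belongs next to the loop: `/* cr_groups[0] is the effective GID; only the real and supplementary groups count here. */`. As a point of style, the unbraced `for` with a nested unbraced `if` is easy to break when a statement is added later; bracing the loop body would cost one line.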
git: b6b76c1c09a4 - stable/14 - groupmember(), realgroupmember(): Return a bool instead of an int
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=b6b76c1c09a44dbf9ef1ef8e6b0c3e8204baae7a commit b6b76c1c09a44dbf9ef1ef8e6b0c3e8204baae7a Author: Olivier Certner AuthorDate: 2023-08-17 23:54:47 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + groupmember(), realgroupmember(): Return a bool instead of an int Requested by: mhorne Reviewed by:mhorne MFC after: 2 weeks MFC to: stable/14 releng/14.0 Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40958 Differential Revision: https://reviews.freebsd.org/D40959 (cherry picked from commit ffd3ef8ee0253ffaf214cf711251d112f6a2bcf6) (cherry picked from commit 845b7c80887ac84c82ee776836ef86d68ea71c94) --- share/man/man9/groupmember.9 | 18 +- sys/kern/kern_prot.c | 12 ++-- sys/sys/ucred.h | 4 ++-- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index ae7ccd477955..b7865a35fdc9 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -34,9 +34,9 @@ .Sh SYNOPSIS .In sys/param.h .In sys/ucred.h -.Ft int +.Ft bool .Fn groupmember "gid_t gid" "struct ucred *cred" -.Ft int +.Ft bool .Fn realgroupmember "gid_t gid" "struct ucred *cred" .Sh DESCRIPTION The @@ -57,9 +57,17 @@ Function works the same except that it considers instead the real and supplementary groups, and not the effective one. .Sh RETURN VALUES -If the -.Fa gid -is found, 1 is returned, otherwise 0. +The +.Fn groupmember +and +.Fn realgroupmember +functions return +.Dv true +if the given credentials indicate membership of the group +.Fa gid , +or +.Dv false +otherwise. .Sh SEE ALSO .Xr getgroups 2 .Xr setgroups 2 diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 43fc3100bfa7..14b19837d5dc 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1275,7 +1275,7 @@ sys___setugid(struct thread *td, struct __setugid_args *uap) /* * Returns whether gid designates a supplementary group in cred. */ -static int +static bool supplementary_group_member(gid_t gid, struct ucred *cred) { int l, h, m; @@ -1302,12 +1302,12 @@ supplementary_group_member(gid_t gid, struct ucred *cred) * Check if gid is a member of the (effective) group set (i.e., effective and * supplementary groups). */ -int +bool groupmember(gid_t gid, struct ucred *cred) { - if (cred->cr_groups[0] == gid) - return (1); + if (gid == cred->cr_groups[0]) + return (true); return (supplementary_group_member(gid, cred)); } @@ -1316,11 +1316,11 @@ groupmember(gid_t gid, struct ucred *cred) * Check if gid is a member of the real group set (i.e., real and supplementary * groups). */ -int +bool realgroupmember(gid_t gid, struct ucred *cred) { if (gid == cred->cr_rgid) - return (1); + return (true); return (supplementary_group_member(gid, cred)); } diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index 633bf436fcd4..7c9e46e47774 100644 --- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h @@ -158,8 +158,8 @@ voidcrcowfree(struct thread *td); void cru2x(struct ucred *cr, struct xucred *xcr); void cru2xt(struct thread *td, struct xucred *xcr); void crsetgroups(struct ucred *cr, int n, gid_t *groups); -intgroupmember(gid_t gid, struct ucred *cred); -intrealgroupmember(gid_t gid, struct ucred *cred); +bool groupmember(gid_t gid, struct ucred *cred); +bool realgroupmember(gid_t gid, struct ucred *cred); #endif /* _KERNEL */ #endif /* !_SYS_UCRED_H_ */
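Review bot: The sys/sys/ucred.h hunk changes the exported prototypes of `groupmember()` and `realgroupmember()` from `int` to `bool` on a stable branch, and nothing in this diff tells module authors about it (no `__FreeBSD_version` bump or UPDATING note is visible). A module compiled against the old header reads the result as a full `int`, while a `bool`-returning callee may only define the low byte on some ABIs, so a stale binary could misjudge group membership, which is an authorization decision. Whether any consumer outside the tree is affected cannot be told from here; if it can be, a note asking for a rebuild would be worth adding alongside the man page update.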
git: 4a8585251944 - stable/14 - security(7): security.bsd.see*: Be more accurate
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=4a8585251944e1d8f0242ee7937204e4fbcd3e8f commit 4a8585251944e1d8f0242ee7937204e4fbcd3e8f Author: Olivier Certner AuthorDate: 2023-08-17 23:54:48 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + security(7): security.bsd.see*: Be more accurate Reviewed by:mhorne, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41108 (cherry picked from commit 61b6e00bee1d39e9c688e728fbf3a4efcdb61e66) --- share/man/man7/security.7 | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index ebe5e66e22af..a48e3607f0e5 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -959,16 +959,18 @@ Backwards compatibility shims for the interim sysctls under will not be added. .Bl -tag -width security.bsd.unprivileged_proc_debug .It Dv security.bsd.see_other_uids -Controls visibility of processes owned by different uid. +Controls visibility and reachability of subjects (e.g., processes) and objects +(e.g., sockets) owned by a different uid. The knob directly affects the .Dv kern.proc sysctls filtering of data, which results in restricted output from utilities like .Xr ps 1 . .It Dv security.bsd.see_other_gids -Same, for processes owned by different gid. +Same, for subjects and objects owned by a different gid. .It Dv security.bsd.see_jail_proc -Same, for processes belonging to a jail. +Same, for subjects and objects belonging to a different jail, including +sub-jails. .It Dv security.bsd.conservative_signals When enabled, unprivileged users are only allowed to send job control and usual termination signals like
git: b0186790020f - stable/14 - ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=b0186790020f1a3eecd6b1d86fe79841d90e3438 commit b0186790020f1a3eecd6b1d86fe79841d90e3438 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:48 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + ptrace(2): Disabling: Describe influence of security.bsd.see_jail_proc Reviewed by:mhorne, emaste, pauamma_gundo.com MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41109 (cherry picked from commit d952820105d6a2ad87ddf3bdc6c5fc5215d13b87) --- lib/libc/sys/ptrace.2 | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/lib/libc/sys/ptrace.2 b/lib/libc/sys/ptrace.2 index d7d244b1d84a..ae1770315aa5 100644 --- a/lib/libc/sys/ptrace.2 +++ b/lib/libc/sys/ptrace.2 @@ -1,7 +1,7 @@ .\"$NetBSD: ptrace.2,v 1.2 1995/02/27 12:35:37 cgd Exp $ .\" .\" This file is in the public domain. -.Dd December 15, 2022 +.Dd August 18, 2023 .Dt PTRACE 2 .Os .Sh NAME 
@@ -149,31 +149,37 @@ its scope. The following controls are provided for this: .Bl -tag -width security.bsd.unprivileged_proc_debug .It Dv security.bsd.allow_ptrace -Setting this sysctl to zero value makes +Setting this sysctl to zero makes .Nm return .Er ENOSYS always as if the syscall is not implemented by the kernel. .It Dv security.bsd.unprivileged_proc_debug -Setting this sysctl to zero disallows use of +Setting this sysctl to zero disallows the use of .Fn ptrace by unprivileged processes. .It Dv security.bsd.see_other_uids -Setting this sysctl to zero value disallows +Setting this sysctl to zero prevents .Fn ptrace -requests from targeting processes with the real user identifier different -from the real user identifier of the caller. -The requests return -.Er ESRCH -if policy is not met. +requests from targeting processes with a real user identifier different +from the caller's. +These requests will fail with error +.Er ESRCH . .It Dv security.bsd.see_other_gids -Setting this sysctl to zero value disallows +Setting this sysctl to zero disallows .Fn ptrace -requests from process belonging to a group that is not also one of -the group of the target process. -The requests return -.Er ESRCH -if policy is not met. +requests from processes that have no groups in common with the target process, +considering their sets of real and supplementary groups. +These requests will fail with error +.Er ESRCH . +.It Dv security.bsd.see_jail_proc +Setting this sysctl to zero disallows +.Fn ptrace +requests from processes belonging to a different jail than that of the target +process, even if the requesting process' jail is an ancestor of the target +process'. +These requests will fail with error +.Er ESRCH . .It Dv securelevel and init The .Xr init 1
git: c8ca21cc94df - stable/14 - sysctl(8): Mention more security.bsd knobs; Refer to security(7)
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=c8ca21cc94df97ec5b85c8aa6dcc71f75e99ecfe commit c8ca21cc94df97ec5b85c8aa6dcc71f75e99ecfe Author: Olivier Certner AuthorDate: 2023-08-17 23:54:49 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:59 + sysctl(8): Mention more security.bsd knobs; Refer to security(7) Reviewed by:mhorne, pauamma_gundo.com, emaste MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D41113 (cherry picked from commit 8d7a48d367ffde2a29419ef943c4099984e3af4d) --- sbin/sysctl/sysctl.8 | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8 index 3e995e40131b..ed768510eb6c 100644 --- a/sbin/sysctl/sysctl.8 +++ b/sbin/sysctl/sysctl.8 @@ -27,7 +27,7 @@ .\" .\"From: @(#)sysctl.8 8.1 (Berkeley) 6/6/93 .\" -.Dd December 24, 2022 +.Dd August 18, 2023 .Dt SYSCTL 8 .Os .Sh NAME @@ -194,7 +194,9 @@ for more information on which tunables are available and how to set them. .Pp The string and integer information is summarized below. For a detailed description of these variables see -.Xr sysctl 3 . +.Xr sysctl 3 +and +.Xr security 7 . .Pp The changeable column indicates whether a process with appropriate privilege can change the value. @@ -231,6 +233,8 @@ String and integer values can be set using .It "kern.logsigexit integer yes" .It "security.bsd.suser_enabledinteger yes" .It "security.bsd.see_other_uids integer yes" +.It "security.bsd.see_other_gids integer yes" +.It "security.bsd.see_jail_procinteger yes" .It "security.bsd.unprivileged_proc_debug integer yes" .It "security.bsd.unprivileged_read_msgbuf integer yes" .It "vm.loadavgstruct no" @@ -320,6 +324,7 @@ option has been deprecated and is silently ignored. .Xr sysctl 3 , .Xr loader.conf 5 , .Xr sysctl.conf 5 , +.Xr security 7, .Xr loader 8 .Sh HISTORY A
Re: git: 3a338c534154 - main - Add the BBR and RACK stacks to the LINT kernel.
On 10/18/23 11:13, Dag-Erling Smørgrav wrote: The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=3a338c534154164504005beb00a3c6feb03756cc commit 3a338c534154164504005beb00a3c6feb03756cc Author: Dag-Erling Smørgrav AuthorDate: 2023-10-18 14:13:12 + Commit: Dag-Erling Smørgrav CommitDate: 2023-10-18 14:13:12 + Add the BBR and RACK stacks to the LINT kernel. While here, drop the EXTRA_TCP_STACKS option, which serves no purpose and should never have been added. Instead, build bbr and rack as long as either or both of INET and INET6 is enabled. There is no risk to anyone who doesn't load one or both and then twiddle the relevant sysctls. Differential Revision: https://reviews.freebsd.org/D42088 --- share/man/man5/src.conf.5 | 2 -- sys/conf/NOTES| 4 +++- sys/conf/files| 7 +++ sys/conf/kern.opts.mk | 1 - sys/conf/kern.post.mk | 4 sys/conf/options | 2 ++ sys/modules/tcp/Makefile | 7 ++- 7 files changed, 14 insertions(+), 13 deletions(-) Hi, There is a leftover description file, tools/build/options/WITH_EXTRA_TCP_STACKS. Mitchell diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index 9d26531e515b..bc94d5c62234 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -641,8 +641,6 @@ Avoid installing examples to .Pa /usr/share/examples/ . .It Va WITH_EXPERIMENTAL Include experimental features in the build. -.It Va WITH_EXTRA_TCP_STACKS -Build extra TCP stack modules. .It Va WITHOUT_FDT Do not build Flattened Device Tree support as part of the base system. This includes the device tree compiler (dtc) and libfdt support library. diff --git a/sys/conf/NOTES b/sys/conf/NOTES index a5ed60792a1f..b12d5def2d57 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES 
@@ -681,7 +681,6 @@ options TCP_OFFLOAD # TCP offload support. options TCP_RFC7413 # TCP Fast Open options TCPHPTS -makeoptionsWITH_EXTRA_TCP_STACKS=1 # RACK and BBR TCP kernel modules # In order to enable IPSEC you MUST also add device crypto to # your kernel configuration @@ -693,6 +692,9 @@ options IPSEC #IP security (requires device crypto) options IPSEC_SUPPORT #options IPSEC_DEBUG #debug for IP security +# Alternative TCP stacks +optionsTCP_BBR +optionsTCP_RACK # TLS framing and encryption/decryption of data over TCP sockets. options KERN_TLS# TLS transmit and receive offload diff --git a/sys/conf/files b/sys/conf/files index 8c3bdca61905..c127ce7e7103 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -4361,6 +4361,13 @@ netinet/tcp_pcap.c optional inet tcppcap | inet6 tcppcap \ compile-with "${NORMAL_C} ${NO_WNONNULL}" netinet/tcp_reass.c optional inet | inet6 netinet/tcp_sack.coptional inet | inet6 +netinet/tcp_stacks/bbr.c optional inet tcp_bbr | inet6 tcp_bbr \ + compile-with "${NORMAL_C} -DMODNAME=tcp_bbr -DSTACKNAME=bbr" +netinet/tcp_stacks/rack.c optional inet tcp_bbr | inet6 tcp_bbr \ + compile-with "${NORMAL_C} -DMODNAME=tcp_rack -DSTACKNAME=rack" +netinet/tcp_stacks/rack_bbr_common.c optional inet tcp_bbr | inet tcp_rack | inet6 tcp_bbr | inet6 tcp_rack +netinet/tcp_stacks/sack_filter.c optional inet tcp_bbr | inet tcp_rack | inet6 tcp_bbr | inet6 tcp_rack +netinet/tcp_stacks/tailq_hash.coptional inet tcp_bbr | inet tcp_rack | inet6 tcp_bbr | inet6 tcp_rack netinet/tcp_stats.c optional stats inet | stats inet6 netinet/tcp_subr.coptional inet | inet6 netinet/tcp_syncache.coptional inet | inet6 diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk index f908f761b21e..cc6f8a1d8755 100644 --- a/sys/conf/kern.opts.mk +++ b/sys/conf/kern.opts.mk @@ -56,7 +56,6 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ BHYVE_SNAPSHOT \ -EXTRA_TCP_STACKS \ KERNEL_RETPOLINE \ RATELIMIT \ REPRODUCIBLE_BUILD \ 
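Review bot: In the sys/conf/files hunk, `netinet/tcp_stacks/rack.c` is keyed on `tcp_bbr` rather than `tcp_rack`, although it is compiled with `-DMODNAME=tcp_rack -DSTACKNAME=rack`. As written, a kernel configured with only `options TCP_RACK` would get the shared files (`rack_bbr_common.c`, `sack_filter.c`, `tailq_hash.c`) but not the RACK stack itself, and one with only `options TCP_BBR` would build both stacks. The entry presumably should read `netinet/tcp_stacks/rack.c optional inet tcp_rack | inet6 tcp_rack \`.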
diff --git a/sys/conf/kern.post.mk b/sys/conf/kern.post.mk index a4eb2e94a47b..bea29507a736 100644 --- a/sys/conf/kern.post.mk +++ b/sys/conf/kern.post.mk @@ -33,10 +33,6 @@ MKMODULESENV+= CONF_CFLAGS="${CONF_CFLAGS}" MKMODULESENV+=WITH_CTF="${WITH_CTF}" .endif -.if defined(WITH_EXTRA_TCP_STACKS) -MKMODULESENV+= WITH_EXTRA_TCP_STACKS="${WITH_EXTRA_TCP_STACKS}" -.endif - .if !empty(KCSAN_ENABLED) MKMODULESENV+=KCSAN_ENABLED="yes" .endif diff --git a/sys/conf/options b/sys/conf/options index 4e74c4ab3a70..d2f31272d189 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -231,6 +231,8 @@ SW_WATCHDOG opt_watchdog.h TCPHPTS opt_inet.h TCP_REQUEST_TRK opt_global.h TCP_ACCOUNTINGopt_global.h +TCP_BBRopt_inet.h +TCP_RACK opt_inet.h
git: 07c60e63237e - stable/14 - Make cr_bsd_visible()'s sub-functions internal
The branch stable/14 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=07c60e63237e1d4657cfbd6b03116c4913827e8c commit 07c60e63237e1d4657cfbd6b03116c4913827e8c Author: Olivier Certner AuthorDate: 2023-08-17 23:54:39 + Commit: Mitchell Horne CommitDate: 2023-10-18 16:24:48 + Make cr_bsd_visible()'s sub-functions internal cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() should not be used directly now. cr_bsd_visible() has to be called instead. Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40629 (cherry picked from commit 91e9d669b475d1900e8dc01a49ad90a621c4a068) --- sys/kern/kern_prot.c | 10 +++--- sys/sys/proc.h | 3 --- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 14b19837d5dc..00eb2fccdeef 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -91,6 +91,10 @@ static void crfree_final(struct ucred *cr); static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups); +static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2); +static int cr_canseeothergids(struct ucred *u1, struct ucred *u2); +static int cr_canseejailproc(struct ucred *u1, struct ucred *u2); + #ifndef _SYS_SYSPROTO_H_ struct getpid_args { int dummy; @@ -1371,7 +1375,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseeotheruids(struct ucred *u1, struct ucred *u2) { @@ -1401,7 +1405,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { if (!see_other_gids) { 
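Review bot: The three forward declarations added near the top of kern_prot.c have no comment explaining why these helpers are now file-local, and the reason matters for security: a caller that invokes only one or two of them skips the remaining `security.bsd.see_*` policies. I would put the rule above them, e.g. `/* Internal: use cr_bsd_visible(), which applies all security.bsd.see_* policies together. */`. The hunks at -1371, -1401 and -1440 only change `int` to `static int`; the function bodies lie outside them, so their own header comments could not be checked for stale wording.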
@@ -1440,7 +1444,7 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, * References: *u1 and *u2 must not change during the call * u1 may equal u2, in which case only one reference is required */ -int +static int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { if (see_jail_proc || /* Policy deactivated. */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 8609bbd124ad..0b91b2a1a0b5 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1166,9 +1166,6 @@ structthread *choosethread(void); intcr_bsd_visible(struct ucred *u1, struct ucred *u2); intcr_cansee(struct ucred *u1, struct ucred *u2); intcr_canseesocket(struct ucred *cred, struct socket *so); -intcr_canseeothergids(struct ucred *u1, struct ucred *u2); -intcr_canseeotheruids(struct ucred *u1, struct ucred *u2); -intcr_canseejailproc(struct ucred *u1, struct ucred *u2); intcr_cansignal(struct ucred *cred, struct proc *proc, int signum); intenterpgrp(struct proc *p, pid_t pgid, struct pgrp *pgrp, struct session *sess);
git: 63c01c18a8d3 - releng/14.0 - cr_canseejailproc(): New privilege, no direct check for UID 0
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=63c01c18a8d3feb957a4f91171aaac1f92ce5955 commit 63c01c18a8d3feb957a4f91171aaac1f92ce5955 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:37 + Commit: Mitchell Horne CommitDate: 2023-10-18 17:59:09 + cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Approved by:re (gjb) Reviewed by:emaste (earlier version), mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 (cherry picked from commit 7974ca1cdbee949f5e453eea112be265b425c407) (cherry picked from commit bedaf8af51c96cef025c13c41ba420163824e8cb) --- sys/kern/kern_jail.c | 1 + sys/kern/kern_prot.c | 7 +-- sys/security/mac_biba/mac_biba.c | 1 + sys/security/mac_lomac/mac_lomac.c | 1 + sys/sys/priv.h | 1 + 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 39bdcaf5ef0e..57e6024a9939 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3938,6 +3938,7 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: /* * Jail implements inter-process debugging limits already, so diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 19e0b78c6709..ed15cb566499 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { - if (u1->cr_uid == 0) + if (see_jail_proc || /* Policy deactivated. */ + u1->cr_prison == u2->cr_prison || /* Same jail. */ + priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ return (0); - return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); + + return (ESRCH); } /*- diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 6948548503e1..5d66e2fd4b9b 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 05bd0da06960..aa9abf458721 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 45cb5bab4275..a61de8d32fe0 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -105,6 +105,7 @@ #definePRIV_CRED_SETRESGID 58 /* setresgid. */ #definePRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ #definePRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ +#definePRIV_SEEJAILPROC61 /* Exempt from bsd.see_jail_proc. */ /* * Debugging privileges.
git: 768fe2300987 - releng/14.0 - New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=768fe23009877b42a9f45b0ca9e9c05f9db76649 commit 768fe23009877b42a9f45b0ca9e9c05f9db76649 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-18 17:59:34 + New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects This is a new helper function that leverages existing code: It calls successively cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() (as long as the previous didn't deny access). Will be used in a subsequent commit. Approved by:re (gjb) Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40627 (cherry picked from commit e4a7b4f99cfd4931468c0866da4ae8b49cf5badb) (cherry picked from commit 4a78431a52e9e65c6181a943bca2430633350db1) --- sys/kern/kern_prot.c | 19 +++ sys/sys/proc.h | 1 + 2 files changed, 20 insertions(+) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index ed15cb566499..1e6073b554e4 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1434,6 +1434,25 @@ cr_canseejailproc(struct ucred *u1, struct ucred *u2) return (ESRCH); } +/* + * Helper for cr_cansee*() functions to abide by system-wide security.bsd.see_* + * policies. Determines if u1 "can see" u2 according to these policies. + * Returns: 0 for permitted, ESRCH otherwise + */ +int +cr_bsd_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if ((error = cr_canseeotheruids(u1, u2))) + return (error); + if ((error = cr_canseeothergids(u1, u2))) + return (error); + if ((error = cr_canseejailproc(u1, u2))) + return (error); + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 3102cae7add0..8609bbd124ad 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h 
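Review bot: The header comment of the new `cr_bsd_visible()` leaves out the reference requirement that its sub-functions document (`References: *u1 and *u2 must not change during the call`, as quoted in the context lines for cr_canseeotheruids() and cr_canseeothergids() elsewhere on this page), although it dereferences both credentials through them. The helper is intended as the entry point other checks call, so I would repeat those two lines here. The `Returns: 0 for permitted, ESRCH otherwise` line also holds only while every helper returns ESRCH, because the code forwards `error` unchanged; `an errno value from the first denying policy (currently ESRCH)` would stay accurate if one of them changes.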
@@ -1163,6 +1163,7 @@ void ast_sched(struct thread *td, int tda); void ast_unsched_locked(struct thread *td, int tda); struct thread *choosethread(void); +intcr_bsd_visible(struct ucred *u1, struct ucred *u2); intcr_cansee(struct ucred *u1, struct ucred *u2); intcr_canseesocket(struct ucred *cred, struct socket *so); intcr_canseeothergids(struct ucred *u1, struct ucred *u2);
git: 7e21c691f295 - releng/14.0 - Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=7e21c691f295b3babc8c57c0aeafa19faf1371b6 commit 7e21c691f295b3babc8c57c0aeafa19faf1371b6 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-18 17:59:51 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. Approved by:re (gjb) PR: 272092 Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) (cherry picked from commit abfcae344feb89c635616769d12150f84c96c003) --- sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 1e6073b554e4..648c067dc528 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif - if ((error = cr_canseeotheruids(u1, u2))) - return (error); - if ((error = cr_canseeothergids(u1, u2))) - return (error); - if ((error = cr_canseejailproc(u1, u2))) + if ((error = cr_bsd_visible(u1, u2))) return (error); return (0); } @@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif - if ((error = cr_canseeotheruids(cred, proc->p_ucred))) - return (error); - if ((error = cr_canseeothergids(cred, proc->p_ucred))) + if ((error = cr_bsd_visible(cred, proc->p_ucred))) return (error); /* 
@@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p) if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); + if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { error = priv_check(td, PRIV_SCHED_DIFFCRED); @@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p) if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); /* @@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so) if (error) return (error); #endif - if (cr_canseeotheruids(cred, so->so_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, so->so_cred)) + if (cr_bsd_visible(cred, so->so_cred)) return (ENOENT); return (0); @@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p) #endif #if 0 /* XXXMAC: This could have odd effects on some shells. */ - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); #endif diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c index 222e39c6bcd2..204f4f60456e 100644 --- a/sys/netinet/in_prot.c +++ b/sys/netinet/in_prot.c @@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) if (error) return (error); #endif - if (cr_canseeotheruids(cred, inp->inp_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, inp->inp_cred)) + if (cr_bsd_visible(cred, inp->inp_cred)) return (ENOENT); return (0);
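Review bot: The cr_canseesocket() hunk quietly widens what `security.bsd.see_jail_proc` governs. Judging by the cr_cansee() hunk, where a single cr_bsd_visible() call replaces the uid, gid and jail checks, sockets owned by sub-jail credentials are now hidden too when that knob is 0. The same holds for cr_canseeinpcb() in the sys/netinet/in_prot.c hunk, yet the commit message only mentions signalling, scheduling and debugging. I would add a comment above both checks, for example `/* cr_bsd_visible() also applies security.bsd.see_jail_proc; any denial is reported as ENOENT. */`, and mention the wider scope wherever the sysctl is described. Both functions begin and end outside their hunks.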
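Review bot: The p_canwait() hunk edits a call inside `#if 0`, so nothing changes at run time and p_canwait() still applies none of the visibility policies the other functions in this commit gain. The swap is also not equivalent if the block is ever enabled: the old line applied only the other-uids policy, while cr_bsd_visible() appears (from the cr_cansee() hunk) to cover gids and jails as well. Either remove the dead block or extend its comment so the omission reads as a decision, e.g. `/* Kept disabled (may confuse some shells): p_canwait() does not apply cr_bsd_visible(). */`. The function body continues outside the hunk.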
git: 0f353091c3f9 - releng/14.0 - cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=0f353091c3f9190ba282ea57d5dd2dd87fccf6bd commit 0f353091c3f9190ba282ea57d5dd2dd87fccf6bd Author: Olivier Certner AuthorDate: 2023-08-17 23:54:39 + Commit: Mitchell Horne CommitDate: 2023-10-18 17:59:59 + cr_canseeotheruids(), cr_canseeothergids(): Man pages: Impacts of rename When these functions were renamed 7 years ago, their man pages were not. Rename the latter in accordance and fix the names inside them. Fix references to them as well. Add the old man pages to the list of obsolete files. Approved by:re (gjb) Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40630 (cherry picked from commit c59ab75c04fa32bc6d292596ff5e4593a05a6b1b) (cherry picked from commit 50cb6641921f9bab29b8404af2c86da79ff0e451) --- ObsoleteFiles.inc | 4 share/man/man9/Makefile| 4 ++-- share/man/man9/cr_cansee.9 | 8 share/man/man9/{cr_seeothergids.9 => cr_canseeothergids.9} | 8 share/man/man9/{cr_seeotheruids.9 => cr_canseeotheruids.9} | 8 share/man/man9/p_candebug.9| 8 6 files changed, 22 insertions(+), 18 deletions(-) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 589f6b968e9d..cff13e3d7478 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -51,6 +51,10 @@ # xargs -n1 | sort | uniq -d; # done +# 20231013: Man pages renamed to match the actual functions +OLD_FILES+=usr/share/man/man9/cr_seeothergids.9.gz +OLD_FILES+=usr/share/man/man9/cr_seeotheruids.9.gz + # 20230906: caroot bundle updated OLD_FILES+=usr/share/certs/trusted/E-Tugra_Certification_Authority.pem OLD_FILES+=usr/share/certs/trusted/E-Tugra_Global_Root_CA_ECC_v3.pem diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index eb670c924077..08ad811fa901 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile 
@@ -69,9 +69,9 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseeothergids.9 \ + cr_canseeotheruids.9 \ critical_enter.9 \ - cr_seeothergids.9 \ - cr_seeotheruids.9 \ crypto.9 \ crypto_buffer.9 \ crypto_driver.9 \ diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 8e058eb4e3e5..4824a231170b 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -50,9 +50,9 @@ variables and .Va security.bsd.see_other_uids , as per the description in -.Xr cr_seeothergids 9 +.Xr cr_canseeothergids 9 and -.Xr cr_seeotheruids 9 +.Xr cr_canseeotheruids 9 respectively. .Sh RETURN VALUES This function returns zero if the object with credential @@ -84,7 +84,7 @@ does not belong to the same jail as The MAC subsystem denied visibility. .El .Sh SEE ALSO -.Xr cr_seeothergids 9 , -.Xr cr_seeotheruids 9 , +.Xr cr_canseeothergids 9 , +.Xr cr_canseeotheruids 9 , .Xr mac 9 , .Xr p_cansee 9 diff --git a/share/man/man9/cr_seeothergids.9 b/share/man/man9/cr_canseeothergids.9 similarity index 94% rename from share/man/man9/cr_seeothergids.9 rename to share/man/man9/cr_canseeothergids.9 index bd8eb5d2e9d9..79269533ae5c 100644 --- a/share/man/man9/cr_seeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERGIDS 9 +.Dt CR_CANSEEOTHERGIDS 9 .Os .Sh NAME -.Nm cr_seeothergids +.Nm cr_canseeothergids .Nd determine visibility of objects given their group memberships .Sh SYNOPSIS .Ft int -.Fn cr_seeothergids "struct ucred *u1" "struct ucred *u2" +.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION This function determines the visibility of objects in the kernel based on the group IDs in the credentials @@ -76,5 +76,5 @@ or .Er ESRCH otherwise. .Sh SEE ALSO -.Xr cr_seeotheruids 9 , +.Xr cr_canseeotheruids 9 , .Xr p_candebug 9 
diff --git a/share/man/man9/cr_seeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 similarity index 94% rename from share/man/man9/cr_seeotheruids.9 rename to share/man/man9/cr_canseeotheruids.9 index 2cefd0f9dc8e..80acc2d7a6ca 100644 --- a/share/man/man9/cr_seeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 @@ -26,14 +26,14 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd November 11, 2003 -.Dt CR_SEEOTHERUIDS 9 +.Dt CR_CANSEEOTHERUIDS 9 .Os .Sh NAME -.Nm cr_seeotheruids +.Nm cr_canseeotheruids .Nd determine visibility of objects given their user credentials .Sh SYNOPSIS .Ft int -.Fn cr_seeotheruids "struct ucred *u1" "struct ucred *u2" +.Fn cr
git: 7b1a21deb3d3 - releng/14.0 - cr_canseejailproc(9): New man page
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=7b1a21deb3d39281c05b14363e8528ee09680689 commit 7b1a21deb3d39281c05b14363e8528ee09680689 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:00:05 + cr_canseejailproc(9): New man page Approved by:re (gjb) Reviewed by:pauamma_gundo.com, mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40631 (cherry picked from commit 29d863bb7ffc692998f21fa3e7a91afa1151cf1c) (cherry picked from commit 66eb6431479d1de3764228104ddd7a5f15ebf377) --- share/man/man9/Makefile| 1 + share/man/man9/cr_canseejailproc.9 | 81 ++ 2 files changed, 82 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 08ad811fa901..71a11a7cc6c0 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -69,6 +69,7 @@ MAN= accept_filter.9 \ counter.9 \ cpuset.9 \ cr_cansee.9 \ + cr_canseejailproc.9 \ cr_canseeothergids.9 \ cr_canseeotheruids.9 \ critical_enter.9 \ diff --git a/share/man/man9/cr_canseejailproc.9 b/share/man/man9/cr_canseejailproc.9 new file mode 100644 index ..775c76722b05 --- /dev/null +++ b/share/man/man9/cr_canseejailproc.9 
@@ -0,0 +1,81 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_CANSEEJAILPROC 9
+.Os
+.Sh NAME
+.Nm cr_canseejailproc
+.Nd determine if subjects may see entities in sub-jails
+.Sh SYNOPSIS
+.Ft int
+.Fn cr_canseejailproc "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
+.Fa u1
+is denied seeing a subject or object associated to credentials
+.Fa u2
+by a policy that requires both credentials to be associated to the same jail.
+This is a restriction to the baseline jail policy that a subject can see
+subjects or objects in its own jail or any sub-jail of it.
+.Pp
+This policy is active if and only if the
+.Xr sysctl 8
+variable
+.Va security.bsd.see_jail_proc
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Sh RETURN VALUES
+The
+.Fn cr_canseejailproc
+function returns 0 if the policy is disabled, both credentials are associated to
+the same jail, or if
+.Fa u1
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
+.Sh SEE ALSO
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
+.Sh AUTHORS
+This manual page was written by
+.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: b6b628ed96b3 - releng/14.0 - cr_canseeothergids(9): Revamp, mark as internal
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=b6b628ed96b3e829cff0cedc77f16e9277a99a96 commit b6b628ed96b3e829cff0cedc77f16e9277a99a96 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:00:19 + cr_canseeothergids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeotheruids(9) by ones to cr_bsd_visible(9). Approved by:re (gjb) Reviewed by:pauamma_gundo.com, mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40633 (cherry picked from commit 3fe9ea4d2d04d48a249b2e6161d416bb4d5b364e) (cherry picked from commit 15d2ead9623dc2b0a560fc0fd6ba89ca16715597) --- share/man/man9/cr_canseeothergids.9 | 77 +++-- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index 79269533ae5c..f0c1e5c4e726 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,58 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 11, 2003 +.Dd August 18, 2023 .Dt CR_CANSEEOTHERGIDS 9 .Os .Sh NAME .Nm cr_canseeothergids -.Nd determine visibility of objects given their group memberships +.Nd determine if subjects may see entities in a disjoint group set .Sh SYNOPSIS .Ft int .Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the group IDs in the credentials +.Bf -emphasis +This function is internal. +Its functionality is integrated into the function +.Xr cr_bsd_visible 9 , +which should be called instead. +.Ef +.Pp +This function checks if a subject associated to credentials .Fa u1 -and +is denied seeing a subject or object associated to credentials .Fa u2 -associated with them. +by a policy that requires both credentials to have at least one group in common. +For this determination, the effective and supplementary group IDs are used, but +not the real group IDs, as per +.Xr groupmember 9 . .Pp -The visibility of objects is influenced by the +This policy is active if and only if the .Xr sysctl 8 variable -.Va security.bsd.see_other_gids . -If this variable is non-zero then all objects in the kernel -are visible to each other irrespective of their group membership. -If this variable is zero then the object with credentials -.Fa u2 -is visible to the object with credentials -.Fa u1 -if either -.Fa u1 -is the super-user credential, or if at least one of -.Fa u1 Ns 's -group IDs is present in -.Fa u2 Ns 's -group set. -.Sh SYSCTL VARIABLES -.Bl -tag -width indent -.It Va security.bsd.see_other_gids -Must be non-zero if objects with unprivileged credentials are to be -able to see each other. -.El +.Va security.bsd.see_other_gids +is set to zero. 
+.Pp +As usual, the superuser (effective user ID 0) is exempt from this policy +provided that the +.Xr sysctl 8 +variable +.Va security.bsd.suser_enabled +is non-zero and no active MAC policy explicitly denies the exemption +.Po +see +.Xr priv_check_cred 9 +.Pc . .Sh RETURN VALUES -This function returns zero if the object with credential +The +.Fn cr_canseeothergids +function returns 0 if the policy is disabled, the credentials share at least one +common group, or if .Fa u1 -can -.Dq see -the object with credential -.Fa u2 , -or -.Er ESRCH -otherwise. +has privilege exempting it from the policy. +Otherwise, it returns +.Er ESRCH . .Sh SEE ALSO -.Xr cr_canseeotheruids 9 , -.Xr p_candebug 9 +.Xr cr_bsd_visible 9 , +.Xr groupmember 9 , +.Xr priv_check_cred 9
git: 789e43a68797 - releng/14.0 - cr_bsd_visible(9): New man page
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=789e43a68797f6feb478722d7c63f03a30110c4a commit 789e43a68797f6feb478722d7c63f03a30110c4a Author: Olivier Certner AuthorDate: 2023-08-17 23:54:40 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:00:11 + cr_bsd_visible(9): New man page Approved by:re (gjb) Reviewed by:bcr, pauamma_gundo.com Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40632 (cherry picked from commit 0d6bf73c4f20e6ed719c29c1b382d24bb0a81a2f) (cherry picked from commit 3fa9a2a9177c5b4d8af7afecf0d74f345534a82c) --- share/man/man9/Makefile | 1 + share/man/man9/cr_bsd_visible.9 | 117 2 files changed, 118 insertions(+) diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index 71a11a7cc6c0..c3c81719b7d2 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -68,6 +68,7 @@ MAN= accept_filter.9 \ copy.9 \ counter.9 \ cpuset.9 \ + cr_bsd_visible.9 \ cr_cansee.9 \ cr_canseejailproc.9 \ cr_canseeothergids.9 \ diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 new file mode 100644 index ..bd676e6f5705 --- /dev/null +++ b/share/man/man9/cr_bsd_visible.9 
@@ -0,0 +1,117 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2023 Olivier Certner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"notice, this list of conditions and the following disclaimer in the
+.\"documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 18, 2023
+.Dt CR_BSD_VISIBLE 9
+.Os
+.Sh NAME
+.Nm cr_bsd_visible
+.Nd determine if subjects may see entities according to BSD security policies
+.Sh SYNOPSIS
+.In sys/proc.h
+.Ft int
+.Fn cr_bsd_visible "struct ucred *u1" "struct ucred *u2"
+.Sh DESCRIPTION
+This function determines if a subject with credentials
+.Fa u1
+is denied seeing an object or subject associated to credentials
+.Fa u2
+by the following policies and associated
+.Xr sysctl 8
+knobs:
+.Bl -tag -width indent
+.It Va security.bsd.seeotheruids
+If set to 0, subjects cannot see other subjects or objects if they are not
+associated with the same real user ID.
+The corresponding internal function is
+.Xr cr_canseeotheruids 9 .
+.It Va security.bsd.seeothergids
+If set to 0, subjects cannot see other subjects or objects if they are not both
+a member of at least one common group.
+The corresponding internal function is
+.Xr cr_canseeothergids 9 .
+.It Va security.bsd.see_jail_proc
+If set to 0, subjects cannot see other subjects or objects that are not
+associated with the same jail as they are.
+The corresponding internal function is
+.Xr cr_canseejailproc 9 .
+.El
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from any of these
+policies provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
+.Pp
+This function is intended to be used as a helper to implement
+.Xr cr_cansee 9
+and similar functions.
+.Sh RETURN VALUES
+This function returns zero if a subject with credentials
+.Fa u1
+may see a subject or object with credentials
+.Fa u2
+by the active above-mentioned policies, or
+.Er ESRCH
+otherwise.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+do not have the same real user ID.
+.It Bq Er ESRCH
+Credentials
+.Fa u1
+and
+.Fa u2
+are not members of any common group
+.Po
+as determined by
+.Xr groupmember 9
+.
git: 7dd1f9f9c949 - releng/14.0 - groupmember(9): Detail which groups are considered, simplify
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=7dd1f9f9c949bb16c7897374cf7051c3ced7c16e commit 7dd1f9f9c949bb16c7897374cf7051c3ced7c16e Author: Olivier Certner AuthorDate: 2023-08-17 23:54:41 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:00:23 + groupmember(9): Detail which groups are considered, simplify Approved by:re (gjb) Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40634 (cherry picked from commit 75a45ca3b34062fe793ae326ad9da614a1a06df1) (cherry picked from commit d4cb91af0c93055740f33566c5f97f9dc1ec8e5d) --- share/man/man9/groupmember.9 | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/share/man/man9/groupmember.9 b/share/man/man9/groupmember.9 index d447bf64c482..3a516622efce 100644 --- a/share/man/man9/groupmember.9 +++ b/share/man/man9/groupmember.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (C) 2001 Chad David . All rights reserved. +.\" Copyright (C) 2023 Olivier Certner .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -24,12 +25,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH .\" DAMAGE. .\" -.Dd July 9, 2001 +.Dd August 18, 2023 .Dt GROUPMEMBER 9 .Os .Sh NAME .Nm groupmember -.Nd checks group set for a group ID +.Nd checks if credentials mandate some group membership .Sh SYNOPSIS .In sys/param.h .In sys/ucred.h 
@@ -38,21 +39,26 @@ .Sh DESCRIPTION The .Fn groupmember -function checks to see if the given -.Fa gid -is in the group set of the credentials. +function checks if credentials +.Fa cred +indicate that the associated subject or object is a member of the group +designated by the group ID +.Fa gid . .Pp -Its arguments are: -.Bl -tag -width ".Fa cred" -.It Fa gid -The group ID to check for. -.It Fa cred -The credentials to search for the group in. -.El +Considered groups in +.Fa cred +are the effective and supplementary groups. +The real group is not taken into account. .Sh RETURN VALUES If the .Fa gid -is found, 1 is returned; otherwise, 0 is returned. +is found, 1 is returned, otherwise 0. +.Sh SEE ALSO +.Xr getgroups 2 +.Xr setgroups 2 .Sh AUTHORS -This manual page was written by -.An Chad David Aq Mt dav...@acns.ab.ca . +This manual page was initially written by +.An -nosplit +.An Chad David Aq Mt dav...@acns.ab.ca +and was revised by +.An Olivier Certner Aq Mt olce.free...@certner.fr .
git: f7cee2431fb2 - releng/14.0 - cr_cansee(9): cr_bsd_visible() impacts, simplifications
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=f7cee2431fb2c195250cfedc9f4efaca07afd223 commit f7cee2431fb2c195250cfedc9f4efaca07afd223 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:01:16 + cr_cansee(9): cr_bsd_visible() impacts, simplifications Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9). Defer to cr_bsd_visible() for controlling sysctl(8) variables. Approved by:re (gjb) Reviewed by:bcr, mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40636 (cherry picked from commit 82f9bc9ea8ed660c61050ad1d92f1a64108c7004) (cherry picked from commit 0d8de5b2dd61ad550afa86688e61cf546507dca6) --- share/man/man9/cr_cansee.9 | 61 -- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/share/man/man9/cr_cansee.9 b/share/man/man9/cr_cansee.9 index 4824a231170b..d5cdfdd6f8e5 100644 --- a/share/man/man9/cr_cansee.9 +++ b/share/man/man9/cr_cansee.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2006 Ceri Davies +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -23,43 +24,39 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt CR_CANSEE 9 .Os .Sh NAME .Nm cr_cansee .Nd "determine visibility of objects given their user credentials" .Sh SYNOPSIS -.In sys/param.h -.In sys/systm.h -.In sys/ucred.h +.In sys/proc.h .Ft int .Fn cr_cansee "struct ucred *u1" "struct ucred *u2" .Sh DESCRIPTION -This function determines the visibility of objects in the -kernel based on the real user IDs and group IDs in the credentials +This function determines if a subject with credential .Fa u1 -and -.Fa u2 -associated with them. +can see a subject or object associated to credential +.Fa u2 . .Pp -The visibility of objects is influenced by the +Specific types of subjects may need to submit to additional or different +restrictions. +As an example, for processes, see +.Xr p_cansee 9 , +which calls this function. +.Pp +The implementation relies on +.Xr cr_bsd_visible 9 +and consequently the .Xr sysctl 8 -variables -.Va security.bsd.see_other_gids -and -.Va security.bsd.see_other_uids , -as per the description in -.Xr cr_canseeothergids 9 -and -.Xr cr_canseeotheruids 9 -respectively. +variables referenced in its manual page influence the result. .Sh RETURN VALUES -This function returns zero if the object with credential +This function returns zero if the subject with credential .Fa u1 can .Dq see -the object with credential +the subject or object with credential .Fa u2 , or .Er ESRCH 
@@ -67,24 +64,20 @@ otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -The object with credential -.Fa u1 -cannot -.Dq see -the object with credential -.Fa u2 . -.It Bq Er ESRCH -The object with credential +The subject with credential .Fa u1 -has been jailed and the object with credential +has been jailed and the subject or object with credential .Fa u2 -does not belong to the same jail as -.Fa u1 . +does not belong to the same jail or one of its sub-jails, as determined by +.Xr prison_check 9 . .It Bq Er ESRCH The MAC subsystem denied visibility. +.It Bq Er ESRCH +.Xr cr_bsd_visible 9 +denied visibility according to the BSD security policies in force. .El .Sh SEE ALSO -.Xr cr_canseeothergids 9 , -.Xr cr_canseeotheruids 9 , +.Xr prison_check 9 , .Xr mac 9 , +.Xr cr_bsd_visible 9 , .Xr p_cansee 9
git: a8afbde0e81b - releng/14.0 - p_cansee(9): Bring up-to-date, misc fixes
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=a8afbde0e81b27a7a3f50157d7b3a6c8de578a26 commit a8afbde0e81b27a7a3f50157d7b3a6c8de578a26 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:01:20 + p_cansee(9): Bring up-to-date, misc fixes Essentially defer to cr_cansee(9), except for the specifics. Be more specific on the return codes. Approved by:re (gjb) Reviewed by:bcr, pauamma_gundo.com Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40637 (cherry picked from commit 2ede38aff5d4c91a17ab6d093f2e8cce24b5418b) (cherry picked from commit 57d0cc50cd2878fcca8a9a4bf931abee0260b48d) --- share/man/man9/p_cansee.9 | 44 1 file changed, 16 insertions(+), 28 deletions(-) diff --git a/share/man/man9/p_cansee.9 b/share/man/man9/p_cansee.9 index 84287dac951b..9fdce460dfea 100644 --- a/share/man/man9/p_cansee.9 +++ b/share/man/man9/p_cansee.9 @@ -24,19 +24,18 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 19, 2006 +.Dd August 18, 2023 .Dt P_CANSEE 9 .Os .Sh NAME .Nm p_cansee .Nd determine visibility of a process .Sh SYNOPSIS -.In sys/param.h .In sys/proc.h .Ft int .Fn p_cansee "struct thread *td" "struct proc *p" .Sh DESCRIPTION -This function can be used to determine if a given process +This function determines if a given process .Fa p is visible to the thread .Fa td , 
@@ -45,13 +44,14 @@ where the notion of may be read as .Dq "awareness of existence" . .Pp -The function is implemented using -.Xr cr_cansee 9 , -and the dependencies on -.Xr sysctl 8 -variables documented in the -.Xr cr_cansee 9 -manual page apply. +This function explicitly allows a thread to always see its own process, +even with pending credentials changes +.Po +see +.Xr ucred 9 +.Pc . +Otherwise, it simply defers to +.Xr cr_cansee 9 . .Sh RETURN VALUES The .Fn p_cansee @@ -62,30 +62,18 @@ if the process denoted by .Fa p is visible by thread .Fa td , -or a non-zero error return value otherwise. +or ESRCH otherwise. .Sh ERRORS .Bl -tag -width Er .It Bq Er ESRCH -Process -.Fa p -is not visible to thread -.Fa td -as determined by -.Xr cr_cansee 9 . -.It Bq Er ESRCH Thread .Fa td -has been jailed and process +is not part of process .Fa p -does not belong to the same jail as -.Fa td . -.It Bq Er ESRCH -The MAC subsystem denied visibility. +and cannot see it as determined by +.Xr cr_cansee 9 . .El .Sh SEE ALSO -.Xr jail 2 , -.Xr sysctl 8 , +.Xr ucred 9 , .Xr cr_cansee 9 , -.Xr mac 9 , -.Xr p_candebug 9 , -.Xr prison_check 9 +.Xr p_candebug 9
git: e0180be23e62 - releng/14.0 - cr_canseeotheruids(9): Revamp, mark as internal
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=e0180be23e62ee92bb15db22dc6bdc00886d8ecd commit e0180be23e62ee92bb15db22dc6bdc00886d8ecd Author: Olivier Certner AuthorDate: 2023-08-17 23:54:42 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:01:09 + cr_canseeotheruids(9): Revamp, mark as internal Significantly clarify. Replace references to cr_canseeothergids(9) by ones to cr_bsd_visible(9). Approved by:re (gjb) Reviewed by:bcr, mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40635 (cherry picked from commit 4ddd253b38dff872355cc1b5238b1bbfd380) (cherry picked from commit d05ed9a37b84f277cbc06447b322930fe678b00e) --- share/man/man9/cr_canseeotheruids.9 | 73 ++--- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/share/man/man9/cr_canseeotheruids.9 b/share/man/man9/cr_canseeotheruids.9 index 80acc2d7a6ca..230c5ea59b78 100644 --- a/share/man/man9/cr_canseeotheruids.9 +++ b/share/man/man9/cr_canseeotheruids.9 @@ -1,5 +1,6 @@ .\" .\" Copyright (c) 2003 Joseph Koshy +.\" Copyright (c) 2023 Olivier Certner .\" .\" All rights reserved. .\" 
@@ -25,56 +26,54 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 11, 2003
+.Dd August 18, 2023
 .Dt CR_CANSEEOTHERUIDS 9
 .Os
 .Sh NAME
 .Nm cr_canseeotheruids
-.Nd determine visibility of objects given their user credentials
+.Nd determine if subjects may see entities with differing user ID
 .Sh SYNOPSIS
 .Ft int
 .Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
 .Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
 .Fa u1
-and
+is denied seeing a subject or object associated to credentials
 .Fa u2
-associated with them.
+by a policy that requires both credentials to have the same real user ID.
 .Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
 .Xr sysctl 8
 variable
-.Va security.bsd.see_other_uids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their user IDs.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if
-.Fa u1
-and
-.Fa u2
-have the same real user ID.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_uids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_uids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
 .Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeotheruids
+function returns 0 if the policy is disabled, both credentials have the same
+real user ID, or if
 .Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
 .Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
git: daf8ad192942 - releng/14.0 - p_candebug(9): cr_bsd_visible() impacts, misc fixes
The branch releng/14.0 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=daf8ad192942f6d9da1affca6a0ea9d3da42101f commit daf8ad192942f6d9da1affca6a0ea9d3da42101f Author: Olivier Certner AuthorDate: 2023-08-17 23:54:43 + Commit: Mitchell Horne CommitDate: 2023-10-18 18:01:26 + p_candebug(9): cr_bsd_visible() impacts, misc fixes Mention cr_bsd_visible(9). Remove references to cr_canseeothergids(9) and cr_canseeotheruids(9), as well as indirect references not immediately useful. Fix description of credentials checks to match reality. Re-order errors to match code's check order. Approved by:re (gjb) Reviewed by:bcr, pauamma_gundo.com Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40638 (cherry picked from commit eb94f24fab4b44f13ca045370d9fcf12ca8835f2) (cherry picked from commit c29ee9e238b36ef8a7c4508582d4512cda885192) --- share/man/man9/p_candebug.9 | 103 1 file changed, 56 insertions(+), 47 deletions(-)
diff --git a/share/man/man9/p_candebug.9 b/share/man/man9/p_candebug.9
index e80d313de55c..c824db974154 100644
--- a/share/man/man9/p_candebug.9
+++ b/share/man/man9/p_candebug.9
@@ -1,5 +1,6 @@
 .\"
 .\" Copyright (c) 2003 Joseph Koshy
+.\" Copyright (c) 2023 Olivier Certner
 .\"
 .\" All rights reserved.
 .\"
@@ -25,7 +26,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 19, 2006
+.Dd August 18, 2023
 .Dt P_CANDEBUG 9
 .Os
 .Sh NAME
@@ -37,24 +38,27 @@
 .Ft int
 .Fn p_candebug "struct thread *td" "struct proc *p"
 .Sh DESCRIPTION
-This function can be used to determine if a given process
+This function determines if a given process
 .Fa p
-is debuggable by the thread
+is debuggable by some thread
 .Fa td .
-.Sh SYSCTL VARIABLES
+.Pp
 The following
 .Xr sysctl 8
 variables directly influence the behaviour of
 .Fn p_candebug :
 .Bl -tag -width indent
+.It Va security.bsd.unprivileged_proc_debug
+Must be set to a non-zero value to allow unprivileged processes
+access to the kernel's debug facilities.
 .It Va kern.securelevel
 Debugging of the init process is not allowed if this variable is
 .Li 1
 or greater.
-.It Va security.bsd.unprivileged_proc_debug
-Must be set to a non-zero value to allow unprivileged processes
-access to the kernel's debug facilities.
 .El
+.Pp
+Other such variables indirectly influence it; see
+.Xr cr_bsd_visible 9 .
 .Sh RETURN VALUES
 The
 .Fn p_candebug
@@ -68,35 +72,45 @@ is debuggable by thread
 or a non-zero error return value otherwise.
 .Sh ERRORS
 .Bl -tag -width Er
-.It Bq Er EACCESS
-The MAC subsystem denied debuggability.
-.It Bq Er EAGAIN
-Process
-.Fa p
-is in the process of being
-.Fn exec Ns 'ed.
 .It Bq Er EPERM
+An unprivileged process attempted to debug another process but the system is
+configured to deny it
+.Po
+see
+.Xr sysctl 8
+variable
+.Va security.bsd.unprivileged_proc_debug
+above
+.Pc .
+.It Bq Er ESRCH
 Thread
 .Fa td
-lacks super-user credentials and process
-.Fa p
-is executing a set-user-ID or set-group-ID executable.
+has been jailed and the process to debug does not belong to the same jail or one
+of its sub-jails, as determined by
+.Xr prison_check 9 .
+.It Bq Er ESRCH
+.Xr cr_bsd_visible 9
+denied visibility according to the BSD security policies in force.
 .It Bq Er EPERM
 Thread
 .Fa td
-lacks super-user credentials and process
+lacks superuser credentials and its (effective) group set is not a superset of
+process
 .Fa p Ns 's
-group set is not a subset of
-.Fa td Ns 's
-effective group set.
+whole group set
+.Pq "including real, effective and saved group IDs" .
 .It Bq Er EPERM
 Thread
 .Fa td
-lacks super-user credentials and process
-.Fa p Ns 's
-user IDs do not match thread
-.Fa td Ns 's
-effective user ID.
+lacks superuser credentials and its (effective) user ID does not match all user
+IDs of process
+.Fa p .
+.It Bq Er EPERM
+Thread
+.Fa td
+lacks superuser credentials and process
+.Fa p
+is executing a set-user-ID or set-group-ID executable.
 .It Bq Er EPERM
 Process
 .Fa p
@@ -107,30 +121,25 @@ and the
 variable
 .Va kern.securelevel
 is greater than zero.
-.It Bq Er ESRCH
+.It Bq Er EBUSY
 Process
 .Fa p
-is not visible to thread
-.Fa td
-as determined by
-.Xr cr_canseeotheruids 9
-or
-.Xr cr_canseeothergids 9 .
-.It Bq Er ESRCH
-Thread
-.Fa td
-has been jailed and process
+is in the process of being
+.Fn exec Ns 'ed.
+.It Bq Er EPERM
+Process
 .Fa p
-does not belong to the same jail as
-.Fa td .
-.It Bq Er ESRCH
-The MAC subsystem denied debuggability.
+denied debuggability
+.Po
+see
+.Xr procctl 2 ,
+command
+.Dv PROC_TRACE_CTL
+.Pc .
 .El
 .Sh SEE ALSO
-.Xr