Author: stevek
Date: Fri May 17 17:21:32 2019
New Revision: 347932
URL: https://svnweb.freebsd.org/changeset/base/347932
Log:
Instead of individual conditional statements to look for each hypervisor
type, use a table to make it easier to add more in the future, if needed.
Add VirtualBox d
Author: stevek
Date: Fri May 17 17:50:01 2019
New Revision: 347933
URL: https://svnweb.freebsd.org/changeset/base/347933
Log:
Ensure we have obtained a lock on the process before calling
mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller
has not already acquired th
Author: stevek
Date: Fri May 17 18:02:26 2019
New Revision: 347934
URL: https://svnweb.freebsd.org/changeset/base/347934
Log:
Protect commands that are considered dangerous with checks for kmem write
priv. This allows for MAC/veriexec to prevent apps that are not "trusted"
from using these c
Author: stevek
Date: Fri May 17 18:06:24 2019
New Revision: 347935
URL: https://svnweb.freebsd.org/changeset/base/347935
Log:
Fix format strings for some debug messages that could have arguments that
are different types across architectures by using %ju and typecasting to
uintmax_t, where ap
Author: stevek
Date: Fri May 17 18:09:48 2019
New Revision: 347936
URL: https://svnweb.freebsd.org/changeset/base/347936
Log:
sysctls which should be restricted when securelevel is raised should also
be restricted when veriexec is enforced.
Add mpo_system_check_sysctl method to mac_veriex
Author: stevek
Date: Fri May 17 18:13:43 2019
New Revision: 347938
URL: https://svnweb.freebsd.org/changeset/base/347938
Log:
Obtain a shared lock instead of exclusive in the MAC/veriexec
MAC_VERIEXEC_CHECK_PATH_SYSCALL per-MAC policy system call.
When we are checking the status of the fi
Author: stevek
Date: Fri May 17 18:25:53 2019
New Revision: 347941
URL: https://svnweb.freebsd.org/changeset/base/347941
Log:
Add command to get version of the ioctl interface for the veriexec device.
Obtained from: Juniper Networks, Inc.
MFC after: 1 week
Modified:
head/sys/
Author: stevek
Date: Fri May 17 19:27:07 2019
New Revision: 347942
URL: https://svnweb.freebsd.org/changeset/base/347942
Log:
Add a new ioctl for the larger params struct that includes the label.
We need to make the find_veriexec_file() function available publicly, so
rename it to mac_ver
Author: stevek
Date: Sun May 19 15:07:14 2019
New Revision: 347972
URL: https://svnweb.freebsd.org/changeset/base/347972
Log:
Add missing setting of hv_base to the leaf that we used.
Correct setting hv_high to use regs[0], not leaf.
Modified:
head/sys/x86/x86/identcpu.c
Modified: head/sys/
Author: stevek
Date: Tue May 21 13:29:53 2019
New Revision: 348051
URL: https://svnweb.freebsd.org/changeset/base/348051
Log:
The older detection methods (smbios.bios.vendor and smbios.system.product)
are able to determine some virtual machines, but the vm_guest variable was
still only being
@@ sobomax [label="Maxim Sobolev\nsobomax@F
sos [label="Soren Schmidt\n...@freebsd.org\n/??/??"]
sson [label="Stacey Son\ns...@freebsd.org\n2008/07/08"]
stas [label="Stanislav Sedov\ns...@freebsd.org\n2008/08/22"]
+stevek [label="Stephen J. Kiernan\nste.
Author: stevek
Date: Fri Oct 7 21:03:12 2016
New Revision: 306827
URL: https://svnweb.freebsd.org/changeset/base/306827
Log:
Just remove freeing memory in pmcstat_cleanup, since we only clean up
when we are exiting anyway.
Add NULL checks for all malloc and strdup returns.
Reviewed
Author: stevek
Date: Mon Oct 17 22:57:41 2016
New Revision: 307540
URL: https://svnweb.freebsd.org/changeset/base/307540
Log:
Add sysctl to make amd64 minidump retry count tunable at runtime.
PR: 213462
Submitted by: RaviPrakash Darbha
Reviewed by: cemi, markj
Approved by:
Author: stevek
Date: Wed Jun 20 00:41:30 2018
New Revision: 335399
URL: https://svnweb.freebsd.org/changeset/base/335399
Log:
MAC/veriexec implements a verified execution environment using the MAC
framework.
The code is organized into a few distinct pieces:
* The meta-data store (in
Author: stevek
Date: Wed Jun 20 00:48:46 2018
New Revision: 335400
URL: https://svnweb.freebsd.org/changeset/base/335400
Log:
Device for user space to interface with MAC/veriexec.
The veriexec device features the following ioctl commands:
VERIEXEC_ACTIVE
Activate veriexec functiona
Author: stevek
Date: Wed Jun 20 00:55:18 2018
New Revision: 335401
URL: https://svnweb.freebsd.org/changeset/base/335401
Log:
This library allows for user space applications to check file descriptors
or paths to see if they can be verified by MAC/veriexec.
Reviewed by: jtl, wblock
Obta
Author: stevek
Date: Wed Jun 20 01:08:54 2018
New Revision: 335402
URL: https://svnweb.freebsd.org/changeset/base/335402
Log:
This application (veriexecctl) handles reading a fingerprints file
containing paths, fingerprints, and optional option flags which in turn
get pushed into the MAC/ver
Author: stevek
Date: Wed Jun 20 06:54:38 2018
New Revision: 335430
URL: https://svnweb.freebsd.org/changeset/base/335430
Log:
Fix build breakage in veriexec for 32-bit architectures.
fsid_t and ino_t are 64-bit entities, use uintmax_t typecast to ensure we
can print it on 32-bit or 64-bit
Author: stevek
Date: Tue Jun 26 23:19:55 2018
New Revision: 335681
URL: https://svnweb.freebsd.org/changeset/base/335681
Log:
Revert r335402
While useful as an example, veriexecctl, as it is, has very little practical
use, since there is nothing ensuring the integrity of the manifest of h
Author: stevek
Date: Tue Jun 26 23:28:03 2018
New Revision: 335682
URL: https://svnweb.freebsd.org/changeset/base/335682
Log:
Partial revert of r335399 and r335400:
Unhook the MAC/veriexec, fingerprint handlers, and veriexec modules from
the kernel modules Makefile.
Reviewed by: sjg
M
Author: stevek
Date: Wed Jul 27 03:21:02 2016
New Revision: 303355
URL: https://svnweb.freebsd.org/changeset/base/303355
Log:
Add the NUM_CORE_FILES kernel config option which specifies the limit for the
number of core files allowed by a particular process when using the %I core
file name pa
Author: stevek
Date: Wed Jul 27 20:34:09 2016
New Revision: 303411
URL: https://svnweb.freebsd.org/changeset/base/303411
Log:
Prepare for network stack as a module
- Move cr_canseeinpcb to sys/netinet/in_prot.c in order to separate the
INET and INET6-specific code from the rest of the
Author: stevek
Date: Thu Jul 28 18:39:30 2016
New Revision: 303455
URL: https://svnweb.freebsd.org/changeset/base/303455
Log:
Remove BSD and USL copyright and update license block in in_prot.c, as the
code in this file was written by Robert N. M. Watson.
Move cr_can* prototypes from sys/s
Author: stevek
Date: Sat Aug 6 18:48:47 2016
New Revision: 303803
URL: https://svnweb.freebsd.org/changeset/base/303803
Log:
Add hw.fdt sysctl node.
Make FDT blob available via opaque hw.fdt.dtb sysctl, if a DTB has been
installed by the time sysctls are registered.
Reviewed by: andre
Author: stevek
Date: Tue Aug 9 02:16:21 2016
New Revision: 303863
URL: https://svnweb.freebsd.org/changeset/base/303863
Log:
Move IPv4-specific jail functions to new file netinet/in_jail.c
_prison_check_ip4 renamed to prison_check_ip4_locked
Move IPv6-specific jail functions to new file
Author: stevek
Date: Wed Aug 10 18:23:23 2016
New Revision: 303936
URL: https://svnweb.freebsd.org/changeset/base/303936
Log:
Add kernel environment variables under smbios.system for the following
SMBIOS Type 1 fields:
smbios.system.sku - SKU Number (SMBIOS 2.4 and above)
smbios.syste
Author: stevek
Date: Thu Aug 11 15:00:55 2016
New Revision: 303962
URL: https://svnweb.freebsd.org/changeset/base/303962
Log:
Add the missing space between .asciz directive and opening quote for some
lines within #ifdef BTXLDR_VERBOSE/#endif
Reported by: Kevin Zheng
Reviewed by: jhb
Author: stevek
Date: Thu Sep 5 17:48:39 2019
New Revision: 351878
URL: https://svnweb.freebsd.org/changeset/base/351878
Log:
Bump up the low range of cpuset numbers to account for the kernel cpuset.
Reviewed by: jeff
Obtained from: Juniper Networks, Inc.
Modified:
head/sys/ker
Author: stevek
Date: Fri Jul 31 16:08:25 2020
New Revision: 363738
URL: https://svnweb.freebsd.org/changeset/base/363738
Log:
Fix compilation error for install.c in loader
Fix typo in interp_include() invocation (missing 'p')
Remove setting tftpip, as servip is used by the tftp code in li
Author: stevek
Date: Fri Nov 11 16:59:26 2016
New Revision: 308534
URL: https://svnweb.freebsd.org/changeset/base/308534
Log:
The file_loadraw function grew an argument, update install function
accordingly.
Reviewed by: imp
Approved by: sjg (mentor)
MFC after: 2 weeks
Sponsored
Author: stevek
Date: Fri Nov 11 17:41:17 2016
New Revision: 308535
URL: https://svnweb.freebsd.org/changeset/base/308535
Log:
Add support for LOADER_RC setting in the pkgfs manifest (defaults to
/loader.rc) to specify a Forth file to read from the pkgfs tarball and
process by Ficl.
This
Author: stevek
Date: Sat Jul 14 16:59:17 2018
New Revision: 336284
URL: https://svnweb.freebsd.org/changeset/base/336284
Log:
Remove RIPEMD-160 fingerprint modules for veriexec, since it has very
little practical use and would not be recommended for anyone to use in
a production environment.
Author: stevek
Date: Sat Jul 14 17:15:28 2018
New Revision: 336286
URL: https://svnweb.freebsd.org/changeset/base/336286
Log:
Fix a typo which could cause a build breakage when building with MAC/veriexec
enabled in the kernel config.
Remove unused mac_veriexec_print_db prototype in intern
Author: stevek
Date: Sat Jul 14 17:18:17 2018
New Revision: 336287
URL: https://svnweb.freebsd.org/changeset/base/336287
Log:
Add config(8) options that can be used to enable building MAC/veriexec
and its fingerprint modules into a kernel.
Reviewed by: sjg
Modified:
head/sys/conf/opti
Author: stevek
Date: Sat Jul 14 17:21:16 2018
New Revision: 336289
URL: https://svnweb.freebsd.org/changeset/base/336289
Log:
Add mpo_vnode_check_setmode MAC method to MAC/veriexec.
In the method, disallow changing SUID/SGID on verified files.
Obtained from: Juniper Networks, Inc.
Author: stevek
Date: Thu Sep 22 06:24:40 2016
New Revision: 306159
URL: https://svnweb.freebsd.org/changeset/base/306159
Log:
The getsecs() function is implemented in platform- and bootfw-specific
files and, in a number of these places, there were problems with how they
were declared.
S
Author: stevek
Date: Wed Dec 6 21:12:24 2017
New Revision: 326635
URL: https://svnweb.freebsd.org/changeset/base/326635
Log:
The function fwscanf() return value is wrong when encountering an early
matching failure.
According to the Open Group documentation for fwscanf:
"Upon successful
Author: stevek
Date: Wed Dec 6 21:18:45 2017
New Revision: 326636
URL: https://svnweb.freebsd.org/changeset/base/326636
Log:
The function make_relative_prefix_1 does not properly free locally
allocated memory when it returns early.
Free the memory associated with the variables full_progr
Author: stevek
Date: Tue Jan 31 16:12:31 2017
New Revision: 313019
URL: https://svnweb.freebsd.org/changeset/base/313019
Log:
Add the following set accessor functions for recently-added members of ifnet
structure:
if_gethwtsomax(), if_sethwtsomax() - if_hw_tsomax
if_gethw
Author: stevek
Date: Mon Feb 13 17:44:07 2017
New Revision: 313701
URL: https://svnweb.freebsd.org/changeset/base/313701
Log:
For MD_PRELOAD type md(4) devices, if there is a file name in the preloaded
meta-data, copy it into the softc structure.
When returning md(4) device details to the
Author: stevek
Date: Mon Feb 13 18:52:26 2017
New Revision: 313703
URL: https://svnweb.freebsd.org/changeset/base/313703
Log:
Fix typo where opening brace was needed.
Reported by: Michael Butler
Reviewed by: sjg
Approved by: sjg (mentor)
Modified:
head/sys/dev/md/md.c
Modified: h
Author: stevek
Date: Mon May 15 19:32:26 2017
New Revision: 318314
URL: https://svnweb.freebsd.org/changeset/base/318314
Log:
Add information to open(2) man page about the O_VERIFY flag.
Reviewed by: bjk wblock
Approved by: sjg (mentor)
Obtained from: Juniper Networks, Inc.
Mo
Author: stevek
Date: Thu May 25 18:55:10 2017
New Revision: 318893
URL: https://svnweb.freebsd.org/changeset/base/318893
Log:
MFC r318314
Add information to open(2) man page about the O_VERIFY flag.
PR: 219262
Reviewed by: bjk wblock
Approved by: sjg (mentor)
Obtained
Author: stevek
Date: Wed May 31 21:18:11 2017
New Revision: 319358
URL: https://svnweb.freebsd.org/changeset/base/319358
Log:
Add MD_VERIFY option to enable O_VERIFY in open for vnode type.
Add -o [no]verify option to mdconfig (and document in man page.)
Implement GEOM attribute MNT::verifie
Author: stevek
Date: Wed May 31 21:31:15 2017
New Revision: 319361
URL: https://svnweb.freebsd.org/changeset/base/319361
Log:
parse.c parse_string
When parse_semi fails, free s before returning
parse.c parse_numeric_aggregate
The memory assigned to bufp is complicated, it can either be
Author: stevek
Date: Thu Jun 1 16:44:39 2017
New Revision: 319443
URL: https://svnweb.freebsd.org/changeset/base/319443
Log:
When sysctlbyname fails, free buf before returning.
Submitted by: Thomas Rix
Reviewed by: jhb
Approved by: sjg (mentor)
MFC after: 1 week
Differential
Author: stevek
Date: Thu Jun 1 19:21:30 2017
New Revision: 319453
URL: https://svnweb.freebsd.org/changeset/base/319453
Log:
Fix memory leak in edithost
The problem is that when the parameter 'pat' is null, the function locally
allocates a NULL string but never frees it.
Instead of
Author: stevek
Date: Fri Jun 2 20:25:25 2017
New Revision: 319508
URL: https://svnweb.freebsd.org/changeset/base/319508
Log:
Fix a memory leak with last
free memory allocated to 'buf'
Submitted by: Thomas Rix
Reviewed by: ed
Approved by: sjg (mentor)
MFC after: 1 week
Diffe
Author: stevek
Date: Tue Jun 6 21:40:35 2017
New Revision: 319636
URL: https://svnweb.freebsd.org/changeset/base/319636
Log:
The memory assigned to the local variable 'copy' needs to be freed.
Found using clang's static analyzer - scan-build
Submitted by: Thomas Rix
Reviewed by: e
Author: stevek
Date: Tue Jun 6 21:51:04 2017
New Revision: 319638
URL: https://svnweb.freebsd.org/changeset/base/319638
Log:
Before returning because of a memory allocation error, free the memory
already allocated to buf.
Found using clang's static analyzer - scan-build
Submitted b
Author: stevek
Date: Tue Jun 6 22:17:55 2017
New Revision: 319639
URL: https://svnweb.freebsd.org/changeset/base/319639
Log:
When the input parameter node is NULL, memory is allocated to it.
To later free the memory, introduce a new variable lnode to track when
this happens.
Submitted
Author: stevek
Date: Tue Jun 13 15:50:16 2017
New Revision: 319903
URL: https://svnweb.freebsd.org/changeset/base/319903
Log:
The variable nargv is allocated but never freed, so free it when it
is no longer used.
Submitted by: Thomas Rix
Reviewed by: ed
Approved by: sjg (mentor
Author: stevek
Date: Thu Jun 15 20:06:41 2017
New Revision: 319987
URL: https://svnweb.freebsd.org/changeset/base/319987
Log:
Replace md(4) usage in diskless(8) script rc.initdiskless with tmpfs(5).
Need to multiply the size of the disk passed to mount_md by 512 as mdmfs
expects number of 51
Author: stevek
Date: Tue Aug 20 01:06:43 2019
New Revision: 351244
URL: https://svnweb.freebsd.org/changeset/base/351244
Log:
usb_ethernet.h includes a number of mii headers, but only does so in
order to have struct mii_data available. However, it only really needs
a forward declaration of s
Author: stevek
Date: Thu Sep 3 03:48:42 2020
New Revision: 365286
URL: https://svnweb.freebsd.org/changeset/base/365286
Log:
Avoid issues with STAGING by using LIBUCL_DIR for the source directory
variable name instead of LIBUCL (which would otherwise end up with the
staging directory used i
Author: stevek
Date: Fri Sep 4 04:31:56 2020
New Revision: 365325
URL: https://svnweb.freebsd.org/changeset/base/365325
Log:
Avoid collisions with function names in openssl headers.
Just using MD5, SHA1, RMD160 and SHA256 for defines collides with
functions of the same name in OpenSSL. T