On 20 Jun 2018, at 15:32, Jonathan T. Looney wrote:
On Wed, Jun 20, 2018 at 9:49 AM Stephen Kiernan wrote:
And I was working on those sets of changes, when work and family didn't steal away time. I was told that some discussion happened at BSDCan this year in such that veriexec should go in
emove sys/capability.h after... maybe the 12-STABLE branch?
Jon
--
Jonathan Anderson
jonat...@freebsd.org
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-hea
one-option packages, etc.
Jon
--
Jonathan Anderson
jonat...@freebsd.org
Author: jonathan
Date: Wed Oct 18 00:33:20 2017
New Revision: 324712
URL: https://svnweb.freebsd.org/changeset/base/324712
Log:
Improve computation of {BC,LL}OBJS.
Now that OBJS has grown an OBJS_SRCS_FILTER variable, use this variable
in the computation of BCOBJS and LLOBJS too. Also mov
Author: jonathan
Date: Wed Oct 18 00:30:15 2017
New Revision: 324711
URL: https://svnweb.freebsd.org/changeset/base/324711
Log:
Improve logic of CLEANFILES+=${PROG_FULL}.{bc,ll}.
The build rule describing how to create ${PROG_FULL}.{bc,ll} is only
dependent on LLVM_LINK being defined, not
Author: jonathan
Date: Tue Oct 17 16:29:50 2017
New Revision: 324695
URL: https://svnweb.freebsd.org/changeset/base/324695
Log:
Add LLVM IR libraries to CLEANFILES.
We previously taught the build system how to create files like libfoo.bc,
but neglected to teach it about cleaning such file
Author: jonathan
Date: Sat Sep 9 13:18:32 2017
New Revision: 323365
URL: https://svnweb.freebsd.org/changeset/base/323365
Log:
Remove redundant source and object files.
Reviewed by: bdrewery, ngie
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://r
(r322314)
@@ -123,6 +123,7 @@
03/24 Marcel Moolenaar born in Hilversum, the
Netherlands, 1968
03/24 Emanuel Haupt born in Zurich, Switzerland, 1979
03/25 Andrew R. Reiter born in Springfield, Massachusetts,
United States, 1980
+03/26 Jonathan Anderson born in Ottawa, Ontario,
Canada, 1983
On 05/18/17 04:13, Baptiste Daroussin wrote:
On Wed, May 17, 2017 at 10:51:28PM +, Jonathan Anderson wrote:
+void print_usage(const char *argv0)
Style(9) bug :)
Duly noted. :)
It looks like kib@ has already sorted this out in his timezone.
Jon
--
jonat...@freebsd.org
Author: jonathan
Date: Thu May 18 00:32:05 2017
New Revision: 318432
URL: https://svnweb.freebsd.org/changeset/base/318432
Log:
Fix some nroff syntax in rtld.1.
When I originally documented the LD_LIBRARY_PATH_FDS environment variable,
I used `.Ev` rather than `.It Ev` to introduce it; th
Author: jonathan
Date: Wed May 17 22:51:28 2017
New Revision: 318431
URL: https://svnweb.freebsd.org/changeset/base/318431
Log:
Allow rtld direct-exec to take a file descriptor.
When executing rtld directly, allow a file descriptor to be explicitly
specified rather than opened from the gi
Author: jonathan
Date: Tue May 16 13:27:44 2017
New Revision: 318352
URL: https://svnweb.freebsd.org/changeset/base/318352
Log:
Rename rtld's parse_libdir to parse_integer.
This is a more accurate name, as the integer doesn't have to be a library
directory descriptor. It is also a prerequ
On 15 May 2017, at 16:44, Jonathan Anderson wrote:
You can already execute "non-executable" binaries using the `exec`
shell built-in:
```
$ cp /bin/sh .
$ chmod -x sh
$ exec sh
```
Er, oops: I ought to have said, you can execute non-executable binaries
by copying and markin
to execute a
binary even if the sysadmin had set it to -x specifically to prevent
people from running it.
You can already execute "non-executable" binaries using the `exec` shell
built-in:
```
$ cp /bin/sh .
$ chmod -x sh
$ exec sh
```
Jon
--
Jonathan Anderson
jonat...@f
anges that affect
everybody).
Jon
--
Jonathan Anderson
jonat...@freebsd.org
confusion.
The .bco and .llo suffixes should already be included because of
bsd.suffixes-posix.mk (included from sys.mk). This SUFFIXES change, on the
other hand, is to add the .ll and .bc suffixes for the final build products (IR
"binaries" and "libraries").
I hope this clears up any confusion,
Jon
--
Jonathan Anderson
jonat...@freebsd.org
Author: jonathan
Date: Tue Nov 1 21:27:42 2016
New Revision: 308181
URL: https://svnweb.freebsd.org/changeset/base/308181
Log:
Add rules to build LLVM IR binaries and libraries.
Running `make libfoo.ll` or `make libfoo.bc` within a library directory
will now give us an LLVM IR version of
Author: jonathan
Date: Thu Oct 20 15:14:21 2016
New Revision: 307676
URL: https://svnweb.freebsd.org/changeset/base/307676
Log:
Add make rules to build LLVM IR from C/C++ sources.
As a foundation for future work with LLVM's Intermediate Representation (IR),
add new suffix rules that can b
Author: jonathan
Date: Wed Oct 12 00:42:46 2016
New Revision: 307075
URL: https://svnweb.freebsd.org/changeset/base/307075
Log:
Extract suffix rules into bsd.suffixes[-posix].mk.
Refactor make suffix rules into separate files (one for POSIX and one not),
and rationalise the rules so that
> On Aug 4, 2015, at 8:18 AM, Hans Petter Selasky wrote:
>
> Wouldn't the argument be the same for queue.3 . Once C-compilers finally
> decide to compile time support queues, we should throw queue.3 aswell?
Sure! Not right away, and not in a way that causes unnecessary churn, but if
there ar
Author: jonathan
Date: Thu May 14 15:14:03 2015
New Revision: 282906
URL: https://svnweb.freebsd.org/changeset/base/282906
Log:
Allow sizeof(cpuset_t) to be queried in capability mode.
This allows functions that retrieve and inspect pthread_attr_t objects to
work correctly: querying the c
ec/rtld-elf/tests/ld_library_pathfds.c	Fri Jun 20 17:14:59 2014	(r267679)
@@ -0,0 +1,220 @@
+/*-
+ * Copyright 2014 Jonathan Anderson.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided tha
Author: jonathan
Date: Fri Jun 20 17:08:32 2014
New Revision: 267678
URL: http://svnweb.freebsd.org/changeset/base/267678
Log:
Add the LD_LIBRARY_PATH_FDS environmental variable.
This variable allows the loading of shared libraries via directory descriptors
rather than via library paths.
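The LD_LIBRARY_PATH_FDS commit above, together with the later rtld changes further up the page (renaming parse_libdir to parse_integer, letting rtld direct-exec take a file descriptor, and the rtld.1 fix), describes how a sandboxed process can name library directories by descriptor instead of by path. The following is an added example of the consuming side of that mechanism; it is not rtld's code and not part of the original page. It assumes the documented format (a colon-separated list of descriptor numbers), and the function names parse_libdir_fds, is_directory_fd and open_from_libdir_fds are this example's own. The point it shows beyond the commit message is the input handling a loader has to get right: non-numeric or overlong values are rejected rather than silently ignored, descriptors that are not directories are skipped, and names containing a slash are never searched.

```c
#define _POSIX_C_SOURCE 200809L	/* openat(2), fstat(2), O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LIBDIR_FDS 16

/* Added example, not rtld code: a model of rtld's parse_integer() (the
 * renamed parse_libdir()).  Reads a non-negative decimal integer and leaves
 * *endp at the first character after it; returns -1 for anything else. */
static int
parse_integer(const char *s, const char **endp)
{
	long v = 0;

	if (*s < '0' || *s > '9')
		return (-1);
	while (*s >= '0' && *s <= '9') {
		v = v * 10 + (*s - '0');
		if (v > INT_MAX)
			return (-1);
		s++;
	}
	*endp = s;
	return ((int)v);
}

/* Split an LD_LIBRARY_PATH_FDS value such as "3:7:12" into descriptor
 * numbers (assumption: a colon-separated list, as rtld.1 documents it).
 * Returns the number of descriptors, or -1 on a syntax error. */
int
parse_libdir_fds(const char *value, int *fds, int maxfds)
{
	const char *p = value, *end = NULL;
	int n = 0;

	if (value == NULL)
		return (0);
	while (*p != '\0') {
		int fd = parse_integer(p, &end);

		if (fd < 0 || n >= maxfds)
			return (-1);
		fds[n++] = fd;
		if (*end == '\0')
			break;
		if (*end != ':')
			return (-1);
		p = end + 1;
	}
	return (n);
}

/* A descriptor is usable as a library directory only if it is a directory;
 * anything else is skipped rather than handed to openat(2). */
int
is_directory_fd(int fd)
{
	struct stat sb;

	return (fstat(fd, &sb) == 0 && S_ISDIR(sb.st_mode));
}

/* Open `name` relative to the first directory descriptor that has it; this
 * is the lookup a loader performs instead of walking LD_LIBRARY_PATH.  Names
 * containing '/' are not searched, following loader convention. */
int
open_from_libdir_fds(const int *fds, int nfds, const char *name)
{
	if (strchr(name, '/') != NULL) {
		errno = EINVAL;
		return (-1);
	}
	for (int i = 0; i < nfds; i++) {
		int fd;

		if (!is_directory_fd(fds[i]))
			continue;
		if ((fd = openat(fds[i], name, O_RDONLY)) >= 0)
			return (fd);
	}
	errno = ENOENT;
	return (-1);
}

int
main(void)
{
	/* Constructed input: what a sandbox launcher might export after opening
	 * its library directories; "." stands in for /usr/lib here. */
	int dirfd = open(".", O_RDONLY | O_DIRECTORY);
	int fds[MAX_LIBDIR_FDS], n;
	char value[32];

	snprintf(value, sizeof(value), "%d", dirfd);
	n = parse_libdir_fds(value, fds, MAX_LIBDIR_FDS);
	printf("LD_LIBRARY_PATH_FDS=%s -> %d fd(s); fd %d is %sa directory\n",
	    value, n, fds[0], is_directory_fd(fds[0]) ? "" : "not ");
	return (0);
}
```

A launcher would open each library directory before cap_enter(), export the descriptor numbers in LD_LIBRARY_PATH_FDS, and exec the sandboxed program; the program then never needs the global file system namespace to find its libraries.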
Author: jonathan
Date: Tue Feb 18 14:54:56 2014
New Revision: 262166
URL: http://svnweb.freebsd.org/changeset/base/262166
Log:
Add more __BEGIN_DECLS / __END_DECLS to <sys/capability.h>.
capability.h currently only wraps some of its declarations in
__BEGIN_DECLS/__END_DECLS, so cap_enter(), cap_sandboxed(),
Author: jonathan
Date: Fri Oct 7 09:51:12 2011
New Revision: 226098
URL: http://svn.freebsd.org/changeset/base/226098
Log:
Change one printf() to log().
As noted in kern/159780, printf() is not very jail-friendly, since it can't
be easily monitored by jail management tools. This patch rep
. M. Watson
+ * Copyright (c) 2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above
Author: jonathan
Date: Thu Aug 18 23:08:52 2011
New Revision: 224988
URL: http://svn.freebsd.org/changeset/base/224988
Log:
Auto-generated system call code based on r224987.
Approved by: re (implicit)
Modified:
head/sys/kern/init_sysent.c
head/sys/kern/syscalls.c
head/sys/kern/systr
ed on has insufficient rights (e.g.
+.Dv CAP_PDKILL
+for
+.Fn pdkill ) .
+.El
+.Sh SEE ALSO
+.Xr close 2 ,
+.Xr fork 2 ,
+.Xr fstat 2 ,
+.Xr kill 2 ,
+.Xr poll 2 ,
+.Xr wait4 2
+.Sh HISTORY
+The
+.Fn pdfork ,
+.Fn pdgetpid ,
+.Fn pdkill
+and
+.Fn pdwait4
+system calls first appeared in
+.Fx 9.0 .
+.
Fixed in r224911.
Jon
On 16 August 2011 14:57, Jonathan Anderson wrote:
> It looks like r224086 added "goto out" error handling, so our "return
> (error)" seems to be a merge conflict.
>
> Sorry, I'll ask RE if I can fix that right now.
>
>
> Jo
Author: jonathan
Date: Tue Aug 16 14:23:16 2011
New Revision: 224911
URL: http://svn.freebsd.org/changeset/base/224911
Log:
Fix a merge conflict.
r224086 added "goto out"-style error handling to nfssvc_nfsd(), in order
to reliably call NFSEXITCODE() before returning. Our Capsicum changes,
rg.sock, CAP_SOCK_ALL, &fp)) != 0)
> goto out;
> - return (error);
> if (fp->f_type != DTYPE_SOCKET) {
> fdrop(fp, td);
> error = EPERM;
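Review bot: the removed `return (error);` sits directly after an unconditional `goto out;`, so it was dead code left behind by the merge and dropping it changes no runtime behaviour; what is worth confirming in the full function is that the `out` label's cleanup does not fdrop() `fp` on this path, since fget() failed and never filled it in.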
> %%%
>
> --
> Jaakko
Author: jonathan
Date: Tue Aug 16 14:14:56 2011
New Revision: 224910
URL: http://svn.freebsd.org/changeset/base/224910
Log:
poll(2) implementation for capabilities.
When calling poll(2) on a capability, unwrap first and then poll the
underlying object.
Approved by: re (kib), mentor (
Author: jonathan
Date: Sat Aug 13 10:43:21 2011
New Revision: 224812
URL: http://svn.freebsd.org/changeset/base/224812
Log:
Allow openat(2), fstatat(2), etc. in capability mode.
namei() and lookup() can now perform "strictly relative" lookups.
Such lookups, performed when in capability mo
Author: jonathan
Date: Sat Aug 13 09:21:16 2011
New Revision: 224810
URL: http://svn.freebsd.org/changeset/base/224810
Log:
Allow Capsicum capabilities to delegate constrained
access to file system subtrees to sandboxed processes.
- Use of absolute paths and '..' are limited in capability
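The two commits above (r224812 and r224810) describe the "strictly relative" lookup performed in capability mode: openat(2), fstatat(2) and friends are allowed against a directory descriptor, but absolute paths and ".." are refused so that a delegated subtree cannot be escaped. The following is an added, user-space model of that rule; it is not FreeBSD's namei()/lookup() code and is not from the original page. It assumes the rule as the commit messages state it (no leading '/', no ".." component) and uses ENOTCAPABLE as the error, which is the errno FreeBSD uses for capability violations; the names strictly_relative and sandboxed_openat are this example's own.

```c
#define _POSIX_C_SOURCE 200809L	/* openat(2), O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93	/* FreeBSD's errno value; defined here for other hosts */
#endif

/* Added example, not FreeBSD kernel code: a user-space model of the
 * "strictly relative" lookup rule.  A path used against a directory
 * descriptor in capability mode may not be absolute and may not contain a
 * ".." component; either would reach outside the delegated directory.
 * Returns 0 if the path is acceptable, otherwise an errno value. */
int
strictly_relative(const char *path)
{
	const char *p = path;

	if (path == NULL || *path == '\0')
		return (EINVAL);
	if (*path == '/')
		return (ENOTCAPABLE);	/* absolute: names the global namespace */

	/* Examine each '/'-separated component; only an exact ".." is refused,
	 * so names such as "..cache" still pass. */
	while (*p != '\0') {
		const char *end = strchr(p, '/');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return (ENOTCAPABLE);
		if (end == NULL)
			break;
		p = end + 1;
	}
	return (0);
}

/* What a sandboxed program (or a library wrapping its file access) can do:
 * apply the same rule before the system call so the refusal is explicit. */
int
sandboxed_openat(int dirfd, const char *path, int flags)
{
	int error = strictly_relative(path);

	if (error != 0) {
		errno = error;
		return (-1);
	}
	return (openat(dirfd, path, flags));
}

int
main(void)
{
	/* Constructed inputs; "." stands in for a directory delegated to a sandbox. */
	const char *samples[] = { "etc/passwd", "a/./b", "..cache/x",
	    "/etc/passwd", "../etc/passwd", "a/../../b" };
	int dirfd = open(".", O_RDONLY | O_DIRECTORY);

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int fd = sandboxed_openat(dirfd, samples[i], O_RDONLY);

		printf("%-16s %s\n", samples[i], fd >= 0 ? "opened" :
		    errno == ENOTCAPABLE ? "refused (ENOTCAPABLE)" : strerror(errno));
		if (fd >= 0)
			close(fd);
	}
	return (0);
}
```

Later FreeBSD releases relax the ".." part of this rule to permit components that do not climb above the starting directory; the function above models the rule as the 2011 commit messages state it, which is the stricter and simpler check.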
Author: jonathan
Date: Fri Aug 12 14:26:47 2011
New Revision: 224797
URL: http://svn.freebsd.org/changeset/base/224797
Log:
Rename CAP_*_KEVENT to CAP_*_EVENT.
Change the names of a couple of capability rights to be less
FreeBSD-specific.
Approved by: re (kib), mentor (rwatson)
Spo
Author: jonathan
Date: Fri Aug 12 11:43:56 2011
New Revision: 224794
URL: http://svn.freebsd.org/changeset/base/224794
Log:
Reorder and renumber capability rights.
This patch does three things:
- puts capability rights in a more pleasing declaration order
- changes mask values to matc
0,0 +1,151 @@
+/*-
+ * Copyright (c) 2009-2011 Robert N. M. Watson
+ * Copyright (c) 2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistri
Author: jonathan
Date: Thu Aug 11 15:52:06 2011
New Revision: 224784
URL: http://svn.freebsd.org/changeset/base/224784
Log:
Use the right printf() format string without a cast to maxint_t.
As per kib's suggestion, we also change test_count from a size_t to an int;
its value at the moment
Author: jonathan
Date: Thu Aug 11 13:29:59 2011
New Revision: 224781
URL: http://svn.freebsd.org/changeset/base/224781
Log:
Only call fdclose() on successfully-opened FDs.
Since kern_openat() now uses falloc_noinstall() and finstall() separately,
there are cases where we could get to clea
Author: jonathan
Date: Tue Aug 9 14:06:50 2011
New Revision: 224732
URL: http://svn.freebsd.org/changeset/base/224732
Log:
Remove timeval2timespec and its converse, since we already have
TIMEVAL_TO_TIMESPEC() in .
Spotted by: bde
Approved by: re (kib), mentor (rwatson)
Modified:
hea
Author: jonathan
Date: Mon Aug 8 20:36:52 2011
New Revision: 224721
URL: http://svn.freebsd.org/changeset/base/224721
Log:
Create timeval2timespec() and timespec2timeval().
These functions will be used by process descriptors to convert process
creation time into process descriptor [acm]t
Author: jonathan
Date: Fri Aug 5 17:43:11 2011
New Revision: 224660
URL: http://svn.freebsd.org/changeset/base/224660
Log:
Expect fchflags(2) to fail with EOPNOTSUPP on NFS.
Even if we have CAP_FCHFLAGS, fchflags(2) fails on NFS. This is normal
and expected, so don't fail the test becaus
r224653)
@@ -0,0 +1,260 @@
+/*-
+ * Copyright (c) 2009-2011 Robert N. M. Watson
+ * Copyright (c) 2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+
on/security/cap_test/cap_test.c	Thu Aug 4 14:18:09 2011	(r224650)
+++ head/tools/regression/security/cap_test/cap_test.c	Thu Aug 4 14:20:13 2011	(r224651)
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2008-2011 Robert N. M. Watson
+ * Copyright (c) 2011 Jonathan Anderson
*
Author: jonathan
Date: Fri Jul 22 12:50:21 2011
New Revision: 224268
URL: http://svn.freebsd.org/changeset/base/224268
Log:
Turn on AUDIT_ARG_RIGHTS() for cap_new(2).
Now that the code is in place to audit capability method rights, start
using it to audit the 'rights' argument to cap_new(
Author: jonathan
Date: Thu Jul 21 21:08:33 2011
New Revision: 224255
URL: http://svn.freebsd.org/changeset/base/224255
Log:
Declare more capability method rights.
This is a complete set of rights that can be held in a capability's
rights mask.
Approved by: re (kib), mentor (rwatson)
Author: jonathan
Date: Wed Jul 20 13:29:39 2011
New Revision: 224227
URL: http://svn.freebsd.org/changeset/base/224227
Log:
Add cap_new(2) and cap_getrights(2) symbols to libc.
These system calls have already been implemented in the kernel; now we
hook up libc symbols so userspace can dri
Author: jonathan
Date: Wed Jul 20 09:53:35 2011
New Revision: 224225
URL: http://svn.freebsd.org/changeset/base/224225
Log:
Export capability information via sysctls.
When reporting on a capability, flag the fact that it is a capability,
but also unwrap to report all of the usual informat
Author: jonathan
Date: Mon Jul 18 12:58:18 2011
New Revision: 224181
URL: http://svn.freebsd.org/changeset/base/224181
Log:
Provide ability to audit cap_rights_t arguments.
We wish to be able to audit capability rights arguments; this code
provides the necessary infrastructure.
This
Author: jonathan
Date: Fri Jul 15 18:33:12 2011
New Revision: 224067
URL: http://svn.freebsd.org/changeset/base/224067
Log:
Auto-generated system call code with cap_new(), cap_getrights().
Approved by: mentor (rwatson), re (Capsicum blanket)
Sponsored by: Google Inc
Modified:
head/sys/
Author: jonathan
Date: Fri Jul 15 18:26:19 2011
New Revision: 224066
URL: http://svn.freebsd.org/changeset/base/224066
Log:
Add cap_new() and cap_getrights() system calls.
Implement two previously-reserved Capsicum system calls:
- cap_new() creates a capability to wrap an existing file de
Author: jonathan
Date: Fri Jul 15 09:37:14 2011
New Revision: 224056
URL: http://svn.freebsd.org/changeset/base/224056
Log:
Add implementation for capabilities.
Code to actually implement Capsicum capabilities, including fileops and
kern_capwrap(), which creates a capability to wrap an ex
Author: jonathan
Date: Fri Jul 8 12:19:25 2011
New Revision: 223866
URL: http://svn.freebsd.org/changeset/base/223866
Log:
Fix the "passability" test in fdcopy().
Rather than checking to see if a descriptor is a kqueue, check to see if
its fileops flags include DFLAG_PASSABLE.
At th
Author: jonathan
Date: Fri Jul 8 12:16:30 2011
New Revision: 223865
URL: http://svn.freebsd.org/changeset/base/223865
Log:
Clarify the meaning of a test.
Rather than using err() if either of two failure conditions
fires (which can produce spurious error messages), just use
errx() if th
Author: jonathan
Date: Thu Jul 7 18:07:03 2011
New Revision: 223845
URL: http://svn.freebsd.org/changeset/base/223845
Log:
Ensure that kqueue is not inherited across fork().
Modify the existing unit test (from libkqueue) which already exercises
process events via fork() and kill(). Now,
Author: jonathan
Date: Thu Jul 7 17:00:42 2011
New Revision: 223843
URL: http://svn.freebsd.org/changeset/base/223843
Log:
Make a comment more accurate.
This comment refers to CAP_NT_SMBS, which does not exist; it should refer to
SMB_CAP_NT_SMBS.
Fixing this comment makes it easier for
Author: jonathan
Date: Tue Jul 5 13:45:10 2011
New Revision: 223785
URL: http://svn.freebsd.org/changeset/base/223785
Log:
Rework _fget to accept capability parameters.
This new version of _fget() requires new parameters:
- cap_rights_t needrights
the rights that we expect the capa
Author: jonathan
Date: Mon Jul 4 14:40:32 2011
New Revision: 223762
URL: http://svn.freebsd.org/changeset/base/223762
Log:
Add kernel functions to unwrap capabilities.
cap_funwrap() and cap_funwrap_mmap() unwrap capabilities, exposing the
underlying object. Attempting to unwrap a capabil
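The cap_new() commit (r224066), the _fget() rework that takes a `needrights` argument (r223785), and the cap_funwrap() commit just above together describe the rights-mask model of 2011-era Capsicum: a capability wraps an existing file descriptor with a mask of permitted operations, every kernel lookup of the descriptor states the rights it needs, and unwrapping fails when the mask lacks them. The following is an added, user-space model of those three pieces; it is not FreeBSD kernel code and not from the original page. cap_rights_t is modelled as a 64-bit mask as it was then, but the CAP_* bit values, CAP_MASK_VALID, the struct file layout, and the function names open_plain_fd, fget_rights and sys_cap_new are this example's own illustrative stand-ins (the page itself notes the real values were renumbered). What it shows beyond the commit messages is the invariant that makes delegation safe: deriving a capability from a capability can only narrow rights, never widen them.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93	/* FreeBSD's errno value; defined here for other hosts */
#endif

/* Added example, not FreeBSD kernel code.  Illustrative bit values only. */
typedef uint64_t cap_rights_t;
#define CAP_READ	0x01ULL
#define CAP_WRITE	0x02ULL
#define CAP_FSTAT	0x04ULL
#define CAP_MASK_VALID	0x07ULL

enum { DTYPE_NONE = 0, DTYPE_VNODE, DTYPE_CAPABILITY };

struct file {
	int		 f_type;
	cap_rights_t	 f_rights;	/* DTYPE_CAPABILITY only */
	struct file	*f_object;	/* the object a capability wraps */
};

#define NFILES 16
static struct file  files[NFILES];	/* stand-in for the kernel file table */
static struct file *fdtable[NFILES];	/* stand-in for the process fd array */

/* Models of falloc_noinstall() and finstall(): allocate a struct file, then
 * separately bind it to the lowest free descriptor. */
static struct file *
file_alloc(int type)
{
	for (int i = 0; i < NFILES; i++)
		if (files[i].f_type == DTYPE_NONE) {
			files[i].f_type = type;
			return (&files[i]);
		}
	return (NULL);
}

static int
fd_install(struct file *fp)
{
	for (int fd = 0; fd < NFILES; fd++)
		if (fdtable[fd] == NULL) {
			fdtable[fd] = fp;
			return (fd);
		}
	return (-1);
}

/* A plain, unrestricted descriptor, as open(2) returns outside a sandbox. */
int
open_plain_fd(void)
{
	struct file *fp = file_alloc(DTYPE_VNODE);
	return (fp == NULL ? -1 : fd_install(fp));
}

/* Model of cap_funwrap(): expose the object behind a capability only if the
 * capability holds every right in needrights; a non-capability passes as is. */
int
cap_funwrap(struct file *fp, cap_rights_t needrights, struct file **fpp)
{
	if (fp->f_type != DTYPE_CAPABILITY) {
		*fpp = fp;
		return (0);
	}
	if ((fp->f_rights & needrights) != needrights)
		return (ENOTCAPABLE);
	*fpp = fp->f_object;
	return (0);
}

/* Model of the reworked _fget(): the caller states the rights it needs. */
int
fget_rights(int fd, cap_rights_t needrights, struct file **fpp)
{
	if (fd < 0 || fd >= NFILES || fdtable[fd] == NULL)
		return (EBADF);
	return (cap_funwrap(fdtable[fd], needrights, fpp));
}

/* Model of cap_new(2): wrap fd in a capability carrying `rights`.  Deriving
 * from an existing capability may narrow its rights but never widen them. */
int
sys_cap_new(int fd, cap_rights_t rights, int *newfd)
{
	struct file *fp, *cp;

	if (fd < 0 || fd >= NFILES || (fp = fdtable[fd]) == NULL)
		return (EBADF);
	if ((rights & ~CAP_MASK_VALID) != 0)
		return (EINVAL);
	if (fp->f_type == DTYPE_CAPABILITY) {
		if ((rights & ~fp->f_rights) != 0)
			return (ENOTCAPABLE);	/* attempted amplification */
		fp = fp->f_object;	/* wrap the same underlying object */
	}
	if ((cp = file_alloc(DTYPE_CAPABILITY)) == NULL)
		return (EMFILE);
	cp->f_rights = rights;
	cp->f_object = fp;
	if ((*newfd = fd_install(cp)) < 0) {
		cp->f_type = DTYPE_NONE;
		return (EMFILE);
	}
	return (0);
}

int
main(void)
{
	struct file *fp;
	int base = open_plain_fd(), ro, wr;

	sys_cap_new(base, CAP_READ | CAP_FSTAT, &ro);
	printf("write through fd %d: %s\n", ro,
	    fget_rights(ro, CAP_WRITE, &fp) ? "ENOTCAPABLE" : "ok");
	printf("cap_new(fd %d, READ|WRITE): %s\n", ro,
	    sys_cap_new(ro, CAP_READ | CAP_WRITE, &wr) ? "ENOTCAPABLE" : "ok");
	return (0);
}
```

The check in sys_cap_new against the parent's mask is the one that matters for a sandbox: without it a process holding a read-only capability could mint a read-write one for the same object, and the rights mask would be advisory rather than enforced.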
Author: jonathan
Date: Sat Jul 2 15:41:22 2011
New Revision: 223723
URL: http://svn.freebsd.org/changeset/base/223723
Log:
Define the CAPABILITIES kernel option.
This option will enable Capsicum capabilities, which provide a fine-grained
mask on operations that can be performed on file d
Author: jonathan
Date: Fri Jul 1 12:13:48 2011
New Revision: 223710
URL: http://svn.freebsd.org/changeset/base/223710
Log:
Define cap_rights_t and DTYPE_CAPABILITY, which are required to
implement Capsicum capabilities.
Approved by: mentor (rwatson), re (bz)
Modified:
head/sys/sys/_ty
Author: jonathan
Date: Thu Jun 30 15:22:49 2011
New Revision: 223694
URL: http://svn.freebsd.org/changeset/base/223694
Log:
When Capsicum starts creating capabilities to wrap existing file
descriptors, we will want to allocate a new descriptor without installing
it in the FD array.
Spli
Author: jonathan
Date: Thu Jun 30 10:56:02 2011
New Revision: 223692
URL: http://svn.freebsd.org/changeset/base/223692
Log:
Add some checks to ensure that Capsicum is behaving correctly, and add some
more explicit comments about what's going on and what future maintainers
need to do when e.g
Author: jonathan
Date: Wed Jun 29 13:03:05 2011
New Revision: 223668
URL: http://svn.freebsd.org/changeset/base/223668
Log:
We may split today's CAPABILITIES into CAPABILITY_MODE (which has
to do with global namespaces) and CAPABILITIES (which has to do with
constraining file descriptors). J
Author: jonathan
Date: Sat Jun 25 12:37:06 2011
New Revision: 223533
URL: http://svn.freebsd.org/changeset/base/223533
Log:
Remove redundant Capsicum sysctl.
Since we're now declaring FEATURE(security_capabilities), there's no need for
an explicit SYSCTL_NODE.
Approved by: rwatson
Mo
Author: jonathan
Date: Fri Jun 24 14:40:22 2011
New Revision: 223505
URL: http://svn.freebsd.org/changeset/base/223505
Log:
Tidy up a capabilities-related comment.
This comment refers to an #ifdef that hasn't been merged [yet?]; remove it.
Approved by: rwatson
Modified:
head/sys/ker
Author: jonathan
Date: Wed May 4 12:44:46 2011
New Revision: 221431
URL: http://svn.freebsd.org/changeset/base/221431
Log:
Regression tests for Capsicum capability mode.
Ensure that system calls that access global namespaces, e.g. open(2), are not
permitted, and that whitelisted sysctls l
bsd.o
joe [label="Josef karthauser\n...@freebsd.org\n1999/10/22"]
joerg [label="Joerg wunsch\njo...@freebsd.org\n1993/11/14"]
jon [label="Jonathan chen\n...@freebsd.org\n2000/10/17"]
+jonathan [label="Jonathan anderson\njonat...@freebsd.org\n2010/10/0
67 matches