libc: implement C23 <stdbit.h> functions

This new header complies with ISO/IEC 9899:2024 (C23).

Contrary to glibc, we do not provide inline definitions in
<stdbit.h> as we expect our system compile

libc: implement C23 <stdbit.h> functions

This new header complies with ISO/IEC 9899:2024 (C23).

Contrary to glibc, we do not provide inline definitions in
<stdbit.h> as we expect our system compiler to soon recognise
these as builtins anyway.

Relnotes: yes
MFC after: 1 month
Reviewed by: adrian
Approved by: markj (mentor)
Differential Revision: https://reviews.freebsd.org/D53657

show more ...

Use ZFSTOP more broadly

Reviewed by: brooks
Obtained from: CheriBSD
Differential Revision: https://reviews.freebsd.org/D53791

Vendor import of blocklist 2025-04-28 (8aa81bf)

Upstream hash 8aa81bf70073715a749b1673884e84ac82cfce9f.

Approved by: emaste (mentor)
Obtained from: https://github.com/zoulasc/blocklist

blocklist: update to 2020-06-15 snapshot

Upstream hash 7093cd90cc9eae6bf9fa6b66f679ea6b15451c1e

Obtained from: https://github.com/zoulasc/blocklist
Sponsored by: The FreeBSD Foundation

libbsm: Rename package to audit-lib

This is part of audit, so use the new LIB_PACKAGE feature to name the
package audit-lib, rather than libbsm.

MFC after: 1 day
Reviewed by: bapt
Sponsored by: htt

libbsm: Rename package to audit-lib

This is part of audit, so use the new LIB_PACKAGE feature to name the
package audit-lib, rather than libbsm.

MFC after: 1 day
Reviewed by: bapt
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D52789

show more ...

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859

show more ...

gssapi,krb5: Replace libgssapi with the MIT version

lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed

gssapi,krb5: Replace libgssapi with the MIT version

lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.

This should have been implmented with 7e35117eb07f.

Fixes: 7e35117eb07f, 73ed0c7992fd
Differential Revision: https://reviews.freebsd.org/D51661

show more ...

Add sys/stdarg.h

While the type of va_list and implementation of va_*() psuedo functions
varies (sometimes greatly) by architecture, they will always be defined
by the compiler in a consistant way t

Add sys/stdarg.h

While the type of va_list and implementation of va_*() psuedo functions
varies (sometimes greatly) by architecture, they will always be defined
by the compiler in a consistant way that does not require machine
dependent handling.

MFC after: 1 week

Reviewed by: imp
Exp-run by: antoine (PR 286274)
Pull Request: https://github.com/freebsd/freebsd-src/pull/1595

show more ...

Provide user interface to retrieve reported extended errors

Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D50483

Revert "isp: Fix abort issue introduced by previous commit"

This reverts commit 1f7c379c07168029694a9a33bc437b05cdee623e.

Leaked unintended changes. I'm sorry.

isp: Fix abort issue introduced by previous commit

Aborting ATIO while its CTIOs are in progress makes impossible to
handle their completions, making them stuck forever. Detect this
case by checkin

isp: Fix abort issue introduced by previous commit

Aborting ATIO while its CTIOs are in progress makes impossible to
handle their completions, making them stuck forever. Detect this
case by checking ctcnt counter and if so instead of aborting just
mark the ATIO as dead to block any new CTIOs. It is not perfect
since the task id can not be reused for some more time, but not
as bad as the task stuck forever.

MFC after: 1 week

show more ...

include: Add required guards for dev/vmm headers

Reported by: Jenkins
Fixes: ebd48f1e52d7 ("include: Install dev/vmm headers")

include: Install dev/vmm headers

In preparation for their use in libvmmapi.

Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D47029

Import _FORTIFY_SOURCE implementation from NetBSD

This is a mostly-unmodified copy of the various *_chk implementations
and headers from NetBSD, without yet modifying system headers to start
actuall

Import _FORTIFY_SOURCE implementation from NetBSD

This is a mostly-unmodified copy of the various *_chk implementations
and headers from NetBSD, without yet modifying system headers to start
actually including them. A future commit will also apply the needed
bits to fix ssp/unistd.h.

Reviewed by: imp, pauamma_gundo.com (both previous versions), kib
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D32306

show more ...

nvmf: Install nvmf.h and nvmf_proto.h in /usr/include/dev/nvmf

Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44707

include: Ensure security/audit/audit.h gets staged properly.

There is a conflict between bsm/audit.h and security/audit/audit.h due
to the way that staging is being set up using .PATH to point to th

include: Ensure security/audit/audit.h gets staged properly.

There is a conflict between bsm/audit.h and security/audit/audit.h due
to the way that staging is being set up using .PATH to point to the
full directory and the leaf files being specified in the list. Due to
this, the bsm/audit.h was getting staged as both bsm/audit.h and
security/audit/audit.h since the sys/bsm directory is listed first in
the .PATH list.

Use sys/security in the .PATH instead of sys/security/audit and specify
the audit header files as audit/<name>.h. This ensures that we get the
correct audit.h stanged for security/audit/audit.h.

Reviewed by: sjg
Obtained from: Juniper Networks, Inc.

show more ...

include: Allow SDESTDIR to be overridden

Obtained from: Juniper Networks, Inc.
Reviewed by: sjg
Differential Revision: https://reviews.freebsd.org/D44540

include: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a pe

include: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

show more ...

pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state
stables. With the previous implementation we ha

pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state
stables. With the previous implementation we had to build the entire
list (both in the kernel and in userspace) before we could start
processing. With netlink we start to get data in userspace while the
kernel is still generating more. This reduces peak memory consumption
(which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add
fields to the state export without breaking userspace. In that regard
it's similar to an nvlist-based approach, except that it also deals
with transport to userspace and that it performs significantly better
than nvlists. Testing has failed to measure a performance difference
between the previous struct-copy based ioctl and the netlink approach.

Differential Revision: https://reviews.freebsd.org/D38888

show more ...

pkgbase: Move headers and libs out of runtime and utilities

Headers from src/include were in the runtime-dev package but
subdirectories of src/include ended up in utilities-dev by default.
Neither p

pkgbase: Move headers and libs out of runtime and utilities

Headers from src/include were in the runtime-dev package but
subdirectories of src/include ended up in utilities-dev by default.
Neither package is a good choice - the headers in src/include are not
useful without the libraries contained in clibs-dev.

This moves the standard C headers to clibs-dev (C++ headers are already
in this package). While working on this, I found that various clang
libraries and headers were also bundled into utilities-dev by default
so these are also moved to clang-dev.

I also added a FreeBSD-build-essential meta package to make it simple to
install all the toolchain parts.

PR: 254173
Reviewed byb: manu
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D41815

show more ...

include: Implement N2867.

This adds macros for checked addition, subtraction, and multiplication with semantics similar to the builtins gcc and clang have had for years.

Reviewed by: kib, emaste
Di

include: Implement N2867.

This adds macros for checked addition, subtraction, and multiplication with semantics similar to the builtins gcc and clang have had for years.

Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D41734

show more ...

Add mac_grantbylabel

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of th

Add mac_grantbylabel

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

arm64 lib32: prepare arm64 headers to redirect to arm

In order to compile lib32 libraries and other 32-bit code on arm64,
<machine/foo.h> needs to be redirected to an arm header rather
than arm64 wh

arm64 lib32: prepare arm64 headers to redirect to arm

In order to compile lib32 libraries and other 32-bit code on arm64,
<machine/foo.h> needs to be redirected to an arm header rather
than arm64 when building with -m32. Ifdef the arm64 headers that
are installed in /usr/include/machine and used by user-level software
(including references from /usr/include/*.h) so that if __arm__ is
defined when including the arm64 version, <arm/foo.h> is included
rather than using the rest of the file's contents. Some arm headers
had no arm64 equivalent; headers were added just to do the redirection.
These files use #error if __arm__ is not defined to guard against
confusion. Also add an include/arm Makefile, and modify Makefiles
as needed to install everything, including the arm files in
/usr/include/arm. fenv.h comes from lib/msun/arm/fenv.h.

The new arm64 headers are:
acle-compat.h
cpuinfo.h
sysreg.h

Reviewed by: jrtc27, imp
Differential Revision: https://reviews.freebsd.org/D40944

show more ...

nvme: Don't install nvme_private.h in /usr/include.

Reviewed by: chuck, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D40394