man filesystems: fix more xrefs after move to s4

Fixes: 1a720cbec513
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1282

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remov

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

imgact_binmisc: Optionally pre-open the interpreter vnode

This allows the use of chroot and/or jail environments which depend on
interpreters registed with imgact_binmisc to use emulator binaries fr

imgact_binmisc: Optionally pre-open the interpreter vnode

This allows the use of chroot and/or jail environments which depend on
interpreters registed with imgact_binmisc to use emulator binaries from
the host to emulate programs inside the chroot.

Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D37432

show more ...

imgact_binmisc: limit the extent of match on incoming entries

imgact_binmisc matches magic/mask from imgp->image_header, which is only a
single page in size mapped from the first page of an image. O

imgact_binmisc: limit the extent of match on incoming entries

imgact_binmisc matches magic/mask from imgp->image_header, which is only a
single page in size mapped from the first page of an image. One can specify
an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to
256 bytes past the mapped first page.

The limitation is that we cannot specify a magic string that exceeds a
single page, and we can't allow offset + size to exceed a single page
either. A static assert has been added in case someone finds it useful to
try and expand the size, but it does seem a little unlikely.

While this looks kind of exploitable at a sideways squinty-glance, there are
a couple of mitigating factors:

1.) imgact_binmisc is not enabled by default,
2.) entries may only be added by the superuser,
3.) trying to exploit this information to read what's mapped past the end
would be worse than a root canal or some other relatably painful
experience, and
4.) there's no way one could pull this off without it being completely
obvious.

The first page is mapped out of an sf_buf, the implementation of which (or
lack thereof) depends on your platform.

MFC after: 1 week

show more ...

imgact_binmisc: move some calculations out of the exec path

The offset we need to account for in the interpreter string comes in two
variants:

1. Fixed - macros other than #a that will not vary fro

imgact_binmisc: move some calculations out of the exec path

The offset we need to account for in the interpreter string comes in two
variants:

1. Fixed - macros other than #a that will not vary from invocation to
invocation
2. Variable - #a, which is substitued with the argv0 that we're replacing

Note that we don't have a mechanism to modify an existing entry. By
recording both of these offset requirements when the interpreter is added,
we can avoid some unnecessary calculations in the exec path.

Most importantly, we can know up-front whether we need to grab
calculate/grab the the filename for this interpreter. We also get to avoid
walking the string a first time looking for macros. For most invocations,
it's a swift exit as they won't have any, but there's no point entering a
loop and searching for the macro indicator if we already know there will not
be one.

While we're here, go ahead and only calculate the argv0 name length once per
invocation. While it's unlikely that we'll have more than one #a, there's no
reason to recalculate it every time we encounter an #a when it will not
change.

I have not bothered trying to benchmark this at all, because it's arguably a
minor and straightforward/obvious improvement.

MFC after: 1 week

show more ...

imgact_binmisc: reorder members of struct imgact_binmisc_entry (NFC)

This doesn't change anything at the moment since the out-of-order elements
were a pair of uint32_t, but future additions may have

imgact_binmisc: reorder members of struct imgact_binmisc_entry (NFC)

This doesn't change anything at the moment since the out-of-order elements
were a pair of uint32_t, but future additions may have caused unnecessary
padding by following the existing precedent.

MFC after: 1 week

show more ...

imgact_binmisc: abstract away the list lock (NFC)

This module handles relatively few execs (initial qemu-user-static, then
qemu-user-static handles exec'ing itself for binaries it's already running)

imgact_binmisc: abstract away the list lock (NFC)

This module handles relatively few execs (initial qemu-user-static, then
qemu-user-static handles exec'ing itself for binaries it's already running),
but all execs pay the price of at least taking the relatively expensive
sx/slock to check for a match when this module is loaded. Future work will
almost certainly swap this out for another lock, perhaps an rmslock.

The RLOCK/WLOCK phrasing was chosen based on what the callers are really
wanting, rather than using the verbiage typically appropriate for an sx.

MFC after: 1 week

show more ...

imgact_binmisc: validate flags coming from userland

We may want to reserve bits in the future for kernel-only use, so start
rejecting any that aren't the two that we're currently expecting from
user

imgact_binmisc: validate flags coming from userland

We may want to reserve bits in the future for kernel-only use, so start
rejecting any that aren't the two that we're currently expecting from
userland.

MFC after: 1 week

show more ...

imgact_binmisc: minor re-organization of imgact_binmisc_exec exits

Notably, streamline error paths through the existing 'done' label, making it
easier to quickly verify correct cleanup.

Future work

imgact_binmisc: minor re-organization of imgact_binmisc_exec exits

Notably, streamline error paths through the existing 'done' label, making it
easier to quickly verify correct cleanup.

Future work might add a kernel-only flag to indicate that a interpreter uses
#a. Currently, all executions via imgact_binmisc pay the penalty of
constructing sname/fname, even if they will not use it. qemu-user-static
doesn't need it, the stock rc script for qemu-user-static certainly doesn't
use it, and I suspect these are the vast majority of (if not the only)
current users.

MFC after: 1 week

show more ...

imgact_binmisc: fix up some minor nits

- Removed a bunch of redundant headers
- Don't explicitly initialize to 0
- The !error check prior to setting imgp->interpreter_name is redundant, all
error

imgact_binmisc: fix up some minor nits

- Removed a bunch of redundant headers
- Don't explicitly initialize to 0
- The !error check prior to setting imgp->interpreter_name is redundant, all
error paths should and do return or go to 'done'. We have larger problems
otherwise.

show more ...

Merge ^/head r358269 through r358399.

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly mark

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE. All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

show more ...

Merge ^/head r357270 through r357349.

Remove duplicated empty lines from kern/*.c

No functional changes.

Merge ^/head r340918 through r341763.

Add helper functions to copy strings into struct image_args.

Given a zeroed struct image_args with an allocated buf member,
exec_args_add_fname() must be called to install a file name (or NULL).
The

Add helper functions to copy strings into struct image_args.

Given a zeroed struct image_args with an allocated buf member,
exec_args_add_fname() must be called to install a file name (or NULL).
Then zero or more calls to exec_args_add_env() followed by zero or
more calls to exec_args_add_env(). exec_args_adjust_args() may be
called after args and/or env to allow an interpreter to be prepended to
the argument list.

To allow code reuse when adding arg and env variables, begin_envv
should be accessed with the accessor exec_args_get_begin_envv()
which handles the case when no environment entries have been added.

Use these functions to simplify exec_copyin_args() and
freebsd32_exec_copyin_args().

Reviewed by: kib
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D15468

show more ...

Use NULL for SYSINIT's last arg, which is a pointer type

Sponsored by: The FreeBSD Foundation

Use C99 designated initializers for struct execsw

It it makes use slightly more clear and facilitates grepping.

tighten buffer bounds in imgact_binmisc_populate_interp

We must ensure there's space for the terminating null in the temporary
buffer in imgact_binmisc_populate_interp().

Note that there's no buffe

tighten buffer bounds in imgact_binmisc_populate_interp

We must ensure there's space for the terminating null in the temporary
buffer in imgact_binmisc_populate_interp().

Note that there's no buffer overflow here because xbe->xbe_interpreter's
length and null termination is checked in imgact_binmisc_add_entry()
before imgact_binmisc_populate_interp() is called. However, the latter
should correctly enforce its own bounds.

Reviewed by: sbruno
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10042

show more ...

sys/kern: spelling fixes in comments.

No functional change.

MFH

Sponsored by: The FreeBSD Foundation

Repair a overflow condition where a user could submit a string that was
not getting a proper bounds check.

Thanks to CTurt for pointing at this with a big red blinking neon sign.

PR: 206761
Submit

Repair a overflow condition where a user could submit a string that was
not getting a proper bounds check.

Thanks to CTurt for pointing at this with a big red blinking neon sign.

PR: 206761
Submitted by: sson
Reviewed by: cturt@hardenedbsd.org
MFC after: 3 days

show more ...

Merge from head

Catch up with head, primarily for the 1.14.4.0 firmware.