kernel - Disable various dev accesses for RESTRICTEDROOT environments

* Do not allow CAM (e.g. /dev/sg0 and so forth) to be accessed if
RESTRICTEDROOT is active. Note that RESTRICTEDROOT is autom

kernel - Disable various dev accesses for RESTRICTEDROOT environments

* Do not allow CAM (e.g. /dev/sg0 and so forth) to be accessed if
RESTRICTEDROOT is active. Note that RESTRICTEDROOT is automatically
set for jails.

* Restrict writes to /dev/random and /dev/urandom

* Also restrict evdev, kbd, syscons, pci, console, devctl

show more ...

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

kernel - Make kprintf / kputchar more robust

* kprintf() via kputchar() can deadlock due to kprintf()s made from
Xinvltlb (which ignores critical sections). However, we still want
to be able to

kernel - Make kprintf / kputchar more robust

* kprintf() via kputchar() can deadlock due to kprintf()s made from
Xinvltlb (which ignores critical sections). However, we still want
to be able to dump diagnostic information from Xinvltlb!

* Adjust sccnputc() to use a non-blocking syscons lock.

* Adjust kputchar() to not issue a wakeup() on the console support
thread if called with mycpu->gd_intr_nesting_level != 0. To
compensate, the support thread now checks at a minimum rate of
once per second.

* Adjust kvcprintf() to always spin_trylock(), which means that
lines will be lost if multiple cpu's compete for the console
(but all lines will still wind up in the dmesg buffer). This
needs to be done to allow kprintf()s from Xinvltlb (which ignore
critical sections) to not deadlock the machine.

show more ...

i386 removal, part 70/x: Remove some i386 specific bits in the kernel.

syscons - Increase static buffer size for ttyv0.

* This allows the console on the EFI framebuffer to fill the whole screen
on "odd" resolutions. This only takes up slightly less than 12KB extra

syscons - Increase static buffer size for ttyv0.

* This allows the console on the EFI framebuffer to fill the whole screen
on "odd" resolutions. This only takes up slightly less than 12KB extra
space in the kernel binary size.

show more ...

kernel - Refactor tty clist code

* Remove all the old cruft, completely rewrite the clist code to use
a single linear buffer and a FIFO mechanism.

* The linear buffer just uses 16-bit elements in

kernel - Refactor tty clist code

* Remove all the old cruft, completely rewrite the clist code to use
a single linear buffer and a FIFO mechanism.

* The linear buffer just uses 16-bit elements in order to record
TTY_QUOTE along with the character.

* Fixes bug in last commit (lack of global locks around global clist
caches) by removing the cache entirely.

show more ...

kernel - Refactor tty_token, fix SMP performance issues

* Remove most uses of tty_token in favor of per-tty tp->t_token.
This is particularly important for removing bottlenecks related to PTYs,

kernel - Refactor tty_token, fix SMP performance issues

* Remove most uses of tty_token in favor of per-tty tp->t_token.
This is particularly important for removing bottlenecks related to PTYs,
which are used all over the place. tty_token remains in a few places
managing overall registration and global list manipulation.

* tty structures are now required to be persistent. Implement a sepearate
ttyinit() function. Continue to allow ttyregister() and ttyunregister()
calls, but these no longer presume destruction of the structure.

* Refactor ttymalloc() to take a **tty pointer and interlock allocations.
Allocations are intended to be one-time. ttymalloc() only requires the
tty_token for initial allocations.

* Remove all critical section use that was combined with tty_token and
tp->t_token. Leave only the tokens. The critical sections were
hold-overs going all the way back to pre-SMP days.

* syscons now gets its own token, vga_token. The ISA VGA code and
the framebuffer code also now use this token instead of tty_token.

* The keyboard subsystem now uses kbd_token instead of tty_token.

* A few remaining serial-like devices (snp, nmdm) also get their own
tokens, as well as use the now required tp->t_token.

* Remove use of tty_token in the session management code. This fixes
a niggling performance path since sessions almost universally go
hand-in-hand with fork/exec/exit sequences. Instead we use the
already-existing per-hash session token.

show more ...

Resolve some kernel option / .Cd mismatches.

* There is no WATCHDOG option. kern_wdog.c is compiled into the kernel
by default.

* SC_NO_PALETTE_LOADING was never a kernel option, so remove the

Resolve some kernel option / .Cd mismatches.

* There is no WATCHDOG option. kern_wdog.c is compiled into the kernel
by default.

* SC_NO_PALETTE_LOADING was never a kernel option, so remove the
associated #ifndefs.

* powernow(4) can't be compiled into the kernel

show more ...

kernel - Add support for MosChip PCIe serial com, and console support

* Add support for the MosChip PCIe serial com (brand is typically
'StarTech' 'Natikve PCI Express RS232 serial adapter card wi

kernel - Add support for MosChip PCIe serial com, and console support

* Add support for the MosChip PCIe serial com (brand is typically
'StarTech' 'Natikve PCI Express RS232 serial adapter card with
16550 UART'.

* Add late console support. Console operation works the same
way, set it up in /boot/loader.conf. Typically:

sio0.flags=0x00
sio4.flags=0x30
sio4.baud=115200
#set boot_serial="YES" <-- commented out, do not set this

Note that at the point a late-configured serial port
wants to become the console, syscons is probably already
the console, so you have to use flags 0x30 instead of
0x10 to force it to change the console.

* Note, you do not have to set boot_serial="YES", because it
won't really help since the adapter isn't accessible to the
boot loader or to the kernel until the PCIe device probes
in the middle of the boot sequence.

* The kernel now retests for consoles at the end of its normal
configuration sequence, which allows the now-available
sioN devices from PCIe card(s) to become the console.

* Remove syscons sccnterm() code that tried to undo the syscons
console designation. This code was never called in the past
because the system console couldn't actually change once
selected. But now it can, and the code completely blows up
syscons for numerous reasons. Just leave the console
designation intact from syscons's point of view (the main
system will be vectored elsewhere so syscons will simply
not receive new kernel console reads and writes).

* Add a siocntxwait() call before changing com parameters,
since we are potentially changing the baud rate here.

* Change how the SIO driver assigns baud rates for the console
to handle late-console configurations. Also, allow sio*.baud
variables in loader.conf to override the default com rate.

* Add entries for com5 and com6 to /etc/remote, and default to
a more reasonable baud rate of 115200.

show more ...

kernel: Include <sys/ttydefaults.h> where appropriate.

This is in preparation for moving <sys/termios.h> to <termios.h>.

syscons: Remove unused variable.

syscons - Fix NULL pointer access in 0d7c8a4d1cafae68239

syscons - Wait for drm modesetting at appropriate places.

* This avoids races between userland using DRM, and the drm modesetting
callbacks called by syscons.

* Always call the drm modesetting ca

syscons - Wait for drm modesetting at appropriate places.

* This avoids races between userland using DRM, and the drm modesetting
callbacks called by syscons.

* Always call the drm modesetting callback, when we are switching from a
virtual terminal that is in Graphics mode. Before that was skipped unless
we were switching to a virtual terminal that is in Text mode.
However with the framebuffer mmap-ing through syscons, it also makes sense
to use virtual terminals in Graphics mode, without going through drm. So
we have to make sure to restore the syscons framebuffer there as well.

show more ...

kernel - Fix syscons's visual bell

* The visual bell code was completely broken.

* Refactor the callout, and use the new callout_init_lk facility
to deal with races.

Reported-by: snurg

kernel: Remove use of deprecated "%r" radix format.

syscons - Skip drawing of the border, when switching to a graphics vty.

* When the target vty in a vty switch is in graphics mode, and we have
a dumb framebuffer (sc->fbi != NULL), we definitely d

syscons - Skip drawing of the border, when switching to a graphics vty.

* When the target vty in a vty switch is in graphics mode, and we have
a dumb framebuffer (sc->fbi != NULL), we definitely don't need to
call sc_set_border().

show more ...

syscons - Use COL and ROW #define constants.

syscons: Unbreak compile w/o splash

syscons - Partly implement FBIO_BLANK ioctl, for display powersaving.

* Only implement the parts relevant for display powersaving when a KMS
graphics driver is loaded. Adjust the existing V_DISPLA

syscons - Partly implement FBIO_BLANK ioctl, for display powersaving.

* Only implement the parts relevant for display powersaving when a KMS
graphics driver is loaded. Adjust the existing V_DISPLAY_* constant
definitions to match the corresponding definitions in FreeBSD.

show more ...

kernel - Get rid of old KDSETRAD keyboard ioctl, and some __i386__ kbd code.

* The KDSETREPEAT ioctl was implemented as a replacement more than 18 years
ago in 1999 (FreeBSD svn r44628).

syscons - Add minimal fbio support for "scfb" xorg driver with sc->fbi fb.

* At the moment there is no support for safely handling the case where
userspace has mapped the EFI framebuffer, and a dr

syscons - Add minimal fbio support for "scfb" xorg driver with sc->fbi fb.

* At the moment there is no support for safely handling the case where
userspace has mapped the EFI framebuffer, and a drm graphics driver is
loaded, that uses the same hardware as the EFI framebuffer.
(Either loading the drm(4) driver should be prevented in this case, or
the framebuffer should be forcibly unmapped from the userspace
application).

show more ...

kernel - Incidental MPLOCK removal (non-performance)

* Remove the MPLOCK in a ton of places that don't need it or can be
trivially tokenized or locked.

* Mostly non-performance adjustments, thoug

kernel - Incidental MPLOCK removal (non-performance)

* Remove the MPLOCK in a ton of places that don't need it or can be
trivially tokenized or locked.

* Mostly non-performance adjustments, though the X server does use
scmouse or sysmouse.

show more ...

syscons - Set cons_unavail when blanking framebuffer screen from syscons.

* This makes us treat panics while the screen is blanked in KMS mode
similar to panics while X is running. In both cases w

syscons - Set cons_unavail when blanking framebuffer screen from syscons.

* This makes us treat panics while the screen is blanked in KMS mode
similar to panics while X is running. In both cases we have no
possibility left to display the syscons console.

* This also sets the cons_unavail flag, when the KMS driver is unloaded
and the framebuffer console becomes unusable, until a new framebuffer
is registered for syscons (which will clear cons_unavail again).

show more ...

drm: Use fb_blank hooks from drm_fb_helper.c as a syscons screensaver.

* When the KMS framebuffer is registered in syscons, a screensaver is
registered in syscons, which uses the fb_blank callback

drm: Use fb_blank hooks from drm_fb_helper.c as a syscons screensaver.

* When the KMS framebuffer is registered in syscons, a screensaver is
registered in syscons, which uses the fb_blank callback (if provided
by the drm driver) for turning the display off.

* The syscons screensaver can be used by e.g. running "vidcontrol -t 30"
for a 30s "screensaver" timeout), or via the Shift-Pause shortcut (for
instantly enabling the "screensaver").

show more ...

syscons - Add need_unlock arg to sc_clean_up and sc_wait_scrn_saver_stop.

* This should fix issues with VT switching when the screen is blanked.