#
2b3f93ea |
| 13-Oct-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restricti
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailess security in the near future, and to optimize the priv_check code.
show more ...
|
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3 |
|
#
b8b9f56e |
| 07-Feb-2020 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Clean up memory leaks and a stack buffer disclosure bug
* Clean up memory leaks, a stack buffer disclosure bug, and a missing priv check in if_oce (which probably never attaches these d
kernel - Clean up memory leaks and a stack buffer disclosure bug
* Clean up memory leaks, a stack buffer disclosure bug, and a missing priv check in if_oce (which probably never attaches these days). All in the network subsystem.
Reported-by: Ilja van Sprundel
show more ...
|
Revision tags: v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
eb67213a |
| 26-Mar-2019 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Rewrite the callout_*() API
* Rewrite the entire API from scratch and improve compatibility with FreeBSD. This is not an attempt to achieve full API compatibility, as FreeBSD's API has
kernel - Rewrite the callout_*() API
* Rewrite the entire API from scratch and improve compatibility with FreeBSD. This is not an attempt to achieve full API compatibility, as FreeBSD's API has unnecessary complexity that coders would frequently make mistakes interpreting.
* Remove the IPI mechanisms in favor of fine-grained spin-locks instead.
* Add some robustness features in an attempt to track down corrupted callwheel lists due to originating subsystems freeing structures out from under an active callout.
* The code supports a full-blown type-stable/adhoc-reuse structural separation between the front-end and the back-end, but this feature is currently not operational and may be removed at some future point. Instead we currently just embed the struct _callout inside the struct callout.
* Replace callout_stop_sync() with callout_cancel().
* callout_drain() is now implemented as a synchronous cancel instead of an asynchronous stop, which is closer to the FreeBSD API and expected operation for ported code (usb stack in particular). We will just have to fix any deadlocks which we come across.
* Retain our callout_terminate() function as the 'better' way to stop using a callout, as it will not only cancel the callout but also de-flag the structure so it can no longer be used.
show more ...
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc |
|
#
0644d75b |
| 31-Jan-2018 |
zrj <rimvydas.jasinskas@gmail.com> |
kernel/netif: Avoid empty if/else bodies.
|
#
680f56fe |
| 13-Jan-2018 |
Sascha Wildner <saw@online.de> |
kernel: Fix some -Wundef warnings in oce(4) and mps(4).
__FreeBSD_version is not defined in DragonFly, so make it clearer which path we take.
|
Revision tags: v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1 |
|
#
14929979 |
| 25-Jul-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
netif: Configure mbuf clusters/jclusters limits
Default mbuf clusters limit work for most of the network device drivers. The drivers modified by this commit: - Use mbuf jclusters. - Size of the rec
netif: Configure mbuf clusters/jclusters limits
Default mbuf clusters limit work for most of the network device drivers. The drivers modified by this commit: - Use mbuf jclusters. - Size of the reception queues could be configured. - Support multiple reception queues.
et(4) and mxge(4) are special; they use non-cluster mbuf for small packets reception, so we adjust non-cluster mbuf limit manually in these two drivers.
show more ...
|
Revision tags: v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4 |
|
#
b5523eac |
| 19-Feb-2015 |
Sascha Wildner <saw@online.de> |
kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.
The main reason is that our having to use the MB_WAIT and MB_DONTWAIT flags was a recurring issue when porting drivers from FreeBSD
kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.
The main reason is that our having to use the MB_WAIT and MB_DONTWAIT flags was a recurring issue when porting drivers from FreeBSD because it tended to get forgotten and the code would compile anyway with the wrong constants. And since MB_WAIT and MB_DONTWAIT ended up as ocflags for an objcache_get() or objcache_reclaimlist call (which use M_WAITOK and M_NOWAIT), it was just one big converting back and forth with some sanitization in between.
This commit allows M_* again for the mbuf functions and keeps the sanitizing as it was before: when M_WAITOK is among the passed flags, objcache functions will be called with M_WAITOK and when it is absent, they will be called with M_NOWAIT. All other flags are scrubbed by the MB_OCFLAG() macro which does the same as the former MBTOM().
Approved-by: dillon
show more ...
|
Revision tags: v4.0.3, v4.0.2 |
|
#
92ff3983 |
| 22-Dec-2014 |
Sascha Wildner <saw@online.de> |
kernel: Don't confuse kmalloc() and mbuf flags.
|
#
26595b18 |
| 28-Nov-2014 |
Sascha Wildner <saw@online.de> |
kernel: Use the new auto-created sysctl ctx/tree in various drivers.
Everywhere where we formerly rolled a hw.fooX.* per-device ctx/tree ourselves.
This commit switches it to dev.foo.X.*
|
Revision tags: v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0 |
|
#
3a25be87 |
| 07-Sep-2014 |
Sascha Wildner <saw@online.de> |
kernel: Use NULL for pointers in DRIVER_MODULE().
|
Revision tags: v3.8.2 |
|
#
73029d08 |
| 29-Jun-2014 |
Franco Fichtner <franco@lastsummer.de> |
kernel: make pktinfo and cpuid native to ip_input()
In order to remove ether_input_pkt(), switch the prototype of if_input() and adjust all callers. While there, consolidate the style of the invoke
kernel: make pktinfo and cpuid native to ip_input()
In order to remove ether_input_pkt(), switch the prototype of if_input() and adjust all callers. While there, consolidate the style of the invoke.
Suggested and reviewed by: sephe
show more ...
|
Revision tags: v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3 |
|
#
0552df75 |
| 22-Jul-2013 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
oce: Don't clear M_PKTHDR when create mbuf chain
|
#
c976b08e |
| 13-Jul-2013 |
Sascha Wildner <saw@online.de> |
kernel/oce: Sync oce(4) driver with FreeBSD.
An update by Emulex. Most notably, it adds support for Skyhawk adapters.
The port to DragonFly wasn't tested on a Skyhawk but looks like it should just
kernel/oce: Sync oce(4) driver with FreeBSD.
An update by Emulex. Most notably, it adds support for Skyhawk adapters.
The port to DragonFly wasn't tested on a Skyhawk but looks like it should just work[tm].
Thanks to Mihai Carabas for testing it on a BladeEngine 3 to see that I didn't break anything which previously worked.
Taken-from: FreeBSD
show more ...
|
#
d1cb63e7 |
| 01-Jul-2013 |
Sascha Wildner <saw@online.de> |
kernel/oce: Fix wrong maxsegs argument for bus_dmamap_load_mbuf_segment().
Mindlessly introduced by me after it was tested by Mihai and led to a panic.
I had misunderstood a comment by sephe. OCE_M
kernel/oce: Fix wrong maxsegs argument for bus_dmamap_load_mbuf_segment().
Mindlessly introduced by me after it was tested by Mihai and led to a panic.
I had misunderstood a comment by sephe. OCE_MAX_TX_ELEMENTS is (as the name implies) just for the tx path.
Reported-by: Mihai Carabas <mihai.carabas@gmail.com>
show more ...
|
#
229aec1c |
| 01-Jul-2013 |
Sascha Wildner <saw@online.de> |
kernel/netif: Bring in the oce(4) driver for Emulex OneConnect 10Gb NICs.
According to the manual page, it supports:
* Emulex BladeEngine 2 * Emulex BladeEngine 3 * Emulex Lancer
It seems to be in
kernel/netif: Bring in the oce(4) driver for Emulex OneConnect 10Gb NICs.
According to the manual page, it supports:
* Emulex BladeEngine 2 * Emulex BladeEngine 3 * Emulex Lancer
It seems to be in solid shape, but some features remain yet unported (such as MSI-X support). Also, the module is named 'if_oce.ko' in DragonFly (like it is with all other network drivers) instead of 'oce.ko' like in FreeBSD.
The driver was tested by Mihai Carabas with a BladeEngine 3 adapter.
Taken-from: FreeBSD Additional-clue-by: sephe
show more ...
|