#
2b3f93ea |
| 13-Oct-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restricti
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailess security in the near future, and to optimize the priv_check code.
show more ...
|
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3 |
|
#
b8b9f56e |
| 07-Feb-2020 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Clean up memory leaks and a stack buffer disclosure bug
* Clean up memory leaks, a stack buffer disclosure bug, and a missing priv check in if_oce (which probably never attaches these d
kernel - Clean up memory leaks and a stack buffer disclosure bug
* Clean up memory leaks, a stack buffer disclosure bug, and a missing priv check in if_oce (which probably never attaches these days). All in the network subsystem.
Reported-by: Ilja van Sprundel
show more ...
|
#
c443c74f |
| 22-Oct-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
<net/if_var.h>: Remove last explicit dependency on <sys/malloc.h>.
These kernel sources pass M_NOWAIT flag to m_copym() and friends. Mark that it was for M_NOWAIT visibility.
|
Revision tags: v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4, v4.0.3 |
|
#
60a260ad |
| 07-Jan-2015 |
Sascha Wildner <saw@online.de> |
kernel: Remove our ancient SCTP support.
It was based on an early stage of FreeBSD's support and never got beyond that point, due to lack of usage and lack of maintenance.
It is also kind of standi
kernel: Remove our ancient SCTP support.
It was based on an early stage of FreeBSD's support and never got beyond that point, due to lack of usage and lack of maintenance.
It is also kind of standing the the way of ongoing work in the IPv6 stack by sephe.
If anyone ever wants to start again on upgrading and maintaining it, they can decide then if reverting this commit again makes sense as a base.
Requested-by: sephe Approved-by: dillon
show more ...
|
Revision tags: v4.0.2 |
|
#
26595b18 |
| 28-Nov-2014 |
Sascha Wildner <saw@online.de> |
kernel: Use the new auto-created sysctl ctx/tree in various drivers.
Everywhere where we formerly rolled a hw.fooX.* per-device ctx/tree ourselves.
This commit switches it to dev.foo.X.*
|
Revision tags: v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3 |
|
#
c976b08e |
| 13-Jul-2013 |
Sascha Wildner <saw@online.de> |
kernel/oce: Sync oce(4) driver with FreeBSD.
An update by Emulex. Most notably, it adds support for Skyhawk adapters.
The port to DragonFly wasn't tested on a Skyhawk but looks like it should just
kernel/oce: Sync oce(4) driver with FreeBSD.
An update by Emulex. Most notably, it adds support for Skyhawk adapters.
The port to DragonFly wasn't tested on a Skyhawk but looks like it should just work[tm].
Thanks to Mihai Carabas for testing it on a BladeEngine 3 to see that I didn't break anything which previously worked.
Taken-from: FreeBSD
show more ...
|
#
229aec1c |
| 01-Jul-2013 |
Sascha Wildner <saw@online.de> |
kernel/netif: Bring in the oce(4) driver for Emulex OneConnect 10Gb NICs.
According to the manual page, it supports:
* Emulex BladeEngine 2 * Emulex BladeEngine 3 * Emulex Lancer
It seems to be in
kernel/netif: Bring in the oce(4) driver for Emulex OneConnect 10Gb NICs.
According to the manual page, it supports:
* Emulex BladeEngine 2 * Emulex BladeEngine 3 * Emulex Lancer
It seems to be in solid shape, but some features remain yet unported (such as MSI-X support). Also, the module is named 'if_oce.ko' in DragonFly (like it is with all other network drivers) instead of 'oce.ko' like in FreeBSD.
The driver was tested by Mihai Carabas with a BladeEngine 3 adapter.
Taken-from: FreeBSD Additional-clue-by: sephe
show more ...
|