kernel - Add per-process capability-based restrictions* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restricti
kernel - Add per-process capability-based restrictions* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed. Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)* Add sys/caps.h* Add the "setcaps" userland utility and manual page.* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.* The intention is to add path restriction lists and similar features to improve jailess security in the near future, and to optimize the priv_check code.
show more ...
PRIV: Missed a removal
PRIV: Handle libpanel and libzstd in case it is needed
Fix a typo in a locale upgrade script.
Fix typo in various licenses: merchantibility -> merchantability
Fix several typos in calendars, READMEs and other files.
tools/udpecho: Add command line option to prevent REUSEPORT.
test/netperf: Fix "clobbered" warning.
tools/tools/README: briefly describe chkldd
tools/tools/README: Clean up a bit.
Add sanity check to "remove-deprecated-files" target.Import helper awk script to detect objects linked to particularlibrary.Separate the check to a new target "check-deprecated-files" inetc/Mak
Add sanity check to "remove-deprecated-files" target.Import helper awk script to detect objects linked to particularlibrary.Separate the check to a new target "check-deprecated-files" inetc/Makefile and utilize the script to report libraries that arestill in use.Default is to check directories under /usr/local/. Additional placesto search may be specified via CHECK_DEPRECATED_DIRS variable, like: make CHECK_DEPRECATED_DIRS="/opt/lib /opt/bin" upgradeSuggested and reviewed by: Sascha Wildner
drm: Remove the gen-drm_pciids scriptAll drm drivers now directly use Linux PCI IDs descriptions
tools/wesside: Update to use /dev/tap directlyUse the autocloner /dev/tap instead of relying upon pre-created (andhard-coded) /dev/tap3.
Use NULL for pointers in tools/usbtest too (forgotten in last commit).
tools/toeplitz: Provide NBBY fallback.
<sys/time.h>: Add 3rd arg to timespecadd()/sub() and make them public.* Switch to the three argument versions of the timespecadd() and timespecsub() macros. These are now the predominant ones. Fr
<sys/time.h>: Add 3rd arg to timespecadd()/sub() and make them public.* Switch to the three argument versions of the timespecadd() and timespecsub() macros. These are now the predominant ones. FreeBSD, OpenBSD, NetBSD, and Solaris (albeit only for the kernel) have them.* Make those macros public too. This allows for a number of cleanups where they were defined locally.Pointed-out-by: zrjReviewed-by: dillon
kernel/drm: Various cleanups.* Change further references for the radeonkms.ko -> radeon.ko renaming.* Remove no longer needed iicbus_if.h from Makefile.* Cleanup radeon Makefile.
PRIV: Handle histedit.h in unpriv_base.sh
PRIV: Add helper tool.To speed up vendor updates.
GC: Remove old clang 3.8 that required extern sources. In preparations for libc++ import.
Remove IPsec and related code from the system.It was unmaintained ever since we inherited it from FreeBSD 4.8.In fact, we had two implementations from that time: IPSEC and FAST_IPSEC.FAST_IPSEC
Remove IPsec and related code from the system.It was unmaintained ever since we inherited it from FreeBSD 4.8.In fact, we had two implementations from that time: IPSEC and FAST_IPSEC.FAST_IPSEC is the implementation to which FreeBSD has moved since, butit didn't even build in DragonFly.Fixes for dports have been committed to DeltaPorts.Requested-by: dillonDports-testing-and-fixing: zrj
tools/w00t: Fix double assignment.
Normalize libcrypto and libssl DPADD variable names and adjust Makefiles.
s/NO_MAN/NOMAN/ in various Makefiles.
Simplify some Makefiles.If there is just one source file that is named ${PROG}.c, SRCS doesnot need to be set.
12345678910