PERFORCE change 104982 for review
Robert Watson
rwatson at FreeBSD.org
Thu Aug 24 20:02:55 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104982
Change 104982 by rwatson at rwatson_zoo on 2006/08/24 20:00:39
Integrate TrustedBSD base branch from FreeBSD CVS:
- Loop back audit pipe kqueue support.
Affected files ...
.. //depot/projects/trustedbsd/base/Makefile.inc1#77 integrate
.. //depot/projects/trustedbsd/base/gnu/usr.bin/Makefile#18 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#107 integrate
.. //depot/projects/trustedbsd/base/sbin/fsdb/fsdb.8#12 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/fast_ipsec.4#5 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/ipsec.4#4 integrate
.. //depot/projects/trustedbsd/base/share/mk/bsd.port.mk#4 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#50 integrate
.. //depot/projects/trustedbsd/base/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/netgraph/ng_fec.c#16 integrate
.. //depot/projects/trustedbsd/base/sys/security/audit/audit_pipe.c#6 integrate
Differences ...
==== //depot/projects/trustedbsd/base/Makefile.inc1#77 (text+ko) ====
@@ -1,5 +1,5 @@
#
-# $FreeBSD: src/Makefile.inc1,v 1.553 2006/08/22 07:51:05 ru Exp $
+# $FreeBSD: src/Makefile.inc1,v 1.554 2006/08/24 17:02:26 imp Exp $
#
# Make command line options:
# -DNO_CLEANDIR run ${MAKE} clean, instead of ${MAKE} cleandir
@@ -1032,8 +1032,9 @@
.for _lib in ${_startup_libs} ${_prebuild_libs:Nlib/libpam} ${_generic_libs}
${_lib}__L: .PHONY
.if exists(${.CURDIR}/${_lib})
- ${_+_}@${ECHODIR} "===> ${_lib} (depend,all,install)"; \
+ ${_+_}@${ECHODIR} "===> ${_lib} (obj,depend,all,install)"; \
cd ${.CURDIR}/${_lib}; \
+ ${MAKE} DIRPRFX=${_lib}/ obj; \
${MAKE} DIRPRFX=${_lib}/ depend; \
${MAKE} DIRPRFX=${_lib}/ all; \
${MAKE} DIRPRFX=${_lib}/ install
@@ -1044,8 +1045,9 @@
# static PAM library, and dynamic PAM library before dynamic PAM
# modules.
lib/libpam__L: .PHONY
- ${_+_}@${ECHODIR} "===> lib/libpam (depend,all,install)"; \
+ ${_+_}@${ECHODIR} "===> lib/libpam (obj,depend,all,install)"; \
cd ${.CURDIR}/lib/libpam; \
+ ${MAKE} DIRPRFX=lib/libpam/ obj; \
${MAKE} DIRPRFX=lib/libpam/ depend; \
${MAKE} DIRPRFX=lib/libpam/ -D_NO_LIBPAM_SO_YET all; \
${MAKE} DIRPRFX=lib/libpam/ -D_NO_LIBPAM_SO_YET install
==== //depot/projects/trustedbsd/base/gnu/usr.bin/Makefile#18 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/gnu/usr.bin/Makefile,v 1.89 2006/08/21 18:25:43 marcel Exp $
+# $FreeBSD: src/gnu/usr.bin/Makefile,v 1.90 2006/08/24 15:46:29 marcel Exp $
.include <bsd.own.mk>
@@ -24,7 +24,7 @@
sort \
${_texinfo}
-.if ${MACHINE_ARCH} == "arm" || ${MACHINE_ARCH} == "powerpc"
+.if ${MACHINE_ARCH} == "arm"
MK_GDB= no # not yet
.endif
==== //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#107 (text+ko) ====
@@ -3,7 +3,7 @@
<corpauthor>The &os; Project</corpauthor>
- <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.963 2006/08/23 03:42:36 gshapiro Exp $</pubdate>
+ <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.964 2006/08/24 14:45:56 bmah Exp $</pubdate>
<copyright>
<year>2000</year>
@@ -350,9 +350,9 @@
implemented.</para>
<para>&os; now runs on the Xbox, whose architecture is nearly identical
- to the i386. For details of the latest development,
- see <ulink url="http://www.FreeBSD.org/platforms/xbox.html"></ulink>
- and <ulink url="http://xbox-bsd.nl"></ulink>.</para>
+ to the i386. For details of the latest development, see
+ <ulink url="http://www.FreeBSD.org/platforms/xbox.html"></ulink>.
+ &merged; </para>
<sect3 id="boot">
<title>Boot Loader Changes</title>
@@ -767,6 +767,13 @@
for example, by using <literal>tagged</literal>
rule option. For more details, see &man.ipfw.8;.</para>
+ <para>The <literal>IPFIREWALL_FORWARD_EXTENDED</literal> kernel
+ option has been removed. This option was used to permit
+ &man.ipfw.4; to redirect packets with local destinations.
+ This behavior is now always enabled when
+ the <literal>IPFIREWALL_FORWARD</literal> kernel option is
+ enabled. &merged;</para>
+
<para>The ip6fw(8) packet filter has been removed. Since &man.ipfw.4; has gained
IPv6 support, it should be used instead. Please note that some rules might need
to be adjusted.</para>
@@ -1084,6 +1091,10 @@
flag, which causes it to ignore files and directories with
the <literal>nodump</literal> flag set. &merged;</para>
+ <para>The &man.fsdb.8; utility now supports changing the birth
+ time of files on UFS2 file systems using the new
+ the <literal>btime</literal> command.</para>
+
<para>The &man.find.1; program now supports <option>-Btime</option>
and other related primaries, which can be used to create expressions
based on a file's creation time. &merged;</para>
@@ -1557,7 +1568,7 @@
&merged;</para>
<para><application>IPFilter</application> has been updated from
- 4.1.8 to 4.1.13.</para>
+ 4.1.8 to 4.1.13. &merged;</para>
<para><application>less</application> has been updated from v381
to v394.</para>
==== //depot/projects/trustedbsd/base/sbin/fsdb/fsdb.8#12 (text+ko) ====
@@ -26,9 +26,9 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/sbin/fsdb/fsdb.8,v 1.30 2006/08/23 22:44:00 ceri Exp $
+.\" $FreeBSD: src/sbin/fsdb/fsdb.8,v 1.31 2006/08/24 09:14:02 ceri Exp $
.\"
-.Dd August 23, 2006
+.Dd August 24, 2006
.Dt FSDB 8
.Os
.Sh NAME
@@ -224,6 +224,9 @@
or
.Va atimensec
field will be set to zero.
+Note that
+.Cm btime
+is available on UFS2 file systems only.
.Pp
.It Cm quit , q , exit , Em <EOF>
Exit the program.
==== //depot/projects/trustedbsd/base/share/man/man4/fast_ipsec.4#5 (text+ko) ====
@@ -22,9 +22,9 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/share/man/man4/fast_ipsec.4,v 1.4 2006/06/26 22:30:07 thompsa Exp $
+.\" $FreeBSD: src/share/man/man4/fast_ipsec.4,v 1.5 2006/08/24 17:07:19 danger Exp $
.\"
-.Dd January 20, 2003
+.Dd August 24, 2006
.Dt FAST_IPSEC 4
.Os
.Sh NAME
@@ -32,6 +32,7 @@
.Nd hardware-accelerated IP Security Protocols
.Sh SYNOPSIS
.Cd "options FAST_IPSEC"
+.Cd "options IPSEC_FILTERGIF"
.Cd "device crypto"
.Pp
.Bl -item -compact
@@ -69,6 +70,11 @@
The user should refer to
.Xr ipsec 4
for basic information on setting up and using these protocols.
+Note that it is not currently possible to use
+.Nm
+in conjuction with the
+.Tn "KAME IPsec"
+implementation.
.Pp
System configuration requires the
.Xr crypto 4
@@ -83,6 +89,12 @@
.Dq enc0 ,
to perform packet filtering before outbound encryption and after decapsulation
inbound.
+.Pp
+To properly filter
+.Xr gif 4
+tunnels with firewalls, add
+.Cd "options IPSEC_FILTERGIF"
+to the kernel configuration file.
.Sh DIAGNOSTICS
To be added.
.Sh SEE ALSO
==== //depot/projects/trustedbsd/base/share/man/man4/ipsec.4#4 (text+ko) ====
@@ -27,9 +27,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.18 2006/02/14 13:20:09 gnn Exp $
+.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.19 2006/08/24 17:07:19 danger Exp $
.\"
-.Dd February 14, 2006
+.Dd August 24, 2006
.Dt IPSEC 4
.Os
.Sh NAME
@@ -39,6 +39,10 @@
.In sys/types.h
.In netinet/in.h
.In netinet6/ipsec.h
+.Cd "options IPSEC"
+.Cd "options IPSEC_DEBUG"
+.Cd "options IPSEC_ESP"
+.Cd "options IPSEC_FILTERGIF"
.Sh DESCRIPTION
.Nm
is a security protocol implemented within the Internet Protocol layer
@@ -253,6 +257,7 @@
.Xr ioctl 2 ,
.Xr socket 2 ,
.Xr ipsec_set_policy 3 ,
+.Xr fast_ipsec 4 ,
.Xr icmp6 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
==== //depot/projects/trustedbsd/base/share/mk/bsd.port.mk#4 (text+ko) ====
@@ -1,7 +1,10 @@
-# $FreeBSD: src/share/mk/bsd.port.mk,v 1.307 2004/07/02 20:47:18 eik Exp $
+# $FreeBSD: src/share/mk/bsd.port.mk,v 1.308 2006/08/24 18:04:49 obrien Exp $
PORTSDIR?= /usr/ports
BSDPORTMK?= ${PORTSDIR}/Mk/bsd.port.mk
+# Needed to keep bsd.own.mk from reading in /etc/src.conf when building ports.
+SRCCONF= /dev/null
+
.include <bsd.own.mk>
.include "${BSDPORTMK}"
==== //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#50 (text+ko) ====
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.228 2006/06/27 14:46:31 jhb Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.229 2006/08/24 18:52:28 marius Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -693,14 +693,13 @@
if (errmsg_pos != -1 && ((2 * errmsg_pos + 1) < fsoptions->uio_iovcnt)
&& errmsg_len > 0 && errmsg != NULL) {
if (fsoptions->uio_segflg == UIO_SYSSPACE) {
- strncpy(fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base,
- errmsg,
+ bcopy(errmsg,
+ fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base,
fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len);
} else {
- copystr(errmsg,
+ copyout(errmsg,
fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base,
- fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len,
- NULL);
+ fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len);
}
}
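Review bot: Both new copies take their length from `iov_len` of the caller-supplied iovec, while the guard two lines above the `if (fsoptions->uio_segflg == UIO_SYSSPACE)` only tests `errmsg_len > 0`, so the number of bytes read out of `errmsg` is not tied to the length that describes the buffer `errmsg` points at. If `errmsg_len` is by construction the same value, a one-line comment saying so would settle it; otherwise bounding the copy with `MIN(errmsg_len, fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len)` in both branches removes the dependency. The `copyout()` return value is dropped, which is presumably deliberate because the function is already reporting a mount error, but that too deserves a short comment. The enclosing function starts and ends outside this hunk.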
==== //depot/projects/trustedbsd/base/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#14 (text+ko) ====
@@ -28,7 +28,7 @@
* SUCH DAMAGE.
*
* $Id: ng_btsocket_rfcomm.c,v 1.28 2003/09/14 23:29:06 max Exp $
- * $FreeBSD: src/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c,v 1.22 2006/07/24 15:20:07 rwatson Exp $
+ * $FreeBSD: src/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c,v 1.23 2006/08/24 16:51:02 emax Exp $
*/
#include <sys/param.h>
@@ -1220,7 +1220,8 @@
ng_btsocket_rfcomm_session_p s = NULL;
struct sockaddr_l2cap l2sa;
struct sockopt l2sopt;
- int mtu, error;
+ int error;
+ u_int16_t mtu;
mtx_assert(&ng_btsocket_rfcomm_sessions_mtx, MA_OWNED);
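Review bot: The new `u_int16_t mtu;` declaration gives no hint why the type was narrowed from `int`; the use site is outside this hunk, and the likely reason is that the variable is filled in by a socket option whose value is 16 bits wide, though that cannot be confirmed from here. If that is the case, a comment on the declaration such as `/* must match the width of the L2CAP MTU socket option */` would stop a later cleanup from widening it back to `int`. The enclosing function starts and ends outside this hunk.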
==== //depot/projects/trustedbsd/base/sys/netgraph/ng_fec.c#16 (text+ko) ====
@@ -34,7 +34,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*
- * $FreeBSD: src/sys/netgraph/ng_fec.c,v 1.26 2005/11/11 16:04:57 ru Exp $
+ * $FreeBSD: src/sys/netgraph/ng_fec.c,v 1.27 2006/08/24 19:50:00 ru Exp $
*/
/*-
* Copyright (c) 1996-1999 Whistle Communications, Inc.
@@ -1093,6 +1093,7 @@
char ifname[NG_FEC_FEC_NAME_MAX + 1];
struct ifnet *ifp;
priv_p priv;
+ const uint8_t eaddr[ETHER_ADDR_LEN] = {0, 0, 0, 0, 0, 0};
struct ng_fec_bundle *b;
int error = 0;
@@ -1143,7 +1144,7 @@
log(LOG_WARNING, "%s: can't acquire netgraph name\n", ifname);
/* Attach the interface */
- ether_ifattach(ifp, IF_LLADDR(priv->ifp));
+ ether_ifattach(ifp, eaddr);
callout_handle_init(&priv->fec_ch);
/* Override output method with our own */
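Review bot: `ether_ifattach(ifp, eaddr)` now registers the bundle interface with an all-zero link-layer address (declared in the preceding hunk of this file), and neither hunk says where the real address will come from. Presumably it is assigned once a port joins the bundle, but a reader of this constructor cannot tell; a comment at the `eaddr` declaration, e.g. `/* Attach with a zero MAC; the bundle takes its address from its first port. */`, would record the intent, assuming that is what the rest of the file does. The enclosing function starts and ends outside both hunks.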
==== //depot/projects/trustedbsd/base/sys/security/audit/audit_pipe.c#6 (text) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.7 2006/06/05 14:48:17 rwatson Exp $
+ * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.8 2006/08/24 17:42:38 rwatson Exp $
*/
#include <sys/param.h>
@@ -172,6 +172,7 @@
static d_read_t audit_pipe_read;
static d_ioctl_t audit_pipe_ioctl;
static d_poll_t audit_pipe_poll;
+static d_kqfilter_t audit_pipe_kqfilter;
static struct cdevsw audit_pipe_cdevsw = {
.d_version = D_VERSION,
@@ -181,9 +182,20 @@
.d_read = audit_pipe_read,
.d_ioctl = audit_pipe_ioctl,
.d_poll = audit_pipe_poll,
+ .d_kqfilter = audit_pipe_kqfilter,
.d_name = AUDIT_PIPE_NAME,
};
+static int audit_pipe_kqread(struct knote *note, long hint);
+static void audit_pipe_kqdetach(struct knote *note);
+
+static struct filterops audit_pipe_read_filterops = {
+ .f_isfd = 1,
+ .f_attach = NULL,
+ .f_detach = audit_pipe_kqdetach,
+ .f_event = audit_pipe_kqread,
+};
+
/*
* Some global statistics on audit pipes.
*/
@@ -425,6 +437,7 @@
ap->ap_inserts++;
ap->ap_qlen++;
selwakeuppri(&ap->ap_selinfo, PSOCK);
+ KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
if (ap->ap_flags & AUDIT_PIPE_ASYNC)
pgsigio(&ap->ap_sigio, SIGIO, 0);
}
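Review bot: `KNOTE_LOCKED()` on the added line requires the knlist's lock to be held, and the knlist for `ap_selinfo.si_note` is initialised with `&audit_pipe_mtx` in the +533 hunk below, so this call is only correct if the enclosing function already runs with `audit_pipe_mtx` held. The function starts outside this hunk, so that cannot be confirmed here; if it does not already begin with `mtx_assert(&audit_pipe_mtx, MA_OWNED);`, adding that assertion would document the locking requirement the new call introduces and catch any future caller that breaks it.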
@@ -520,6 +533,8 @@
return (NULL);
ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
TAILQ_INIT(&ap->ap_queue);
+ knlist_init(&ap->ap_selinfo.si_note, &audit_pipe_mtx, NULL, NULL,
+ NULL);
/*
* Default flags, naflags, and auid-specific preselection settings to
@@ -533,6 +548,9 @@
TAILQ_INIT(&ap->ap_preselect_list);
ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
+ /*
+ * Add to global list and update global statistics.
+ */
TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
audit_pipe_count++;
audit_pipe_ever++;
@@ -572,6 +590,7 @@
audit_pipe_preselect_flush_locked(ap);
audit_pipe_flush(ap);
+ knlist_destroy(&ap->ap_selinfo.si_note);
TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
free(ap, M_AUDIT_PIPE);
audit_pipe_count--;
@@ -946,6 +965,71 @@
}
/*
+ * Audit pipe kqfilter.
+ */
+static int
+audit_pipe_kqfilter(struct cdev *dev, struct knote *kn)
+{
+ struct audit_pipe *ap;
+
+ ap = dev->si_drv1;
+ KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL"));
+
+ if (kn->kn_filter != EVFILT_READ)
+ return (EINVAL);
+
+ kn->kn_fop = &audit_pipe_read_filterops;
+ kn->kn_hook = ap;
+
+ mtx_lock(&audit_pipe_mtx);
+ knlist_add(&ap->ap_selinfo.si_note, kn, 1);
+ mtx_unlock(&audit_pipe_mtx);
+ return (0);
+}
+
+/*
+ * Return true if there are records available for reading on the pipe.
+ */
+static int
+audit_pipe_kqread(struct knote *kn, long hint)
+{
+ struct audit_pipe_entry *ape;
+ struct audit_pipe *ap;
+
+ mtx_assert(&audit_pipe_mtx, MA_OWNED);
+
+ ap = (struct audit_pipe *)kn->kn_hook;
+ KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL"));
+
+ if (ap->ap_qlen != 0) {
+ ape = TAILQ_FIRST(&ap->ap_queue);
+ KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL"));
+
+ kn->kn_data = ape->ape_record_len;
+ return (1);
+ } else {
+ kn->kn_data = 0;
+ return (0);
+ }
+}
+
+/*
+ * Detach kqueue state from audit pipe.
+ */
+static void
+audit_pipe_kqdetach(struct knote *kn)
+{
+ struct audit_pipe *ap;
+
+ ap = (struct audit_pipe *)kn->kn_hook;
+ KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL"));
+
+ mtx_lock(&audit_pipe_mtx);
+ knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
+ mtx_unlock(&audit_pipe_mtx);
+}
+
+/*
* Initialize the audit pipe system.
*/
static void
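Review bot: The forward declarations added in the +182 hunk name the knote parameter `note` while the definitions here call it `kn`; keeping them identical, `static int audit_pipe_kqread(struct knote *kn, long hint);` and `static void audit_pipe_kqdetach(struct knote *kn);`, avoids the mismatch. The header comment on `audit_pipe_kqfilter` could also state what the code shows: only `EVFILT_READ` is accepted (anything else returns `EINVAL`), and the knote is added to `ap_selinfo.si_note` with `audit_pipe_mtx` held. In `audit_pipe_kqread`, `kn_data` is set to the length of the first queued record only, not the total bytes queued; a comment such as `/* Report the size of the next record, not the whole queue. */` above the assignment would save a reader from assuming it is a queue total.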