hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-21 18:50:50 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'freebsd/current/main' into hardened/current/master

Browse Source
This commit is contained in:
HardenedBSD Sync Services 2024-11-18 06:01:18 -07:00
commit f58581c140
No known key found for this signature in database
7 changed files with 498 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bin/ps/ps.1
View File

@ -377,7 +377,7 @@ the include file
.It Dv "P2_PROTMAX_ENABLE" Ta No "0x00000200" Ta "Force enable implied PROT_MAX" .It Dv "P2_PROTMAX_ENABLE" Ta No "0x00000200" Ta "Force enable implied PROT_MAX"
.It Dv "P2_PROTMAX_DISABLE" Ta No "0x00000400" Ta "Force disable implied PROT_MAX" .It Dv "P2_PROTMAX_DISABLE" Ta No "0x00000400" Ta "Force disable implied PROT_MAX"
.It Dv "P2_STKGAP_DISABLE" Ta No "0x00000800" Ta "Disable stack gap for MAP_STACK" .It Dv "P2_STKGAP_DISABLE" Ta No "0x00000800" Ta "Disable stack gap for MAP_STACK"
.It Dv "P2_STKGAP_DISABLE_EXEC" Ta No " 0x00001000" Ta "Stack gap disabled after exec" .It Dv "P2_STKGAP_DISABLE_EXEC" Ta No "0x00001000" Ta "Stack gap disabled after exec"
.It Dv "P2_ITSTOPPED" Ta No "0x00002000" Ta "itimers stopped (as part of process stop)" .It Dv "P2_ITSTOPPED" Ta No "0x00002000" Ta "itimers stopped (as part of process stop)"
.It Dv "P2_PTRACEREQ" Ta No "0x00004000" Ta "Active ptrace req" .It Dv "P2_PTRACEREQ" Ta No "0x00004000" Ta "Active ptrace req"
.It Dv "P2_NO_NEW_PRIVS" Ta No "0x00008000" Ta "Ignore setuid on exec" .It Dv "P2_NO_NEW_PRIVS" Ta No "0x00008000" Ta "Ignore setuid on exec"

26
sys/netpfil/pf/pflow.c
View File

@ -26,6 +26,7 @@
#include <sys/callout.h> #include <sys/callout.h>
#include <sys/endian.h> #include <sys/endian.h>
#include <sys/interrupt.h> #include <sys/interrupt.h>
#include <sys/jail.h>
#include <sys/kernel.h> #include <sys/kernel.h>
#include <sys/malloc.h> #include <sys/malloc.h>
#include <sys/module.h> #include <sys/module.h>
@ -184,15 +185,28 @@ vnet_pflowattach(void)
VNET_SYSINIT(vnet_pflowattach, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY, VNET_SYSINIT(vnet_pflowattach, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY,
vnet_pflowattach, NULL); vnet_pflowattach, NULL);
static void static int
vnet_pflowdetach(void) pflow_jail_remove(void *obj, void *data __unused)
{ {
#ifdef VIMAGE
const struct prison *pr = obj;
#endif
struct pflow_softc *sc; struct pflow_softc *sc;
CURVNET_SET(pr->pr_vnet);
CK_LIST_FOREACH(sc, &V_pflowif_list, sc_next) { CK_LIST_FOREACH(sc, &V_pflowif_list, sc_next) {
pflow_destroy(sc->sc_id, false); pflow_destroy(sc->sc_id, false);
} }
CURVNET_RESTORE();
return (0);
}
static void
vnet_pflowdetach(void)
{
/* Should have been done by pflow_jail_remove() */
MPASS(CK_LIST_EMPTY(&V_pflowif_list)); MPASS(CK_LIST_EMPTY(&V_pflowif_list));
delete_unrhdr(V_pflow_unr); delete_unrhdr(V_pflow_unr);
mtx_destroy(&V_pflowif_list_mtx); mtx_destroy(&V_pflowif_list_mtx);
@ -1776,6 +1790,8 @@ static const struct nlhdr_parser *all_parsers[] = {
&set_parser, &set_parser,
}; };
static unsigned pflow_do_osd_jail_slot;
static int static int
pflow_init(void) pflow_init(void)
{ {
@ -1784,6 +1800,11 @@ pflow_init(void)
NL_VERIFY_PARSERS(all_parsers); NL_VERIFY_PARSERS(all_parsers);
static osd_method_t methods[PR_MAXMETHOD] = {
[PR_METHOD_REMOVE] = pflow_jail_remove,
};
pflow_do_osd_jail_slot = osd_jail_register(NULL, methods);
family_id = genl_register_family(PFLOWNL_FAMILY_NAME, 0, 2, PFLOWNL_CMD_MAX); family_id = genl_register_family(PFLOWNL_FAMILY_NAME, 0, 2, PFLOWNL_CMD_MAX);
MPASS(family_id != 0); MPASS(family_id != 0);
ret = genl_register_cmds(PFLOWNL_FAMILY_NAME, pflow_cmds, NL_ARRAY_LEN(pflow_cmds)); ret = genl_register_cmds(PFLOWNL_FAMILY_NAME, pflow_cmds, NL_ARRAY_LEN(pflow_cmds));
@ -1794,6 +1815,7 @@ pflow_init(void)
static void static void
pflow_uninit(void) pflow_uninit(void)
{ {
osd_jail_deregister(pflow_do_osd_jail_slot);
genl_unregister_family(PFLOWNL_FAMILY_NAME); genl_unregister_family(PFLOWNL_FAMILY_NAME);
} }

88
tools/test/stress2/misc/zfs15.sh Executable file
View File

@ -0,0 +1,88 @@
#!/bin/sh
# Test scenario suggestion by: markj@
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
kldstat -v | grep -q zfs.ko || { kldload zfs.ko; loaded=1; } ||
exit 0
. ../default.cfg
here=`pwd`
level=`jot -r 1 1 3` # Redundancy levels
mp1=/stress2_tank/test
s=0
u1=$mdstart
u2=$((u1 + 1))
u3=$((u1 + 2))
u4=$((u1 + 3))
u5=$((u1 + 4))
set -e
mdconfig -l | grep -q md$u1 && mdconfig -d -u $u1
mdconfig -l | grep -q md$u2 && mdconfig -d -u $u2
mdconfig -l | grep -q md$u3 && mdconfig -d -u $u3
mdconfig -l | grep -q md$u4 && mdconfig -d -u $u4
mdconfig -l | grep -q md$u5 && mdconfig -d -u $u5
mdconfig -s 512m -u $u1
mdconfig -s 512m -u $u2
mdconfig -s 512m -u $u3
mdconfig -s 512m -u $u4
mdconfig -s 512m -u $u5
zpool list | egrep -q "^stress2_tank" && zpool destroy stress2_tank
[ -d /stress2_tank ] && rm -rf /stress2_tank
zpool create stress2_tank raidz$level md$u1 md$u2 md$u3 md$u4
zfs create stress2_tank/test
set +e
export RUNDIR=/stress2_tank/test/stressX
export runRUNTIME=5m
export LOAD=80
export symlinkLOAD=80
export rwLOAD=80
export TESTPROGS="
testcases/lockf2/lockf2
testcases/symlink/symlink
testcases/openat/openat
testcases/rw/rw
testcases/fts/fts
testcases/link/link
testcases/lockf/lockf
testcases/creat/creat
testcases/mkdir/mkdir
testcases/rename/rename
testcases/mkfifo/mkfifo
testcases/dirnprename/dirnprename
testcases/dirrename/dirrename
testcases/swap/swap
"
(cd ..; ./testcases/run/run $TESTPROGS > /dev/null 2>&1) &
sleep 60
echo "zpool attach stress2_tank raidz$level-0 md$u5"
zpool attach stress2_tank raidz$level-0 md$u5
sleep 30
zfs snapshot stress2_tank/test@1
wait
while zpool status | grep -q "in progress"; do
sleep 5
done
zpool scrub stress2_tank
zpool status | grep -q "errors: No known data errors" ||
{ zpool status; s=1; }
zfs umount stress2_tank/test
zfs destroy -r stress2_tank
zpool destroy stress2_tank
mdconfig -d -u $u1
mdconfig -d -u $u2
mdconfig -d -u $u3
mdconfig -d -u $u4
mdconfig -d -u $u5
[ -n "$loaded" ] && kldunload zfs.ko
exit $s

105
tools/test/stress2/misc/zfs16.sh Executable file
View File

@ -0,0 +1,105 @@
#!/bin/sh
# No problems seen
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
kldstat -v | grep -q zfs.ko || { kldload zfs.ko; loaded=1; } ||
exit 0
. ../default.cfg
here=`pwd`
cd /tmp
sed '1,/^EOF/d' < $here/datamove.sh > zfs16.c
mycc -o zfs16 -Wall -O0 -g zfs16.c || exit 1
rm -f zfs16.c
mp1=/stress2_tank/test
u1=$mdstart
u2=$((u1 + 1))
set -eu
mdconfig -l | grep -q md$u1 && mdconfig -d -u $u1
mdconfig -l | grep -q md$u2 && mdconfig -d -u $u2
mdconfig -s 2g -u $u1
mdconfig -s 2g -u $u2
zpool list | egrep -q "^stress2_tank" && zpool destroy stress2_tank
[ -d /stress2_tank ] && rm -rf /stress2_tank
zpool create stress2_tank md$u1 md$u2
zfs create stress2_tank/test
set +e
(cd $here/../testcases/swap; ./swap -t 2m -i 20 -l 100 -h > /dev/null) &
sleep 2
cd $mp1
while pgrep -q swap; do
/tmp/zfs16; s=$?
rm -f /stress2_tank/test/*
done
cd $here
while pkill swap; do sleep 1; done
wait
zfs umount stress2_tank/test
zfs destroy -r stress2_tank
zpool destroy stress2_tank
mdconfig -d -u $u1
mdconfig -d -u $u2
rm -f /tmp/zfs16
set +u
[ $loaded ] && kldunload zfs.ko
exit $s
EOF
#include <sys/types.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#define SIZ (500UL * 1024 * 1024)
int
main(int argc __unused, char *argv[])
{
off_t hole;
size_t len;
int fd;
char *p, *path;
len = SIZ;
path = argv[1];
if ((fd = open(path, O_CREAT | O_TRUNC | O_RDWR, 0622)) == -1)
err(1,"open()");
if (ftruncate(fd, len) == -1)
err(1, "ftruncate");
if ((p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) ==
MAP_FAILED) {
if (errno == ENOMEM)
return (1);
err(1, "mmap(1)");
}
p[1 * 1024] = 1;
p[2 * 1024] = 1;
p[4 * 1024] = 1;
if (msync(p, len, MS_SYNC | MS_INVALIDATE) == -1)
err(1, "msync()");
if ((hole = lseek(fd, 0, SEEK_HOLE)) == -1)
err(1, "lseek(SEEK_HOLE)");
if (hole != SIZ)
printf("--> hole = %jd, file size=%jd\n",
(intmax_t)hole, (intmax_t)SIZ);
close(fd);
return (hole == SIZ ? 0 : 1);
}

74
tools/test/stress2/misc/zfs17.sh Executable file
View File

@ -0,0 +1,74 @@
#!/bin/sh
#
# Copyright (c) 2024 Peter Holm <pho@FreeBSD.org>
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copy from nullfs over zfs to nullfs over ufs
# Test scenario description by: mjguzik
# Page fault seen:
# https://people.freebsd.org/~pho/stress/log/log0498.txt
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
[ `sysctl -n kern.kstack_pages` -lt 4 ] && exit 0
. ../default.cfg
set -u
kldstat -v | grep -q zfs.ko || { kldload zfs.ko ||
exit 0; loaded=1; }
u1=$mdstart
u2=$((u1 + 1))
u3=$((u2 + 1))
mp0=/stress2_tank/test # zfs mount
mp1=$mntpoint # nullfs of zfs
mp2=$mntpoint$mdstart # ufs
mp3=$mntpoint$((mdstart + 1)) # nullfs of ufs
mkdir -p $mp2 $mp3
mdconfig -l | grep -q md$u1 && mdconfig -d -u $u1
mdconfig -l | grep -q md$u2 && mdconfig -d -u $u2
mdconfig -s 2g -u $u1
mdconfig -s 2g -u $u2
zpool list | egrep -q "^stress2_tank" && zpool destroy stress2_tank
[ -d /stress2_tank ] && rm -rf /stress2_tank
zpool create stress2_tank raidz md$u1 md$u2
zfs create ${mp0#/}
mount | grep -q $mp1 && umount -f $mp1
mount -t nullfs $mp0 $mp1
mdconfig -a -t swap -s 1g -u $u3
newfs $newfs_flags /dev/md$u3 > /dev/null
mount /dev/md$u3 $mp2
mount -t nullfs $mp2 $mp3
dd if=/dev/zero of=$diskimage bs=1m count=50 status=none
cp $diskimage $mp1
cp $mp1/diskimage $mp3
rm -f $diskimage
umount $mp3
umount $mp2
mdconfig -d -u $u3
while mount | grep -q "on $mntpoint "; do
umount $mntpoint && break
sleep 1
done
zfs umount ${mp0#/}
zfs destroy -r stress2_tank
zpool destroy stress2_tank
mdconfig -d -u $u2
mdconfig -d -u $u1
set +u
[ -n "$loaded" ] && kldunload zfs.ko
exit 0

134
tools/test/stress2/misc/zfs18.sh Executable file
View File

@ -0,0 +1,134 @@
#!/bin/sh
# File corruption scenario.
# Test program obtained from Kyle Evans <kevans@FreeBSD.org>
# "panic: VERIFY3(rc->rc_count == number) failed (4849664 == 0)" seen.
# Page fault seen:
# https://people.freebsd.org/~pho/stress/log/log0560.txt
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
[ `sysctl -n kern.kstack_pages` -lt 4 ] && exit 0
. ../default.cfg
prog=$(basename "$0" .sh)
cat > /tmp/$prog.c <<EOF
#include <sys/mman.h>
#include <sys/stat.h>
#include <assert.h>
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
//#define FILE "2"
#define FILE "file"
int
main(void)
{
struct stat sb;
ssize_t wsz;
size_t bufsz;
void *buf, *obuf;
int mfd, fd;
int done = 0;
mfd = open(FILE, O_RDONLY);
assert(mfd >= 0);
assert(fstat(mfd, &sb) == 0);
bufsz = sb.st_size;
buf = obuf = mmap(NULL, bufsz, PROT_READ, MAP_SHARED, mfd, 0);
assert(buf != MAP_FAILED);
/* O_RDWR */
fd = open(FILE, O_RDWR);
if (fd < 0)
err(1, "open");
assert(fd >= 0);
again:
while (bufsz > 0) {
wsz = write(fd, buf, bufsz);
if (wsz < 0)
err(1, "write");
else if (wsz == 0)
fprintf(stderr, "Huh?\n");
bufsz -= wsz;
buf += wsz;
}
bufsz = sb.st_size;
buf = obuf;
if (++done < 2)
goto again;
close(fd);
munmap(obuf, sb.st_size);
close(mfd);
return (0);
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
set -u
kldstat -v | grep -q zfs.ko || { kldload zfs.ko ||
exit 0; loaded=1; }
u1=$mdstart
u2=$((u1 + 1))
mp0=/stress2_tank/test # zfs mount
mdconfig -l | grep -q md$u1 && mdconfig -d -u $u1
mdconfig -l | grep -q md$u2 && mdconfig -d -u $u2
mdconfig -s 4g -u $u1
mdconfig -s 4g -u $u2
zpool list | egrep -q "^stress2_tank" && zpool destroy stress2_tank
[ -d /stress2_tank ] && rm -rf /stress2_tank
zpool create stress2_tank raidz md$u1 md$u2
zfs create ${mp0#/}
here=`pwd`
cd /stress2_tank
# Optimized file creation:
#jot -b 'A' -s '' 875998989 > file
dd if=/dev/random of=file bs=1m count=$(((875998990/1024/1024)+1)) status=none
truncate -s 875998990 file
cat file file > file.post
mv file file.orig
counter=1
s=0
start=`date +%s`
while [ $((`date +%s` - start)) -lt 300 ]; do
cp file.orig file
/tmp/$prog
if ! cmp file file.post; then
echo "Iteration #$counter"
od -t x8 file | head -1000 > /tmp/$prog.file1
od -t x8 file.post | head -1000 > /tmp/$prog.file2
diff /tmp/$prog.file1 /tmp/$prog.file2 | head -15
rm /tmp/$prog.file1 /tmp/$prog.file2
s=1
break
fi
counter=$((counter + 1))
done
cd $here
zfs umount ${mp0#/}
zfs destroy -r stress2_tank
zpool destroy stress2_tank
mdconfig -d -u $u2
mdconfig -d -u $u1
set +u
[ $loaded ] && kldunload zfs.ko
rm /tmp/$prog /tmp/$prog.c
exit $s

72
tools/test/stress2/misc/zfs19.sh Executable file
View File

@ -0,0 +1,72 @@
#!/bin/sh
#
# Copyright (c) 2024 Peter Holm <pho@FreeBSD.org>
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Hunt for "vm_fault: pager read error, pid 99058 (mmap)"
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
kldstat -v | grep -q zfs.ko || { kldload zfs.ko; loaded=1; } ||
exit 0
. ../default.cfg
prog=$(basename "$0" .sh)
here=`pwd`
log=/tmp/$prog.log
mp1=/stress2_tank/test
u1=$mdstart
u2=$((u1 + 1))
set -e
mdconfig -l | grep -q md$u1 && mdconfig -d -u $u1
mdconfig -l | grep -q md$u2 && mdconfig -d -u $u2
mdconfig -s 2g -u $u1
mdconfig -s 2g -u $u2
zpool list | egrep -q "^stress2_tank" && zpool destroy stress2_tank
[ -d /stress2_tank ] && rm -rf /stress2_tank
zpool create stress2_tank md$u1 md$u2
zfs create stress2_tank/test
set +e
export RUNDIR=/stress2_tank/test/stressX
export runRUNTIME=2m
export LOAD=70
export mmapLOAD=100
export TESTPROGS="testcases/mmap/mmap testcases/swap/swap"
(cd ..; ./testcases/run/run $TESTPROGS > /dev/null 2>&1) & rpid=$!
sleep 5
tail -F -n 0 /var/log/messages > $log & lpid=$!
start=`date +%s`
while [ $((`date +%s` - start)) -lt 120 ]; do
zfs umount -f stress2_tank/test &&
zfs mount stress2_tank/test
sleep 5
zfs list | grep -q /stress2_tank/test || break
pgrep -q mmap || break
done
pkill run swap mmap
while pgrep -q swap; do pkill swap; done
wait $rpid
zfs umount stress2_tank/test
zfs destroy -r stress2_tank
zpool destroy stress2_tank
mdconfig -d -u $u1
mdconfig -d -u $u2
[ -n "$loaded" ] && kldunload zfs.ko
kill $lpid && wait $lpid
grep -m 1 "pager read error" $log && s=1 || s=0
rm $log
s=0 # This is an expected behavior for zfs
exit $s