tame(1), like nice(1) but for permissions
I'm not sure if this makes sense, since tame(2) was designed to operate on
processes after they have already been initialized, and this would set the
allowed operations before initializing the process. It's a fairly simple
change to get the basics working as shown here, but it's currently not very
useful as more complex programs generally can't start even if given all
current tame(2) permissions. I mostly did this to get more experience
working in the kernel, not because I think it is a good idea, but I welcome
feedback all the same.

First the manual, followed by the code, then the kernel and tame(2) manpage
diff.

Thanks,
Jeremy

TAME(1)                     General Commands Manual                    TAME(1)

NAME
     tame - restrict system operations for process

SYNOPSIS
     tame [-aCcdghIiRSptuw] utility [argument ...]

DESCRIPTION
     tame restricts system operations using the tame(2) system call, then
     executes the utility with the given arguments. If the utility attempts
     to perform an operation which was not permitted, it will be killed by
     the system with SIGKILL.

     By default, tame restricts almost all system operations for the executed
     process, allowing only the execution of processes (TAME_EXEC), use of
     stdio (TAME_STDIO), and reading the file system (TAME_RPATH). All flags
     with the exception of -h, -R, and -S allow additional system operations.

     The options that allow additional system operations are as follows, with
     the tame(2) option that they enable:

     -a      TAME_ABORT
     -C      TAME_CMSG
     -c      TAME_CPATH
     -d      TAME_DNS
     -g      TAME_GETPW
     -I      TAME_IOCTL
     -i      TAME_INET
     -p      TAME_PROC
     -t      TAME_TMPPATH
     -u      TAME_UNIX
     -w      TAME_WPATH

     The following options restrict system operations that are allowed by
     default:

     -R      TAME_RW
     -r      TAME_RPATH

     The -h option displays the usage.

     If the -r option is used, utility must be the full path to the utility,
     tame will no longer search the PATH to find it, as it will have already
     restricted the permissions that would allow that.

EXIT STATUS
     The tame utility exits with one of the following values:

     125     An error occurred.
     126     The utility was not found or could not be invoked.

     Otherwise, the exit status of tame shall be that of utility.

EXAMPLES
     Only allow overwriting files that already exist, do not allow creating
     new files:

           $ tame -w cp from to

SEE ALSO
     tame(2)

HISTORY
     The tame() system call appeared in OpenBSD 5.8.

OpenBSD 5.8                     $Mdocdate: $                           TAME(1)

tame.c:

/*	$OpenBSD: $ */
/*
 * Copyright (c) 2015 Jeremy Evans jer...@openbsd.org
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/tame.h>
#include <unistd.h>

__dead void usage(int);

int
main(int argc, char *argv[])
{
	int ch;		/* getopt(3) returns int; -1 must compare correctly */
	char *file;
	/*
	 * TAME_RPATH needed to find process to execute
	 * TAME_EXEC needed to execute the process
	 * TAME_STDIO needed by almost all processes
	 */
	int tame_flags = TAME_RPATH | TAME_STDIO | TAME_EXEC;

	while ((ch = getopt(argc, argv, "aCcdghIiRrptuw")) != -1)
		switch (ch) {
		case 'a':
			tame_flags |= TAME_ABORT;
			break;
		case 'C':
			tame_flags |= TAME_CMSG;
			break;
		case 'c':
			tame_flags |= TAME_CPATH;
			break;
		case 'd':
			tame_flags |= TAME_DNS;
			break;
		case 'g':
			tame_flags |= TAME_GETPW;
			break;
		case 'I':
			tame_flags |= TAME_IOCTL;
			break;
		case 'i':
			tame_flags |= TAME_INET;
			break;
		case 'p':
			tame_flags |= TAME_PROC;
			break;
Re: cardbus fix
On Mon, Jul 20, 2015 at 02:48:22AM +0200, Mark Kettenis wrote: Some (early) acpi machines leave the cardbus bridge unconfigured. In particular, those machines don't configure the bus number for the cardbus bus. This makes our driver skip attaching the 32-bit cardbus handling and only support 16-bit pcmcia cards. Diff below makes our driver assign an available bus number and configure the bridge with it. This makes cardbus work on a machine in the class mentioned above. ok? ok mlarkin Index: pccbb.c === RCS file: /cvs/src/sys/dev/pci/pccbb.c,v retrieving revision 1.94 diff -u -p -r1.94 pccbb.c --- pccbb.c 19 Jul 2015 05:37:38 - 1.94 +++ pccbb.c 19 Jul 2015 23:59:24 - @@ -372,6 +372,7 @@ pccbbattach(struct device *parent, struc pci_chipset_tag_t pc = pa-pa_pc; pci_intr_handle_t ih; const char *intrstr = NULL; + u_long busnum; int flags; pccbb_attach_hook(parent, self, pa); @@ -447,8 +448,19 @@ pccbbattach(struct device *parent, struc printf(: %s, intrstr); /* - * When bus number isn't set correctly, give up using 32-bit CardBus - * mode. + * When the bus number isn't configured, try to allocate one + * ourselves. + */ + if ((sc-sc_busnum 0x0000) == 0 pa-pa_busex + extent_alloc(pa-pa_busex, 1, 1, 0, 0, EX_NOWAIT, busnum) == 0) { + sc-sc_busnum |= (busnum 8); + sc-sc_busnum |= (busnum 16); + pci_conf_write(pc, pa-pa_tag, PCI_BUSNUM, sc-sc_busnum); + } + + /* + * When the bus number still isn't set correctly, give up + * using 32-bit CardBus mode. */ if (((sc-sc_busnum 8) 0xff) == 0) { printf(, CardBus support disabled);
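Review bot: the mask in the new allocation block defeats the guard: `(sc->sc_busnum & 0x0000) == 0` is always true, so whenever `pa->pa_busex` exists the driver allocates a fresh bus number and ORs it into a register that may already hold firmware-assigned secondary/subordinate numbers, corrupting a correctly configured bridge. The existing check just below tests the secondary bus byte with `(sc->sc_busnum >> 8) & 0xff`, so this guard should test the same byte, e.g. `(sc->sc_busnum & 0xff00) == 0`.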
Re: httpd: hsts (rfc 6797)
----- Original Message -----
> There is a non-standard preload token that Google requires to get onto
> Chrome's HSTS preload list[0] which is also used by Firefox. Any chance of
> supporting this? Or is its omission a conscious decision?
>
> [0] https://hstspreload.appspot.com/

FWIW, from my experience, the preload token presence is not yet enforced.
Having Strict-Transport-Security: max-age=31536000; includeSubDomains is just
enough.

--
Marco Bonetti
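The header value Marco quotes follows the RFC 6797 directive syntax (name, optional `=value`, `;` separators, case-insensitive names, quoted-string values allowed). As an added example that is not part of this thread or of httpd, here is a parser that extracts max-age and reports whether includeSubDomains and the preload token are present, so a deployment's header can be checked against what a preload list expects; the hsts_* names and the sample headers are constructed for it.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct hsts {
    long max_age;            /* -1 when the directive is absent */
    int  include_subdomains;
    int  preload;
};

/* Case-insensitive match of a directive name of length n against tok. */
static int name_is(const char *s, size_t n, const char *tok)
{
    if (strlen(tok) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)tok[i]))
            return 0;
    return 1;
}

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/*
 * Parse a Strict-Transport-Security value (RFC 6797 6.1): directives
 * separated by ';', case-insensitive names, optional '=' value that may
 * be a quoted-string. Unknown directives are ignored as the RFC requires.
 * Returns 0 on success, -1 when max-age lacks a value, is not a
 * non-negative integer, or appears more than once.
 */
int hsts_parse(const char *value, struct hsts *out)
{
    const char *p = value;

    out->max_age = -1;
    out->include_subdomains = 0;
    out->preload = 0;

    for (;;) {
        const char *name, *val = NULL;
        size_t nlen, vlen = 0;

        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;
        if (*p == '\0')
            return 0;
        name = p;
        while (*p && *p != '=' && *p != ';' && *p != ' ' && *p != '\t')
            p++;
        nlen = (size_t)(p - name);
        p = skip_ws(p);
        if (*p == '=') {
            int quoted;
            p = skip_ws(p + 1);
            quoted = (*p == '"');
            if (quoted)
                p++;
            val = p;
            while (*p && (quoted ? *p != '"' : *p != ';'))
                p++;
            vlen = (size_t)(p - val);
            if (quoted) {
                if (*p != '"')
                    return -1;          /* unterminated quoted-string */
                p++;
            }
            while (vlen > 0 && (val[vlen - 1] == ' ' || val[vlen - 1] == '\t'))
                vlen--;                 /* trailing whitespace before ';' */
        }
        if (name_is(name, nlen, "max-age")) {
            char *end;
            long n;
            if (val == NULL || vlen == 0 || out->max_age != -1)
                return -1;
            n = strtol(val, &end, 10);
            if (end != val + vlen || n < 0)
                return -1;
            out->max_age = n;
        } else if (name_is(name, nlen, "includeSubDomains")) {
            out->include_subdomains = 1;
        } else if (name_is(name, nlen, "preload")) {
            out->preload = 1;
        }
    }
}

/* Scalar wrappers so a result can be checked directly; -2 means parse error. */
long hsts_max_age(const char *value)
{
    struct hsts h;
    return hsts_parse(value, &h) == 0 ? h.max_age : -2;
}

/* Bit 0: includeSubDomains present, bit 1: preload present; -1 on error. */
int hsts_flags(const char *value)
{
    struct hsts h;
    if (hsts_parse(value, &h) != 0)
        return -1;
    return (h.include_subdomains ? 1 : 0) | (h.preload ? 2 : 0);
}
```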
Re: tame(1), like nice(1) but for permissions
Hi

I'm not sure I can think of many uses for this, tame is not something you
are intended to just apply blindly, do you have any use cases?

I think the -aCcdghIiRSptuw approach is a bad idea and it would be better to
do it with named flags like -o abort,cmsg,cpath. Maybe take a look at
getsubopt(3), although I don't know if that API is in vogue anymore.

Also adding TAME_EXEC seems like a different change entirely?

On Mon, Jul 20, 2015 at 01:00:00AM -0700, Jeremy Evans wrote:
> I'm not sure if this makes sense, since tame(2) was designed to operate on
> processes after they have already been initialized, and this would set the
> allowed operations before initializing the process. It's a fairly simple
> change to get the basics working as shown here, but it's currently not very
> useful as more complex programs generally can't start even if given all
> current tame(2) permissions. I mostly did this to get more experience
> working in the kernel, not because I think it is a good idea, but I welcome
> feedback all the same.
Re: Missing descriptor in uvideo.h
There is a typo with struct usb_video_output_header_desc, corresponding to
table 3-15. Last field should be bmaControls.

--
Cordialement, Coues Ludovic
+336 148 743 42
doas failsafe
Hi, I've just shot myself in the foot after /etc/doas.conf tweaking. This patch adds a failsafe permit :wheel rule in case of syntax error. Is this safe enough? Should it be done elsewhere (with some kind of visudo)? Index: doas.c === RCS file: /cvs/src/usr.bin/doas/doas.c,v retrieving revision 1.14 diff -u -p -u -r1.14 doas.c --- doas.c 20 Jul 2015 01:04:37 - 1.14 +++ doas.c 20 Jul 2015 12:16:11 - @@ -138,12 +138,13 @@ permit(uid_t uid, gid_t *groups, int ngr return (*lastr)-action == PERMIT; } -static void +static int parseconfig(const char *filename) { extern FILE *yyfp; extern int yyparse(void); struct stat sb; + int ret; yyfp = fopen(filename, r); if (!yyfp) { @@ -158,8 +159,9 @@ parseconfig(const char *filename) if (sb.st_uid != 0) errx(1, %s is not owned by root, filename); - yyparse(); + ret = yyparse(); fclose(yyfp); + return ret; } static int @@ -201,7 +203,7 @@ copyenv(const char **oldenvp, struct rul int ei; int nsafe, nbad; int nextras = 0; - + nbad = arraylen(badset); if ((rule-options KEEPENV) !rule-envlist) { size_t i, ii; @@ -280,8 +282,18 @@ main(int argc, char **argv, char **envp) int ngroups; int i, ch; int sflag = 0; + const char *safeident = :wheel; - parseconfig(/etc/doas.conf); + if (parseconfig(/etc/doas.conf) != 0) { + fprintf(stderr, using failsafe rule\n); + if (!(rules = reallocarray(rules, 1, sizeof(*rules + errx(1, can't allocate rules); + if (!(rules[0] = calloc(1, sizeof(struct rule + errx(1, can't allocate rule); + rules[0]-action = PERMIT; + rules[0]-ident = safeident; + nrules = 1; + } while ((ch = getopt(argc, argv, su:)) != -1) { switch (ch) { Index: parse.y === RCS file: /cvs/src/usr.bin/doas/parse.y,v retrieving revision 1.6 diff -u -p -u -r1.6 parse.y --- parse.y 19 Jul 2015 22:11:41 - 1.6 +++ parse.y 20 Jul 2015 12:16:11 - @@ -149,7 +149,7 @@ yyerror(const char *fmt, ...) va_list va; va_start(va, fmt); - verrx(1, fmt, va); + vwarnx(fmt, va); } struct keyword { -- Manuel Giraud
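Review bot: the fallback in main() fails open rather than closed: on any syntax error in /etc/doas.conf every member of wheel is granted unrestricted root, including on a system whose (now broken) configuration deliberately granted less than `permit :wheel`, so an administrator's typo becomes an escalation path for other wheel users. Exiting with the parse error (recovery via su) or requiring an explicit opt-in for the fallback is the safer behaviour.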
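Review bot: the parse.y hunk makes yyerror() non-fatal (`verrx(1, ...)` to `vwarnx()`), but whatever rules yyparse() accepted before the error stay in `rules` until main() calls `reallocarray(rules, 1, ...)` and overwrites `rules[0]` without freeing the old entries. If parse errors are meant to be survivable, parseconfig() should discard the partial rule list itself so callers always get a clean, empty set on failure.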
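Review bot: the hunk at copyenv() only strips trailing whitespace from a blank line and is unrelated to the failsafe; it belongs in a separate cleanup diff.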
Re: doas failsafe
Manuel Giraud wrote:
> Hi,
>
> I've just shot myself in the foot after /etc/doas.conf tweaking. This patch
> adds a failsafe permit :wheel rule in case of syntax error. Is this safe
> enough? Should it be done elsewhere (with some kind of visudo)?

I think the failsafe is run su. Since it is possible to configure doas to
even less than permit :wheel this would in some cases be a fail open.
Re: Missing descriptor in uvideo.h
On 15/07/15(Wed) 17:30, ludovic coues wrote: 2015-07-15 17:04 GMT+02:00 Martin Pieuchot m...@openbsd.org: On 15/07/15(Wed) 16:45, Ludovic Coues wrote: Following is a diff adding missing USB descriptor to uvideo.h according to USB Video spec 1.5 . It also update a couple of table reference from spec 1.1 to 1.5 Do not hesitate to explain *why* do you need that, it might not be clear to everybody on this list :) Oh, right. I'm working on an alternative to lsusb for my summer of code. By design, I'm using pretty much every USB descriptor defined by the spec. Index: sys/dev/usb/uvideo.h === RCS file: /cvs/src/sys/dev/usb/uvideo.h,v retrieving revision 1.57 diff -u -p -r1.57 uvideo.h --- sys/dev/usb/uvideo.h 9 Jul 2015 14:58:32 - 1.57 +++ sys/dev/usb/uvideo.h 14 Jul 2015 17:24:42 - +/* Table 3-18: Still Image Frame Descriptor */ +struct usb_video_still_image_frame_desc { + uByte bLength; + uByte bDescriptorType; + uByte bDescriptorSubtype; + uByte bEndpointAddress; + uByte bNumImageSizePatterns; + uByte data[1]; +/* struct { + uWord wWidth; + wWord wHeight; + } __packed size[1]; */ +/* uByte bNumCompressionPattern; */ +/* uByte bCompression[1]; */ Why are they commented? Mainly as a way to document the spec in the code. I could remove the data field and uncomment the size field. I would be pretty close to the spec and this struct could be filled with a memcpy. But size would be a field of size 32 followed by two field of size 8. I don't know how I could access bNumCompressionPattern or bCompression in this case. Is it because by ``wWord'' you mean uDword? Did you consider using an union with #define? Martin
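Review bot: in the commented-out size struct `wWord wHeight` is a typo for `uWord`, and the `__packed size[1]` array cannot be a real member because bNumCompressionPattern and bCompression follow a variable number of size entries; the struct can only describe the fixed header through bNumImageSizePatterns, and the rest has to be located by offset at run time (bNumCompressionPattern sits at 5 + 4 * bNumImageSizePatterns). A layout comment saying so would be clearer than dead fields, and `uByte data[1]` should be documented as the start of that variable part.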
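The layout Ludovic describes (a size array whose length is only known at run time, followed by bNumCompressionPattern and bCompression) is handled most safely by walking the descriptor bytes with offsets rather than overlaying a fixed struct. The parser below is an added example, not code from this thread or from uvideo.h; the sif_* names, the size limits and the sample descriptor bytes are constructed for it. Because bLength, both counts and the buffer length all come from the device, every field is checked against bLength and against the bytes actually available before it is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Upper bounds are constructed for this example; a driver would pick its own. */
#define SIF_MAX_SIZES 16
#define SIF_MAX_COMPR 16

struct sif_size { uint16_t width, height; };

/* Parsed view of a UVC Still Image Frame Descriptor (Table 3-18). */
struct still_image_frame {
    uint8_t         endpoint;                   /* bEndpointAddress */
    uint8_t         nsizes;                     /* bNumImageSizePatterns */
    struct sif_size size[SIF_MAX_SIZES];        /* wWidth/wHeight pairs */
    uint8_t         ncompr;                     /* bNumCompressionPattern */
    uint8_t         compression[SIF_MAX_COMPR]; /* bCompression(1..m) */
};

/* Descriptor words are little-endian and unaligned: assemble them by byte. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Parse one still image frame descriptor at buf. Returns the number of
 * bytes consumed (bLength) or 0 when the descriptor is malformed.
 */
size_t sif_parse(const uint8_t *buf, size_t len, struct still_image_frame *out)
{
    size_t blen, off;

    if (len < 5)
        return 0;
    blen = buf[0];
    if (blen < 5 || blen > len)          /* bLength claims more than we have */
        return 0;
    if (buf[1] != 0x24)                  /* bDescriptorType must be CS_INTERFACE */
        return 0;
    /* buf[2] is bDescriptorSubtype; the caller dispatched on it already. */
    out->endpoint = buf[3];
    out->nsizes = buf[4];
    if (out->nsizes > SIF_MAX_SIZES)
        return 0;
    off = 5;
    if (blen - off < (size_t)out->nsizes * 4)   /* size array: 4 bytes each */
        return 0;
    for (unsigned i = 0; i < out->nsizes; i++, off += 4) {
        out->size[i].width = le16(buf + off);
        out->size[i].height = le16(buf + off + 2);
    }
    /* bNumCompressionPattern sits at 5 + 4 * bNumImageSizePatterns. */
    if (blen - off < 1)
        return 0;
    out->ncompr = buf[off++];
    if (out->ncompr > SIF_MAX_COMPR || blen - off < (size_t)out->ncompr)
        return 0;
    memcpy(out->compression, buf + off, out->ncompr);
    return blen;
}

/* Constructed sample: 640x480 and 1280x720, one compression pattern. */
static const uint8_t sample_ok[] = {
    0x0f,                   /* bLength = 15 */
    0x24,                   /* bDescriptorType = CS_INTERFACE */
    0x03,                   /* bDescriptorSubtype = VS_STILL_IMAGE_FRAME */
    0x82,                   /* bEndpointAddress */
    0x02,                   /* bNumImageSizePatterns */
    0x80, 0x02, 0xe0, 0x01, /* 640 x 480 */
    0x00, 0x05, 0xd0, 0x02, /* 1280 x 720 */
    0x01,                   /* bNumCompressionPattern */
    0x05,                   /* bCompression(1) */
};

size_t demo_parse_ok(void)
{
    struct still_image_frame f;
    return sif_parse(sample_ok, sizeof sample_ok, &f);
}

/* Width (want_height == 0) or height of size pattern i, -1 on failure. */
int demo_size(unsigned i, int want_height)
{
    struct still_image_frame f;
    if (sif_parse(sample_ok, sizeof sample_ok, &f) == 0 || i >= f.nsizes)
        return -1;
    return want_height ? f.size[i].height : f.size[i].width;
}

/* 0: buffer shorter than the claimed bLength; 1: bNumImageSizePatterns
 * inflated to 3 so the size array would overrun bLength. Both must yield 0. */
size_t demo_parse_bad(int which)
{
    uint8_t b[sizeof sample_ok];
    struct still_image_frame f;
    memcpy(b, sample_ok, sizeof b);
    if (which == 1)
        b[4] = 3;
    return sif_parse(b, which == 0 ? 10 : sizeof b, &f);
}
```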
Octeon flash driver for DSR500
Here is a diff that adds a new flash driver for octeon that allows me to access the internal memory of my DSR500. This follows the CFI specification with code borrowed from zrouter (FreeBSD). The idea, once the current driver is thoroughly tested, would be to move it to MI land. The prerequisites to MI are width, shift and row detection and handling. In the long run I hope to be able to also add wdc support. For now I would like to commit my work in the octeon tree with write support disabled. Comments? Okays? Index: conf/GENERIC === RCS file: /cvs/src/sys/arch/octeon/conf/GENERIC,v retrieving revision 1.21 diff -u -p -r1.21 GENERIC --- conf/GENERIC19 Jul 2015 23:46:50 - 1.21 +++ conf/GENERIC20 Jul 2015 18:51:58 - @@ -35,6 +35,7 @@ uartbus0 at mainbus0 octrtc0at mainbus0 octcf0 at iobus0 +amdcf0 at iobus0 octrng0at iobus0 com0 at uartbus0 Index: conf/files.octeon === RCS file: /cvs/src/sys/arch/octeon/conf/files.octeon,v retrieving revision 1.23 diff -u -p -r1.23 files.octeon --- conf/files.octeon 19 Jul 2015 23:46:50 - 1.23 +++ conf/files.octeon 20 Jul 2015 18:51:58 - @@ -10,6 +10,7 @@ major { cd = 3 } major { wd = 4 } major { rd = 8 } major { octcf = 15 } +major { amdcf = 19 } file dev/cninit.c file arch/octeon/octeon/autoconf.c @@ -74,6 +75,11 @@ file arch/octeon/dev/octdwctwo.c octdw device octcf: disk attach octcf at iobus file arch/octeon/dev/octcf.c octcf + +device amdcf: disk +attach amdcf at iobus +file arch/octeon/dev/amdcf.c amdcf + # On-board RNG device octrng Index: dev/octeon_iobus.c === RCS file: /cvs/src/sys/arch/octeon/dev/octeon_iobus.c,v retrieving revision 1.13 diff -u -p -r1.13 octeon_iobus.c --- dev/octeon_iobus.c 19 Jul 2015 23:46:50 - 1.13 +++ dev/octeon_iobus.c 20 Jul 2015 18:51:58 - 
@@ -149,6 +149,7 @@ static const struct octeon_iobus_addrs i { cn30xxgmx, GMX0_BASE_PORT0 }, { octrng, OCTEON_RNG_BASE }, { dwctwo, USBN_BASE }, + { amdcf, OCTEON_AMDCF_BASE}, }; /* There can only be one. */ Index: dev/amdcf.c === RCS file: dev/amdcf.c diff -N dev/amdcf.c --- /dev/null 1 Jan 1970 00:00:00 - +++ dev/amdcf.c 20 Jul 2015 18:51:58 - 
@@ -0,0 +1,952 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2007, Juniper Networks, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * 3. Neither the name of the author nor the names of any co-contributors + *may be used to endorse or promote products derived from this software + *without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Copyright (c) 2009 Sam Leffler, Errno Consulting + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. 
Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
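Review bot: in the octeon_iobus.c hunk `{ amdcf, OCTEON_AMDCF_BASE}` is missing the space before the closing brace that every neighbouring entry in the table has; match the surrounding style.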
Re: tame(1), like nice(1) but for permissions
On Mon, Jul 20, 2015 at 10:41:08AM -0600, Theo de Raadt wrote:
> > On Mon, Jul 20, 2015 at 12:04:43PM -0400, Ted Unangst wrote:
> > > chroot is probably the best comparison. yes, we provide a chroot(1), but
> >
> > There is no chroot(1). :p
> >
> > > practically nothing uses it. everything is instead calling chroot(2) on
> > > its own. the things that do use chroot(1) are doing so for specialized
> > > namespace reasons, not for sandboxing.
> >
> > I have a huge counter-example: dpb.
> >
> > Specifically, chroot(8) does the nice usercontext thingies that would be
> > cumbersome to do from perl.
>
> chroot was only used as a partial example.
>
> I have the same concerns with tame(1).
>
> First, it is very premature.
>
> Secondly, TAME_EXEC is a very nasty semantic.
>
> Most importantly the purpose of tame is to allow a programmer to separate
> their initial-setup from the main-loop processing. By tagging the unix
> feature-set into simple effect classifications, it also guides the
> programming of general purpose unix tools, guiding them towards privdrop,
> privsep; or if they have no specific priv-split happening, at minimum it
> constrains most to files-only or network-only behaviours.
>
> From the outside, a regular user is not going to know the system features
> and semantics that a program uses, not in a detailed fashion.
>
> tame -a firefox doesn't work. Is tame broken? We don't need that kind of
> grief.

Sorry, should have made things clearer. I just meant that chroot was a bad
comparison. I can't see any sane use of a tame(1) at the moment.
Re: move pflow(4) to sosend(9)
On Mon, Jul 20, 2015 at 06:58:06PM +0200, Alexander Bluhm wrote:
> On Mon, Jul 20, 2015 at 01:09:07AM +, Florian Obser wrote:
> > - s = splnet(); + s = splnet(); pflow_flush(sc); + splx(s);
>
> This splx() looks strange, too. Why flush something that could be filled
> by an interrupt after splx()? I think you have to put everything in one
> splnet() block.
>
> I wonder whether pflow(4) is ever run at splnet(). Otherwise splsoftnet()
> for the block should be enough. But that is another topic. Keep the
> splnet() for now.

No it's not. The spl dance is here for two reasons:
1) protect against pf messing with pflow state while pflow is sending data
2) protect the ip_output() I'm removing

pf runs at softnet and ip_output() is gone. so softnet it is ;)

I was afraid I got the spl stuff wrong. I'll stare at it a bit more. All
the other comments from you and blambert@ are integrated in my tree.

--
I'm not entirely sure you are real.
Re: tame(1), like nice(1) but for permissions
On 07/20 09:36, Nicholas Marriott wrote:
> Hi
>
> I'm not sure I can think of many uses for this, tame is not something you
> are intended to just apply blindly, do you have any use cases?

Well, there is the example in the man page. :) But no, currently it's not
very useful, as more complex programs such as sh(1) or perl(1) won't start
even if given all current tame(2) permissions. For this to be useful, you'd
need to give TAME_EXEC additional permissions such that you could do
`tame -tp sh`, and get a sh that could execute processes, but not write to
the file system or do network access. And like I said originally, I'm not
sure this is a good idea. It was just a way for me to get more kernel
experience.

> I think the -aCcdghIiRSptuw approach is a bad idea and it would be better
> to do it with named flags like -o abort,cmsg,cpath. Maybe take a look at
> getsubopt(3), although I don't know if that API is in vogue anymore.

If this is worthy of more work, the command line options can certainly be
changed. I just used getopt(3) since it seemed like the easiest way to
handle it.

> Also adding TAME_EXEC seems like a different change entirely?

Without TAME_EXEC, you can't call execve(2) to create another process. There
currently isn't a tame(2) permission that allows execing, one had to be
added.

Thanks,
Jeremy
Re: Clarification on bgpd behaviour
i'm replying to this thread so people browsing archives do not read
deprecated info.

The recent commits on kroute fix the issue reported. When the interface is
down the local link is no longer listed in the routing table.

Thank you for your work!

On Thu, Jan 15, 2015 at 11:23 PM, Pedro Caetano pedrocaet...@binaryflows.com wrote:
> That is correct, all routers share a /28 segment, r1 talks with upstream1
> and upstream2, r2 talks with upstream1 and upstream2 each with its own
> private AS.
>
> Tomorrow i'll try your suggestions and report back.
>
> Thank you,
> Pedro Caetano
>
> On Thu, Jan 15, 2015 at 11:12 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> > On Thu, Jan 15, 2015 at 10:38:50PM +, Pedro Caetano wrote:
> > > Hi
> > >
> > > I have setup openbsd routers running dual homed with another pair of
> > > upstream routers announcing a default route.
> > >
> > > Each router has two interfaces, egress and ingress.
> > >
> > > r1 - openbsd1
> > > r2 - openbsd2
> > > r3 - upstream1
> > > r4 - upstream2
> > >
> > > vio0 is the external interface, uses a /28 network to talk ibgp with
> > > two upstream routers.
> > > vio1 is the internal interface that also uses a /28 network to
> > > interconnect both openbsd routers.
> > >
> > > Each router has its own private AS, talking with both isp peers via the
> > > vio0 (there is only one remote AS) to get a default-route. The two
> > > openbsd routers are also connected via ibgp via the vio1 interface.
> >
> > If both routers have own private AS numbers they will not have an ibgp
> > session but a ebgp one. Only if they share a common AS number then it is
> > an ibgp session.
> >
> > > BGP works as expected, yet there is a behaviour i find strange.
> > >
> > > By setting vio0 down on r1, shouldn't the local route be removed?
> >
> > No, this is (currently) not happening. The local route (which is
> > statically declared on the interface) is always valid no matter what.
> > There is currently a lot of work going on in the routing code and maybe
> > we get feature but no promises.
> >
> > > Although r2 announces a valid default-route, the local route in fib is
> > > preferred rendering that network unreachable.
> >
> > Are r1 - r4 sharing on common network?
> >
> > A few things you can do to make the situation better:
> > - set nexthop self (on the session between r1 and r2 over vio1)
> > - use carp on vio1 and demote carp in the neighbor section for r3 & r4
> >
> > --
> > :wq Claudio
Re: tame(1), like nice(1) but for permissions
> Sorry, should have made things clearer. I just meant that chroot was a bad
> comparison. I can't see any sane use of a tame(1) at the moment.

No, no no, Ted's comments are completely valid. You cannot replace the
narrow chroot calls in the privsep daemons with chroot(8) run externally.
Any attempts to do so would degrade security. Same here with tame. Same
with your pkg building tools.
Re: tame(1), like nice(1) but for permissions
Jeremy Evans wrote:
> If this is worthy of more work, the command line options can certainly be
> changed. I just used getopt(3) since it seemed like the easiest way to
> handle it.

I talked with theo about this some. I'd say it's probably too early, and
may lead us down a weird path, where tame has to record all sorts of state
and watch for certain milestones to be reached. that logic is better kept
in the program.

currently, the tame model is that you modify the program as necessary to
work best with tame. if you're doing that, add the tame calls you want. as
you noticed, programs not expecting to work with tame require very
permissive options and may not work even so.

chroot is probably the best comparison. yes, we provide a chroot(1), but
practically nothing uses it. everything is instead calling chroot(2) on its
own. the things that do use chroot(1) are doing so for specialized
namespace reasons, not for sandboxing.
Re: tame(1), like nice(1) but for permissions
> On Mon, Jul 20, 2015 at 12:04:43PM -0400, Ted Unangst wrote:
> > chroot is probably the best comparison. yes, we provide a chroot(1), but
>
> There is no chroot(1). :p
>
> > practically nothing uses it. everything is instead calling chroot(2) on
> > its own. the things that do use chroot(1) are doing so for specialized
> > namespace reasons, not for sandboxing.
>
> I have a huge counter-example: dpb.
>
> Specifically, chroot(8) does the nice usercontext thingies that would be
> cumbersome to do from perl.

chroot was only used as a partial example.

I have the same concerns with tame(1).

First, it is very premature.

Secondly, TAME_EXEC is a very nasty semantic.

Most importantly the purpose of tame is to allow a programmer to separate
their initial-setup from the main-loop processing. By tagging the unix
feature-set into simple effect classifications, it also guides the
programming of general purpose unix tools, guiding them towards privdrop,
privsep; or if they have no specific priv-split happening, at minimum it
constrains most to files-only or network-only behaviours.

From the outside, a regular user is not going to know the system features
and semantics that a program uses, not in a detailed fashion.

tame -a firefox doesn't work. Is tame broken? We don't need that kind of
grief.
Re: move pflow(4) to sosend(9)
On Mon, Jul 20, 2015 at 01:09:07AM +, Florian Obser wrote: so pflow(4) shoving it's data with ip_output into the network stack seems wrong. this converts it to use sosend(9) and might even give us non-legacy IP support. I think this is a good idea. Comments inline. bluhm tests from (heavy) pflow(4) users would be appriciated. Sorry, I don't use pflow(4). diff --git if_pflow.c if_pflow.c index 4f3ac5e..624fdaf 100644 --- if_pflow.c +++ if_pflow.c @@ -28,6 +28,8 @@ #include sys/timeout.h #include sys/ioctl.h #include sys/kernel.h +#include sys/socket.h +#include sys/socketvar.h #include sys/sysctl.h #include net/if.h @@ -94,7 +96,6 @@ int pflow_pack_flow(struct pf_state *, struct pf_state_key *, struct pflow_softc *); int pflow_pack_flow_ipfix(struct pf_state *, struct pf_state_key *, struct pflow_softc *); -int pflow_get_dynport(void); int export_pflow_if(struct pf_state*, struct pf_state_key *, struct pflow_softc *); int copy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc); @@ -107,6 +108,8 @@ struct if_clone pflow_cloner = IF_CLONE_INITIALIZER(pflow, pflow_clone_create, pflow_clone_destroy); +extern struct proc proc0; + void pflowattach(int npflow) { 
@@ -119,22 +122,51 @@ pflow_clone_create(struct if_clone *ifc, int unit) { struct ifnet*ifp; struct pflow_softc *pflowif; + struct socket *so; + struct sockaddr_in *sin; + struct mbuf *m; + int error; + + error = 0; + m = NULL; Useless code, they are set a few lines below. + + error = socreate(AF_INET, so, SOCK_DGRAM, 0); + if (error) + return (error); + + MGET(m, M_WAIT, MT_SONAME); + sin = mtod(m, struct sockaddr_in *); You have to initialialize struct sockaddr_in to 0 to clear the padding. + sin-sin_len = m-m_len = sizeof (struct sockaddr_in); + sin-sin_family = AF_INET; + sin-sin_addr.s_addr = INADDR_ANY; + sin-sin_port = htons(0); + error = sobind(so, m, proc0); + m_freem(m); + if (error) { + soclose(so); + pflowif-so = NULL; You have not set pflowif yet, so don't clear it. + return (error); + } if ((pflowif = malloc(sizeof(*pflowif), - M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) - return (ENOMEM); - - if ((pflowif-sc_imo.imo_membership = malloc( - (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, - M_WAITOK|M_ZERO)) == NULL) { - free(pflowif, M_DEVBUF, 0); + M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) { + soclose(so); + pflowif-so = NULL; You have not set pflowif yet, so don't clear it. return (ENOMEM); } - pflowif-sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; + + pflowif-so = so; + + MGET(pflowif-send_nam, M_WAIT, MT_SONAME); + sin = mtod(pflowif-send_nam, struct sockaddr_in *); memset(sin, 0 , sizeof(*sin)); + sin-sin_len = m-m_len = sizeof (struct sockaddr_in); + sin-sin_family = AF_INET; + sin-sin_addr.s_addr = INADDR_ANY; + sin-sin_port = 0; + pflowif-sc_receiver_ip.s_addr = INADDR_ANY; pflowif-sc_receiver_port = 0; pflowif-sc_sender_ip.s_addr = INADDR_ANY; - pflowif-sc_sender_port = pflow_get_dynport(); pflowif-sc_version = PFLOW_PROTO_DEFAULT; /* ipfix template init */ 
@@ -244,10 +276,6 @@ pflow_clone_create(struct if_clone *ifc, int unit) if_attach(ifp); if_alloc_sadl(ifp); -#if NBPFILTER 0 - bpfattach(pflowif-sc_if.if_bpf, ifp, DLT_RAW, 0); -#endif - /* Insert into list of pflows */ SLIST_INSERT_HEAD(pflowif_list, pflowif, sc_next); return (0); @@ -257,9 +285,15 @@ int pflow_clone_destroy(struct ifnet *ifp) { struct pflow_softc *sc = ifp-if_softc; - int s; + int s, error; + + error = 0; + if (sc-so != NULL) + error = soclose(sc-so); s = splnet(); + sc-so = NULL; Strange that you close sc-so outside splnet() but set it to NULL within. Either splnet() is not needed or you have a use after free. If pflow can be run at splnet() you have to protect soclose(). + m_freem(sc-send_nam); if (timeout_initialized(sc-sc_tmo)) timeout_del(sc-sc_tmo); if (timeout_initialized(sc-sc_tmo6)) @@ -269,10 +303,9 @@ pflow_clone_destroy(struct ifnet *ifp) pflow_flush(sc); if_detach(ifp); SLIST_REMOVE(pflowif_list, sc, pflow_softc, sc_next); - free(sc-sc_imo.imo_membership, M_IPMOPTS, 0); free(sc, M_DEVBUF, 0); splx(s); - return (0); + return (error); } /* @@ -312,6 +345,9 @@ pflowioctl(struct ifnet *ifp, u_long cmd, caddr_t data) struct pflow_softc *sc =
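Review bot: in the pflow_clone_create() hunk, after the unconditional `m_freem(m)` that follows sobind(), the second address setup still writes `sin->sin_len = m->m_len = sizeof (struct sockaddr_in)` through the freed `m` instead of the freshly allocated `pflowif->send_nam`; that is a write into a freed mbuf and should be `pflowif->send_nam->m_len`. The two sockaddr_in initialisations also differ (`htons(0)` versus `0` for sin_port, memset in one but not the other); a single helper that zeroes and fills the address would remove both the duplication and the inconsistency.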
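Review bot: the hunk at if_attach() drops the `bpfattach()` call, so the pflow interface no longer has a bpf tap and the exported records can no longer be observed with tcpdump on pflowN; if the socket-based path makes that tap meaningless, say so in the commit message, otherwise keep the attach.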
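Review bot: in pflow_clone_destroy() the `error` from soclose() is only returned after if_detach() has run and `sc` has been freed, so the caller cannot act on it and the interface is gone either way; logging the failure there is more useful than returning it, and as bluhm@ notes the close and the `sc->so = NULL` belong in the same protected block.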
Re: [PATCH] Fix ospfd segmentation fault on startup
On 20/07/15(Mon) 19:10, Johan Ymerson wrote:
> On 2015-07-18 16:03:00, Martin Pieuchot wrote:
> > Committed! Thanks and sorry for the delay.
>
> Hi!
>
> You missed the previous patch "Fix ospfd segmentation fault on startup"
> which prevents ospfd from segfaulting on startup. Without this first
> patch, ospfd will almost always segfault on startup (instead of just
> sometime, which it does today).

Could you send a single diff for all these issues? Apparently ospf hackers
are slacking ;)
Re: [PATCH] Fix ospfd segmentation fault on startup
On Mon, 2015-07-20 at 22:58 +0200, Martin Pieuchot wrote: On 20/07/15(Mon) 19:10, Johan Ymerson wrote: On 2015-07-18 16:03:00, Martin Pieuchot wrote: Committed! Thanks and sorry for the delay. Hi! You missed the previous patch Fix ospfd segmentation fault on startup witch prevent ospfd from segfaulting on startup. Without this first patch, ospfd will almost always segfault on startup (instead of just sometime, which it does today). Could you send a single diff for all these issues? Apparently ospf hackers are slacking ;) Yes, I have it as a single diff. I actually broke it up in two diffs because the two issues are not really related. The second patch only makes the first problem very obvious. It would of course be best if we could make sure we set up event handling (iev_ospfe et al.) before scanning interfaces, but it's kind of a catch 22 here. The event handlers need the interface info to not segfault... So the easy fix was to just check for null pointers in main_imsg_compose_*. /Johan Index: interface.c === RCS file: /cvs/src/usr.sbin/ospfd/interface.c,v retrieving revision 1.75 diff -u -p -r1.75 interface.c --- interface.c 14 May 2012 10:17:21 - 1.75 +++ interface.c 27 May 2015 16:42:51 - @@ -338,8 +338,10 @@ if_act_start(struct iface *iface) struct in_addr addr; struct timeval now; - if (!((iface-flags IFF_UP) - LINK_STATE_IS_UP(iface-linkstate))) + if (!(iface-flags IFF_UP) || + (!LINK_STATE_IS_UP(iface-linkstate) + !(iface-media_type == IFT_CARP + iface-linkstate == LINK_STATE_DOWN))) return (0); if (iface-media_type == IFT_CARP iface-passive == 0) { Index: kroute.c === RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v retrieving revision 1.98 diff -u -p -r1.98 kroute.c --- kroute.c11 Feb 2015 05:57:44 - 1.98 +++ kroute.c27 May 2015 16:42:51 - 
@@ -1019,6 +1019,9 @@ if_change(u_short ifindex, int flags, st return; } + /* notify ospfe about interface link state */ + main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); + reachable = (kif-flags IFF_UP) LINK_STATE_IS_UP(kif-link_state); @@ -1026,9 +1029,6 @@ if_change(u_short ifindex, int flags, st return; /* nothing changed wrt nexthop validity */ kif-nh_reachable = reachable; - - /* notify ospfe about interface link state */ - main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); /* update redistribute list */ RB_FOREACH(kr, kroute_tree, krt) { Index: ospfd.c === RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v retrieving revision 1.83 diff -u -p -r1.83 ospfd.c --- ospfd.c 10 Feb 2015 05:24:48 - 1.83 +++ ospfd.c 27 May 2015 16:42:51 - @@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v void main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); + if (iev_ospfe) + imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); } void main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); + if (iev_rde) + imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); } void
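Review bot: the NULL checks added in the ospfd.c hunk make main_imsg_compose_ospfe()/main_imsg_compose_rde() drop a message without a trace when the imsgev is not yet set up, and the kroute.c hunk now sends IMSG_IFINFO before the "nothing changed wrt nexthop validity" early return, i.e. on every if_change() including those during the initial interface scan that this fix is about. A silently dropped IMSG_IFINFO is exactly the case the next reader will have to debug; add at least a log_debug() in the dropped branch, or note in the commit message why a lost early notification is harmless (ospfe learns the state later). In the interface.c hunk the rewritten if_act_start() condition is hard to review as rendered here (its boolean operators did not survive the mail archive); a one-line comment stating the intent, that a CARP interface with linkstate LINK_STATE_DOWN is still allowed to start, would help.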
Re: move pflow(4) to sosend(9)
new diff, should address all comments: diff --git if_pflow.c if_pflow.c index 4f3ac5e..676829d 100644 --- if_pflow.c +++ if_pflow.c @@ -28,6 +28,8 @@ #include sys/timeout.h #include sys/ioctl.h #include sys/kernel.h +#include sys/socket.h +#include sys/socketvar.h #include sys/sysctl.h #include net/if.h @@ -68,10 +70,7 @@ int pflow_clone_destroy(struct ifnet *); void pflow_init_timeouts(struct pflow_softc *); intpflow_calc_mtu(struct pflow_softc *, int, int); void pflow_setmtu(struct pflow_softc *, int); -intpflowoutput(struct ifnet *, struct mbuf *, struct sockaddr *, - struct rtentry *); intpflowioctl(struct ifnet *, u_long, caddr_t); -void pflowstart(struct ifnet *); struct mbuf*pflow_get_mbuf(struct pflow_softc *, u_int16_t); void pflow_flush(struct pflow_softc *); @@ -94,7 +93,6 @@ int pflow_pack_flow(struct pf_state *, struct pf_state_key *, struct pflow_softc *); intpflow_pack_flow_ipfix(struct pf_state *, struct pf_state_key *, struct pflow_softc *); -intpflow_get_dynport(void); intexport_pflow_if(struct pf_state*, struct pf_state_key *, struct pflow_softc *); intcopy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc); @@ -107,6 +105,8 @@ struct if_clone pflow_cloner = IF_CLONE_INITIALIZER(pflow, pflow_clone_create, pflow_clone_destroy); +extern struct proc proc0; + void pflowattach(int npflow) { 
@@ -119,22 +119,48 @@ pflow_clone_create(struct if_clone *ifc, int unit) { struct ifnet*ifp; struct pflow_softc *pflowif; + struct socket *so; + struct sockaddr_in *sin; + struct mbuf *m; + int error; + + error = socreate(AF_INET, so, SOCK_DGRAM, 0); + if (error) + return (error); + + MGET(m, M_WAIT, MT_SONAME); + sin = mtod(m, struct sockaddr_in *); + memset(sin, 0 , sizeof(*sin)); + sin-sin_len = m-m_len = sizeof (struct sockaddr_in); + sin-sin_family = AF_INET; + sin-sin_addr.s_addr = INADDR_ANY; + sin-sin_port = htons(0); + error = sobind(so, m, proc0); + m_freem(m); + if (error) { + soclose(so); + return (error); + } if ((pflowif = malloc(sizeof(*pflowif), - M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) - return (ENOMEM); - - if ((pflowif-sc_imo.imo_membership = malloc( - (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, - M_WAITOK|M_ZERO)) == NULL) { - free(pflowif, M_DEVBUF, 0); + M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) { + soclose(so); return (ENOMEM); } - pflowif-sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; + + pflowif-so = so; + + MGET(pflowif-send_nam, M_WAIT, MT_SONAME); + sin = mtod(pflowif-send_nam, struct sockaddr_in *); + memset(sin, 0 , sizeof(*sin)); + sin-sin_len = m-m_len = sizeof (struct sockaddr_in); + sin-sin_family = AF_INET; + sin-sin_addr.s_addr = INADDR_ANY; + sin-sin_port = 0; + pflowif-sc_receiver_ip.s_addr = INADDR_ANY; pflowif-sc_receiver_port = 0; pflowif-sc_sender_ip.s_addr = INADDR_ANY; - pflowif-sc_sender_port = pflow_get_dynport(); pflowif-sc_version = PFLOW_PROTO_DEFAULT; /* ipfix template init */ @@ -232,8 +258,8 @@ pflow_clone_create(struct if_clone *ifc, int unit) snprintf(ifp-if_xname, sizeof ifp-if_xname, pflow%d, unit); ifp-if_softc = pflowif; ifp-if_ioctl = pflowioctl; - ifp-if_output = pflowoutput; - ifp-if_start = pflowstart; + ifp-if_output = NULL; + ifp-if_start = NULL; ifp-if_type = IFT_PFLOW; IFQ_SET_MAXLEN(ifp-if_snd, IFQ_MAXLEN); ifp-if_hdrlen = PFLOW_HDRLEN; 
@@ -244,10 +270,6 @@ pflow_clone_create(struct if_clone *ifc, int unit) if_attach(ifp); if_alloc_sadl(ifp); -#if NBPFILTER 0 - bpfattach(pflowif-sc_if.if_bpf, ifp, DLT_RAW, 0); -#endif - /* Insert into list of pflows */ SLIST_INSERT_HEAD(pflowif_list, pflowif, sc_next); return (0); @@ -257,9 +279,12 @@ int pflow_clone_destroy(struct ifnet *ifp) { struct pflow_softc *sc = ifp-if_softc; - int s; + int s, error; + + error = 0; s = splnet(); + m_freem(sc-send_nam); if (timeout_initialized(sc-sc_tmo)) timeout_del(sc-sc_tmo); if (timeout_initialized(sc-sc_tmo6)) @@ -267,41 +292,15 @@ pflow_clone_destroy(struct ifnet *ifp) if (timeout_initialized(sc-sc_tmo_tmpl)) timeout_del(sc-sc_tmo_tmpl); pflow_flush(sc); + if (sc-so != NULL) { + error = soclose(sc-so); + sc-so = NULL; + } if_detach(ifp);
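Review bot: in the pflow_clone_destroy hunk `m_freem(sc-send_nam)` now runs right after splnet(), before pflow_flush(sc); if pflow_flush() still pushes the pending packet out through sc-so with send_nam as the destination, that is a use after free of the mbuf. Move the m_freem() after pflow_flush(), next to the soclose() that is now correctly inside the splnet() section, and set sc-send_nam to NULL there for symmetry with sc-so. In the pflow_clone_create hunk, `ifp-if_output = NULL` and `ifp-if_start = NULL` mean any path that still hands a packet to the interface (e.g. a route pointing at pflow0) will dereference NULL; if that is intended to be impossible, a comment saying so, or a stub that drops and counts the packet, is safer than a bare NULL.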
Re: [PATCH] Fix ospfd segmentation fault on startup
On 2015-07-18 16:03:00, Martin Pieuchot wrote: Committed! Thanks and sorry for the delay. Hi! You missed the previous patch Fix ospfd segmentation fault on startup which prevents ospfd from segfaulting on startup. Without this first patch, ospfd will almost always segfault on startup (instead of just sometimes, which it does today). /Johan
Re: tame(1), like nice(1) but for permissions
On Mon, Jul 20, 2015 at 12:04:43PM -0400, Ted Unangst wrote: chroot is probably the best comparison. yes, we provide a chroot(1), but There is no chroot(1). :p practically nothing uses it. everything is instead calling chroot(2) on its own. the things that do use chroot(1) are doing so for specialized namespace reasons, not for sandboxing. I have a huge counter-example: dpb. Specifically, chroot(8) does the nice usercontext thingies that would be cumbersome to do from perl.
Re: doas failsafe
I'm a lowly user but I ++ this, when testing out doas I did this a few times. allow : deny, permit : forbid Is that you, Flynn?
Re: [PATCH] Fix ospfd segmentation fault on startup
On Mon, Jul 20, 2015 at 09:32:20PM +, Johan Ymerson wrote: On Mon, 2015-07-20 at 22:58 +0200, Martin Pieuchot wrote: On 20/07/15(Mon) 19:10, Johan Ymerson wrote: On 2015-07-18 16:03:00, Martin Pieuchot wrote: Committed! Thanks and sorry for the delay. Hi! You missed the previous patch Fix ospfd segmentation fault on startup witch prevent ospfd from segfaulting on startup. Without this first patch, ospfd will almost always segfault on startup (instead of just sometime, which it does today). Could you send a single diff for all these issues? Apparently ospf hackers are slacking ;) Yes, I have it as a single diff. I actually broke it up in two diffs because the two issues are not really related. The second patch only makes the first problem very obvious. It would of course be best if we could make sure we set up event handling (iev_ospfe et al.) before scanning interfaces, but it's kind of a catch 22 here. The event handlers need the interface info to not segfault... So the easy fix was to just check for null pointers in main_imsg_compose_*. /Johan Yes, lets go with this version. OK claudio@ Index: interface.c === RCS file: /cvs/src/usr.sbin/ospfd/interface.c,v retrieving revision 1.75 diff -u -p -r1.75 interface.c --- interface.c 14 May 2012 10:17:21 - 1.75 +++ interface.c 27 May 2015 16:42:51 - @@ -338,8 +338,10 @@ if_act_start(struct iface *iface) struct in_addr addr; struct timeval now; - if (!((iface-flags IFF_UP) - LINK_STATE_IS_UP(iface-linkstate))) + if (!(iface-flags IFF_UP) || + (!LINK_STATE_IS_UP(iface-linkstate) + !(iface-media_type == IFT_CARP + iface-linkstate == LINK_STATE_DOWN))) return (0); if (iface-media_type == IFT_CARP iface-passive == 0) { Index: kroute.c === RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v retrieving revision 1.98 diff -u -p -r1.98 kroute.c --- kroute.c11 Feb 2015 05:57:44 - 1.98 +++ kroute.c27 May 2015 16:42:51 - 
@@ -1019,6 +1019,9 @@ if_change(u_short ifindex, int flags, st return; } + /* notify ospfe about interface link state */ + main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); + reachable = (kif-flags IFF_UP) LINK_STATE_IS_UP(kif-link_state); @@ -1026,9 +1029,6 @@ if_change(u_short ifindex, int flags, st return; /* nothing changed wrt nexthop validity */ kif-nh_reachable = reachable; - - /* notify ospfe about interface link state */ - main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); /* update redistribute list */ RB_FOREACH(kr, kroute_tree, krt) { Index: ospfd.c === RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v retrieving revision 1.83 diff -u -p -r1.83 ospfd.c --- ospfd.c 10 Feb 2015 05:24:48 - 1.83 +++ ospfd.c 27 May 2015 16:42:51 - @@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v void main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); + if (iev_ospfe) + imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); } void main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); + if (iev_rde) + imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); } void -- :wq Claudio
Re: [PATCH] Fix ospfd segmentation fault on startup
Johan Ymerson(johan.ymer...@transmode.com) on 2015.07.20 21:32:20 +: On Mon, 2015-07-20 at 22:58 +0200, Martin Pieuchot wrote: On 20/07/15(Mon) 19:10, Johan Ymerson wrote: On 2015-07-18 16:03:00, Martin Pieuchot wrote: Committed! Thanks and sorry for the delay. Hi! You missed the previous patch Fix ospfd segmentation fault on startup witch prevent ospfd from segfaulting on startup. Without this first patch, ospfd will almost always segfault on startup (instead of just sometime, which it does today). Could you send a single diff for all these issues? Apparently ospf hackers are slacking ;) Yes, I have it as a single diff. I actually broke it up in two diffs because the two issues are not really related. The second patch only makes the first problem very obvious. It would of course be best if we could make sure we set up event handling (iev_ospfe et al.) before scanning interfaces, but it's kind of a catch 22 here. The event handlers need the interface info to not segfault... So the easy fix was to just check for null pointers in main_imsg_compose_*. /Johan fixed it. ok benno@ Index: interface.c === RCS file: /cvs/src/usr.sbin/ospfd/interface.c,v retrieving revision 1.75 diff -u -p -r1.75 interface.c --- interface.c 14 May 2012 10:17:21 - 1.75 +++ interface.c 27 May 2015 16:42:51 - @@ -338,8 +338,10 @@ if_act_start(struct iface *iface) struct in_addr addr; struct timeval now; - if (!((iface-flags IFF_UP) - LINK_STATE_IS_UP(iface-linkstate))) + if (!(iface-flags IFF_UP) || + (!LINK_STATE_IS_UP(iface-linkstate) + !(iface-media_type == IFT_CARP + iface-linkstate == LINK_STATE_DOWN))) return (0); if (iface-media_type == IFT_CARP iface-passive == 0) { Index: kroute.c === RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v retrieving revision 1.98 diff -u -p -r1.98 kroute.c --- kroute.c11 Feb 2015 05:57:44 - 1.98 +++ kroute.c27 May 2015 16:42:51 - 
@@ -1019,6 +1019,9 @@ if_change(u_short ifindex, int flags, st return; } + /* notify ospfe about interface link state */ + main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); + reachable = (kif-flags IFF_UP) LINK_STATE_IS_UP(kif-link_state); @@ -1026,9 +1029,6 @@ if_change(u_short ifindex, int flags, st return; /* nothing changed wrt nexthop validity */ kif-nh_reachable = reachable; - - /* notify ospfe about interface link state */ - main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); /* update redistribute list */ RB_FOREACH(kr, kroute_tree, krt) { Index: ospfd.c === RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v retrieving revision 1.83 diff -u -p -r1.83 ospfd.c --- ospfd.c 10 Feb 2015 05:24:48 - 1.83 +++ ospfd.c 27 May 2015 16:42:51 - @@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v void main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); + if (iev_ospfe) + imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); } void main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); + if (iev_rde) + imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); } void --
Re: doas failsafe
I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? P.S. My opinion has zero value but why can't su(1) work this purpose? Not trying to be funny just reasoning about the basics. (I'm not anonymous).
Re: feed l4 information into trunk(4) hash
On 2014/12/12 10:48, Sebastian Benoit wrote: Stuart Henderson(st...@openbsd.org) on 2014.12.11 23:52:44 +: I'm wondering what reception this will get. It feeds TCP/UDP port numbers into the hash for trunk(4) load balancing, so connections between a single pair of hosts will get distributed across NICs. Taken from FreeBSD r232629, they also added SIOC[CS]LAGGHASH ioctls so that the hash type can be configured in ifconfig (l2/l3/l4), I haven't done that but could if there's no general objection to this. i like this, and i think it might be good to have it optional in case it causes problems with other equipment. Revisiting this I'm wondering about the best way to make it optional. We're not using IFF_LINK0 in trunk, would it be reasonable to use that for this purpose, or would people foresee wanting more than just a choice of L3/L4?
Re: move pflow(4) to sosend(9)
On Mon, Jul 20, 2015 at 09:58:03PM +, Florian Obser wrote: + tso = sc-so; + sc-so = so; + soclose(tso); The tso dance is not neccessary. simply soclose(sc-so); sc-so = so; otherwise OK bluhm@
fix iwm(4) newstate task (was: Re: iwm(4): make iwm_newstate() interrupt safe)
On Sun, Jul 19, 2015 at 04:32:39AM +0200, Stefan Sperling wrote: Please test this if you use iwm(4). It should make the driver more reliable, e.g. when bringing the interface up which sometimes fails because of... reasons. Please test this updated diff instead. The previous one had races between the ioctl handler and the newstate function, pointed out by kettenis@. I believe claudio@ has already hit them. I got help from mpi@, too. Index: if_iwm.c === RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v retrieving revision 1.45 diff -u -p -r1.45 if_iwm.c --- if_iwm.c15 Jun 2015 08:06:11 - 1.45 +++ if_iwm.c20 Jul 2015 22:33:16 - @@ -195,14 +195,6 @@ const struct iwm_rate { #define IWM_RIDX_IS_CCK(_i_) ((_i_) IWM_RIDX_OFDM) #define IWM_RIDX_IS_OFDM(_i_) ((_i_) = IWM_RIDX_OFDM) -struct iwm_newstate_state { - struct task ns_wk; - struct ieee80211com *ns_ic; - enum ieee80211_state ns_nstate; - int ns_arg; - int ns_generation; -}; - intiwm_store_cscheme(struct iwm_softc *, uint8_t *, size_t); intiwm_firmware_store_section(struct iwm_softc *, enum iwm_ucode_type, uint8_t *, size_t); @@ -406,13 +398,13 @@ struct ieee80211_node *iwm_node_alloc(st void iwm_calib_timeout(void *); void iwm_setrates(struct iwm_node *); intiwm_media_change(struct ifnet *); -void iwm_newstate_cb(void *); +void iwm_newstate_task(void *); intiwm_newstate(struct ieee80211com *, enum ieee80211_state, int); void iwm_endscan_cb(void *); intiwm_init_hw(struct iwm_softc *); intiwm_init(struct ifnet *); void iwm_start(struct ifnet *); -void iwm_stop(struct ifnet *, int); +void iwm_stop(struct ifnet *); void iwm_watchdog(struct ifnet *); intiwm_ioctl(struct ifnet *, u_long, iwm_caddr_t); const char *iwm_desc_lookup(uint32_t); 
@@ -425,9 +417,9 @@ int iwm_match(struct device *, void *, v intiwm_preinit(struct iwm_softc *); void iwm_attach_hook(iwm_hookarg_t); void iwm_attach(struct device *, struct device *, void *); -void iwm_init_task(void *); intiwm_activate(struct device *, int); -void iwm_wakeup(struct iwm_softc *); +void iwm_suspend(struct iwm_softc *); +void iwm_resume(struct iwm_softc *); #if NBPFILTER 0 void iwm_radiotap_attach(struct iwm_softc *); @@ -5250,40 +5242,27 @@ iwm_media_change(struct ifnet *ifp) sc-sc_fixed_ridx = ridx; } - if ((ifp-if_flags (IFF_UP | IFF_RUNNING)) == - (IFF_UP | IFF_RUNNING)) { - iwm_stop(ifp, 0); - error = iwm_init(ifp); - } - return error; + /* +* No need to do anything on the hardware side. +* Channel changes will be applied during the +* association sequence in iwm_auth(). +*/ + + return (0); } void -iwm_newstate_cb(void *wk) +iwm_newstate_task(void *arg) { - struct iwm_newstate_state *iwmns = (void *)wk; - struct ieee80211com *ic = iwmns-ns_ic; - enum ieee80211_state nstate = iwmns-ns_nstate; - int generation = iwmns-ns_generation; + struct iwm_softc *sc = arg; + struct ieee80211com *ic = sc-sc_ic; + struct ifnet *ifp = IC2IFP(sc-sc_ic); + struct iwm_newstate_task_arg *task_arg = sc-sc_newstate_task_arg; + enum ieee80211_state nstate = task_arg-state; struct iwm_node *in; - int arg = iwmns-ns_arg; - struct ifnet *ifp = IC2IFP(ic); - struct iwm_softc *sc = ifp-if_softc; int error; - free(iwmns, M_DEVBUF, sizeof(*iwmns)); - - DPRINTF((Prepare to switch state %d-%d\n, ic-ic_state, nstate)); - if (sc-sc_generation != generation) { - DPRINTF((newstate_cb: someone pulled the plug meanwhile\n)); - if (nstate == IEEE80211_S_INIT) { - DPRINTF((newstate_cb: nstate == IEEE80211_S_INIT: calling sc_newstate()\n)); - sc-sc_newstate(ic, nstate, arg); - } - return; - } - - DPRINTF((switching state %d-%d\n, ic-ic_state, nstate)); + sc-sc_newstate_errno = 0; if (ic-ic_state == IEEE80211_S_SCAN nstate != ic-ic_state) iwm_led_blink_stop(sc); 
@@ -5292,6 +5271,8 @@ iwm_newstate_cb(void *wk) if (ic-ic_state == IEEE80211_S_RUN nstate != ic-ic_state) { iwm_mvm_disable_beacon_filter(sc, (void *)ic-ic_bss); + timeout_del(sc-sc_calib_to); + if (((in = (void *)ic-ic_bss) != NULL)) in-in_assoc = 0; iwm_release(sc, NULL); @@ -5310,8 +5291,9 @@ iwm_newstate_cb(void *wk) if (nstate == IEEE80211_S_SCAN || nstate == IEEE80211_S_AUTH || nstate == IEEE80211_S_ASSOC) { - DPRINTF((Force transition to INIT; MGT=%d\n, arg)); -
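Review bot: the new iwm_newstate_task() reads the requested state from one shared slot, sc-sc_newstate_task_arg, and the per-call generation check that the removed iwm_newstate_cb() performed ("someone pulled the plug meanwhile", with the fallback to sc_newstate() for IEEE80211_S_INIT) is gone. If net80211 requests a second transition before the task runs, or iwm_stop() resets the device in between, the task acts on whatever the slot holds with no way to notice the reset; the diff should show how sc_newstate_task_arg is protected against the ioctl/newstate race the cover text mentions (task_del() in iwm_stop(), or a generation counter in the arg) or how a stale task bails out. Also the iwm_media_change hunk stops restarting the interface on media changes and relies on iwm_auth() applying the channel; since that changes user-visible behaviour of ifconfig media/chan, it deserves a sentence in the commit message.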
Re: doas failsafe
li...@wrant.com wrote: I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? there's not a lot of meaning behind permit, other than that it's a word that seems appropriate. P.S. My opinion has zero value but why can't su(1) work this purpose? The semantics of su are different in a couple and people seem to like using sudo. Trying to share code with su risks muddying up that code and introducing mistakes.
fixes for coverity warnings to cat(1)
Hi, Attached is a diff for a couple of issues raised by coverity, obtained from NetBSD src/bin/cat/cat.c r1.53 r1.54 From the commit message in NetBSD CVS: bin/cat/cat.c 976654 Argument cannot be negative (missing check for fileno result, stdout) bin/cat/cat.c 976653 Improper use of negative value (missing check for fileno result, stdin) Diff also adds a skip label used by the changes which appeared in NetBSD at a different revision in the past. Sevan Janiyan From NetBSD cat.c r1.53 r1.54 Index: bin/cat/cat.c === RCS file: /cvs/src/bin/cat/cat.c,v retrieving revision 1.21 diff -u -r1.21 cat.c --- bin/cat/cat.c 16 Jan 2015 06:39:28 - 1.21 +++ bin/cat/cat.c 20 Jul 2015 23:08:00 - @@ -200,15 +200,20 @@ filename = stdin; do { if (*argv) { - if (!strcmp(*argv, -)) + if (!strcmp(*argv, -)) { fd = fileno(stdin); - else if ((fd = open(*argv, O_RDONLY, 0)) 0) { + if (fd 0) + goto skip; + } else if ((fd = open(*argv, O_RDONLY, 0)) 0) { +skip: warn(%s, *argv); rval = 1; ++argv; continue; } filename = *argv++; + } else if (fd 0) { + err(1, stdin); } raw_cat(fd); if (fd != fileno(stdin)) @@ -226,6 +231,8 @@ struct stat sbuf; wfd = fileno(stdout); + if (wfd 0) + err(1, stdout); if (buf == NULL) { if (fstat(wfd, sbuf)) err(1, stdout);
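Review bot: in the first hunk the `skip:` label sits inside the `else if` block, so the fileno(stdin) failure path jumps into the middle of another branch's compound statement; it works, and warn() will report the EBADF that fileno() left in errno, but the same effect reads better as a separate test after the if/else, e.g. `if (fd < 0) { warn("%s", *argv); rval = 1; ++argv; continue; }`, which also keeps the label out of the code. The new `else if (fd < 0) err(1, "stdin");` only fires on a later loop iteration when no more arguments remain, which is the no-argument case, but a short comment would save the next reader from working that out. Minor: the hunks carry no function context (diff -u without -p), which makes the second hunk's `wfd = fileno(stdout)` check harder to place.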
Re: [PATCH] Fix ospfd segmentation fault on startup
commited, thx for your diff. /Benno Johan Ymerson(johan.ymer...@transmode.com) on 2015.07.20 21:32:20 +: On Mon, 2015-07-20 at 22:58 +0200, Martin Pieuchot wrote: On 20/07/15(Mon) 19:10, Johan Ymerson wrote: On 2015-07-18 16:03:00, Martin Pieuchot wrote: Committed! Thanks and sorry for the delay. Hi! You missed the previous patch Fix ospfd segmentation fault on startup witch prevent ospfd from segfaulting on startup. Without this first patch, ospfd will almost always segfault on startup (instead of just sometime, which it does today). Could you send a single diff for all these issues? Apparently ospf hackers are slacking ;) Yes, I have it as a single diff. I actually broke it up in two diffs because the two issues are not really related. The second patch only makes the first problem very obvious. It would of course be best if we could make sure we set up event handling (iev_ospfe et al.) before scanning interfaces, but it's kind of a catch 22 here. The event handlers need the interface info to not segfault... So the easy fix was to just check for null pointers in main_imsg_compose_*. /Johan Index: interface.c === RCS file: /cvs/src/usr.sbin/ospfd/interface.c,v retrieving revision 1.75 diff -u -p -r1.75 interface.c --- interface.c 14 May 2012 10:17:21 - 1.75 +++ interface.c 27 May 2015 16:42:51 - @@ -338,8 +338,10 @@ if_act_start(struct iface *iface) struct in_addr addr; struct timeval now; - if (!((iface-flags IFF_UP) - LINK_STATE_IS_UP(iface-linkstate))) + if (!(iface-flags IFF_UP) || + (!LINK_STATE_IS_UP(iface-linkstate) + !(iface-media_type == IFT_CARP + iface-linkstate == LINK_STATE_DOWN))) return (0); if (iface-media_type == IFT_CARP iface-passive == 0) { Index: kroute.c === RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v retrieving revision 1.98 diff -u -p -r1.98 kroute.c --- kroute.c11 Feb 2015 05:57:44 - 1.98 +++ kroute.c27 May 2015 16:42:51 - 
@@ -1019,6 +1019,9 @@ if_change(u_short ifindex, int flags, st return; } + /* notify ospfe about interface link state */ + main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); + reachable = (kif-flags IFF_UP) LINK_STATE_IS_UP(kif-link_state); @@ -1026,9 +1029,6 @@ if_change(u_short ifindex, int flags, st return; /* nothing changed wrt nexthop validity */ kif-nh_reachable = reachable; - - /* notify ospfe about interface link state */ - main_imsg_compose_ospfe(IMSG_IFINFO, 0, kif, sizeof(struct kif)); /* update redistribute list */ RB_FOREACH(kr, kroute_tree, krt) { Index: ospfd.c === RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v retrieving revision 1.83 diff -u -p -r1.83 ospfd.c --- ospfd.c 10 Feb 2015 05:24:48 - 1.83 +++ ospfd.c 27 May 2015 16:42:51 - @@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v void main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); + if (iev_ospfe) + imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); } void main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); + if (iev_rde) + imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); } void --
Re: doas failsafe
I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. With respect, Ted, I hope it was clear the intention was to bring into attention the inadequacy of the $visualsth concept as a means of safety. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? there's not a lot of meaning behind permit, other than that it's a word that seems appropriate. So why can't allow fit as opposite to deny? (normally silence means no change in security model, hopefully). Can we formalise the DSL, or read about it and prevent me from making incoherent guesses? P.S. My opinion has zero value but why can't su(1) work this purpose? The semantics of su are different in a couple and people seem to like using sudo. Trying to share code with su risks muddying up that code and introducing mistakes. Yet it may be the same feel place to be of something dealing with who's what doing why when escalation. Please have others say about it, I'm nobody of significance to suggest here.
Re: doas failsafe
On Mon, Jul 20, 2015 at 04:36:45PM -0700, lists wrote: So why can't allow fit as opposite to deny? (normally silence means no change in security model, hopefully). I'm a lowly user but I ++ this, when testing out doas I did this a few times. allow : deny, permit : forbid
Re: doas failsafe
On 2015/07/20 19:18, Ted Unangst wrote: li...@wrant.com wrote: I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. I don't think we need the wrapper, but a config-check mode like pfctl has could be very useful.