These were reported by `mandoc -T lint ...` as errors.
The rendered output (in ascii and html) is not affected by this commit.
Additional clarification: there was a non-breaking space in
lib/libcasper/services/cap_grp/cap_grp.3.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
MFC after: 3 days
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1449
These were reported by `mandoc -T lint` as
ERROR: skipping unknown macro
When these pages were rendered with `man`, the "unknown macro" meant
that the entire line was omitted from the output.
Obvious typos in:
lib/libsys/swapon.2
lib/libsys/procctl.2
share/man/man9/firmware.9
lib/libcasper/services/cap_net/cap_net.3: 'mode' describes a function
argument.
lib/libsys/statfs.2: there's no .Tm command ("trademark?"), and
.Tn ("tradename") is deprecated, so remove the macro entirely.
usr.sbin/mfiutil/mfiutil.8: man was interpreting '/dev/' as a macro
(which it didn't recognize).
share/man/man4/qat.4: same issue as above, but with '0'. In this case,
given the context of the previous line, rewriting as "Value '0'"
seemed more appropriate.
usr.sbin/mlx5tool/mlx5tool.8: typo in .Xr
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Sponsored by: Tarsnap Backup Inc.
Reviewed by: concussious, imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1417
Capability rights passed to cap_rights_* are not simple bitmaks and
cannot be ORed together in general (although it will work for certain
subsets of rights).
PR: 277057
Fixes: faaf43b2a7 ("fileargs: add tests")
Sponsored by: The FreeBSD Foundation
And neither are most libcasper services' functions, because internally
they all use cap_xfer_nvlist. cap_xfer_nvlist sends and then receives
data over a unix domain socket and associated with the cap_channel_t
argument. So absent synchronization, two threads may not use the same
cap_channel_t argument or they risk receiving the other's reply.
MFC after: 2 weeks
Sponsored by: Axcient
Reviewed by: oshogbo
Differential Revision: https://reviews.freebsd.org/D42928
This line appears to have been copied from cap_sysctl.3. While I'm
here, reorder and reword the description of cap_net_limit a bit.
[skip ci]
MFC after: 2 weeks
Sponsored by: Axcient
Reviewed by: oshogbo
Differential Revision: https://reviews.freebsd.org/D42919
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
GCC 13 incorrectly thinks a call to free after a failed realloc is a
use after free.
lib/libcasper/services/cap_grp/cap_grp.c: In function 'group_resize':
lib/libcasper/services/cap_grp/cap_grp.c:65:17: error: pointer 'buf' may be used after 'realloc' [-Werror=use-after-free]
65 | free(buf);
| ^~~~~~~~~
lib/libcasper/services/cap_grp/cap_grp.c:63:19: note: call to 'realloc' here
63 | gbuffer = realloc(buf, gbufsize);
| ^~~~~~~~~~~~~~~~~~~~~~
Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D42576
Previously, while checking name2addr capabilities, we mistakenly used
the addr2name set. This error could cause a process to inadvertently
reset its limitations.
Reported by: Shawn Webb <shawn.webb@hardenedbsd.org>
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
When testing cap_connect() and name/addr lookup functions, skip tests if
we fail and the error is not ENOTCAPABLE. This makes the tests amenable
to running in CI without Internet connectivity.
Reviewed by: oshogbo
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D39242
If a malicious casper process sent a host or service string that was
too long, cap_getnameinfo would overrun the caller's buffer by one byte.
The backends for this function needlessly allocated one extra byte
for these buffers. This was harmless, but could be confusing to readers.
Reported by: Coverity (an internal run at Dell)
Reviewed by: oshogbo, emaste
MFC after: 1 week
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D39347
The cap_dns tests require Internet access. Currently they fail when
that's not available, which for CI purposes is undesirable. Let's
instead skip the tests if none of the non-casper name/addr lookups
succeed.
To that end:
- Convert the tests to ATF so that skipping is easier to implement.
- Break up the tests into separate test cases.
- If one of the system (i.e., non-casper) lookup functions fails, skip
the test if all of them failed, otherwise fail the tests, since
partial failure indicates something is flaky and deserves a closer
look.
Reviewed by: oshogbo
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39241
These tests fail spuriously when run in parallel, since some of them
write a value to a global sysctl, read it back, and expect to see the
written value. These tests complete quite quickly in any case.
MFC after: 1 week
These libraries are linked to directly by applications rather than
opened at runtime via dlopen().
Discussed with: oshogbo
Reviewed by: markj, emaste
Differential Revision: https://reviews.freebsd.org/D39245
* Correct some function prototypes which were documented with the wrong
pointer type.
* Clarify return values and requirements for freeing the limit handle.
MFC after: 1 week
Sponsored by: Axcient
Reviewed by: oshogbo
Differential Revision: https://reviews.freebsd.org/D37586
Summary: The manual pages need a bit of editing for language and clarity.
Reviewers: oshogbo, #manpages
Subscribers: imp
Differential Revision: https://reviews.freebsd.org/D32976
- inserting missing end of block: Sh breaks Bl
- moving content out of list: Pp
- missing comma before name: Nm cap_*
- comma in function argument: cap_*
- skipping paragraph macro: Pp after Sh
- sections out of conventional order: Sh AUTHORS
Reviewed by: bcr
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D31144
Create a casper service for netdb functions.
Initially only cap_getprotobyname is implemented.
This is needed for capsicumizing sockstat.
Reviewed by: oshogbo, bcr (manpages)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D24832
- Correct the type of the sysctl value.
- Initialize the oldsize parameter to cap_sysctlbyname()
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
In situations when the current file name wasn't the first element on
the list we were cleaning the current name too early.
This might cause us to pre-cache the same file twice.
Some tests verify that the capgrp capability does not permit calls to
setgrent(3), but all tests need to ensure that they reset the
capability's group database handle, otherwise the local process and
casper process will be out of sync.
The cap_pwd tests already handle this.
Sponsored by: The FreeBSD Foundation
MFC after: 1 month
In libcasper, the first argument to the function is a structure that
represents a connection to Casper. On systems without Casper, macros
are used to interpose the Casper functions to standard libc ones.
This may cause errors/warnings that the variable is not used.
With the inline function, there is no such problem.
When compiling without casper these API calls result in unused variable warnings.
Using #defines was lovely in the past but unfortunately it triggers warnings
which can cascade into errors.
Instead, just inline with some fallthrough functions and keep things happy.
Tested:
* gcc-6 targeting mips32, with casper disabled
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D26762
The current default is provided in various Makefile.inc in some top-level
directories and covers a good portion of the tree, but doesn't cover parts
of the build a little deeper (e.g. libcasper).
Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that
variable is defined. This lets us relatively cleanly provide a default WARNS
no matter where you're building in the src tree without breaking things
outside of the tree.
Crunchgen has been updated as a bootstrap tool to work on this change
because it needs r365605 at a minimum to succeed. The cleanup necessary to
successfully walk over this change on WITHOUT_CLEAN builds has been added.
There is a supplemental project to this to list all of the warnings that are
encountered when the environment has WARNS=6 NO_WERROR=yes:
https://warns.kevans.dev -- this project will hopefully eventually go away
in favor of CI doing a much better job than it.
Reviewed by: emaste, brooks, ngie (all earlier version)
Reviewed by: emaste, arichardson (depend-cleanup.sh change)
Differential Revision: https://reviews.freebsd.org/D26455
The service handler for fileargs_open() tries to pre-open multiple files
and pass descriptors for each back to the sandboxed process in a single
message. This is to amortize the cost of round-trips between the two
processes.
The service process adds a "cache" nvlist to the reply to "open",
containing file descriptors for pre-opened files. However, when adding
that nvlist to the reply, it was making a copy, effectively leaking the
cached descriptors.
While here, fix spelling in a local variable name.
PR: 241226
Reviewed by: oshogbo
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25095
