182 commits

Author SHA1 Message Date
Andrew Turner
fa1c23da01 libsys: Add AT_HWCAP3 and AT_HWCAP4
This is needed to read these values.

Reviewed by:	brooks, imp, kib
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D51006
2025-06-24 17:26:40 +01:00
Gleb Smirnoff
d17cbe4698 sendfile: retire SF_SYNC
The flag was added in b75a1171d8 for the sake of Varnish.  However, that
idea didn't work.  Quoting email from Poul-Henning:

"We had to give up sendfile(), the overhead of keeping track of everything
between the network stack and VM system ate any gain we saw. ... I
don't think we ever shipped a version where sendfile was enabled by
default."

PR:	287348
2025-06-24 15:24:04 -07:00
Mark Johnston
f35525ff20 file: Add a fd flag with O_RESOLVE_BENEATH semantics
The O_RESOLVE_BENEATH openat(2) flag restricts name lookups such that
they remain under the directory referenced by the dirfd.  This commit
introduces an implicit version of the flag, FD_RESOLVE_BENEATH, stored
in the file descriptor entry.  When the flag is set, any lookup relative
to that fd automatically has O_RESOLVE_BENEATH semantics.  Furthermore,
the flag is sticky, meaning that it cannot be cleared, and it is copied
by dup() and openat().

File descriptors with FD_RESOLVE_BENEATH set may not be passed to
fchdir(2) or fchroot(2).  Various fd lookup routines are modified to
return fd flags to the caller.

This flag will be used to address a case where jails with different root
directories and the ability to pass SCM_RIGHTS messages across the jail
boundary can transfer directory fds in such a way as to allow a
filesystem escape.

PR:		262180
Reviewed by:	kib
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D50371
2025-06-24 21:04:18 +00:00
Kyle Evans
ee9895e10d kern: send parent a SIGCHLD when the debugger has detached
The practical scenario that leads to this is porch(1) spawning some
utility and sending it a SIGSTOP as a debugging aid.  The user then
attaches a debugger and walks through how some specific input is
processed, then detaches to allow the script to continue.  When ptrace
is detached, the process resumes execution but the parent is never
notified and may be stuck in wait(2) for it to continue or terminate.

Other platforms seem to re-suspend the process after the debugger is
detached, but neither behavior seems unreasonable.  Just notifying the
parent that the child has resumed is a relatively low-risk departure
from our current behavior and had apparently been considered in the
past, based on pre-existing comments.

Move p_flag and p_xsig handling into childproc_continued(), as just
sending the SIGCHLD here isn't really useful without P_CONTINUED set
and the other caller already sets these up as well.

Reviewed by:	kib, markj
Differential Revision:	https://reviews.freebsd.org/D50917
2025-06-19 10:32:04 -05:00
Warner Losh
67c5db938c clock_gettime: Better markup
Markup CLOCK_REALTIME better.

Noticed by: kib
Fixes: 7b7ba7857c
Sponsored by:		Netflix
2025-06-13 12:29:38 -06:00
Warner Losh
bd8621c6cd kern_time: minor style nits
Typically we spell error values 'error' not 'err'. And fix EINVAL markup
nit.

Suggested by: kib
Fixes: 7b7ba7857c
Sponsored by:		Netflix
2025-06-13 08:34:21 -06:00
Nathan Whitehorn
7b7ba7857c Implement CLOCK_TAI
Provide a clock through clock_gettime() that returns the current TAI
time (UTC without leap seconds) as a complement to CLOCK_REALTIME. This
provides compatibility with Linux, which also provides a CLOCK_TAI since
kernel 2.6.26, and this seems to be becoming the standard way to acquire
TAI time. Unlike Linux, this code will return EINVAL if the TAI offset
(set by ntpd, ptpd, etc.) is not known since it seems pathological for
CLOCK_TAI to silently give the wrong (UTC) time if the offset is not
known as it does on Linux.

Reviewed by: imp
Differential Revision:	https://reviews.freebsd.org/D46268
2025-06-12 12:25:31 -06:00
Rick Macklem
6b6542ec84 open.2: Document the O_NAMEDATTR flag
Commit 2ec2ba7e23 added support for the O_NAMEDATTR flag to
the open(2) and openat(2) syscalls for main.

This patch updates the man page for this flag.

Another man page that explains named attributes will
be introduced in a future commit.

This is a content change.

Reviewed by:	emaste (earlier version), kib (earlier version)
Differential Revision:	https://reviews.freebsd.org/D49691
Fixes:	2ec2ba7e23 ("vfs: Add VFS/syscall support for Solaris style extended attributes")
2025-06-04 15:50:16 -07:00
Konstantin Belousov
bfe9e97a23 Regen
2025-05-31 22:52:42 +03:00
Konstantin Belousov
92b393c0d2 libsys: export exterrctl symbol
Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential revision:	https://reviews.freebsd.org/D50483
2025-05-31 22:52:41 +03:00
Konstantin Belousov
6fd3288c39 thr_new.2: document THR_C_RUNTIME
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2025-05-31 17:55:24 +03:00
Konstantin Belousov
2e7cf772a4 amd64: add amd64_set_tlsbase(3)
Tested by:	pho
Reviewed by:	olce
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D50482
2025-05-28 14:11:23 +03:00
Robert Wing
3701f50099 write.2: sweep error code referencing disklabel(8)
The "-W" option for disklabel(8) was retired in:
    f080d33b66

The ioctl used by the "-W" option, DIOCWLABEL, was retired in:
    5777c5b989
2025-05-27 13:33:50 -08:00
Konstantin Belousov
fae33d1d12 open.2: add a note about conversion of a file descriptor into O_PATH
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
Differential revision:	https://reviews.freebsd.org/D50511
2025-05-25 23:32:26 +03:00
Tom Hukins
5b9660caff Fix incorrect version introduced in manual pages
Several manual pages for releng/14.3 incorrectly claim that features
were first introduced in FreeBSD 15.0.

I discovered these by running:

  git checkout origin/releng/14.3
  git grep -F '.Fx 15.0'

MFC After: 3 days
Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1685
2025-05-04 22:44:43 -06:00
Rick Macklem
38eb41a389 pathconf.2: Document the _PC_HAS_NAMEDATTR name
Commit 0f12c3cd0d adds a new pathconf(2) name called
_PC_HAS_NAMEDATTR.

This patch documents it in the man page.

This is a content change.

Reviewed by:	ziaee (manpages)
Differential Revision:	https://reviews.freebsd.org/D50141
Fixes:	2ec2ba7e23 ("vfs: Add VFS/syscall support for Solaris style extended attributes")
2025-05-04 15:23:42 -07:00
Gleb Smirnoff
626ea75ed2 time: use precise callout for clock_nanosleep(2) and nanosleep(2)
Don't apply tc_precexp and TIMESEL() that uses sbt_timethreshold (both
derivatives of kern.timecounter.alloweddeviation) to sleep callout when
processing the default and precise clocks.  The default timer deviation of
5% is our internal optimization in the kernel, and we shouldn't leak that
into the POSIX APIs.  Note that the application doesn't have any control to
cancel the deviation, only a superuser can change the global tunable [with
side effects].

Leave the deviation for CLOCK_*_FAST and CLOCK_SECOND that are documented
as imprecise.

Provide a sysctl kern.timecounter.nanosleep_precise that allows restoring
the previous behavior.

Improve documentation.

Reviewed by:		ziaee, vangyzen, imp, kib
Differential Revision:	https://reviews.freebsd.org/D50075
2025-04-30 09:47:57 -07:00
Vicki Pfau
d2ffe67fd5 procctl.2: Fix names of PROC_LOGSIGEXIT_CTL constants
The headers contain constants that start with PROC_LOGSIGEXIT_CTL_*, but the
man page elided the _CTL portion.

Fixes: dabf006 ("Add per-process flag to disable logsigexit")
Reviewed by: imp, jlduran
Pull Request: https://github.com/freebsd/freebsd-src/pull/1610
2025-04-21 16:01:53 -06:00
Rick Macklem
33e22c4f94 pathconf.2: Update man page for the _PC_NAMEDATTR_ENABLED flag
This patch updates the man page for the _PC_NAMEDATTR_ENABLED flag.

Another man page that explains named attributes will
be introduced in a future commit.

This is a content change.

Fixes:	2ec2ba7e23 ("vfs: Add VFS/syscall support for Solaris style extended attributes")
2025-04-16 15:37:14 -07:00
Michael Tuexen
dd9e59beeb symlink.2: document EOPNOTSUPP
When the file system does not support symbolic links (like in the case
of MSDOS), symlink() returns -1 and sets errno to EOPNOTSUPP.
Document this behavior.

Reviewed by:		glebius, markj
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D49803
2025-04-15 00:03:19 +02:00
Rick Macklem
964d0fd624 statfs.2: Update man page for the MNT_NAMEDATTR flag
This patch updates the man page for the MNT_NAMEDATTR flag.

Another man page that explains named attributes will
be introduced in a future commit.

This is a content change.

Reviewed by:	manpages (zaiee)
Fixes:	2ec2ba7e23 ("vfs: Add VFS/syscall support for Solaris style extended attributes")
Differential Revision:	https://reviews.freebsd.org/D49719
2025-04-10 18:00:49 -07:00
Rick Macklem
dedbb972d2 fhopen.2: Update man page for O_NAMEDATTR flag
This patch updates the man page for the O_NAMEDATTR flag.

Another man page that explains named attributes will
be introduced in a future commit.

This is a content change.

Reviewed by:	manpages (zaiee)
Fixes:	2ec2ba7e ("Add support for Solaris style extended attr")
Differential Revision:	https://reviews.freebsd.org/D49718
2025-04-09 17:50:36 -07:00
Enji Cooper
1b37af0922 Bump .Dd for recently changed aio_*(2) manpages
The ones that were effectively unchanged from
d97e44784bb5a^..e24279e0f9e did not have `.Dd` bumped. Only
the ones that had a net content change between those
revisions.

MFC after:	2 weeks
MFC with:	d97e44784b e24279e0f9
2025-03-27 19:43:26 -07:00
Enji Cooper
e24279e0f9 Remove mentions of ENOSYS added in d97e44784b
aio(4) is a hard requirement in the kernel as of f3215338ef. The
scenario that the patch was submitted for is no longer possible.

This isn't a straight up revert since the previous change also addressed
some minor issues.

PR:		190942
Reported by:	asomers
MFC after:	2 weeks
MFC with:	d97e44784b
Fixes:		d97e44784b ("aio_*(2): mention ENOSYS under ERRORS")
Differential Revision: https://reviews.freebsd.org/D49541
2025-03-27 19:40:07 -07:00
Enji Cooper
d97e44784b aio_*(2): mention ENOSYS under ERRORS
ENOSYS can occur if aio(4) is not loaded in the kernel. Document this
behavior so consumers on FreeBSD can better understand that this is a
possible scenario.

Clean up the manpages slightly while here:
- Sort `ERRORS` by errno(3).
- Use `.Fx` instead of `FreeBSD`.

MFC after:	2 weeks
Reviewed by:	ziaee
PR:		190942
Differential Revision: https://reviews.freebsd.org/D49502
2025-03-25 21:49:33 -07:00
Konstantin Belousov
e2dd73cf45 open.2: minor editing
Remove unneeded braces.
Bump Dd.

Suggested and reviewed by:	maxim
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2025-03-01 02:12:07 +02:00
artembunichev
8cebb06300 open.2: add separate paragraph for O_CREAT
PR:	284353
MFC after:	1 week
2025-02-28 12:29:12 +02:00
Alexander Ziaee
7c3c8605d6 recv.2: Improve style in RETURN VALUES
Reported by:		des
MFC after:		3 days
Fixes:			571df2c64a (Explain how recv functions can)
Reviewed by:		mhorne, des
Approved by:		mhorne (mentor)
Differential Revision:	https://reviews.freebsd.org/D48995
2025-02-24 12:33:38 -05:00
Konstantin Belousov
e951247a98 statfs.2: document missing user-visible MNT flags
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2025-02-20 17:25:42 +02:00
Konstantin Belousov
0738cd9766 statfs.2: order MNT flags alphabetically
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2025-02-20 17:03:49 +02:00
Konstantin Belousov
13b92ae965 statfs.2: remove dead comment
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2025-02-20 16:58:17 +02:00
Konstantin Belousov
270542d95d statfs.2: uncomment and describe MNT_IGNORE
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2025-02-20 16:58:17 +02:00
Brooks Davis
cdb24fbb0a libsys: Don't create or expose __realpathat
Previously, __realpathat was in libc and libsys (as is currently
standard), but not exported from libc which meant the stub in libc was
not filtered and thus libc's copy of the syscall was used.  This broke
an upcoming change to CheriBSD limiting syscalls to libsys.

The realpath(3) implementation now uses __sys___realpathat so there are no
consumers of __realpathat.  Switch it to PSEUDO (only _foo and __sys_foo
symbols) and remove __realpathat from Symbol.map.

This is a corrected version of 58d43a3cd7.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D49049
2025-02-19 20:05:47 +00:00
Brooks Davis
58d43a3cd7 Revert "libsys: Don't create or expose __realpathat"
This change broke RTLD.  Revert while I test a fix.

This reverts commit fdccf03361.
2025-02-19 19:07:34 +00:00
Brooks Davis
fdccf03361 libsys: Don't create or expose __realpathat
Previously, __realpathat was in libc and libsys (as is currently
standard), but not exported from libc which meant the stub in libc was
not filtered and thus libc's copy of the syscall was used.  This broke
an upcoming change to CheriBSD limiting syscalls to libsys.

The realpath(3) implementation now uses __sys___realpathat so there are no
consumers of __realpathat.  Switch it to PSEUDO (only _foo and __sys_foo
symbols) and remove __realpathat from Symbol.map.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D49049
2025-02-19 16:55:05 +00:00
Felix Johnson
571df2c64a recv.2: Explain how recv functions can return 0
Clarify the RETURN VALUES section with improved structure,
the condition of the return value 0, and the setting of errno.

PR:			174581
Reviewed by:		jhb, ziaee
Approved by:		mhorne (mentor)
Differential Revision:	https://reviews.freebsd.org/D48955
2025-02-12 22:54:14 -05:00
Mark Johnston
ee951eb59f socket: Add an option to retrieve a socket's FIB number
The SO_SETFIB option can be used to set a socket's FIB number, but there
is no way to retrieve it.  Rename SO_SETFIB to SO_FIB and implement a
handler for it for getsockopt(2).

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D48834
2025-02-06 14:17:19 +00:00
Gleb Smirnoff
99e5a70046 sysent: regen for deletion of gssd_syscall and new ABI for rpctls_syscall
2025-02-01 01:00:28 -08:00
Gleb Smirnoff
030c028255 kgssapi: remove the gssd_syscall
Reviewed by:		brooks
Differential Revision:	https://reviews.freebsd.org/D48554
2025-02-01 01:00:26 -08:00
CismonX
c814172896 open.2: update description for O_PATH
- Add fstatfs(), fchdir(), fchroot(), extattr_*_fd(), cap_*_get(),
  cap_*_limit() to the list of syscalls that can take an O_PATH fd.
- Remove readlinkat() from the list, since it is already discussed
  in the first few lines of the paragraph.  It was originally added
  to the list when readlinkat() adds support for non-dir fd with
  an empty relative path (as if with AT_EMPTY_PATH), however,
  such use case is also discussed in the next paragraph.
- Add funlinkat() to the list, since it accepts an extra fd
  (of the file to be unlinked), which is worth extra mentioning.
- Fix a syntax issue which causes a bogus space to be rendered
  before a closing parenthesis.

Signed-off-by: CismonX <admin@cismon.net>

Reviewed by:	markj, jhb
MFC after:	2 weeks
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1564
2025-01-24 20:15:09 +00:00
Mark Johnston
010ee8215f setfib.2: Note that the number of FIBs can be adjusted after boot
Reviewed by:	zlei, imp
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D48545
2025-01-21 15:39:50 +00:00
Ed Maste
724e383bd4 munmap.2: Add STANDARDS and note about portability
POSIX used to specify that munmap shall fail with EINVAL if the addr
argument is not a multiple of the page size, but that was changed to
may fail.  Note that we conform to contemporary POSIX and include a
brief note for portable programs.

Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48481
2025-01-16 12:50:47 -05:00
Ed Maste
fab411c4fd munmap.2: Remove EINVAL for negative len
len is unsigned (it is size_t), so cannot be negative.

Sponsored by:	The FreeBSD Foundation
2025-01-15 16:49:21 -05:00
Ed Maste
9e36aaf0c2 munmap.2: Unaligned addresses do not return error
We previously claimed that non-page-aligned addresses would return
EINVAL, but the address is in fact rounded down to the page boundary.

Reported by:	Harald Eilertsen <haraldei@anduin.net>
Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
Fixes: dabee6fecc ("kern_descrip.c: add fdshare()/fdcopy()")
Differential Revision: https://reviews.freebsd.org/D48465
2025-01-15 13:09:37 -05:00
John Baldwin
826509a3c3 open.2: Editorial pass
- Use a typical tagged list for the open flags instead of a literal
  block.  This permits using markup in the flag descriptions.  Also,
  drop the offset to avoid indenting the entire list.

- Note that O_RESOLVE_BENEATH only applies to openat(2)

- Use a clearer description of O_CLOEXEC (what it means, not the
  internal flag it sets)

- Note that exactly one permission flag is required.

- Split up a paragraph on various flags so that each flag gets its own
  paragraph.  Some flags already had their own paragraph, so this is
  more consistent.  It also makes it clearer which flag a sentence is
  talking about when a flag has more than one sentence.

- Appease some errors from igor and man2ps

- In the discussion about a returned directory descriptor opened with
  O_SEARCH, avoid the use of Fa fd since the descriptor in question is
  a return value and not an argument to open or openat.

- Various and sundry markup and language tweaks

Reviewed by:	kib, emaste
Differential Revision:	https://reviews.freebsd.org/D48253
2025-01-03 10:48:24 -05:00
John Baldwin
9b1585384d kqueue.2: Editorial pass
- Use consistent language to describe user values unchanged by the
  kernel.

- Replace passive language with active in a few places.

- Add a history note for kqueuex() and kqueue1().

- Add an MLINK and synopsis for kqueue1().

- Various wording and markup tweaks.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D48203
2024-12-30 14:09:48 -05:00
Gleb Smirnoff
053a988497 tcp: don't ever return ECONNRESET on close(2)
The SUS doesn't mention this error code as a possible one [1]. The FreeBSD
manual page specifies a possible ECONNRESET for close(2):

[ECONNRESET]	The underlying object was a stream socket that was
		shut down by the peer before all pending data was
		delivered.

In the past it had been EINVAL (see 21367f630d), and this EINVAL was
added as a safety measure in 623dce13c6.  After conversion to
ECONNRESET it had been documented in the manual page in 78e3a7fdd5, but
I bet wasn't ever tested to actually be ever returned, cause the
tcp-testsuite[2] didn't exist back then.  So documentation is incorrect
since 2006, if my bet wins.  Anyway, in the modern FreeBSD the condition
described above doesn't end up with ECONNRESET error code from close(2).
The error condition is reported via SO_ERROR socket option, though.  This
can be checked using the tcp-testsuite, temporarily disabling the
getsockopt(SO_ERROR) lines using sed command [3].  Most of these
getsockopt(2)s are followed by '+0.00 close(3) = 0', which will confirm
that close(2) doesn't return ECONNRESET even on a socket that has the
error stored, neither it is returned in the case described in the manual
page.  The latter case is covered by multiple tests residing in tcp-
testsuite/state-event-engine/rcv-rst-*.

However, the deleted block of code could be entered in a race condition
between close(2) and processing of incoming packet, when connection had
already been half-closed with shutdown(SHUT_WR) and sits in TCPS_LAST_ACK.
This was reported in the bug 146845.  With the block deleted, we will
continue into tcp_disconnect() which has proper handling of INP_DROPPED.

The race explanation follows.  The connection is in TCPS_LAST_ACK.  The
network input thread acquires the tcpcb lock first, sets INP_DROPPED,
acquires the socket lock in soisdisconnected() and clears SS_ISCONNECTED.
Meanwhile, the syscall thread goes through sodisconnect() which checks for
SS_ISCONNECTED locklessly(!).  The check passes and the thread blocks on
the tcpcb lock in tcp_usr_disconnect().  Once input thread releases the
lock, the syscall thread observes INP_DROPPED and returns ECONNRESET.

- Thread 1: tcp_do_segment()->tcp_close()->in_pcbdrop(),soisdisconnected()
- Thread 2: sys_close()...->soclose()->sodisconnect()->tcp_usr_disconnect()

Note that the lockless operation in sodisconnect() isn't correct, but
enforcing the socket lock there will not fix the problem.

[1] https://pubs.opengroup.org/onlinepubs/9799919799/
[2] https://github.com/freebsd-net/tcp-testsuite
[3] sed -i "" -Ee '/\+0\.00 getsockopt\(3, SOL_SOCKET, SO_ERROR, \[ECONNRESET\]/d' $(grep -lr ECONNRESET tcp-testsuite)

PR:			146845
Reviewed by:		tuexen, rrs, imp
Differential Revision:	https://reviews.freebsd.org/D48148
2024-12-23 10:35:49 -08:00
Olivier Certner
b6f4027ad9 setcred(2): Add manual page
Reviewed by:    Alexander Ziaee <concussious@runbox.com>
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D48063
2024-12-19 23:36:00 +01:00
Olivier Certner
ddb3eb4efe New setcred() system call and associated MAC hooks
This new system call allows setting all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label.  Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges).  This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones.  For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials.  Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them.  It
could be started and ended by a special system call.  Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often.  It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves.  The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called in pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible.  MAC/do is
going to leverage these in a subsequent commit.  A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).

Reviewed by:    brooks
Approved by:    markj (mentor)
Relnotes:       yes
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D47618
2024-12-16 15:42:39 +01:00
Kyle Evans
74ecdf86d8 Tweak ppoll() to include 1003.1-2024 visibility, take two
Note in the manpage that the 2024 edition finally added ppoll(), and
also add the appropriate declarations for the correct versions of
_POSIX_C_SOURCE (via __POSIX_VISIBLE).

Differential Revision:	https://reviews.freebsd.org/D48043
2024-12-14 22:40:16 -06:00