- 20 Jan, 2022 10 commits
-
-
Shawn Webb authored
When a non-zero PID value is passed to procctl(2), procctl verifies that the caller has the right to observe the target. We should treat passing in the caller's own PID as the same as passing in 0, in which case the cansee/candebug check is bypassed. This fixes in a more general fashion the bug that OpenSSH manifested, which I had fixed in commit cc791ab8.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
Shawn Webb authored
When procctl is passed getpid(), it performs an additional check to see whether the process can be seen or debugged. In the case of the sftpd server, the sftpd server switches UID/GID to that of the to-be-logged-in user account. Since HardenedBSD sets the security.bsd.unprivileged_proc_debug sysctl node to 0 by default (FreeBSD leaves it at 1), procctl's cansee/candebug check fails. This cascades down to the sftpd process, causing sftpd to deny the connection. To circumvent the cansee/candebug check, procctl callers can pass in 0 as the target PID, which tells procctl to act on the caller itself. As such, the cansee/candebug check is bypassed, since it's okay to use procctl on oneself. To fix this problem, have OpenSSH pass in 0 as the target PID.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
HardenedBSD Sync Service authored
-
Mark Johnston authored
These routines are used internally by GEOM to dispatch I/O requests to a provider, typically for tasting or for updating GEOM class metadata blocks. These routines assumed that partial I/O did not occur without setting BIO_ERROR, but this is possible in at least two cases:
- Some or all of the I/O range is beyond the provider's mediasize. In this scenario g_io_check() truncates the bounds of the request before it is handed to the target provider.
- A read from a vnode-backed md(4) device returns EOF (the backing vnode is allowed to be smaller than the device itself) or partial vnode I/O occurs.
In these scenarios g_read_data() could return a partially uninitialized buffer. Many consumers are not affected by the first case, since the offsets used for provider metadata or tasting are relative to the provider's mediasize, but in some cases metadata is read at fixed offsets, such as when searching for a UFS superblock using the offsets defined by SBLOCKSEARCH. Thus, modify the routines to explicitly check for a non-zero residual and return EIO in that case. Remove a related check from the DIOCGDELETE ioctl handler, it is handled within g_delete_data() now. Reviewed by: mav, imp, kib Reported by: KMSAN MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31293
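The failure mode in the commit above (a read that stops early without an error, leaving the tail of the buffer uninitialized) is easy to reproduce from user space. The following is an added example and not GEOM or any FreeBSD code: it is a user-space analogue of the "non-zero residual means EIO" rule, using pread(2) on a constructed temporary file that stands in for a provider smaller than the request. The probe() helper and its poison byte are inventions for this illustration.

```c
/* User-space analogue of the residual check described above.
 * Added example; not GEOM code. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read exactly `len` bytes at `off`. Returns 0 on success or an errno.
 * EOF or a short read without an error yields EIO, mirroring the commit's
 * "non-zero residual => EIO" rule, instead of handing back a half-filled
 * buffer. */
int read_exact(int fd, void *buf, size_t len, off_t off)
{
    unsigned char *p = buf;
    size_t resid = len;

    while (resid > 0) {
        ssize_t n = pread(fd, p, resid, off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return errno;
        }
        if (n == 0)
            break;              /* EOF: backing object smaller than request */
        p += n;
        off += n;
        resid -= (size_t)n;
    }
    return resid == 0 ? 0 : EIO;
}

/* Constructed fixture: an unlinked temp file of `size` bytes of 0xAA,
 * standing in for a provider / backing vnode. Returns fd or -1. */
int make_fixture(size_t size)
{
    char path[] = "/tmp/resid-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    unsigned char *fill = malloc(size ? size : 1);
    if (fill == NULL) { close(fd); return -1; }
    memset(fill, 0xAA, size);
    ssize_t w = write(fd, fill, size);
    free(fill);
    if (w != (ssize_t)size) { close(fd); return -1; }
    return fd;
}

struct probe_result {
    int rc;             /* errno from read_exact(), 0 on success */
    int tail_untouched; /* 1 if the last requested byte kept its poison value */
};

/* Probe a fixed offset on a provider of `provider_size` bytes, as a
 * superblock search at fixed offsets would. The buffer is poisoned first
 * so the result shows what a caller would have consumed had the short
 * read been reported as success. */
struct probe_result probe(size_t provider_size, off_t probe_off, size_t probe_len)
{
    unsigned char buf[512];
    struct probe_result r = { EINVAL, 0 };
    int fd;

    if (probe_len == 0 || probe_len > sizeof(buf))
        return r;
    memset(buf, 0x5A, sizeof(buf));   /* poison, stands in for uninitialized memory */
    fd = make_fixture(provider_size);
    if (fd < 0) {
        r.rc = EIO;
        return r;
    }
    r.rc = read_exact(fd, buf, probe_len, probe_off);
    close(fd);
    r.tail_untouched = buf[probe_len - 1] == 0x5A;
    return r;
}

int main(void)
{
    struct probe_result ok = probe(4096, 0, 512);
    struct probe_result eof = probe(256, 0, 512);
    struct probe_result beyond = probe(256, 8192, 512);

    printf("4096-byte provider, 512 @ 0:    rc=%d tail_untouched=%d\n", ok.rc, ok.tail_untouched);
    printf("256-byte provider,  512 @ 0:    rc=%d (%s) tail_untouched=%d\n",
           eof.rc, strerror(eof.rc), eof.tail_untouched);
    printf("256-byte provider,  512 @ 8192: rc=%d (%s) tail_untouched=%d\n",
           beyond.rc, strerror(beyond.rc), beyond.tail_untouched);
    return 0;
}
```

The second and third probes are the two cases the commit lists: a backing object shorter than the request, and a request entirely past its end. In both, the poisoned tail survives, which is exactly the data a consumer would have parsed as metadata had the short read been returned as success.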
-
Mark Johnston authored
MFC after: 1 week Sponsored by: The FreeBSD Foundation
-
Mark Johnston authored
Reviewed by: asomers MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D33957
-
Mark Johnston authored
tc_counter_mask is an unsigned int and in the TSC timecounter is equal to UINT_MAX, so the addition tc->tc_counter_mask + 1 can overflow to 0, resulting in a hang during boot. Fixes: c2705cea ("x86: Speed up clock calibration") Reviewed by: cperciva Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33956
-
HardenedBSD Sync Service authored
-
Wolfram Schneider authored
I guess nobody used this in the last decade, and you can get similar results with the time(1) command.
-
Wolfram Schneider authored
This fixes (harmless) integer overflows for larger partitions (>2TB) PR: 223023
-
- 19 Jan, 2022 22 commits
-
-
Shawn Webb authored
This reverts commit 7cafe89f. We don't use FreeBSD's AS{L}R implementation.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
HardenedBSD Sync Service authored
-
Konstantin Belousov authored
Noted by: Dave Baukus <daveb@spectralogic.com> PR: 261346 MFC after: 3 days Sponsored by: The FreeBSD Foundation
-
Mitchell Horne authored
clang warns that p is set-but-not-used, so let's use it.
-
Alan Somers authored
The tests require SES hardware. Without it, the test cases will be skipped. Reviewed by: ken Differential Revision: https://reviews.freebsd.org/D31809 Sponsored by: Axcient MFC after: 2 weeks
-
Alan Somers authored
MFC after: 2 weeks Sponsored by: Axcient
-
Wolfram Schneider authored
Using locate -m on a database > 2GB should work now. PR: 261277
-
Alan Somers authored
* Prefer variables of small scope rather than large scope
* Remove a magic number
* style(9) for return statements
* Remove the get_enc_status method, which never did anything
* Fix a variable type in the handle_string method
* Proofread some comments
MFC after: 2 weeks Sponsored by: Spectra Logic, Axcient Reviewed by: ken, mav Differential Revision: https://reviews.freebsd.org/D31686
-
Ed Maste authored
The kern.elf64.aslr.pie_enable and kern.elf32.aslr.pie_enable sysctls control the default setting for PIE binary address randomization, but it is possible to enable or disable ASLR on a per-process basis. Use procctl(2) to query whether ASLR is enabled. (Note that with ASLR enabled but sysctl kern.elf64.aslr.pie_enable=0 a PIE binary will in effect have randomization disabled, and be functional with msan. This is not intended as a user-facing control though. The user can use proccontrol(1) to disable aslr for the process.) Approved by: dim Obtained from: LLVM 64de0064f315f57044294879d9ff4eacb454d45b MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33933
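Both this commit and the two procctl(2) commits of 20 Jan above come down to one rule for callers: when the target is the calling process, pass 0, not getpid(). The following is an added example, not code from FreeBSD, HardenedBSD, OpenSSH or LLVM. It queries PROC_ASLR_STATUS (FreeBSD's procctl(2) command; whether HardenedBSD reports its own ASLR through this command is an assumption not stated on this page) both ways and reports whether they agree. The helper names target_is_self, query_aslr and query_own_aslr are inventions for this illustration; on a non-FreeBSD host the procctl call is compiled out and reported as ENOSYS.

```c
/* Query ASLR status for the calling process via procctl(2).
 * Added example; not FreeBSD, HardenedBSD, OpenSSH or LLVM code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/wait.h>     /* P_PID, idtype_t */
#include <sys/procctl.h>  /* procctl(), PROC_ASLR_STATUS, PROC_ASLR_ACTIVE */
#endif

/* Outcome of one PROC_ASLR_STATUS query. */
struct aslr_query {
    int ok;      /* 1 if procctl(2) succeeded */
    int err;     /* errno when it failed, else 0 */
    int active;  /* 1 if the kernel reported PROC_ASLR_ACTIVE */
};

/* The rule from the 20 Jan procctl commit above: a target of 0 means the
 * caller, and the caller's own PID is to be treated the same way, so neither
 * should be subject to the cansee/candebug check. (Helper for this example.) */
int target_is_self(pid_t caller, pid_t target)
{
    return target == 0 || target == caller;
}

/* Ask the kernel whether ASLR is active for `target`.
 * target == 0 selects the calling process with no visibility check.
 * target == getpid() selects the same process, but on a kernel without the
 * fix above, with security.bsd.unprivileged_proc_debug=0, it can fail with
 * EPERM once the process has switched to another UID/GID (the sftpd case). */
struct aslr_query query_aslr(pid_t target)
{
    struct aslr_query q = { 0, 0, 0 };
#ifdef __FreeBSD__
    int status = 0;
    if (procctl(P_PID, (id_t)target, PROC_ASLR_STATUS, &status) == -1) {
        q.err = errno;
        return q;
    }
    q.ok = 1;
    q.active = (status & PROC_ASLR_ACTIVE) != 0;
#else
    (void)target;
    q.err = ENOSYS;  /* procctl(2) is FreeBSD/HardenedBSD-specific; assumption: compiled elsewhere */
#endif
    return q;
}

/* The pattern the fixes above settle on: never pass getpid() to mean "myself". */
struct aslr_query query_own_aslr(void)
{
    return query_aslr(0);
}

static void report(const char *label, struct aslr_query q)
{
    if (q.ok)
        printf("%s: ASLR %s\n", label, q.active ? "active" : "inactive");
    else
        printf("%s: failed: %s\n", label, strerror(q.err));
}

int main(void)
{
    struct aslr_query self = query_own_aslr();
    struct aslr_query bypid = query_aslr(getpid());

    report("procctl(P_PID, 0, PROC_ASLR_STATUS)", self);
    report("procctl(P_PID, getpid(), PROC_ASLR_STATUS)", bypid);
    /* With the procctl fix above both forms agree; before it, only the
     * pid-0 form is guaranteed to work after a credential switch. */
    return self.ok == bypid.ok ? 0 : 1;
}
```

To see the pre-fix behaviour the commit describes, run the getpid() variant in a process that has dropped to an unprivileged UID on a host with security.bsd.unprivileged_proc_debug=0; the pid-0 variant keeps working regardless.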
-
Robert Wing authored
pthread_create() returns 0 on success or an error number on failure. Reviewed by: khng, markj Differential Revision: https://reviews.freebsd.org/D33930
-
HardenedBSD Sync Service authored
-
Mark Johnston authored
vt_fini_logos() calls vtbuf_grow(), which reallocates the console window's buffer using malloc(M_WAITOK). Because vt_fini_logos() is called via a callout, we end up panicking if INVARIANTS is enabled. Fix the problem simply by clearing the logos using a timed taskqueue. taskqueue_thread is formally allowed to sleep; of course, if we actually end up sleeping to satisfy the allocation, then we have bigger problems. PR: 260896 Reviewed by: emaste MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33932
-
Andrew Turner authored
-
Andrew Turner authored
The Branch Target Identification (BTI) Armv8-A extension adds new instructions that can be placed where we may indirectly branch to, e.g. at the start of a function called via a function pointer. We can't emulate these in DTrace as the kernel will have raised a different exception before the DTrace handler has run. Skip over the BTI instruction if it's used as the first instruction in a function. Sponsored by: The FreeBSD Foundation
-
HardenedBSD Sync Service authored
-
Baptiste Daroussin authored
-
Alfonso Siciliano authored
When running the installer, in particular disextract (which is so far the only part converted to bsddialog), on a serial console, vt100 or actually any terminal without color support, it failed to start. This change makes bsddialog fall back on the black and white theme. This is incorporated in a newer version of bsddialog which will be imported soon. PR: 261272 Reported by: thj Differential Revision: https://reviews.freebsd.org/D33920
-
Doug Moore authored
A lower-bound segment check is necessary in vm_phys_alloc_seg_contig. Add one. Reported by: jenkins Reviewed by: alc Fixes: da92ecbc vm_phys: fix seg->end test in alloc_seg_contig MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D33945
-
Shawn Webb authored
Apply a new delta specific for the RTLD, in similar fashion as the PIE execution base. Previously, the same delta we used for regular mmap calls was used, which placed the RTLD next to all the other shared objects. This is somewhat undesirable as the RTLD contains a lot of sensitive information. This commit sets up a new delta just for the RTLD, using the same level of entropy as the mmap delta.

Before:
```
81137 0x2bfd6929000 0x2bfd6956000 r-- 33 208 168 0 CN--- vn /usr/local/bin/rzsh
81137 0x2bfd6956000 0x2bfd69ff000 r-x 169 208 168 0 CN--- vn /usr/local/bin/rzsh
81137 0x2bfd69ff000 0x2bfd6a01000 r-- 2 0 1 0 CN--- vn /usr/local/bin/rzsh
81137 0x2bfd6a01000 0x2bfd6a07000 rw- 6 0 1 0 CN--- vn /usr/local/bin/rzsh
81137 0x2bfd6a07000 0x2bfd6a0d000 rw- 6 6 1 0 C---- df
81137 0x3c8c2c39000 0x3c8c2c3f000 r-- 6 30 632 0 CN--- vn /libexec/ld-elf.so.1
81137 0x3c8c2c3f000 0x3c8c2c57000 r-x 24 30 632 0 CN--- vn /libexec/ld-elf.so.1
81137 0x3c8c2c57000 0x3c8c2c58000 r-- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
81137 0x3c8c2c58000 0x3c8c2c59000 rw- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
81137 0x3c8c2c59000 0x3c8c2c5b000 rw- 2 2 1 0 CN--- df
81137 0x3c8c2c5b000 0x3c8c2c73000 rw- 21 21 1 0 CN--- df
81137 0x3c8c2c74000 0x3c8c2c76000 r-- 2 2 144 0 CN--- vn /usr/local/lib/zsh/5.8/zsh/langinfo.so
```

After:
```
60476 0xb7795c000 0xb77989000 r-- 33 208 12 0 CN--- vn /usr/local/bin/zsh
60476 0xb77989000 0xb77a32000 r-x 169 208 12 0 CN--- vn /usr/local/bin/zsh
60476 0xb77a32000 0xb77a34000 r-- 2 0 1 0 CN--- vn /usr/local/bin/zsh
60476 0xb77a34000 0xb77a3a000 rw- 6 0 1 0 CN--- vn /usr/local/bin/zsh
60476 0xb77a3a000 0xb77a40000 rw- 6 6 1 0 C---- df
60476 0x1ee19122000 0x1ee19128000 r-- 6 30 95 0 CN--- vn /libexec/ld-elf.so.1
60476 0x1ee19128000 0x1ee19140000 r-x 24 30 95 0 CN--- vn /libexec/ld-elf.so.1
60476 0x1ee19140000 0x1ee19141000 r-- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
60476 0x1ee19141000 0x1ee19142000 rw- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
60476 0x1ee19142000 0x1ee19144000 rw- 2 2 1 0 CN--- df
60476 0x3b2db385000 0x3b2db39d000 rw- 21 21 1 0 CN--- df
60476 0x3b2db39e000 0x3b2db3a0000 r-- 2 2 12 0 CN--- vn /usr/local/lib/zsh/5.8/zsh/langinfo.so
```

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> MFC-to: 13-STABLE MFC-to: 12-STABLE
-
HardenedBSD Sync Service authored
-
Alan Somers authored
MFC after: Never Reviewed by: khng Differential Revision: https://reviews.freebsd.org/D33800
-
Alexander Motin authored
Before this change bufdaemon and bufspacedaemon threads used kthread_shutdown() to stop activity on system shutdown. The problem is that kthread_shutdown() has no idea about the wait channel and lock used by specific thread to wake them up reliably. As a result, up to 9 threads could consume up to 9 seconds to shutdown for no good reason. This change introduces specific shutdown functions, knowing how to properly wake up specific threads, reducing wait for those threads on shutdown/reboot from average 4 seconds to effectively zero. MFC after: 2 weeks Reviewed by: kib, markj Differential Revision: https://reviews.freebsd.org/D33936
-
- 18 Jan, 2022 8 commits
-
-
Robert Wing authored
This addresses the following boot message: /etc/rc: WARNING: $zfskeys_enable is not set properly - see rc.conf(5). Reported by: Mark Millard Sponsored by: Modirum MDPay Sponsored by: Klara Inc. Fixes: bfb7a31b ("rc: Hook zfskeys to the build") Fixes: 33ff3979 ("Add zfskeys rc.d script for auto-loading encryption keys")
-
Shawn Webb authored
Signed-off-by:
Shawn Webb <shawn.webb@hardenedbsd.org>
-
Shawn Webb authored
Conflicts: sys/vm/vm_map.c (unresolved)
-
Shawn Webb authored
Usually, the merge conflict resolution commit is self-explanatory. This commit, however, needs extra comments. In FreeBSD commit 706f4a81, FreeBSD introduced a helper macro for getting the (new to that commit) per-process psstrings. FreeBSD did this to support randomizing the stack top address. The macro itself is useful, though the FreeBSD version of it points to their version of per-process psstrings. I've changed the macro to use HardenedBSD's version (proc->p_psstrings). Those places in the kernel that conflicted with our per-process psstrings and theirs, I switched to using the new macro. There's a few places where merge conflicts did not happen and that still should be changed (though leaving them as-is is harmless). To simplify life for HardenedBSD, I've removed a good chunk of the FreeBSD AS{L}R support in the ELF image activator. This drastically simplifies the code, and helps prevent potential bugs. There's a lot of other places which need the same type of removal/simplification. FreeBSD plans to merge into 13-STABLE their new stack randomization work in two weeks. Prior to that, I plan to finish the work to migrate us to the new per-process psstrings macro and to remove all traces of FreeBSD's AS{L}R implementation. I'll merge that work into 13-STABLE prior to resolving the inevitable merge conflict from FreeBSD's MFC.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
John Baldwin authored
Sponsored by: The FreeBSD Foundation
-
John Baldwin authored
These ciphers are now supported via OCF or 'struct enc_xform'. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33889
-
John Baldwin authored
This is a synchronous software API which wraps the existing software implementation shared with OCF. Note that this will not currently use optimized backends (such as ossl(4)) but may be appropriate for operations on small buffers. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33524
-
Robert Wing authored
Reviewed by: imp, allanjude, jhb Differential Revision: https://reviews.freebsd.org/D33403
-