
Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  inetd: convert remaining bzero(3) to memset(3), NFC
  inetd: track all child pids, regardless of maxchild spec
  inetd: add some macros for checking child limits, NFC
  vmgenid(4): Integrate as a random(4) source
hardened/current/master
HardenedBSD Sync Service 6 months ago
parent
commit
2e78801bba
7 changed files with 83 additions and 38 deletions
  1. +7
    -0
      sys/dev/random/fortuna.c
  2. +1
    -0
      sys/dev/random/random_harvestq.c
  3. +22
    -0
      sys/dev/vmgenc/vmgenc_acpi.c
  4. +1
    -0
      sys/sys/random.h
  5. +0
    -1
      usr.sbin/inetd/Makefile
  6. +41
    -36
      usr.sbin/inetd/inetd.c
  7. +11
    -1
      usr.sbin/inetd/inetd.h

+ 7
- 0
sys/dev/random/fortuna.c View File

@@ -361,6 +361,13 @@ random_fortuna_process_event(struct harvest_event *event)
* during accumulation/reseeding and reading/regating.
*/
pl = event->he_destination % RANDOM_FORTUNA_NPOOLS;
/*
* If a VM generation ID changes (clone and play or VM rewind), we want
* to incorporate that as soon as possible. Override destingation pool
* for immediate next use.
*/
if (event->he_source == RANDOM_PURE_VMGENID)
pl = 0;
/*
* We ignore low entropy static/counter fields towards the end of the
* he_event structure in order to increase measurable entropy when
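Review bot: Forcing `pl = 0` for `RANDOM_PURE_VMGENID` only places the event in the pool that the next reseed consumes; nothing visible in this hunk triggers that reseed, so the comment's "immediate next use" may overstate what happens. If reseeding is gated or rate-limited elsewhere in fortuna.c (not shown here), two clones of one snapshot could presumably still return identical output until it fires, and the comment should say so or the reseed should be requested explicitly. The generation ID is an identifier handed over by the hypervisor rather than a secret, so the comment would be more accurate saying that it makes clone state diverge, not that it adds entropy. The added comment also misspells "destination" as `destingation`. The body of random_fortuna_process_event continues outside the hunk.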

+ 1
- 0
sys/dev/random/random_harvestq.c View File

@@ -354,6 +354,7 @@ static const char *random_source_descr[ENTROPYSOURCE] = {
[RANDOM_PURE_CCP] = "PURE_CCP",
[RANDOM_PURE_DARN] = "PURE_DARN",
[RANDOM_PURE_TPM] = "PURE_TPM",
[RANDOM_PURE_VMGENID] = "VMGENID",
/* "ENTROPYSOURCE" */
};
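Review bot: The new description string `"VMGENID"` breaks the naming pattern of its neighbours (`"PURE_CCP"`, `"PURE_DARN"`, `"PURE_TPM"`), although the enum constant is `RANDOM_PURE_VMGENID`. If these strings are shown to administrators or matched by tooling (their use is outside this hunk), the odd one out makes the source harder to find and to filter on. I would write `[RANDOM_PURE_VMGENID] = "PURE_VMGENID",`.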


+ 22
- 0
sys/dev/vmgenc/vmgenc_acpi.c View File

@@ -52,12 +52,14 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/random.h>
#include <sys/sysctl.h>
#include <sys/systm.h>

#include <contrib/dev/acpica/include/acpi.h>

#include <dev/acpica/acpivar.h>
#include <dev/random/random_harvestq.h>
#include <dev/vmgenc/vmgenc_acpi.h>

#ifndef ACPI_NOTIFY_STATUS_CHANGED
@@ -79,6 +81,20 @@ struct vmgenc_softc {
uint8_t vmg_cache_guid[GUID_BYTES];
};

static void
vmgenc_harvest_all(const void *p, size_t sz)
{
size_t nbytes;

while (sz > 0) {
nbytes = MIN(sz,
sizeof(((struct harvest_event *)0)->he_entropy));
random_harvest_direct(p, nbytes, RANDOM_PURE_VMGENID);
p = (const char *)p + nbytes;
sz -= nbytes;
}
}

static void
vmgenc_status_changed(void *context)
{
@@ -97,6 +113,8 @@ vmgenc_status_changed(void *context)
/* Update cache. */
memcpy(sc->vmg_cache_guid, guid, GUID_BYTES);

vmgenc_harvest_all(sc->vmg_cache_guid, sizeof(sc->vmg_cache_guid));

EVENTHANDLER_INVOKE(acpi_vmgenc_event);
acpi_UserNotify("VMGenerationCounter", acpi_get_handle(dev), 0);
}
@@ -219,6 +237,9 @@ vmgenc_attach(device_t dev)
memcpy(sc->vmg_cache_guid, __DEVOLATILE(void *, sc->vmg_pguid),
sizeof(sc->vmg_cache_guid));

random_harvest_register_source(RANDOM_PURE_VMGENID);
vmgenc_harvest_all(sc->vmg_cache_guid, sizeof(sc->vmg_cache_guid));

AcpiInstallNotifyHandler(h, ACPI_DEVICE_NOTIFY, vmgenc_notify, dev);
return (0);
}
@@ -238,3 +259,4 @@ static driver_t vmgenc_driver = {
static devclass_t vmgenc_devclass;
DRIVER_MODULE(vmgenc, acpi, vmgenc_driver, vmgenc_devclass, NULL, NULL);
MODULE_DEPEND(vmgenc, acpi, 1, 1, 1);
MODULE_DEPEND(vemgenc, random_harvestq, 1, 1, 1);
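Review bot: The added `MODULE_DEPEND(vemgenc, random_harvestq, 1, 1, 1);` names the module `vemgenc`, while `DRIVER_MODULE` and the existing `MODULE_DEPEND` just above it use `vmgenc`, so the dependency on random_harvestq is presumably recorded under a module name that does not exist. The driver now calls `random_harvest_register_source()` and `random_harvest_direct()` from attach and from the status-change path, so the dependency has to be attached to the real module. The line should read `MODULE_DEPEND(vmgenc, random_harvestq, 1, 1, 1);`.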

+ 1
- 0
sys/sys/random.h View File

@@ -102,6 +102,7 @@ enum random_entropy_source {
RANDOM_PURE_CCP,
RANDOM_PURE_DARN,
RANDOM_PURE_TPM,
RANDOM_PURE_VMGENID,
ENTROPYSOURCE
};
_Static_assert(ENTROPYSOURCE <= 32,

+ 0
- 1
usr.sbin/inetd/Makefile View File

@@ -9,7 +9,6 @@ MAN= inetd.8
MLINKS= inetd.8 inetd.conf.5
SRCS= inetd.c builtins.c

WARNS?= 3
CFLAGS+= -DLOGIN_CAP
#CFLAGS+= -DSANITY_CHECK


+ 41
- 36
usr.sbin/inetd/inetd.c View File

@@ -410,7 +410,7 @@ main(int argc, char **argv)
*/
servname = (hostname == NULL) ? "0" /* dummy */ : NULL;

bzero(&hints, sizeof(struct addrinfo));
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_flags = AI_PASSIVE;
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM; /* dummy */
@@ -922,25 +922,34 @@ flag_signal(int signo)
static void
addchild(struct servtab *sep, pid_t pid)
{
if (sep->se_maxchild <= 0)
return;
struct stabchild *sc;
#ifdef SANITY_CHECK
if (sep->se_numchild >= sep->se_maxchild) {
if (SERVTAB_EXCEEDS_LIMIT(sep)) {
syslog(LOG_ERR, "%s: %d >= %d",
__func__, sep->se_numchild, sep->se_maxchild);
exit(EX_SOFTWARE);
}
#endif
sep->se_pids[sep->se_numchild++] = pid;
if (sep->se_numchild == sep->se_maxchild)
sc = malloc(sizeof(*sc));
if (sc == NULL) {
syslog(LOG_ERR, "malloc: %m");
exit(EX_OSERR);
}
memset(sc, 0, sizeof(*sc));
sc->sc_pid = pid;
LIST_INSERT_HEAD(&sep->se_children, sc, sc_link);
++sep->se_numchild;
if (SERVTAB_AT_LIMIT(sep))
disable(sep);
}

static void
reapchild(void)
{
int k, status;
int status;
pid_t pid;
struct stabchild *sc;
struct servtab *sep;

for (;;) {
@@ -953,14 +962,17 @@ reapchild(void)
WIFEXITED(status) ? WEXITSTATUS(status)
: WTERMSIG(status));
for (sep = servtab; sep; sep = sep->se_next) {
for (k = 0; k < sep->se_numchild; k++)
if (sep->se_pids[k] == pid)
LIST_FOREACH(sc, &sep->se_children, sc_link) {
if (sc->sc_pid == pid)
break;
if (k == sep->se_numchild)
}
if (sc == NULL)
continue;
if (sep->se_numchild == sep->se_maxchild)
if (SERVTAB_AT_LIMIT(sep))
enable(sep);
sep->se_pids[k] = sep->se_pids[--sep->se_numchild];
LIST_REMOVE(sc, sc_link);
free(sc);
--sep->se_numchild;
if (WIFSIGNALED(status) || WEXITSTATUS(status))
syslog(LOG_WARNING,
"%s[%d]: exited, %s %u",
@@ -1032,25 +1044,20 @@ config(void)
sep->se_nomapped = new->se_nomapped;
sep->se_reset = 1;
}
/* copy over outstanding child pids */
if (sep->se_maxchild > 0 && new->se_maxchild > 0) {
new->se_numchild = sep->se_numchild;
if (new->se_numchild > new->se_maxchild)
new->se_numchild = new->se_maxchild;
memcpy(new->se_pids, sep->se_pids,
new->se_numchild * sizeof(*new->se_pids));
}
SWAP(pid_t *, sep->se_pids, new->se_pids);
sep->se_maxchild = new->se_maxchild;
sep->se_numchild = new->se_numchild;

/*
* The children tracked remain; we want numchild to
* still reflect how many jobs are running so we don't
* throw off our accounting.
*/
sep->se_maxcpm = new->se_maxcpm;
sep->se_maxchild = new->se_maxchild;
resize_conn(sep, new->se_maxperip);
sep->se_maxperip = new->se_maxperip;
sep->se_bi = new->se_bi;
/* might need to turn on or off service now */
if (sep->se_fd >= 0) {
if (sep->se_maxchild > 0
&& sep->se_numchild == sep->se_maxchild) {
if (SERVTAB_EXCEEDS_LIMIT(sep)) {
if (FD_ISSET(sep->se_fd, &allsock))
disable(sep);
} else {
@@ -1950,13 +1957,7 @@ more:
else
sep->se_maxchild = 1;
}
if (sep->se_maxchild > 0) {
sep->se_pids = malloc(sep->se_maxchild * sizeof(*sep->se_pids));
if (sep->se_pids == NULL) {
syslog(LOG_ERR, "malloc: %m");
exit(EX_OSERR);
}
}
LIST_INIT(&sep->se_children);
argc = 0;
for (arg = skip(&cp); cp; arg = skip(&cp))
if (argc < MAXARGV) {
@@ -1981,6 +1982,7 @@ more:
static void
freeconfig(struct servtab *cp)
{
struct stabchild *sc;
int i;

if (cp->se_service)
@@ -1997,8 +1999,11 @@ freeconfig(struct servtab *cp)
#endif
if (cp->se_server)
free(cp->se_server);
if (cp->se_pids)
free(cp->se_pids);
while (!LIST_EMPTY(&cp->se_children)) {
sc = LIST_FIRST(&cp->se_children);
LIST_REMOVE(sc, sc_link);
free(sc);
}
for (i = 0; i < MAXARGV; i++)
if (cp->se_argv[i])
free(cp->se_argv[i]);
@@ -2288,7 +2293,7 @@ cpmip(const struct servtab *sep, int ctrl)
if (chBest->ch_Service)
free(chBest->ch_Service);
chBest->ch_Service = strdup(sep->se_service);
bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
memset(chBest->ch_Times, 0, sizeof(chBest->ch_Times));
}
#ifdef INET6
if ((rss.ss_family == AF_INET6 &&
@@ -2302,7 +2307,7 @@ cpmip(const struct servtab *sep, int ctrl)
if (chBest->ch_Service)
free(chBest->ch_Service);
chBest->ch_Service = strdup(sep->se_service);
bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
memset(chBest->ch_Times, 0, sizeof(chBest->ch_Times));
}
#endif
chBest->ch_LTime = t;
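Review bot: `addchild()` now allocates a `struct stabchild` for every child and calls `exit(EX_OSERR)` when `malloc` fails, so an allocation failure on the per-connection path ends the whole daemon and every service it supervises. Before this change the only pid allocation was at configuration time (the `se_pids` block dropped from the `more:` hunk). Under memory pressure, which many concurrent children of a service without a child limit can contribute to, this turns a transient failure into a full outage. Consider logging and returning instead: `reapchild()` already skips a pid it cannot find (`if (sc == NULL) continue;`), so an untracked child would not corrupt `se_numchild`, at the cost of the limit being under-counted by one and that child's exit not being logged. As a smaller style point, `malloc` followed by `memset(sc, 0, sizeof(*sc))` can be written `sc = calloc(1, sizeof(*sc));`.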

+ 11
- 1
usr.sbin/inetd/inetd.h View File

@@ -66,6 +66,11 @@ struct conninfo {

#define PERIPSIZE 256

struct stabchild {
LIST_ENTRY(stabchild) sc_link;
pid_t sc_pid;
};

struct servtab {
char *se_service; /* name of service */
int se_socktype; /* type of socket to use */
@@ -74,7 +79,6 @@ struct servtab {
int se_maxchild; /* max number of children */
int se_maxcpm; /* max connects per IP per minute */
int se_numchild; /* current number of children */
pid_t *se_pids; /* array of child pids */
char *se_user; /* user name to run as */
char *se_group; /* group name to run as */
#ifdef LOGIN_CAP
@@ -119,11 +123,17 @@ struct servtab {
} se_flags;
int se_maxperip; /* max number of children per src */
LIST_HEAD(, conninfo) se_conn[PERIPSIZE];
LIST_HEAD(, stabchild) se_children;
};

#define se_nomapped se_flags.se_nomapped
#define se_reset se_flags.se_reset

#define SERVTAB_AT_LIMIT(sep) \
((sep)->se_maxchild > 0 && (sep)->se_numchild == (sep)->se_maxchild)
#define SERVTAB_EXCEEDS_LIMIT(sep) \
((sep)->se_maxchild > 0 && (sep)->se_numchild >= (sep)->se_maxchild)

int check_loop(const struct sockaddr *, const struct servtab *sep);
void inetd_setproctitle(const char *, int);
struct servtab *tcpmux(int);
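Review bot: `SERVTAB_AT_LIMIT` and `SERVTAB_EXCEEDS_LIMIT` differ only in `==` versus `>=`, and nothing in the header says when each one is the right choice. In inetd.c the first is used for the exact transition in `addchild()` and `reapchild()`, the second in `config()` and the `SANITY_CHECK` block; a comment above the macros such as `/* AT_LIMIT: exact transition on add/reap; EXCEEDS_LIMIT: also true once a reload lowers se_maxchild below se_numchild */` would record that. The new `se_children` member has no trailing comment, unlike most fields of `struct servtab`; `/* running children, one stabchild per pid */` would fit. Both macros evaluate `sep` more than once, which is harmless for the current callers but is worth a remark or a `static inline` function.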
