From owner-p4-projects@FreeBSD.ORG Fri Dec 4 10:12:14 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0F1571065679; Fri, 4 Dec 2009 10:12:14 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AE55E106566C for ; Fri, 4 Dec 2009 10:12:13 +0000 (UTC) (envelope-from marinosi@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 99A4E8FC17 for ; Fri, 4 Dec 2009 10:12:13 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id nB4ACDra002590 for ; Fri, 4 Dec 2009 10:12:13 GMT (envelope-from marinosi@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id nB4ACD4Z002588 for perforce@freebsd.org; Fri, 4 Dec 2009 10:12:13 GMT (envelope-from marinosi@FreeBSD.org) Date: Fri, 4 Dec 2009 10:12:13 GMT Message-Id: <200912041012.nB4ACD4Z002588@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to marinosi@FreeBSD.org using -f From: Ilias Marinos To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 171374 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Dec 2009 10:12:14 -0000 http://p4web.freebsd.org/chv.cgi?CH=171374 Change 171374 by marinosi@revolver on 2009/12/04 10:11:14 Integrate and some debugging code. Affected files ... .. //depot/projects/soc2009/marinosi_appaudit/src/ObsoleteFiles.inc#5 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/Makefile#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/defaults/rc.conf#5 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.d/Makefile#5 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.d/ip6fw#3 delete .. //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.d/ipfw#3 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.firewall#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.firewall6#2 delete .. //depot/projects/soc2009/marinosi_appaudit/src/lib/libutil/libutil.h#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/amd64/amd64/mca.c#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/amd64/include/mca.h#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/cam/scsi/scsi_cd.c#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/compat/freebsd32/syscalls.master#6 edit .. //depot/projects/soc2009/marinosi_appaudit/src/sys/dev/if_ndis/if_ndis.c#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/i386/i386/mca.c#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/i386/include/mca.h#2 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/netinet/in.h#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/netinet/ip_carp.c#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/netinet/ipfw/ip_dummynet.c#3 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/netinet/ipfw/ip_fw2.c#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/netinet/raw_ip.c#4 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#27 edit .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#14 edit .. //depot/projects/soc2009/marinosi_appaudit/src/sys/sys/param.h#5 integrate Differences ... ==== //depot/projects/soc2009/marinosi_appaudit/src/ObsoleteFiles.inc#5 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD: src/ObsoleteFiles.inc,v 1.213 2009/11/18 00:56:05 delphij Exp $ +# $FreeBSD: src/ObsoleteFiles.inc,v 1.214 2009/12/02 15:05:26 ume Exp $ # # This file lists old files (OLD_FILES), libraries (OLD_LIBS) and # directories (OLD_DIRS) which should get removed at an update. Recently @@ -14,6 +14,9 @@ # The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last. # +# 20091202: unify rc.firewall and rc.firewall6. +OLD_FILES+=etc/rc.d/ip6fw +OLD_FILES+=etc/rc.firewall6 # 20091117: removal of rc.early(8) link OLD_FILES+=usr/share/man/man8/rc.early.8.gz # 20091027: pselect.3 implemented as syscall ==== //depot/projects/soc2009/marinosi_appaudit/src/etc/Makefile#4 (text+ko) ==== @@ -1,5 +1,5 @@ # from: @(#)Makefile 5.11 (Berkeley) 5/21/91 -# $FreeBSD: src/etc/Makefile,v 1.377 2009/11/13 11:26:44 ed Exp $ +# $FreeBSD: src/etc/Makefile,v 1.378 2009/12/02 15:05:26 ume Exp $ .include @@ -15,7 +15,7 @@ inetd.conf libalias.conf login.access login.conf mac.conf motd \ netconfig network.subr networks newsyslog.conf nsswitch.conf \ phones profile protocols \ - rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \ + rc rc.bsdextended rc.firewall rc.initdiskless \ rc.sendmail rc.shutdown \ rc.subr remote rpc services shells \ sysctl.conf syslog.conf ==== //depot/projects/soc2009/marinosi_appaudit/src/etc/defaults/rc.conf#5 (text+ko) ==== @@ -15,7 +15,7 @@ # For a more detailed explanation of all the rc.conf variables, please # refer to the rc.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/rc.conf,v 1.363 2009/10/21 09:43:22 brueffer Exp $ +# $FreeBSD: src/etc/defaults/rc.conf,v 1.364 2009/12/02 15:05:26 ume Exp $ ############################################################## ### Important initial Boot-time options #################### @@ -118,7 +118,10 @@ firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file -firewall_client_net="192.0.2.0/24" # Network address for "client" firewall. +firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client" + # firewall. +#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for + # "client" firewall. firewall_simple_iif="ed1" # Inside network interface for "simple" # firewall. firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple" @@ -127,12 +130,22 @@ # firewall. firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple" # firewall. +#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple" + # firewall. +#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix + # for "simple" firewall. +#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple" + # firewall. +#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix + # for "simple" firewall. firewall_myservices="" # List of TCP ports on which this host # offers services for "workstation" firewall. firewall_allowservices="" # List of IPs which have access to # $firewall_myservices for "workstation" # firewall. -firewall_trusted="" # List of IPs which have full access to this +firewall_trusted="" # List of IPv4s which have full access to this + # host for "workstation" firewall. +firewall_trusted_ipv6="" # List of IPv6s which have full access to this # host for "workstation" firewall. firewall_logdeny="NO" # Set to YES to log default denied incoming # packets for "workstation" firewall. @@ -472,13 +485,6 @@ # faithd(8) setup. ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr # communication. (like ::ffff:a.b.c.d) -ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall - # functionality -ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall -ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) -ipv6_firewall_quiet="NO" # Set to YES to suppress rule display -ipv6_firewall_logging="NO" # Set to YES to enable events logging -ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter, # see /usr/src/contrib/ipfilter/rules # for examples ==== //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.d/Makefile#5 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/rc.d/Makefile,v 1.101 2009/09/12 22:13:41 hrs Exp $ +# $FreeBSD: src/etc/rc.d/Makefile,v 1.102 2009/12/02 15:05:26 ume Exp $ .include @@ -15,7 +15,7 @@ hcsecd \ hostapd hostid hostid_save hostname \ inetd initrandom \ - ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \ + ip6addrctl ipfilter ipfs ipfw ipmon \ ipnat ipsec ipxrouted \ jail \ kadmind kerberos keyserv kldxref kpasswdd \ ==== //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.d/ipfw#3 (text+ko) ==== @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/ipfw,v 1.21 2009/06/26 01:04:50 dougb Exp $ +# $FreeBSD: src/etc/rc.d/ipfw,v 1.22 2009/12/02 15:05:26 ume Exp $ # # PROVIDE: ipfw @@ -17,6 +17,8 @@ stop_cmd="ipfw_stop" required_modules="ipfw" +set_rcvar_obsolete ipv6_firewall_enable + ipfw_prestart() { if checkyesno dummynet_enable; then @@ -61,7 +63,13 @@ # Enable the firewall # if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then - warn "failed to enable firewall" + warn "failed to enable IPv4 firewall" + fi + if afexists inet6; then + if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1 + then + warn "failed to enable IPv6 firewall" + fi fi } @@ -70,6 +78,9 @@ # Disable the firewall # ${SYSCTL_W} net.inet.ip.fw.enable=0 + if afexists inet6; then + ${SYSCTL_W} net.inet6.ip6.fw.enable=0 + fi if [ -f /etc/rc.d/natd ] ; then /etc/rc.d/natd quietstop fi ==== //depot/projects/soc2009/marinosi_appaudit/src/etc/rc.firewall#2 (text+ko) ==== @@ -23,7 +23,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/rc.firewall,v 1.60 2008/08/15 19:20:59 jhb Exp $ +# $FreeBSD: src/etc/rc.firewall,v 1.61 2009/12/02 15:05:26 ume Exp $ # # @@ -85,12 +85,42 @@ ${fwcmd} add 100 pass all from any to any via lo0 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add 400 deny all from any to ::1 + ${fwcmd} add 500 deny all from ::1 to any + fi +} + +setup_ipv6_mandatory () { + [ $ipv6_available -eq 0 ] || return 0 + + ############ + # Only in rare cases do you want to change these rules + # + # ND + # + # DAD + ${fwcmd} add pass ipv6-icmp from :: to ff02::/16 + # RS, RA, NS, NA, redirect... + ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 + ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + + # Allow ICMPv6 destination unreach + ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1 + + # Allow NS/NA/toobig (don't filter it out) + ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136 } if [ -n "${1}" ]; then firewall_type="${1}" fi +. /etc/rc.subr +. /etc/network.subr +afexists inet6 +ipv6_available=$? + ############ # Set quiet mode if requested # @@ -109,6 +139,7 @@ ${fwcmd} -f flush setup_loopback +setup_ipv6_mandatory ############ # Network Address Translation. All packets are passed to natd(8) @@ -166,11 +197,13 @@ # against people from outside your own network. # # Configuration: - # firewall_client_net: Network address of local network. + # firewall_client_net: Network address of local IPv4 network. + # firewall_client_net_ipv6: Network address of local IPv6 network. ############ # set this to your local network net="$firewall_client_net" + net6="$firewall_client_net_ipv6" # Allow limited broadcast traffic from my own net. ${fwcmd} add pass all from ${net} to 255.255.255.255 @@ -178,6 +211,16 @@ # Allow any traffic to or from my own net. ${fwcmd} add pass all from me to ${net} ${fwcmd} add pass all from ${net} to me + if [ -n "$net6" ]; then + ${fwcmd} add pass all from me6 to ${net6} + ${fwcmd} add pass all from ${net6} to me6 + fi + + if [ -n "$net6" ]; then + # Allow any link-local multicast traffic + ${fwcmd} add pass all from fe80::/10 to ff02::/16 + ${fwcmd} add pass all from ${net6} to ff02::/16 + fi # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -212,23 +255,38 @@ # on the inside at this machine for those services. # # Configuration: - # firewall_simple_iif: Inside network interface. - # firewall_simple_inet: Inside network address. - # firewall_simple_oif: Outside network interface. - # firewall_simple_onet: Outside network address. + # firewall_simple_iif: Inside IPv4 network interface. + # firewall_simple_inet: Inside IPv4 network address. + # firewall_simple_oif: Outside IPv4 network interface. + # firewall_simple_onet: Outside IPv4 network address. + # firewall_simple_iif_ipv6: Inside IPv6 network interface. + # firewall_simple_inet_ipv6: Inside IPv6 network prefix. + # firewall_simple_oif_ipv6: Outside IPv6 network interface. + # firewall_simple_onet_ipv6: Outside IPv6 network prefix. ############ # set these to your outside interface network oif="$firewall_simple_oif" onet="$firewall_simple_onet" + oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}" + onet6="$firewall_simple_onet_ipv6" # set these to your inside interface network iif="$firewall_simple_iif" inet="$firewall_simple_inet" + iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}" + inet6="$firewall_simple_inet_ipv6" # Stop spoofing ${fwcmd} add deny all from ${inet} to any in via ${oif} ${fwcmd} add deny all from ${onet} to any in via ${iif} + if [ -n "$inet6" ]; then + ${fwcmd} add deny all from ${inet6} to any in via ${oif6} + if [ -n "$onet6" ]; then + ${fwcmd} add deny all from ${onet6} to any in \ + via ${iif6} + fi + fi # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} @@ -254,7 +312,7 @@ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add divert natd all from any to any via ${natd_interface} + ${fwcmd} add divert natd ip4 from any to any via ${natd_interface} fi ;; esac @@ -273,6 +331,55 @@ ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} + if [ -n "$inet6" ]; then + # Stop unique local unicast address on the outside interface + ${fwcmd} add deny all from fc00::/7 to any via ${oif6} + ${fwcmd} add deny all from any to fc00::/7 via ${oif6} + + # Stop site-local on the outside interface + ${fwcmd} add deny all from fec0::/10 to any via ${oif6} + ${fwcmd} add deny all from any to fec0::/10 via ${oif6} + + # Disallow "internal" addresses to appear on the wire. + ${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \ + via ${oif6} + ${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \ + via ${oif6} + + # Disallow packets to malicious IPv4 compatible prefix. + ${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6} + ${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6} + ${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6} + ${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6} + ${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6} + + ${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6} + ${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6} + + # Disallow packets to malicious 6to4 prefix. + ${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6} + ${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6} + ${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6} + ${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6} + + ${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6} + ${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6} + ${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6} + + ${fwcmd} add deny all from ff05::/16 to any via ${oif6} + ${fwcmd} add deny all from any to ff05::/16 via ${oif6} + fi + # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -291,7 +398,11 @@ ${fwcmd} add pass tcp from any to me 80 setup # Reject&Log all setup of incoming connections from the outside - ${fwcmd} add deny log tcp from any to any in via ${oif} setup + ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp + if [ -n "$inet6" ]; then + ${fwcmd} add deny log ip6 from any to any in via ${oif6} \ + setup proto tcp + fi # Allow setup of any other TCP connection ${fwcmd} add pass tcp from any to any setup @@ -313,7 +424,7 @@ # offers services. # firewall_allowservices: List of IPs which has access to # $firewall_myservices. - # firewall_trusted: List of IPs which has full access + # firewall_trusted: List of IPv4s which has full access # to this host. Be very carefull # when setting this. This option can # seriously degrade the level of @@ -324,25 +435,44 @@ # firewall_nologports: List of TCP/UDP ports for which # denied incomming packets are not # logged. - + # firewall_trusted_ipv6: List of IPv6s which has full access + # to this host. Be very carefull + # when setting this. This option can + # seriously degrade the level of + # protection provided by the firewall. + # Allow packets for which a state has been built. ${fwcmd} add check-state # For services permitted below. ${fwcmd} add pass tcp from me to any established + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from me6 to any established + fi # Allow any connection out, adding state for each. ${fwcmd} add pass tcp from me to any setup keep-state ${fwcmd} add pass udp from me to any keep-state ${fwcmd} add pass icmp from me to any keep-state + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from me6 to any setup keep-state + ${fwcmd} add pass udp from me6 to any keep-state + ${fwcmd} add pass ipv6-icmp from me6 to any keep-state + fi # Allow DHCP. ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out ${fwcmd} add pass udp from any 67 to me 68 in ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass udp from fe80::/10 to me6 546 in + fi # Some servers will ping the IP while trying to decide if it's # still in use. ${fwcmd} add pass icmp from any to any icmptype 8 + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129 + fi # Allow "mandatory" ICMP in. ${fwcmd} add pass icmp from any to any icmptype 3,4,11 @@ -361,6 +491,9 @@ for i in ${firewall_allowservices} ; do for j in ${firewall_myservices} ; do ${fwcmd} add pass tcp from $i to me $j + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from $i to me6 $j + fi done done @@ -370,7 +503,10 @@ for i in ${firewall_trusted} ; do ${fwcmd} add pass ip from $i to me done - + for i in ${firewall_trusted_ipv6} ; do + ${fwcmd} add pass all from $i to me6 + done + ${fwcmd} add 65000 count ip from any to any # Drop packets to ports where we don't want logging ==== //depot/projects/soc2009/marinosi_appaudit/src/lib/libutil/libutil.h#2 (text+ko) ==== @@ -33,12 +33,40 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libutil/libutil.h,v 1.49 2008/12/02 06:50:26 peter Exp $ + * $FreeBSD: src/lib/libutil/libutil.h,v 1.50 2009/12/02 15:56:18 ed Exp $ */ #ifndef _LIBUTIL_H_ #define _LIBUTIL_H_ +#include +#include + +#ifndef _GID_T_DECLARED +typedef __gid_t gid_t; +#define _GID_T_DECLARED +#endif + +#ifndef _INT64_T_DECLARED +typedef __int64_t int64_t; +#define _INT64_T_DECLARED +#endif + +#ifndef _PID_T_DECLARED +typedef __pid_t pid_t; +#define _PID_T_DECLARED +#endif + +#ifndef _SIZE_T_DECLARED +typedef __size_t size_t; +#define _SIZE_T_DECLARED +#endif + +#ifndef _UID_T_DECLARED +typedef __uid_t uid_t; +#define _UID_T_DECLARED +#endif + #define PROPERTY_MAX_NAME 64 #define PROPERTY_MAX_VALUE 512 ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/amd64/amd64/mca.c#2 (text+ko) ==== @@ -30,7 +30,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/amd64/amd64/mca.c,v 1.3 2009/05/20 16:11:22 jhb Exp $"); +__FBSDID("$FreeBSD: src/sys/amd64/amd64/mca.c,v 1.4 2009/12/02 15:45:55 avg Exp $"); #include #include @@ -117,48 +117,6 @@ return (SYSCTL_OUT(req, &record, sizeof(record))); } -static struct mca_record * -mca_record_entry(int bank) -{ - struct mca_internal *rec; - uint64_t status; - u_int p[4]; - - status = rdmsr(MSR_MC_STATUS(bank)); - if (!(status & MC_STATUS_VAL)) - return (NULL); - - rec = malloc(sizeof(*rec), M_MCA, M_NOWAIT | M_ZERO); - if (rec == NULL) { - printf("MCA: Unable to allocate space for an event.\n"); - return (NULL); - } - - /* Save exception information. */ - rec->rec.mr_status = status; - if (status & MC_STATUS_ADDRV) - rec->rec.mr_addr = rdmsr(MSR_MC_ADDR(bank)); - if (status & MC_STATUS_MISCV) - rec->rec.mr_misc = rdmsr(MSR_MC_MISC(bank)); - rec->rec.mr_tsc = rdtsc(); - rec->rec.mr_apic_id = PCPU_GET(apic_id); - - /* - * Clear machine check. Don't do this for uncorrectable - * errors so that the BIOS can see them. - */ - if (!(rec->rec.mr_status & (MC_STATUS_PCC | MC_STATUS_UC))) { - wrmsr(MSR_MC_STATUS(bank), 0); - do_cpuid(0, p); - } - - mtx_lock_spin(&mca_lock); - STAILQ_INSERT_TAIL(&mca_records, rec, link); - mca_count++; - mtx_unlock_spin(&mca_lock); - return (&rec->rec); -} - static const char * mca_error_ttype(uint16_t mca_error) { @@ -219,11 +177,13 @@ } /* Dump details about a single machine check. */ -static void -mca_log(struct mca_record *rec) +static void __nonnull(1) +mca_log(const struct mca_record *rec) { uint16_t mca_error; + printf("MCA: bank %d, status 0x%016llx\n", rec->mr_bank, + (long long)rec->mr_status); printf("MCA: CPU %d ", rec->mr_apic_id); if (rec->mr_status & MC_STATUS_UC) printf("UNCOR "); @@ -329,6 +289,59 @@ printf("MCA: Address 0x%llx\n", (long long)rec->mr_addr); } +static int __nonnull(2) +mca_check_status(int bank, struct mca_record *rec) +{ + uint64_t status; + u_int p[4]; + + status = rdmsr(MSR_MC_STATUS(bank)); + if (!(status & MC_STATUS_VAL)) + return (0); + + /* Save exception information. */ + rec->mr_status = status; + rec->mr_bank = bank; + rec->mr_addr = 0; + if (status & MC_STATUS_ADDRV) + rec->mr_addr = rdmsr(MSR_MC_ADDR(bank)); + rec->mr_misc = 0; + if (status & MC_STATUS_MISCV) + rec->mr_misc = rdmsr(MSR_MC_MISC(bank)); + rec->mr_tsc = rdtsc(); + rec->mr_apic_id = PCPU_GET(apic_id); + + /* + * Clear machine check. Don't do this for uncorrectable + * errors so that the BIOS can see them. + */ + if (!(rec->mr_status & (MC_STATUS_PCC | MC_STATUS_UC))) { + wrmsr(MSR_MC_STATUS(bank), 0); + do_cpuid(0, p); + } + return (1); +} + +static void __nonnull(1) +mca_record_entry(const struct mca_record *record) +{ + struct mca_internal *rec; + + rec = malloc(sizeof(*rec), M_MCA, M_NOWAIT); + if (rec == NULL) { + printf("MCA: Unable to allocate space for an event.\n"); + mca_log(record); + return; + } + + rec->rec = *record; + rec->logged = 0; + mtx_lock_spin(&mca_lock); + STAILQ_INSERT_TAIL(&mca_records, rec, link); + mca_count++; + mtx_unlock_spin(&mca_lock); +} + /* * This scans all the machine check banks of the current CPU to see if * there are any machine checks. Any non-recoverable errors are @@ -341,7 +354,7 @@ static int mca_scan(int mcip) { - struct mca_record *rec; + struct mca_record rec; uint64_t mcg_cap, ucmask; int count, i, recoverable; @@ -354,13 +367,13 @@ ucmask |= MC_STATUS_OVER; mcg_cap = rdmsr(MSR_MCG_CAP); for (i = 0; i < (mcg_cap & MCG_CAP_COUNT); i++) { - rec = mca_record_entry(i); - if (rec != NULL) { + if (mca_check_status(i, &rec)) { count++; - if (rec->mr_status & ucmask) { + if (rec.mr_status & ucmask) { recoverable = 0; - mca_log(rec); + mca_log(&rec); } + mca_record_entry(&rec); } } return (mcip ? recoverable : count); ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/amd64/include/mca.h#2 (text+ko) ==== @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/amd64/include/mca.h,v 1.1 2009/05/13 17:53:04 jhb Exp $ + * $FreeBSD: src/sys/amd64/include/mca.h,v 1.2 2009/12/02 15:45:55 avg Exp $ */ #ifndef __MACHINE_MCA_H__ @@ -36,6 +36,7 @@ uint64_t mr_misc; uint64_t mr_tsc; int mr_apic_id; + int mr_bank; }; #ifdef _KERNEL ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/cam/scsi/scsi_cd.c#4 (text+ko) ==== @@ -46,7 +46,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/cam/scsi/scsi_cd.c,v 1.112 2009/11/14 20:13:38 mav Exp $"); +__FBSDID("$FreeBSD: src/sys/cam/scsi/scsi_cd.c,v 1.113 2009/12/02 16:08:33 scottl Exp $"); #include "opt_cd.h" @@ -2673,12 +2673,10 @@ authinfo = (struct dvd_authinfo *)addr; - cam_periph_lock(periph); if (cmd == DVDIOCREPORTKEY) error = cdreportkey(periph, authinfo); else error = cdsendkey(periph, authinfo); - cam_periph_unlock(periph); break; } case DVDIOCREADSTRUCTURE: { @@ -2686,9 +2684,7 @@ dvdstruct = (struct dvd_struct *)addr; - cam_periph_lock(periph); error = cdreaddvdstructure(periph, dvdstruct); - cam_periph_unlock(periph); break; } @@ -3732,8 +3728,6 @@ databuf = NULL; lba = 0; - ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); - switch (authinfo->format) { case DVD_REPORT_AGID: length = sizeof(struct scsi_report_key_data_agid); @@ -3759,9 +3753,7 @@ length = 0; break; default: - error = EINVAL; - goto bailout; - break; /* NOTREACHED */ + return (EINVAL); } if (length != 0) { @@ -3769,6 +3761,8 @@ } else databuf = NULL; + cam_periph_lock(periph); + ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); scsi_report_key(&ccb->csio, /* retries */ 1, @@ -3869,12 +3863,14 @@ goto bailout; break; /* NOTREACHED */ } + bailout: + xpt_release_ccb(ccb); + cam_periph_unlock(periph); + if (databuf != NULL) free(databuf, M_DEVBUF); - xpt_release_ccb(ccb); - return(error); } @@ -3889,8 +3885,6 @@ error = 0; databuf = NULL; - ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); - switch(authinfo->format) { case DVD_SEND_CHALLENGE: { struct scsi_report_key_data_challenge *challenge_data; @@ -3942,11 +3936,12 @@ break; } default: - error = EINVAL; - goto bailout; - break; /* NOTREACHED */ + return (EINVAL); } + cam_periph_lock(periph); + ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); + scsi_send_key(&ccb->csio, /* retries */ 1, /* cbfcnp */ cddone, @@ -3961,13 +3956,12 @@ error = cdrunccb(ccb, cderror, /*cam_flags*/CAM_RETRY_SELTO, /*sense_flags*/SF_RETRY_UA); -bailout: + xpt_release_ccb(ccb); + cam_periph_unlock(periph); if (databuf != NULL) free(databuf, M_DEVBUF); - xpt_release_ccb(ccb); - return(error); } @@ -3985,8 +3979,6 @@ /* The address is reserved for many of the formats */ address = 0; - ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); - switch(dvdstruct->format) { case DVD_STRUCT_PHYSICAL: length = sizeof(struct scsi_read_dvd_struct_data_physical); @@ -4004,13 +3996,7 @@ length = sizeof(struct scsi_read_dvd_struct_data_manufacturer); break; case DVD_STRUCT_CMI: - error = ENODEV; - goto bailout; -#ifdef notyet - length = sizeof(struct scsi_read_dvd_struct_data_copy_manage); - address = dvdstruct->address; -#endif - break; /* NOTREACHED */ + return (ENODEV); case DVD_STRUCT_PROTDISCID: length = sizeof(struct scsi_read_dvd_struct_data_prot_discid); break; @@ -4027,21 +4013,9 @@ length = sizeof(struct scsi_read_dvd_struct_data_spare_area); break; case DVD_STRUCT_RMD_LAST: - error = ENODEV; - goto bailout; -#ifdef notyet - length = sizeof(struct scsi_read_dvd_struct_data_rmd_borderout); - address = dvdstruct->address; -#endif - break; /* NOTREACHED */ + return (ENODEV); case DVD_STRUCT_RMD_RMA: - error = ENODEV; - goto bailout; -#ifdef notyet - length = sizeof(struct scsi_read_dvd_struct_data_rmd); - address = dvdstruct->address; -#endif - break; /* NOTREACHED */ + return (ENODEV); case DVD_STRUCT_PRERECORDED: length = sizeof(struct scsi_read_dvd_struct_data_leadin); break; @@ -4049,13 +4023,7 @@ length = sizeof(struct scsi_read_dvd_struct_data_disc_id); break; case DVD_STRUCT_DCB: - error = ENODEV; - goto bailout; -#ifdef notyet - length = sizeof(struct scsi_read_dvd_struct_data_dcb); - address = dvdstruct->address; -#endif - break; /* NOTREACHED */ + return (ENODEV); case DVD_STRUCT_LIST: /* * This is the maximum allocation length for the READ DVD @@ -4067,9 +4035,7 @@ length = 65535; break; default: - error = EINVAL; - goto bailout; - break; /* NOTREACHED */ + return (EINVAL); } if (length != 0) { @@ -4077,6 +4043,9 @@ } else databuf = NULL; + cam_periph_lock(periph); + ccb = cdgetccb(periph, CAM_PRIORITY_NORMAL); + scsi_read_dvd_structure(&ccb->csio, /* retries */ 1, /* cbfcnp */ cddone, @@ -4164,13 +4133,14 @@ min(sizeof(dvdstruct->data), dvdstruct->length)); break; } + bailout: + xpt_release_ccb(ccb); + cam_periph_unlock(periph); if (databuf != NULL) free(databuf, M_DEVBUF); - xpt_release_ccb(ccb); - return(error); } ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/compat/freebsd32/syscalls.master#6 (text+ko) ==== @@ -913,6 +913,6 @@ fd_set *ou, fd_set *ex, \ const struct timespec32 *ts, \ const sigset_t *sm); } -523 AUE_AUDITON NOPROTO { int auditon(int cmd, char *name, \ +523 AUE_AUDITON NOPROTO { int auditon_slice(int cmd, char *name, \ void *data, u_int length); } 524 AUE_AUDITCTL NOPROTO { int auditctl_slice(char *as_name, char *path); } ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/dev/if_ndis/if_ndis.c#4 (text+ko) ==== @@ -34,7 +34,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/dev/if_ndis/if_ndis.c,v 1.171 2009/11/02 11:07:42 rpaulo Exp $"); +__FBSDID("$FreeBSD: src/sys/dev/if_ndis/if_ndis.c,v 1.172 2009/12/02 16:26:18 jhb Exp $"); #include #include @@ -3222,14 +3222,8 @@ static void ndis_scan(void *arg) { - struct ndis_softc *sc = arg; - struct ieee80211com *ic; - struct ieee80211vap *vap; - - ic = sc->ifp->if_l2com; - vap = TAILQ_FIRST(&ic->ic_vaps); + struct ieee80211vap *vap = arg; - ndis_scan_results(sc); ieee80211_scan_done(vap); } @@ -3377,7 +3371,7 @@ return; } /* Set a timer to collect the results */ - callout_reset(&sc->ndis_scan_callout, hz * 3, ndis_scan, sc); + callout_reset(&sc->ndis_scan_callout, hz * 3, ndis_scan, vap); } static void @@ -3401,5 +3395,7 @@ static void ndis_scan_end(struct ieee80211com *ic) { - /* ignore */ + struct ndis_softc *sc = ic->ic_ifp->if_softc; + + ndis_scan_results(sc); } ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/i386/i386/mca.c#2 (text+ko) ==== >>> TRUNCATED FOR MAIL (1000 lines) <<<