From: Robert Watson
To: Perforce Change Reviews
Date: Thu, 24 Aug 2006 20:04:05 GMT
Subject: PERFORCE change 104983 for review
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=104983

Change 104983 by rwatson@rwatson_zoo on 2006/08/24 20:03:28

Integrate TrustedBSD audit3 branch from TrustedBSD base branch:

- Loop back audit pipe kqueue support.

Affected files ...

.. //depot/projects/trustedbsd/audit3/Makefile.inc1#14 integrate
.. //depot/projects/trustedbsd/audit3/gnu/usr.bin/Makefile#8 integrate
.. //depot/projects/trustedbsd/audit3/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#16 integrate
.. //depot/projects/trustedbsd/audit3/sbin/fsdb/fsdb.8#6 integrate
.. //depot/projects/trustedbsd/audit3/share/man/man4/fast_ipsec.4#4 integrate
.. //depot/projects/trustedbsd/audit3/share/man/man4/ipsec.4#4 integrate
.. //depot/projects/trustedbsd/audit3/share/mk/bsd.port.mk#3 integrate
.. //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#18 integrate
.. //depot/projects/trustedbsd/audit3/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#7 integrate
.. //depot/projects/trustedbsd/audit3/sys/netgraph/ng_fec.c#6 integrate
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#28 integrate

Differences ...

==== //depot/projects/trustedbsd/audit3/Makefile.inc1#14 (text+ko) ====
@@ -1,5 +1,5 @@ # -# $FreeBSD: src/Makefile.inc1,v 1.553 2006/08/22 07:51:05 ru Exp $ +# $FreeBSD: src/Makefile.inc1,v 1.554 2006/08/24 17:02:26 imp Exp $ # # Make command line options: # -DNO_CLEANDIR run ${MAKE} clean, instead of ${MAKE} cleandir @@ -1032,8 +1032,9 @@ .for _lib in ${_startup_libs} ${_prebuild_libs:Nlib/libpam} ${_generic_libs} ${_lib}__L: .PHONY .if exists(${.CURDIR}/${_lib}) - ${_+_}@${ECHODIR} "===> ${_lib} (depend,all,install)"; \ + ${_+_}@${ECHODIR} "===> ${_lib} (obj,depend,all,install)"; \ cd ${.CURDIR}/${_lib}; \ + ${MAKE} DIRPRFX=${_lib}/ obj; \ ${MAKE} DIRPRFX=${_lib}/ depend; \ ${MAKE} DIRPRFX=${_lib}/ all; \ ${MAKE} DIRPRFX=${_lib}/ install @@ -1044,8 +1045,9 @@ # static PAM library, and dynamic PAM library before dynamic PAM # modules. lib/libpam__L: .PHONY - ${_+_}@${ECHODIR} "===> lib/libpam (depend,all,install)"; \ + ${_+_}@${ECHODIR} "===> lib/libpam (obj,depend,all,install)"; \ cd ${.CURDIR}/lib/libpam; \ + ${MAKE} DIRPRFX=lib/libpam/ obj; \ ${MAKE} DIRPRFX=lib/libpam/ depend; \ ${MAKE} DIRPRFX=lib/libpam/ -D_NO_LIBPAM_SO_YET all; \ ${MAKE} DIRPRFX=lib/libpam/ -D_NO_LIBPAM_SO_YET install ==== //depot/projects/trustedbsd/audit3/gnu/usr.bin/Makefile#8 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/gnu/usr.bin/Makefile,v 1.89 2006/08/21 18:25:43 marcel Exp $ +# $FreeBSD: src/gnu/usr.bin/Makefile,v 1.90 2006/08/24 15:46:29 marcel Exp $ .include @@ -24,7 +24,7 @@ sort \ ${_texinfo} -.if ${MACHINE_ARCH} == "arm" || ${MACHINE_ARCH} == "powerpc" +.if ${MACHINE_ARCH} == "arm" MK_GDB= no # not yet .endif ==== //depot/projects/trustedbsd/audit3/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#16 (text+ko) ==== @@ -3,7 +3,7 @@ The &os; Project - $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.963 2006/08/23 03:42:36 gshapiro Exp $ + $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.964 2006/08/24 14:45:56 bmah Exp $ 2000 
@@ -350,9 +350,9 @@ implemented. &os; now runs on the Xbox, whose architecture is nearly identical - to the i386. For details of the latest development, - see - and . + to the i386. For details of the latest development, see + . + &merged; Boot Loader Changes @@ -767,6 +767,13 @@ for example, by using tagged rule option. For more details, see &man.ipfw.8;. + The IPFIREWALL_FORWARD_EXTENDED kernel + option has been removed. This option was used to permit + &man.ipfw.4; to redirect packets with local destinations. + This behavior is now always enabled when + the IPFIREWALL_FORWARD kernel option is + enabled. &merged; + The ip6fw(8) packet filter has been removed. Since &man.ipfw.4; has gained IPv6 support, it should be used instead. Please note that some rules might need to be adjusted. @@ -1084,6 +1091,10 @@ flag, which causes it to ignore files and directories with the nodump flag set. &merged; + The &man.fsdb.8; utility now supports changing the birth + time of files on UFS2 file systems using the new + the btime command. + The &man.find.1; program now supports and other related primaries, which can be used to create expressions based on a file's creation time. &merged; @@ -1557,7 +1568,7 @@ &merged; IPFilter has been updated from - 4.1.8 to 4.1.13. + 4.1.8 to 4.1.13. &merged; less has been updated from v381 to v394. ==== //depot/projects/trustedbsd/audit3/sbin/fsdb/fsdb.8#6 (text+ko) ==== @@ -26,9 +26,9 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $FreeBSD: src/sbin/fsdb/fsdb.8,v 1.30 2006/08/23 22:44:00 ceri Exp $ +.\" $FreeBSD: src/sbin/fsdb/fsdb.8,v 1.31 2006/08/24 09:14:02 ceri Exp $ .\" -.Dd August 23, 2006 +.Dd August 24, 2006 .Dt FSDB 8 .Os .Sh NAME 
@@ -224,6 +224,9 @@ or .Va atimensec field will be set to zero. +Note that +.Cm btime +is available on UFS2 file systems only. .Pp .It Cm quit , q , exit , Em Exit the program. ==== //depot/projects/trustedbsd/audit3/share/man/man4/fast_ipsec.4#4 (text+ko) ==== @@ -22,9 +22,9 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man4/fast_ipsec.4,v 1.4 2006/06/26 22:30:07 thompsa Exp $ +.\" $FreeBSD: src/share/man/man4/fast_ipsec.4,v 1.5 2006/08/24 17:07:19 danger Exp $ .\" -.Dd January 20, 2003 +.Dd August 24, 2006 .Dt FAST_IPSEC 4 .Os .Sh NAME @@ -32,6 +32,7 @@ .Nd hardware-accelerated IP Security Protocols .Sh SYNOPSIS .Cd "options FAST_IPSEC" +.Cd "options IPSEC_FILTERGIF" .Cd "device crypto" .Pp .Bl -item -compact @@ -69,6 +70,11 @@ The user should refer to .Xr ipsec 4 for basic information on setting up and using these protocols. +Note that it is not currently possible to use +.Nm +in conjuction with the +.Tn "KAME IPsec" +implementation. .Pp System configuration requires the .Xr crypto 4 @@ -83,6 +89,12 @@ .Dq enc0 , to perform packet filtering before outbound encryption and after decapsulation inbound. +.Pp +To properly filter +.Xr gif 4 +tunnels with firewalls, add +.Cd "options IPSEC_FILTERGIF" +to the kernel configuration file. .Sh DIAGNOSTICS To be added. .Sh SEE ALSO ==== //depot/projects/trustedbsd/audit3/share/man/man4/ipsec.4#4 (text+ko) ==== @@ -27,9 +27,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.18 2006/02/14 13:20:09 gnn Exp $ +.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.19 2006/08/24 17:07:19 danger Exp $ .\" -.Dd February 14, 2006 +.Dd August 24, 2006 .Dt IPSEC 4 .Os .Sh NAME 
@@ -39,6 +39,10 @@ .In sys/types.h .In netinet/in.h .In netinet6/ipsec.h +.Cd "options IPSEC" +.Cd "options IPSEC_DEBUG" +.Cd "options IPSEC_ESP" +.Cd "options IPSEC_FILTERGIF" .Sh DESCRIPTION .Nm is a security protocol implemented within the Internet Protocol layer @@ -253,6 +257,7 @@ .Xr ioctl 2 , .Xr socket 2 , .Xr ipsec_set_policy 3 , +.Xr fast_ipsec 4 , .Xr icmp6 4 , .Xr intro 4 , .Xr ip6 4 , ==== //depot/projects/trustedbsd/audit3/share/mk/bsd.port.mk#3 (text+ko) ==== @@ -1,7 +1,10 @@ -# $FreeBSD: src/share/mk/bsd.port.mk,v 1.307 2004/07/02 20:47:18 eik Exp $ +# $FreeBSD: src/share/mk/bsd.port.mk,v 1.308 2006/08/24 18:04:49 obrien Exp $ PORTSDIR?= /usr/ports BSDPORTMK?= ${PORTSDIR}/Mk/bsd.port.mk +# Needed to keep bsd.own.mk from reading in /etc/src.conf when building ports. +SRCCONF= /dev/null + .include .include "${BSDPORTMK}" ==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#18 (text+ko) ==== @@ -35,7 +35,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.228 2006/06/27 14:46:31 jhb Exp $"); +__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.229 2006/08/24 18:52:28 marius Exp $"); #include #include @@ -694,14 +694,13 @@ if (errmsg_pos != -1 && ((2 * errmsg_pos + 1) < fsoptions->uio_iovcnt) && errmsg_len > 0 && errmsg != NULL) { if (fsoptions->uio_segflg == UIO_SYSSPACE) { - strncpy(fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base, - errmsg, + bcopy(errmsg, + fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base, fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len); } else { - copystr(errmsg, + copyout(errmsg, fsoptions->uio_iov[2 * errmsg_pos + 1].iov_base, - fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len, - NULL); + fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len); } } ==== //depot/projects/trustedbsd/audit3/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c#7 (text+ko) ==== 
@@ -28,7 +28,7 @@ * SUCH DAMAGE. * * $Id: ng_btsocket_rfcomm.c,v 1.28 2003/09/14 23:29:06 max Exp $ - * $FreeBSD: src/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c,v 1.22 2006/07/24 15:20:07 rwatson Exp $ + * $FreeBSD: src/sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c,v 1.23 2006/08/24 16:51:02 emax Exp $ */ #include @@ -1220,7 +1220,8 @@ ng_btsocket_rfcomm_session_p s = NULL; struct sockaddr_l2cap l2sa; struct sockopt l2sopt; - int mtu, error; + int error; + u_int16_t mtu; mtx_assert(&ng_btsocket_rfcomm_sessions_mtx, MA_OWNED); ==== //depot/projects/trustedbsd/audit3/sys/netgraph/ng_fec.c#6 (text+ko) ==== @@ -34,7 +34,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF * THE POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/netgraph/ng_fec.c,v 1.26 2005/11/11 16:04:57 ru Exp $ + * $FreeBSD: src/sys/netgraph/ng_fec.c,v 1.27 2006/08/24 19:50:00 ru Exp $ */ /*- * Copyright (c) 1996-1999 Whistle Communications, Inc. @@ -1093,6 +1093,7 @@ char ifname[NG_FEC_FEC_NAME_MAX + 1]; struct ifnet *ifp; priv_p priv; + const uint8_t eaddr[ETHER_ADDR_LEN] = {0, 0, 0, 0, 0, 0}; struct ng_fec_bundle *b; int error = 0; @@ -1143,7 +1144,7 @@ log(LOG_WARNING, "%s: can't acquire netgraph name\n", ifname); /* Attach the interface */ - ether_ifattach(ifp, IF_LLADDR(priv->ifp)); + ether_ifattach(ifp, eaddr); callout_handle_init(&priv->fec_ch); /* Override output method with our own */ ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#28 (text+ko) ==== @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.7 2006/06/05 14:48:17 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.8 2006/08/24 17:42:38 rwatson Exp $ */ #include
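
Review bot: In release/doc/en_US.ISO8859-1/relnotes/common/new.sgml, hunk @@ -1084,6 +1091,10 @@, the added fsdb paragraph reads "using the new the btime command", with a duplicated "the". It should read "using the new btime command". The other entries around it end in &merged; while this one does not; if that is intentional because the change is not merged yet, fine, otherwise add it.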
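
Review bot: In share/man/man4/fast_ipsec.4, hunk @@ -69,6 +70,11 @@, the added sentence spells "conjuction"; it should be "conjunction". The same hunk states a hard limitation (fast_ipsec cannot be combined with the KAME IPsec implementation), so it would be worth repeating that note in ipsec.4, which in this change only gains the .Xr fast_ipsec 4 cross-reference.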
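
Review bot: In sys/kern/vfs_mount.c, hunk @@ -694,14 +694,13 @@, both the new bcopy() and the new copyout() take their length from the destination, fsoptions->uio_iov[2 * errmsg_pos + 1].iov_len, while errmsg_len is only tested for > 0 in the condition and never bounds the copy. The strncpy() and copystr() calls being replaced stopped reading at the source's NUL; the replacements always read iov_len bytes from errmsg, so if the errmsg buffer can ever be shorter than that iov_len, the copy reads past it, and in the copyout() branch those extra kernel bytes go to userland. Either copy the smaller of errmsg_len and iov_len, or add a comment stating the invariant that errmsg is always iov_len bytes long. The copyout() return value is also dropped; if ignoring a fault on this error-reporting path is deliberate, a (void) cast or a comment would make that explicit.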
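
Review bot: In sys/netgraph/bluetooth/socket/ng_btsocket_rfcomm.c, hunk @@ -1220,7 +1220,8 @@, mtu narrows from int to u_int16_t next to the struct sockopt l2sopt declaration, but the hunk does not show the code that fills in l2sopt. If mtu is read or written through that sockopt, the value size passed must be sizeof(mtu) rather than sizeof(int), otherwise the option handler touches bytes beyond the 16-bit variable on the stack. Please confirm the use sites, and any comparisons that relied on mtu being signed, were checked against the new type.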
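
Review bot: In sys/netgraph/ng_fec.c, hunks @@ -1093,6 +1093,7 @@ and @@ -1143,7 +1144,7 @@, ether_ifattach(ifp, eaddr) now attaches the interface with an all-zero link-level address, and nothing in either hunk says why IF_LLADDR(priv->ifp) was wrong or where the real address is assigned afterwards. A one-line comment at the eaddr declaration would cover it. The array could also be static const so it is not rebuilt on the stack on every call.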