| #
f99f0ee1
|
| 22-May-2024 |
Alexander Leidinger <netchild@FreeBSD.org> |
rc.d: add a service jails config to all base system services
This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail.
The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part.
The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work.
Only a subset of all of the services are fully tested (I have been running this for more than a year with various services started as service jails). The untested parts should be OK most of the time; in some edge cases more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
3bca93e0
|
| 26-May-2021 |
Eugene Grosbein <eugen@FreeBSD.org> |
rc.d/random: add support for zero harvest_mask
Replace the check for zero harvest_mask with new check for empty string. This allows one to specify harvest_mask="0" that disables harvesting entropy from all but "pure" sources. Exact bit values for "pure" sources differ for stable/12 and later branches, so it is handy to use zero. The check for zero pre-dates introduction of "pure" non-maskable sources. Use empty string to disable altering sysctl kern.random.harvest.mask.
Note that notion of "pure" random sources is not documented in user level manual pages yet. Still, it helps to extend battery life for hardware with embedded "Intel Secure Key RNG" by disabling all other sources.
Note that no defaults changed and default behaviour is not affected.
Reported by: Dmitry Luhtionov
|
| #
26c49788
|
| 22-May-2019 |
Conrad Meyer <cem@FreeBSD.org> |
save-entropy(8), rc.d/random: Set nodump flag
Tag saved entropy files as "nodump," to signal that the files should not be backed up by dump(8) or other automated backup software that honors the file flag.
Do not produce an error if the target file resides on a filesystem that does not support file flags (e.g., msdos /boot).
Reviewed by: delphij Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D20358
|
| #
c849485d
|
| 31-Mar-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Attempt to persist entropy promptly
The goal of saving entropy in Fortuna is two-fold: (1) to provide early availability of the random device (unblocking) on next boot; and (2), to have known, high-quality entropy available for that initial seed. We know it is high quality because it's output taken from Fortuna.
The FS&K paper makes it clear that Fortuna unblocks when enough bits have been input that the output //may// be safely seeded. But they emphasize that the quality of various entropy sources is unknown, and a saved entropy file is essential for both availability and ensuring initial unpredictability.
In FreeBSD we persist entropy using two mechanisms:
1. The /etc/rc.d/random shutdown() function, which is used for ordinary shutdowns and reboots; and,
2. A cron job that runs every dozen minutes or so to persist new entropy, in case the system suffers from power loss or a crash (bypassing the ordinary shutdown path).
Filesystems are free to cache dirty data indefinitely, with arbitrary flush policy. Fsync must be used to ensure the data is persisted, especially for the cron job save-entropy, whose entire goal is power loss and crash safe entropy persistence.
Ordinary shutdown may not need the fsync because unmount should flush out the dirty entropy file shortly afterwards. But it is always possible power loss or crash occurs during the short window after rc.d/random shutdown runs and before the filesystem is unmounted, so the additional fsync there seems harmless.
PR: 230876 Reviewed by: delphij, markj, markm Approved by: secteam (delphij) Differential Revision: https://reviews.freebsd.org/D19742
|
| #
0696600c
|
| 17-Oct-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Move the rc framework out of sbin/init into libexec/rc.
The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc.
Discussed with: brd (during BSDCam), kmoore Requested by: cem, bz PR: 231522 Approved by: re (gjb)
|
| #
1135e97b
|
| 28-Jul-2018 |
Brad Davis <brd@FreeBSD.org> |
Move rc startup scripts from etc/ to sbin/init/
This keeps most startup scripts as CONFS per discussion on src-committers from back during BSDCan.
Approved by: will (mentor) Differential Revision: https://reviews.freebsd.org/D16466
|
| #
335917f0
|
| 27-May-2017 |
Xin LI <delphij@FreeBSD.org> |
Tighten /entropy permissions.
PR: 219527 Reported by: Lu Tung-Pin <lutungpin at openmailbox.org> Submitted by: jilles MFC after: 3 days
|
| #
92fa6c54
|
| 31-May-2016 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Cosmetics: add missing space after the ':' in etc/rc.d/random.
MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
| #
6c1a5e83
|
| 23-Apr-2016 |
Lars Engels <lme@FreeBSD.org> |
- Add descriptions to most of the rc scripts. Those are mostly taken from their daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".
Approved by: bapt, brueffer Differential Revision: D452
|
| #
4cbf3013
|
| 08-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
Address review.
Differential Revision: https://reviews.freebsd.org/D2924
|
| #
c4f9c760
|
| 30-Jun-2015 |
Mark Murray <markm@FreeBSD.org> |
Updated random(4) boot/shutdown scripting. Fix the man pages as well.
Differential Revision: https://reviews.freebsd.org/D2924 Approved by: so (delphij)
|
| #
7417198f
|
| 02-Nov-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Get rid of the postrandom script. It was born in a time when the random script ran before filesystems were mounted, which is no longer the case.
In random_start(), immediately delete each file that is fed into /dev/random, and recreate the default entropy file immediately after reading and deleting it. The logic used in random_stop() to determine which file to write to should probably be factored out and used here as well.
|
| #
10cb2424
|
| 30-Oct-2014 |
Mark Murray <markm@FreeBSD.org> |
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random.
This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware source any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.
The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.
The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.
Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.
My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.
My Nomex pants are on. Let the feedback commence!
Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?) Approved by: so(des)
|
| #
8801556b
|
| 11-Sep-2012 |
David E. O'Brien <obrien@FreeBSD.org> |
Simplify things so that "#REQUIRE: FILESYSTEMS" means the file systems are fully "ready to go".
'FILESYSTEMS' states: "This is a dummy dependency, for services which require file systems to be mounted before starting." However, we have 'var' which is was run after 'FILESYSTEMS' and can mount /var if it already isn't mounted. Furthermore, several scripts cannot use /var until 'cleanvar' has done its thing. Thus "FILESYSTEMS" hasn't really meant all critical file systems are fully usable.
|
| #
7e7fd6c8
|
| 22-Aug-2012 |
David E. O'Brien <obrien@FreeBSD.org> |
Remove old entropy seeding after consumption initializing /dev/random PRNG. Not doing so opens us up to replay attacks.
Submitted by: Arthur Mesh <arthurmesh@gmail.com> Sponsored by: Juniper Networks
|
| #
2b985169
|
| 16-Jul-2008 |
Doug Barton <dougb@FreeBSD.org> |
As previously discussed, add the svn:executable property to all scripts
|
| #
4fce38ec
|
| 03-Mar-2007 |
Nate Lawson <njl@FreeBSD.org> |
Get rid of chatter for failed commands if the filesystem is read-only. Include /var/db/entropy-file in the reseeding if present. It is used for last-ditch efforts to save entropy and thus should also be used to seed the RNG when starting. Print a warning instead of an error if writing the file fails -- err() exits, preventing the umask from being restored. Also, since there's not much that can be done about it, notifying the user is all that's needed.
MFC after: 2 weeks
|
| #
f297a20e
|
| 11-Apr-2005 |
Doug Barton <dougb@FreeBSD.org> |
The alternative suggested for /entropy as a shutdown save file was /var/db/entropy, which also happens to be the directory where the individual entropy files created by /usr/libexec/save-entropy are stored. Change the suggestion to be /var/db/entropy-file instead.
In an error condition where the shutdown file is not created, the error message accessed a variable that doesn't exist.
PR: conf/75722 Submitted by: Nicolas Rachinsky <list@rachinsky.de>
|
| #
337338ee
|
| 07-Oct-2004 |
Mike Makonnen <mtm@FreeBSD.org> |
Remove the requirement for the FreeBSD keyword as it no longer makes any sense.
Discussed with: dougb, brooks MFC after: 3 days
|
| #
ff356053
|
| 12-Apr-2004 |
Brooks Davis <brooks@FreeBSD.org> |
Catch up with diskless split "diskless" is no longer provided.
Suggested by: cperciva
|
| #
bd57d5b0
|
| 08-Mar-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Mark scripts as not usable inside a jail by adding keyword 'nojail'.
Some suggestions from: rwatson, Ruben de Groot <mail25@bzerk.org>
|
| #
c1405562
|
| 07-Feb-2004 |
Johan Karlsson <johan@FreeBSD.org> |
Fix typo in comment, s/reebots/reboots/
PR: 62481 Submitted by: Ulrich Spoerlein <q at uni.de>
|
| #
459e7c43
|
| 18-Apr-2003 |
Mike Makonnen <mtm@FreeBSD.org> |
o Hook the new files up to the build.
o Make sure all the scripts reference rc.d/netif and not rc.d/network1
Approved by: markm (mentor)
|
| #
14308510
|
| 12-Oct-2002 |
Jens Schweikhardt <schweikh@FreeBSD.org> |
Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.
Approved by: silence from gordon
|