syslogd: Improve handling of configuration errors

Make parse_selector() print a warning to stderr and continue parsing the
config if it encounters an invalid facility or priority. Note that
because

syslogd: Improve handling of configuration errors

Make parse_selector() print a warning to stderr and continue parsing the
config if it encounters an invalid facility or priority. Note that
because the parsing is done from a casper service, there isn't a good
mechanism to log errors; the warnings are visible only when syslogd is
started in debug mode.

Reported by: Doug Hardie <bc979@lafn.org>
MFC after: 1 week
Fixes: f4b4a10abb26 ("syslogd: Move selector parsing into its own function")
Reviewed by: jfree, jlduran, eugen, delphij
Differential Revision: https://reviews.freebsd.org/D55033

show more ...

syslogd: Terminate pipe processes gracefully

Pipe actions spawn a process based on the command provided in the
syslogd configuration file. When a HUP signal is received, enter
the process into the d

syslogd: Terminate pipe processes gracefully

Pipe actions spawn a process based on the command provided in the
syslogd configuration file. When a HUP signal is received, enter
the process into the deadq instead of immediately killing it.
This matches the behavior of syslogd prior to it being Capsicumized.

Fixes: d2d180fb7736

show more ...

syslogd: Make some code more clear.

This moves some math to where it logically makes more sense for skipping
over the ": " separator in the message formatted "app[PID]: MSG".

No functional change.

syslogd: Make some code more clear.

This moves some math to where it logically makes more sense for skipping
over the ": " separator in the message formatted "app[PID]: MSG".

No functional change.

Fixes: 18bcf5a0 ("Restore local kernel "prog" filtering")
Sponsored by: Dell Inc.

show more ...

syslogd: EAGAIN and ECONNREFUSED are not permanently fatal

When we're forwarding syslog messages to a remote host we can get temporary
failures such as EAGAIN or ECONNREFUSED from the sendmsg() call

syslogd: EAGAIN and ECONNREFUSED are not permanently fatal

When we're forwarding syslog messages to a remote host we can get temporary
failures such as EAGAIN or ECONNREFUSED from the sendmsg() call. These are not
fatal. Future attempts to send might succeed. Don't mark the remote target as
F_UNUSED so we'll try to log again on future messages.

While here remove the commented out ENOBUFS case, because we actually handle
that (by ignoring it, so we retry with future logs).

Reviewed by: markj, jfree
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51995

show more ...

syslogd: Fix function return test

Looks like during the capsicum setup the return value for cap_syslogd
is checked twice rather than checking the return value of cap_net
after initializing the caspe

syslogd: Fix function return test

Looks like during the capsicum setup the return value for cap_syslogd
is checked twice rather than checking the return value of cap_net
after initializing the casper service.

Signed-off-by: Nathan Huff <nhuff@acm.org>
Fixes: 897240c7d666 ("syslogd: Enter capability mode")
Pull-request: https://github.com/freebsd/freebsd-src/pull/1796

show more ...

syslogd: Ensure that forwarded messages are sent from port 514

Prior to commit 4ecbee2760f7, syslogd used its listening socket(s) to
forward messages to remote hosts, when so configured. As a conse

syslogd: Ensure that forwarded messages are sent from port 514

Prior to commit 4ecbee2760f7, syslogd used its listening socket(s) to
forward messages to remote hosts, when so configured. As a consequence,
they are sent from the address+port to which those sockets are bound,
typically 0.0.0.0:514.

When in capability mode, sendto() is not permitted, so we instead
pre-create sockets and connect them to the forwarding addresses, letting
the kernel pick an ephemeral source port. However, this doesn't match
syslogd's previous behaviour, breaking some setups.

So, restore the old behaviour by binding forwarding sockets to the
addresses on which syslogd is listening. Since we cannot use the same
sockets for receiving messages and also for forwarding them, use
SO_REUSEPORT to enable duplicate bindings to port 514, relying on the
existing behaviour that the first socket bound to that port is the one
that actually receives messages.

Add some regression tests to cover this and related functionality of
syslogd's -a option.

Reviewed by: jfree
Reported by: Michael Butler <imb@protected-networks.net>
Fixes: 4ecbee2760f7 ("syslogd: Open forwarding socket descriptors")
Differential Revision: https://reviews.freebsd.org/D48222

show more ...

syslogd: Fix resource leaks

- nvlist_append_nvlist_array() makes a copy of the input nvlist, so the
pattern of nvlist_append_nvlist_array(... cfline(...)) would leak
memory and descriptors. Pas

syslogd: Fix resource leaks

- nvlist_append_nvlist_array() makes a copy of the input nvlist, so the
pattern of nvlist_append_nvlist_array(... cfline(...)) would leak
memory and descriptors. Pass the entire config nvlist to cfline()
instead since this is needed for a future change.
- In parse_action(), free the linked list returned by getaddrinfo().
- Remove some checks at the beginning of close_filed(). For some log
types we'll always have f->f_file == -1, in which case we wouldn't
release other resources, such as forwarding sockets.
- After converting a filed to an nvlist, free the filed resources.

Fixes: 2567168dc498 ("syslogd: Refresh configuration using libcasper")
Reviewed by: jfree
Differential Revision: https://reviews.freebsd.org/D48250

show more ...

syslogd: Add rfc3164-strict format option

The syslogd bsd/rfc3164 message format does not strictly conform to the
format recommended in RFC 3164 when syslog messages are forwarded from
remote hosts.

syslogd: Add rfc3164-strict format option

The syslogd bsd/rfc3164 message format does not strictly conform to the
format recommended in RFC 3164 when syslog messages are forwarded from
remote hosts.

The new rfc3164-strict format generates messages that conform with the
RFC 3164 recommended format. The existing format is maintained for
backwards compatibility.

PR: 220246
Reviewed by: markj
MFC after: 3 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/1536

show more ...

syslogd: Fix issues reported by gcc

- When forwaring a message, don't assume that f->f_num_addr_fds > 0.
- Avoid calling free() on a stack-allocated object.

Fixes: 4ecbee2760f7 ("syslogd: Open forw

syslogd: Fix issues reported by gcc

- When forwaring a message, don't assume that f->f_num_addr_fds > 0.
- Avoid calling free() on a stack-allocated object.

Fixes: 4ecbee2760f7 ("syslogd: Open forwarding socket descriptors")
Fixes: f4b4a10abb26 ("syslogd: Move selector parsing into its own function")

Reviewed by: jfree
Differential Revision: https://reviews.freebsd.org/D47844

show more ...

syslogd: Open forwarding socket descriptors

Previously, when forwarding a message to a remote address, the target's
addrinfo was saved at config-parse-time. When message-deliver-time came,
the messa

syslogd: Open forwarding socket descriptors

Previously, when forwarding a message to a remote address, the target's
addrinfo was saved at config-parse-time. When message-deliver-time came,
the message's addrinfo was passed into sendmsg(2) and delivered by the
first available inet socket.

Passing an addrinfo into sendmsg(2) is prohibited in Capsicum capability
mode, so sockets are now opened and connected to their remote peers at
config-parse-time when executing outside of the capability sandbox.

These connected socket descriptors are saved and passed into sendmsg(2),
allowing forwarding to be performed inside of the capability sandbox.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D47104

show more ...

syslogd: Watch for dead pipe processes

For each new pipe process, add its process descriptor into the kqueue
with the EVFILT_PROCDESC filter and NOTE_EXIT event. When the pipe
process exits, the mai

syslogd: Watch for dead pipe processes

For each new pipe process, add its process descriptor into the kqueue
with the EVFILT_PROCDESC filter and NOTE_EXIT event. When the pipe
process exits, the main kqueue loop will catch this, logging exit errors
and cleaning up the pipe process' filed node.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41477

show more ...

syslogd: Enter capability mode

Create syslogd_cap_enter() function, which puts syslogd in capability
mode and opens necessary libcasper channels for resource acquisition.
The `syslogd.casper` and `s

syslogd: Enter capability mode

Create syslogd_cap_enter() function, which puts syslogd in capability
mode and opens necessary libcasper channels for resource acquisition.
The `syslogd.casper` and `system.net` services are used.

Substitute capability-mode-unfriendly functions with their libcasper
`cap_` equivalents.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41467

show more ...

syslogd: Block timezone updating in capability mode

Do not update local timezone data upon reload when syslogd is compiled
with libcasper support. Timezone files are pre-fetched using the
caph_cache

syslogd: Block timezone updating in capability mode

Do not update local timezone data upon reload when syslogd is compiled
with libcasper support. Timezone files are pre-fetched using the
caph_cache_tzdata() function before entering capability mode. Attempts
to re-fetch these files will result in a capability violation.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41466

show more ...

syslogd: Log messages using libcasper

Some logging operations require access to external resources to
complete. Logging to F_WALL requires on-demand access to the user
accounting database. Logging t

syslogd: Log messages using libcasper

Some logging operations require access to external resources to
complete. Logging to F_WALL requires on-demand access to the user
accounting database. Logging to F_CONSOLE requires access to the
console. Logging to F_PIPE prompts execution of a command outside
of capability mode.

These operations cannot be performed in capability mode, so the
"p_open", "ttymsg", and "wallmsg" commands may be sent to libcasper to
circumvent these limitations.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41465

show more ...

syslogd: Refresh configuration using libcasper

When a SIGHUP signal is sent to syslogd, the configuration is reparsed,
leading to new resource acquisition.

If syslogd is running in capability mode

syslogd: Refresh configuration using libcasper

When a SIGHUP signal is sent to syslogd, the configuration is reparsed,
leading to new resource acquisition.

If syslogd is running in capability mode and a SIGHUP is received, new
resources cannot be acquired. To mitigate this issue, libcasper is used
to parse the configuration.

The libcasper process runs outside of capability mode and is capable of
parsing syslogd's configuration and obtaining new resources. These
resources are then sent to the syslogd process via nvlist.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41464

show more ...

syslogd: Use anonymous union in struct filed

Do not use macros to access unioned struct members. Use an anonymous
union and access union member names directly.

Reviewed by: markj
Differential Revis

syslogd: Use anonymous union in struct filed

Do not use macros to access unioned struct members. Use an anonymous
union and access union member names directly.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41703

show more ...

syslogd: Create syslogd libcasper service

Once in capability mode, resource acquisition is not possible. To
mitigate this, introduce a libcasper service that is responsible for
fetching and returnin

syslogd: Create syslogd libcasper service

Once in capability mode, resource acquisition is not possible. To
mitigate this, introduce a libcasper service that is responsible for
fetching and returning new, requested resources to syslogd.

Some resources must be packed into an nvlist to be properly transferred
between syslogd and the libcasper process. The filed_to_nvlist() and
nvlist_to_filed() functions are included to ease the packing process for
filed structures.

Two additional syslogd.h and syslogd_cap.h header files are included
with shared declarations.

Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41463

show more ...

syslogd: Fix handling of unix socket modes

When bind() is called, the process umask is applied, so one has to
either clear the umask before binding or call chmod() to add permissions
after the fact.

syslogd: Fix handling of unix socket modes

When bind() is called, the process umask is applied, so one has to
either clear the umask before binding or call chmod() to add permissions
after the fact. Do the former here to ensure that the socket always has
the correct mode.

Reported by: Lexi Winter <lexi@le-fay.org>
Fixes: 2b8c3a05e0a6 ("syslogd: Set unix socket modes atomically")

show more ...

syslogd: Set unix socket modes atomically

Take advantage of the ability to atomically set unix socket modes to
ensure that /var/run/logpriv always has mode 0600.

MFC after: 1 month

syslogd: Ignore getaddrinfo() errors if -ss is specified

This can arise if the jail doesn't have networking configured, and if
-ss is specified, syslogd won't listen on port 514 anyway.

Add a regre

syslogd: Ignore getaddrinfo() errors if -ss is specified

This can arise if the jail doesn't have networking configured, and if
-ss is specified, syslogd won't listen on port 514 anyway.

Add a regression test case for this as well.

PR: 238006
MFC after: 1 month

show more ...

Remove copyright strings ifdef'd out

We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals.

Remove copyright strings ifdef'd out

We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals. These copyright strings are present in the comments and
are largely from CSRG's attempt at adding their copyright to every
binary file (which modern interpretations of the license doesn't
require).

Sponsored by: Netflix

show more ...

usr.sbin: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a p

usr.sbin: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

show more ...

syslogd: Keep console and tty descriptors open

Console and tty descriptors are initially opened in parse_action() to
determine whether they are valid using isatty(). That descriptor is then
closed b

syslogd: Keep console and tty descriptors open

Console and tty descriptors are initially opened in parse_action() to
determine whether they are valid using isatty(). That descriptor is then
closed because it is never accessed by syslogd again; ttymsg() will reopen
the tty/console under a new descriptor when needed.

If the user attempts to log to a tty that is inactive outside of
syslogd, then syslogd must keep that descriptor open so the tty remains
accessible. For example, logging to `/dev/ttyvb` requires the initial
`/dev/ttyvb` descriptor to stay open so the user can view its buffer at
any time via CTRL+ALT+F12.

As a result, console and tty descriptors must remain open until a
potential configuration reload or a system shutdown. The given
descriptor will be closed in close_filed() in such circumstances.

PR: 274454
Fixes: c3175a6e1c5a ("syslogd: Do not open console descriptor")
Reported by: Trond Endrestøl <Trond.Endrestol@ximalas.info>
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D42215

show more ...

syslogd: Do not add shutdown sockets to the kqueue

If syslogd is in secure mode, all INET sockets are shutdown. Do not
add these to the kqueue because we can't read from them.

Also, remove the list

syslogd: Do not add shutdown sockets to the kqueue

If syslogd is in secure mode, all INET sockets are shutdown. Do not
add these to the kqueue because we can't read from them.

Also, remove the listen() call when setting up sockets. Syslogd
exclusively uses SOCK_DGRAM sockets, so calling listen() is useless.

Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41526

show more ...

syslogd: Use pipe to communicate with daemon

Previously, syslogd's daemon process would signal that it had finished
initialization using SIGALRM. In capability mode, signal delivery is not
allowed,

syslogd: Use pipe to communicate with daemon

Previously, syslogd's daemon process would signal that it had finished
initialization using SIGALRM. In capability mode, signal delivery is not
allowed, so use a pipe to indicate that it is ready to accept messages.

Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41459

show more ...