Stable release: HardenedBSD-stable 11-STABLE v1000048.1

Submitted by op on

HardenedBSD-11-STABLE-v1100048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Restrict permissions on /dev/ksyms to 0400. (0781c590d2a5138c4c4ba5c214a6f4dbffa25f85) [FreeBSD-SA-Candidate]
  • ZFS updates
  • Add virtio-console support to bhyve (eaaa8cd970f11a0785780896a3e106958bd87fe7)
  • Update to libarchive 3.3.2

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-bootonly.iso) = c487f5693e2fac4d722a6cf72084e7fca243ef1864bfa9966c3a3e1fe621c0a92e6496bdf06845b3a6ab66e087df061701f9bc4f00921481ae45e328b026ef17
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-disc1.iso) = 12dc23a7b121b83c5fdcde13eb75456b7d0ab1c47d7591346771ca37533415cebae81c0245a51afe467a9fcb1a342781823a3cf6e971d13fb050b511a835da4a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-memstick.img) = 28f7d76b8e3ed76a46bd3d1378074171173d0504f8a20cea87d22380a6c4d0e2713f7d20cbe58d5a97632eaabe395b393d4b85dd9d5f29835d85f5fba3e5eb9a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-mini-memstick.img) = b4c48c49ff4ce4b1ff40f92ce977699ed03e59eff633d20e9fd81712d2980d91edd65665b190d990f109937a0676a3489aa9c3de9044405781b6af5ff5acee76

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmBLeoACgkQgZsRom/9
GI1HRg/9FRZb0k5hO63oKoVpUL1Qq0lCx7A9tLRwklDAR7uyIPlJNgZFuLMCThOo
AvJYRQ/gmpIVagTTjAZJL4lr786eBX3SxAy/dqxa3DtTgxqoVNHiIZD82WVhkVAr
Ih4U3W4b8RzTRneEjJaSxNlXgwcY8Nitxl6LQMojPOmo+/pBE5FqvkaHC3vMQOZB
RjoubIA6S/fYBxf0Hsdx/ZKpR3FJdsYB345ANSavmQx+y2rcZ3/cUYEPn3dJKy3I
oQVmYS1IzRJFtdcLXUMOqV6y1BGvQoyRvdggr7N3akmxGBFOYTseLzED8F6CipgT
Jwk0sLKuwNtMbHQ0Dpnrk79rJowcoOuj9l6AeTMDyLxrY1NKuqBPL19y5zxZsLhK
u7P9uufgbKG8oty2g/2DOrIODxBETtiPvvvnGLmvb3hL/67VSBEa3wNJ1OnDR8+Q
XD2026MAFPpdJn9olMQFxNp4YT5PvU2TKT6kGdOe8D9vznGjwevrKsi2IL/tojnf
lHoKyC+N3FzGae59q3B8HzNF97sIV0Yx9cPDoSE0QQRMDFAcrsgv1YnGgBeOqP12
RvmOH8PgnGX41JaD5iAZoUUhpGhjehk6/7l33l04k9y+gTaQ9tQRq9gGJ4thNXjn
PJJ7uoMGRZG6W18K+MlNnyLdtYQnao7UPoZuG5asb75op3ha1mY=
=O8kk
-----END PGP SIGNATURE-----


Changelog:

Oliver Pinter + (47):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


Shawn Webb (2):

  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: Resolve merge conflict


ae (1):

  • MFC r321203: Add HPE FlexFabric 10Gb 4-port 536FLR-T device id to the bxe(4) driver.


alc (8):

  • MFC r315597 Style fixes. In particular, the variable "bogus" is used like a Boolean. Define it as such.
  • MFC r320498 Clear the MAP_WIREFUTURE flag on the vm map in exec_new_vmspace() when it recycles the current vm space. Otherwise, an mlockall(MCL_FUTURE) could still be in effect on the process after an execve(2), which violates the specification for mlockall(2).
  • MFC r315621 Use IDX_TO_OFF(), not ptoa(), when converting the difference between two vm_pindex_t's into a vm_ooffset_t.
  • MFC r320546 When "force" is specified to pmap_invalidate_cache_range(), the given start address is not required to be page aligned. However, the loop within pmap_invalidate_cache_range() that performs the actual cache line invalidations requires that the starting address be truncated to a multiple of the cache line size. This change corrects an error in that truncation.
  • MFC r319756 Style and comment fixes
  • MFC r320319 Increase the pageout cluster size to 32 pages.
  • MFC r319905
  • MFC r320077 Change blist_alloc()'s allocation policy from first-fit to next-fit so that disk writes are more likely to be sequential. This change is beneficial on both the solid state and mechanical disks that I've tested. (A similar change in allocation policy was made by DragonFly BSD in 2013 to speed up Poudriere with "stressful memory parameters".)


avos (1):

  • MFC r321401: net80211: do not allow to unload rate control module if it is still in use.


bapt (2):

  • MFC r320988:
  • MFC r320267, r320270-r320271, r320478


bcr (1):

  • MFC r321023:


bdrewery (4):

  • MFC r320806:
  • MFC r320883:
  • MFC r320292:
  • MFC r320273:


davidcs (3):

  • MFC 320694 Allow MTU changes without ifconfig down/up
  • MFC 320705 Release mtx hw_lock before calling pause() in qla_stop() and qla_error_recovery()
  • MFC 321233 Raise the watchdog timer interval to 2 ticks, there by guaranteeing that it fires between 1ms and 2ms. ` Treat two consecutive occurrences of Heartbeat failures as a legitimate Heartbeat failure


dchagin (4):

  • MFC r320814:
  • MFC r321366:
  • MFC r320836:
  • MFC r320837:


delphij (3):

  • MFC r320986:
  • MFC r320433:
  • MFC r320468:


dim (3):

  • MFC r321305:
  • MFC r321306:
  • MFC r321342:


ed (1):

  • MFC r320240:


emaste (18):

  • MFC r320056: arm: set appropriate section flags for .init_pagetable
  • MFC r320065: arm: add .arch_extension sec for smc instruction
  • MFC r319219: add a sanity check before installworld on the running system
  • MFC r319516: tsan: set noexec stack on aarch64
  • MFC r319890: Correct bitwise test in mac_bsdextended ugidfw_rule_valid()
  • MFC r320235: retire arm64 kernel module linker workaround
  • MFC r313547, r313777: fix mouse selection when vt(4) scrolls
  • readelf: fix printing of DT_FILTER and some other DT_* values
  • MFC r321218: zfs: Fix a typo in the delay_min_dirty_percent sysctl description
  • MFC r319718: arm64: add ".arch armv8-a+crc" to allow use of crc instructions
  • MFC r312857: Use cross-NM (XNM) in compat32 build
  • MFC r316055: makefs: sort roundup with the other off_t members in fsinfo_t
  • MFC r319513: linux vdso: pass -fPIC to the assembler, not linker
  • MFC r321302: add arm64 objcopy output target for embedfs
  • MFC r321294: acpidump: use C99 designated initializers
  • MFC r321299: acpidump: add GIC ITS srat type
  • revert r321601, it depends on an ACPICA update not yet merged
  • MFC r321436: ar: handle partial writes from archive_write_data


gjb (10):

  • MFC r320969: Fix a missing comment marker.
  • - Set stable/11 from -PRERELEASE back to -STABLE. - Update version entities in release.ent.
  • - Fix the 'release.prev' entity for the 11.1-RELEASE errata. - Prune stale entries from 11.0-RELEASE. - Bump copyright year.
  • Prune one more missed entry from 11.0-RELEASE.
  • Fix a typo.
  • Trim stale entries from 11.0.
  • Mention arm64 lacking EFI RTC support, and a workaround.
  • Document a late-discovered issue where 'root on ZFS' installations on arm64 fail to find the root pool.
  • Add a note regarding VirtualBox vboxguest panics during 11.1-RC2.
  • Add an errata entry to reflect an incorrect attribution for r315330.


jhb (1):

  • MFC 321075: Set the current vnet pointer in the socket buffer AIO handler.


ken (1):

  • MFC r321207: ------------------------------------------------------------------------ r321207 | ken | 2017-07-19 09:39:01 -0600 (Wed, 19 Jul 2017) | 14 lines


kib (14):

  • MFC r320989: Language improvements.
  • MFC r320868: Fix warnings, adjust style.
  • MFC r320936,r320937,r320938: Fix size argument to vm_pager_allocate().
  • MFC r320982: Correct sysent flags for dynamically loaded syscalls.
  • MFC r321173: Convert assertion that only vmspace owner grows the stack, into a check blocking grow from other processes accesses.
  • MFC r319871: Make struct syscall_args visible to userspace compilation environment from machine/proc.h, consistently on all architectures.
  • MFC r319873: Move struct syscall_args syscall arguments parameters container into struct thread.
  • MFC r319874: Print unimplemented syscall number to the ctty on SIGSYS, if enabled by the knob kern.lognosys.
  • MFC r319875: Add ptrace(PT_GET_SC_ARGS) command to return debuggee' current syscall arguments.
  • MFC r319876: Update scescx test to print syscall number and arguments.
  • MFC r321247: Add pctrie_init() and vm_radix_init() to initialize generic pctrie and vm_radix trie.
  • MFC r321217: Remove unused function swap_pager_isswapped().
  • MFC r314319 (by oshogbo): Don't try to open devices in the gettc() function which will always fail in the Capability mode. Instead silently fallback to the syscall method, which is done for example in the gettimeofday(2) function.
  • MFC r321371: Do not allocate struct kinfo_vmobject on stack.


kp (2):

  • MFC r312943
  • MFC r321370


markj (9):

  • MFC r320895: Don't dlclose NSS modules from nss_atexit().
  • MFC r320918, r321035: Have mkdumpheader() handle version string truncation.
  • MFC r321356: Fix top(1) output when zfs.ko is loaded but ZFS is not in use.
  • MFC r320896: Add a subroutine for comparing kerneldump identifiers.
  • Include stdbool.h for r321447.
  • MFC r321228: Allow matches of truncated version strings.
  • MFC r321437: Fix style and wrap lines to 80 columns in savecore.c.
  • MFC r321639: Restrict permissions on /dev/ksyms to 0400.
  • MFC r321640: Fix style bugs in ksyms.c.


mav (74):

  • MFC r320729: Add GEOM::descr attribute for symmetry with GEOM::ident.
  • MFC r302850: Make PCI interupts allocation static when using bootrom (UEFI).
  • Revert unexpected changes leaked into r321411.
  • MFC r305898, r309120, r309121 (by jceel): Add virtio-console support to bhyve.
  • MFC r302843: Increase number of I/O APIC pins from 24 to 32 to give PCI up to 16 IRQs.
  • MFC r303630 (by allanjude): Make boot code and loader check for unsupported ZFS feature flags
  • MFC r305701 (by allanjude): MFV r268120: 4936 lz4 could theoretically overflow a pointer with a certain input
  • MFC r309096 (by avg): MFV r308989: 6428 set canmount=off on unmounted filesystem tries to unmount children
  • MFC r312535: MFV 312436
  • MFC r313813: MFV 313786
  • MFC r314112 (by tsoome): loader: update symlink support in zfs reader
  • Fix mismerge in r321525.
  • MFC r314267: MFV 314243
  • MFC r314280: MFV 314276
  • MFC r315896: MFV r315290, r315291: 7303 dynamic metaslab selection
  • MFC r316037: MFV: 315989
  • MFC r317235: MFV 316868
  • MFC r317237: MFV 316870
  • MFC r317238: MFV 316871
  • MFC r317267: MFV 316891
  • MFC r317414: MFV 316894
  • MFC r317507: MFV 316895
  • MFC r317511: MFV 316896
  • MFC r317522: MFV 316897
  • MFC r317527: MFV 316898
  • MFC r317533: MFV 316900
  • MFC r317541: MFV 316905
  • MFC r317648: Fix misport of compressed ZFS send/recv from 317414
  • MFC r318812: MFV r316860: 7545 zdb should disable reference tracking
  • MFC r318814: MFC r316904: 7729 libzfs_core`lzc_rollback() leaks result nvl
  • MFC r318818: MFV r316907: 1300 filename normalization doesn't work for removes
  • MFC r318819: MFV r316908: 7541 zpool import/tryimport ioctl returns ENOMEM because provided buffer is too small for config
  • MFC r318821: MFV r316912: 7793 ztest fails assertion in dmu_tx_willuse_space
  • MFC r318822: MFC r316913: 7869 panic in bpobj_space(): null pointer dereference
  • MFC r318823: MFC r316914: 7801 add more by-dnode routines
  • MFC r318824: MFV r316915: 7801 add more by-dnode routines (lint)
  • MFC r318827: MFV r316916: 7970 zfs_arc_num_sublists_per_state should be common to all multilists
  • MFC r318828: MFV r316917: 7968 multi-threaded spa_sync()
  • MFC r318829: MFV r316920: 8023 Panic destroying a metaslab deferred range tree
  • MFC r318831: MFV r316922: 5380 receive of a send -p stream doesn't need to try renaming snapshots
  • MFC r318833: MFV r316925: 6101 attempt to lzc_create() a filesystem under a volume results in a panic
  • MFC r318920: MFV r316924: 8061 sa_find_idx_tab can be declared more type-safely
  • MFC r318921: MFV r316928: 7256 low probability race in zfs_get_data
  • MFC r318923: zfs_putpages: assert that sa_bulk_update() must succeed
  • MFC r318924 (by avg): arc_init: make code closer to upstream by introducing 'allmem' variable
  • MFC r318925: MFV r316929: 6914 kernel virtual memory fragmentation leads to hang
  • MFC r318928: MFV r318927: 8025 dbuf_read() creates unnecessary zio_root() for bonus buf
  • MFC r318930: MFV r318929: 7786 zfs`vdev_online() needs better notification about state changes
  • MFC r318932: MFV r318931: 8063 verify that we do not attempt to access inactive txg
  • MFC r318935: MFV r318934: 8070 Add some ZFS comments
  • MFC r318945: MFV r318944: 8265 Reserve send stream flag for large dnode feature
  • MFC r319672 (by allanjude): New sentences start on new lines, fix two violations
  • MFC r319748: MFV r319738: 8155 simplify dmu_write_policy handling of pre-compressed buffers
  • MFC r319749: MFV r319739: 8005 poor performance of 1MB writes on certain RAID-Z configuration s
  • MFC r319750: MFV r319741: 8156 dbuf_evict_notify() does not need dbuf_evict_lock
  • MFC r319751: MFV r319740: 8168 NULL pointer dereference in zfs_create()
  • MFC r319947: MFV r319945,r319946: 8264 want support for promoting datasets in libzfs_core
  • MFC r319949: MFV r319948: 5428 provide fts(), reallocarray(), and strtonum()
  • MFC r319953: MFV r319951: 8311 ZFS_READONLY is a little too strict
  • MFC r320153: revert r315852 which introduced zio_buf_alloc_nowait for use in vdev_queue_aggregate
  • MFC r320156, r320185, r320186, r320262, r320452, r321111: MFV r318946: 8021 ARC buf data scatter-ization
  • MFC r320237: MFV r318947: 7578 Fix/improve some aspects of ZIL writing.
  • MFC r320238: MFV r319742: 8056 zfs send size estimate is inaccurate for some zvols
  • MFC r320239: MFV r319950: 5220 L2ARC does not support devices that do not provide 512B access
  • MFC r320352: zfs: port vdev_file part of illumos change 3306
  • MFC r320152 (by avg): fstyp: move sys/ include path after zfs include paths
  • MFC r307865 (by tsoome): loader should boot pre-feature flags pools.
  • MFC r314504 (by tsoome): loader: r314112 did introduce dereference freed pointer entry
  • MFC r320492: Polish target_id/target_lun setting for ATIOs/INOTs.
  • MFC r320574: Slightly unify SNS requests for post- and pre-24xx.
  • MFC r320575: Move comment respecting previous commit.
  • MFC r320604, r320865: Switch fabric scans from GID_FT to GID_PT+GFF_ID/GFT_ID.
  • MFC r320493: Unify INOT/ATIO setup.
  • MFC r320495: Allow status aggregation for ramdisk reads.


mm (1):

  • MFC r320927,320931,320932: Bump libarchive to 3.3.2


ngie (72):

  • MFC r318325:
  • MFC r319834,r319841,r320723,r320724:
  • MFC r319928:
  • MFC r319855,r319856,r319858:
  • MFC r319857:
  • MFC r320172,r320173:
  • MFC r318180:
  • MFC r319846:
  • MFC r319836:
  • MFC r307873,r314397,r314399,r314419,r314420,r314533,r316553:
  • MFC r321109:
  • MFC r316557:
  • MFC r316549,r316550,r316551,r316554:
  • MFC r316558:
  • MFC r318705,r318711:
  • MFC r318257,r318278:
  • MFC r319844,r319845:
  • MFC r318695:
  • MFC r318701,r319842:
  • MFC r303212,r319642,r319830:
  • MFC r319850:
  • MFC r318255:
  • MFC r319800,r319806:
  • MFC r302500,r319339,r319543,r319544,r319551,r321138:
  • MFC r316552,r319662:
  • MFC r319048,r319049,r319051,r319054:
  • MFC r318715,r318717,r318718,r318719,r318720,r318721:
  • MFC r318710:
  • MFC r318704,r318708,r318709:
  • MFC r318280:
  • MFC r318707:
  • MFC r318703:
  • MFC r318712:
  • MFC r318706:
  • MFC r318702:
  • MFC r319026:
  • MFC r319063:
  • MFC r319293:
  • MFC r318693,r318694:
  • MFC r318722:
  • MFC r316817:
  • MFC r318723:
  • MFC r312521,r313397:
  • Relnotes: yes (subtle output/behavior change)
  • MFC r316602:
  • MFC r316600:
  • MFC r316601:
  • MFC note: cnv(9) diff ignored since API/manpage not present on ^/stable/11.
  • MFC note: content changes based on r309745 not included.
  • MFC r316076:
  • MFC r321235:
  • MFC r310329: r310329 (by cem):
  • MFC r316818:
  • MFC note: content changes of r317315 were reversed. .Dd is being updated for diff reduction purposes.
  • MFC note: only the newsyslog.conf.d change has been backported to unbreak "make distribution" with etc/newsyslog.conf.d/opensm.conf installation. The cron.d and syslog.d changes were omitted by request to avoid churn on ^/stable/{10,11}. Requested by: jhb, peter
  • MFC r320135:
  • MFC r318960,r319545,r319546,r319548,r321261:
  • MFC r316102:
  • MFC r314893:
  • MFC r314654:
  • MFC r314653:
  • MFC r314479:
  • MFC r314454,r314455:
  • MFC r314475:
  • MFC r314543:
  • MFC r321240:
  • MFC r316603,r321214:
  • MFC r320445:
  • MFC r320446:
  • MFC r320443,r320444:
  • MFC r320441,r320442:
  • MFC r320491:


pfg (2):

  • Revert r316779: Remove (yet again) the definition for the GCC __nonnull() attribute.
  • MFC r320990, r321011:


philip (1):

  • MFC r320941: Fix GRE over IPv6 tunnels with IPFW


rmacklem (3):

  • MFC: r320659 Add a Bugs section that indicates that the nfsuserd doesn't work when jails are being used on the system. It is hoped that the patches in PR#205193 will someday get tested/debugged so that they can be MFC'd to fix this.
  • MFC: r321248 Update the nfsv4 man page to reflect recent changes to support the newer RFCs (5661 and 7530). The main man changes are for the case of "numbers in strings" for user/groups that RFC7530 allows and avoids use of nfsuserd(8).
  • MFC: r321314 r320062 introduced a bug when doing NFSv4.1 mounts against some non-FreeBSD servers.


sephe (5):

  • MFC 321286
  • MFC 321406
  • MFC 321407
  • MFC 321408
  • MFC 321409


sjg (1):

  • MFC bmake-20170720


trasz (1):

  • MFC r320359:


wulf (1):

  • MFC r319162: psm: add support for evdev protocol