diff --git a/website/content/en/status/report-2025-07-2025-09/alpha-omega-beach-cleaning.adoc b/website/content/en/status/report-2025-07-2025-09/alpha-omega-beach-cleaning.adoc index 470eac52f1..c32487e2b7 100644 --- a/website/content/en/status/report-2025-07-2025-09/alpha-omega-beach-cleaning.adoc +++ b/website/content/en/status/report-2025-07-2025-09/alpha-omega-beach-cleaning.adoc 
@@ -1,37 +1,37 @@ === Alpha-Omega Beach Cleaning project Links: + -link:https://alpha-omega.dev[Alpha-Omega - Linux Foundation Project] URL: link:https://alpha-omega.dev[] + +link:https://alpha-omega.dev[Alpha-Omega -- Linux Foundation Project] URL: link:https://alpha-omega.dev[] + link:https://github.com/ossf/alpha-omega[Alpha-Omega on GitHub] URL: link:https://github.com/ossf/alpha-omega[] + link:https://freebsdfoundation.org[FreeBSD Foundation] URL: link:https://freebsdfoundation.org[] + link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[Project repository from the FreeBSD Foundation] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[] Contact: Pierre Pronchery Alpha-Omega's mission is to catalyze sustainable security improvements to critical open source projects and ecosystems. After a successful project with the FreeBSD Foundation in 2024 -- auditing the bhyve hypervisor and the Capsicum sandboxing framework -- Alpha-Omega has selected FreeBSD again, for the Alpha Omega Beach Cleaning project this time. This new grant consists in generally improving the security and maintenance of third-party software within the FreeBSD base system. The FreeBSD Foundation received the grant and is managing and executing the project. 
The list of tasks has been determined as follows: * Inventory of dependencies * Security risk assessments * Propose list of priorities * Plan the respective actions * Formalize code owners * Integrate review methodologies * Plan execution & coordination * Final report The first deliverables have been issued on the dedicated GitHub repository: * Machine-readable link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml[database] * link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/dependencies.md[List of dependencies] * link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/security.md[Security risk assessments] Help is welcome to complete the information collected, and to improve on any other aspect of the project! Finally, monthly reporting is submitted and available link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2025/FreeBSD[on GitHub]. Sponsor: Alpha-Omega, The FreeBSD Foundation diff --git a/website/content/en/status/report-2025-07-2025-09/bananapi-r64-drivers.adoc b/website/content/en/status/report-2025-07-2025-09/bananapi-r64-drivers.adoc index 5465ce3d39..0142b0aebc 100644 --- a/website/content/en/status/report-2025-07-2025-09/bananapi-r64-drivers.adoc +++ b/website/content/en/status/report-2025-07-2025-09/bananapi-r64-drivers.adoc 
@@ -1,32 +1,32 @@ === FreeBSD Driver Development for BananaPi-R64 Contact: Martin Filla Wiki: https://wiki.freebsd.org/arm/Bananapi ==== Introduction The Banana Pi R64 is a MediaTek MT7622-based development board (ARM Cortex-A53, dual-core ~1.35 GHz) featuring 4× Gigabit LAN, 1× Gigabit WAN, Wi-Fi (4×4n), Bluetooth 5.0, and multiple peripheral interfaces (UART, SPI, I²C, GPIO, SATA, mini-PCIe, eMMC, etc.). ==== Current State of FreeBSD Support - Implemented so far: * **UART driver** * **Clock management (clocks)** * **Pinctrl/gpio driver** – in active development gpio part - * **Storage controllers (eMMC/SD/MMC) driver - * **Ethernet Switch mt7531 driver - * **Ethernet mt7622 driver + * **Storage controllers (eMMC/SD/MMC) driver** + * **Ethernet Switch mt7531 driver** + * **Ethernet mt7622 driver** Other essential components—Ethernet, USB, SATA, Wi-Fi, etc.—are not yet implemented. ==== Technical Context and Significance Support for Banana Pi R64 in FreeBSD is in the early stages—UART and clocks drivers exist but ppl clock is under development, gpio is under development -- while most critical subsystems remain unimplemented. ==== Development roadmap * Implement missing drivers - USB (XHCI/OTG) - SATA / AHCI - Wi-Fi (likely MediaTek MT7615) - GPIO subsystems ==== Conclusion Support for Banana Pi R64 in FreeBSD is in the early stages—UART and clocks drivers exist but ppl clock is under development, gpio is under development—while most critical subsystems remain unimplemented. Publishing working code and artifacts, plus active collaboration with the FreeBSD community, will be essential to bring this board toward usable status under FreeBSD. diff --git a/website/content/en/status/report-2025-07-2025-09/group-changes.adoc b/website/content/en/status/report-2025-07-2025-09/group-changes.adoc index 8d41d0edbe..2beee38693 100644 --- a/website/content/en/status/report-2025-07-2025-09/group-changes.adoc 
+++ b/website/content/en/status/report-2025-07-2025-09/group-changes.adoc 
@@ -1,44 +1,44 @@ === Process Credentials' Groups-Related Changes in FreeBSD 15 Links: + link:https://www.freebsd.org/status/report-2025-04-2025-06/#_ucred_group_changes_in_freebsd_15_0[T2 2025 Status Report] URL: https://www.freebsd.org/status/report-2025-04-2025-06/#_ucred_group_changes_in_freebsd_15_0 + link:https://cgit.freebsd.org/src/commit/?id=9dc1ac869196[initgroups(3): Backwards-compatible implementation and manual page update ] URL: https://cgit.freebsd.org/src/commit/?id=9dc1ac869196 + link:https://cgit.freebsd.org/src/commit/?id=4be38acc826f[Main commit changing getgroups(2)'s manual page] URL: https://cgit.freebsd.org/src/commit/?id=4be38acc826f + link:https://cgit.freebsd.org/src/commit/?id=6d22cd6b5f8b[Main commit changing setgroups(2)'s manual page] URL: https://cgit.freebsd.org/src/commit/?id=6d22cd6b5f8b Contact: Olivier Certner + Contact: Kyle Evans Starting with FreeBSD 15: . [[setgroups_getgroups]]The behavior of the man:setgroups[2] and man:getgroups[2] system calls function has slightly changed. + Out of caution, even if almost all existing applications will continue to work undisturbed, we advise auditing those that you are maintaining or using as explained below. . [[initgroups]]How processes' group membership is derived from the password and group databases on login has slightly changed: The login user's initial numerical group ID from the password database is now automatically added to the supplementary groups set, even if that user is not explicitly listed as a member of the corresponding group in the group database. -. [[kernel]]The kernel stores the effective group ID in a new specific field of `struct ucred` (`cr_gid`) instead of in the same array as supplementary groups (`cr_ngroups[]`). +. [[kernel_group-changes]]The kernel stores the effective group ID in a new specific field of `struct ucred` (`cr_gid`) instead of in the same array as supplementary groups (`cr_ngroups[]`). 
The man:setgroups[2] and man:getgroups[2] system calls will operate only on the calling process' supplementary groups, not featuring the effective group ID as the first element of their array argument. The man:initgroups[3] function's implementation is unchanged and still relies on man:setgroups[2], with the consequence that it **does not** set the process' effective group ID **anymore**, instead including its `basegid` argument in the supplementary groups set. One of the reasons for these changes is to have FreeBSD behave exactly like GNU/Linux systems, NetBSD, OpenBSD and illumos-based operating systems. Consequently, almost all portable applications should already be compliant with FreeBSD's new behavior and will continue to work correctly or even get fixed in the process (see the previous status report linked above for an example with OpenSSH). However, porters, system administrators and users are advised to audit their applications that are using man:setgroups[2], man:getgroups[2] and man:initgroups[3], watching out for the following points: * Applications should already be using man:setgid[2] or man:setegid[2] in addition to man:setgroups[2] or man:initgroups[3] to set the effective group ID. + If this is not the case, these calls must be added, as otherwise affected applications will stop setting the effective group ID starting from FreeBSD 15. * Applications using man:getgroups[2] should not be treating the first element of the returned array specially, but as any other supplementary group. + If nonetheless they do, they have to be modified to obtain the effective group ID via man:getegid[2] instead and to treat all groups returned by man:getgroups[2] as supplementary groups only. Manual pages of all changed functions have been modified in `stable/14` and `stable/15` to describe and contrast the old and new behaviors, and have grown new `SECURITY CONSIDERATIONS` sections stating the reasons for the changes and the points to watch out for. 
Backwards-compatible implementations of changed functions are provided so that applications compiled on FreeBSD 14 or earlier continue to see the old behaviors and work as before. They are available if and only if the kernel was compiled with `COMPAT_FREEBSD14`, which is the case of the default `GENERIC` kernel. We have normally fixed all unwanted impacts of storing the effective group ID separately from the supplementary groups in the kernel, such as: * Some security policies or access checks would either ignore the effective group ID or the first supplementary group (with lowest numerical ID), affecting process visibility restrictions based on group IDs, the "can debug" and "can export KTLS keys" checks, the man:mac_do[4] and man:mac_bsdextended[4] security policies, and access control to some hardware facilities (tracing: man:hwt[4]; performance monitoring: man:hwpmc[4]) and to NFS-served shares. * Reporting of process' credentials would omit the effective group ID, affecting all variants of `procstat -s` (on live processes, core files, or system core dump), man:ddb[4]. Sponsor: The FreeBSD Foundation diff --git a/website/content/en/status/report-2025-07-2025-09/hackathon.adoc b/website/content/en/status/report-2025-07-2025-09/hackathon.adoc index 53cf41d276..63ce3016c2 100644 --- a/website/content/en/status/report-2025-07-2025-09/hackathon.adoc +++ b/website/content/en/status/report-2025-07-2025-09/hackathon.adoc 
@@ -1,25 +1,25 @@ === July 2025 FreeBSD Hackathon in Berlin, Germany Links: link:https://wiki.freebsd.org/Hackathon/202507[Event page] URL: link:https://wiki.freebsd.org/Hackathon/202507[] + -Date: July Saturday 12th and Sunday 13th 2025 +Date: July Saturday 12th and Sunday 13th 2025 + Location: Chaos Computer Club Berlin We had been invited to hold our two day Hackathon in the halls of the Chaos Computer Club Berlin. The full report can be found link:https://pad.lorenz.lu/Hackathon202507[here]. The approximately 30 participants hacked on the following projects: * link:https://pad.lorenz.lu/Hackathon202507#Local-Chatbot-RAG-with-FreeBSD-Knowledge[Local Chatbot RAG with FreeBSD Knowledge] * link:https://pad.lorenz.lu/Hackathon202507#Cross-compiling-FreeBSD-on-macOS[Cross compiling FreeBSD on macOS] * link:https://pad.lorenz.lu/Hackathon202507#Pierre-P-khorben[Importing OpenSSL 3.5] * link:https://pad.lorenz.lu/Hackathon202507#Kristof-P-kp[The netlinkification of PF] * link:https://pad.lorenz.lu/Hackathon202507#Jan-B[Injecting host executable into jails] * link:https://pad.lorenz.lu/Hackathon202507#Li-Wen-H-lwhsu[Updating OpenSearch ports] * link:https://pad.lorenz.lu/Hackathon202507#Benedict-R-bcr[Ambushing Mark Phillips with a Microphone] * link:https://pad.lorenz.lu/Hackathon202507#Rodrigo-O-rodrigo[Patching rsync to handle extattr] * link:https://pad.lorenz.lu/Hackathon202507#NN[Checking LICENSE files against SPDX templates] * link:https://pad.lorenz.lu/Hackathon202507#Timo[TCP/UDP checksum offloading for bhyve] * link:https://pad.lorenz.lu/Hackathon202507#Dave-C-dch[Native FreeBSD containers with Podman] * and more. diff --git a/website/content/en/status/report-2025-07-2025-09/nuageinit.adoc b/website/content/en/status/report-2025-07-2025-09/nuageinit.adoc index 77cbbaca23..4e4abc59b9 100644 --- a/website/content/en/status/report-2025-07-2025-09/nuageinit.adoc +++ b/website/content/en/status/report-2025-07-2025-09/nuageinit.adoc 
@@ -1,30 +1,30 @@ -=== Cloud: Improvements for nuageinit +=== Improvements for nuageinit Contact: Baptiste Daroussin + Contact: Jesús Daniel Colmenares Oviedo Inspired by link:https://cloud-init.io/[cloud-init], nuageinit is a script written entirely in Lua to add cloud-init compatibility to FreeBSD. Thanks to the `firstboot` feature of the man:rc[8] framework, it runs early and only once. Fixes and improvements have been made in recent months: * Missing documentation for already implemented parameters have been added. * More test cases have been added. * The device configuration ID is used as an interface when no `match` rule is specified. * Implementation of the `network.ethernets.{id}.match.name` parameter. * Implementation of the `network.ethernets.{id}.wakeonlan` parameter. * Implementation of the `network.ethernets.{id}.set-name` parameter. * Implementation of the `network.ethernets.{id}.match.driver` parameter. * Implementation of the `network.ethernets.{id}.mtu` parameter. * Implementation of the `nameservers` parameter. * Support for package:security/doas[]. * Allow the use of network parameters from `network-config` file. Committed in the following branches: stable/14, stable/15, and main. 
If you plan to use nuageinit, remember that each image is generated periodically and distributed on the following sites: * link:https://download.freebsd.org/releases/VM-IMAGES[] * link:https://download.freebsd.org/snapshots/VM-IMAGES[] Commits: link:https://cgit.freebsd.org/src/commit/?id=ba5df7a2d03cd5624b1825ca8d4c39dcaace7796[ba5df7a], link:https://cgit.freebsd.org/src/commit/?id=95b0be1118b1a24ceb1b59ecd936aaa155d828bd[95b0be1], link:https://cgit.freebsd.org/src/commit/?id=a7f19968ae5d5e7e5feba85d04698050fcaf784f[a7f1996], link:https://cgit.freebsd.org/src/commit/?id=9f3330f5224ea2384a1c7d79a5b1f2784f7c14b6[9f3330f], link:https://cgit.freebsd.org/src/commit/?id=a5cc9b7b96dcba4d3ee98f2eb58c3f389590ddf0[9f3330f], link:https://cgit.freebsd.org/src/commit/?id=95230b248f6412c2d1c416c1e9795c3192cdf750[95230b2], link:https://cgit.freebsd.org/src/commit/?id=9a829e865697e623a046800545be7781a117125e[9a829e8]
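Review bot: in alpha-omega-beach-cleaning.adoc, the project name is spelled two ways inside this hunk. The heading has "Alpha-Omega Beach Cleaning project" and the body has "the Alpha Omega Beach Cleaning project this time". As the change is already normalising punctuation in the first link text, settle on one spelling in the same pass.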
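Review bot: in bananapi-r64-drivers.adoc, the "Implemented so far" list now shows "Ethernet Switch mt7531 driver" and "Ethernet mt7622 driver" as done, but the unchanged sentence directly after the list still names Ethernet among the components that "are not yet implemented". Remove Ethernet from that sentence or state which Ethernet parts are still missing. The roadmap likewise lists "GPIO subsystems" as a missing driver while the list describes the Pinctrl/gpio driver as in active development, and the Conclusion repeats the "Technical Context and Significance" paragraph word for word, so one of the two could be dropped.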
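Review bot: in group-changes.adoc, only `[[kernel]]` is given a report-specific suffix (`[[kernel_group-changes]]`), while the two sibling anchors in the same list, `[[setgroups_getgroups]]` and `[[initgroups]]`, keep generic names. If the rename is meant to avoid anchor collisions once the entries are assembled into one report, apply the same suffix to those two. On the same `+` line, `cr_ngroups[]` is written as the array that used to hold the effective group ID, but the name reads like a count field, so please check it against `struct ucred` before this lands. The context line "system calls function has slightly changed" also has a stray "function".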
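Review bot: in hackathon.adoc, the line that gains the trailing ` +` reads "Date: July Saturday 12th and Sunday 13th 2025", with the month ahead of the weekday. While touching it, reorder to something like "Saturday 12th and Sunday 13th July 2025". In the paragraph below, "two day Hackathon" should be hyphenated as "two-day".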
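Review bot: in nuageinit.adoc, the Commits list uses the label `9f3330f` twice. The second occurrence links to `?id=a5cc9b7b96dcba4d3ee98f2eb58c3f389590ddf0`, so its label should be `a5cc9b7`. In the bullet list, "Missing documentation for already implemented parameters have been added" needs "has been added".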