system: remove optional defaults, secure access to sysctl node

The node is now empty by default, so code peeking into its items
should check beforehand or use a safe iterator like config_read_array().

This is for 25.7 with the infamous two security sysctls flipping back
to FreeBSD defaults.
Franco Fichtner 2025-03-18 16:32:24 +01:00
parent 815a56c8a7
commit f482df7d71
4 changed files with 12 additions and 18 deletions


@ -2,18 +2,7 @@
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr><![CDATA[Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)]]></descr>
<tunable>hw.ibrs_disable</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Page Table Isolation (Meltdown mitigation, requires reboot.)]]></descr>
<tunable>vm.pmap.pti</tunable>
<value>default</value>
</item>
</sysctl>
<sysctl/>
<system>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>


@ -69,12 +69,18 @@ function system_sysctl_defaults()
{
global $config;
/* notes:
* - set 'optional' => true for values that should no longer be enforced by default
/* - 'decription' and 'type' can be used to indicate persistence of these values
* when in reality these are not available due to kernel modules unloaded or
* compile time options unset (like debugging)
* - always set 'default' so the backend can use it and the user can see it
*/
return [
'debug.kassert.warn_only' => [ 'default' => '1', 'description' => 'KASSERT triggers a panic (0) or just a warning (1)', 'type' => 'w' ],
'hw.ibrs_disable' => [ 'default' => '0', 'optional' => true ],
'hw.ixl.enable_head_writeback' => [ 'default' => '0' ],
'hw.syscons.kbd_reboot' => [ 'default' => '0' ],
'hw.uart.console' => [ 'default' => 'io:0x3f8,br:' . system_console_speed(), 'type' => 't', 'optional' => true ], /* XXX remove in a future release */
'hw.vtnet.csum_disable' => [ 'default' => '1' ],
'kern.coredump' => [ 'default' => '0' ],
'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
@ -131,7 +137,6 @@ function system_sysctl_defaults()
'vfs.zfs.dirty_data_sync_percent' => [ 'default' => '5' ],
'vfs.zfs.txg.timeout' => [ 'default' => '90' ],
'vm.numa.disabled' => [ 'default' => '1' ],
'vm.pmap.pti' => [ 'default' => '1', 'optional' => true ],
];
}
@ -143,7 +148,7 @@ function system_sysctl_get()
foreach ($defaults as $name => $info) {
/* compile list of required sysctls not necessarily present in config */
if (empty($info['optional'])) {
$sysctls[$name] = 'default';
$sysctls[$name] = '';
}
}
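Review bot: The note block at the top of the first hunk spells the array key as 'decription' while the entries below use 'description' (the debug.kassert.warn_only line), and that line opens with `/*` instead of the ` *` continuation used by its neighbours; I'd change it to ` * - 'description' and 'type' can be used to indicate persistence of these values`. Whether the stray `/*` is in the source or a rendering artifact of this page I can't tell, but PHP does not nest block comments, so it is harmless text either way. In the third hunk, `$sysctls[$name] = '';` makes the empty string the marker for a required sysctl with no configured value; if downstream code resolves that to the entry's 'default', a one-line comment there such as `/* empty value: resolve to the entry's 'default' when applying */` would make that contract visible. system_sysctl_get() starts and ends outside the hunk.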


@ -74,7 +74,7 @@ class TunablesController extends ApiMutableModelControllerBase
Config::getInstance()->lock();
$factory_config = Config::getInstance()->toArrayFromFile('/usr/local/etc/config.xml', []);
$mdl = $this->getModel()->Default();
if (!empty($factory_config['sysctl']) && !empty($factory_config['sysctl']['item'])) {
if (!empty($factory_config['sysctl']['item'])) {
foreach ($factory_config['sysctl']['item'] as $item) {
$node = $mdl->item->Add();
foreach ($item as $key => $val) {


@ -38,7 +38,7 @@ if ($action == 'maintenance') {
if (isset($config["virtualip_carp_maintenancemode"])) {
unset($config["virtualip_carp_maintenancemode"]);
$carp_demotion_default = '0';
foreach ($config['sysctl']['item'] as $tunable) {
foreach (config_read_array('sysctl', 'item') as $tunable) {
if ($tunable['tunable'] == 'net.inet.carp.demotion' && ctype_digit($tunable['value'])) {
$carp_demotion_default = $tunable['value'];
}
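Review bot: The new loop over `config_read_array('sysctl', 'item')` still dereferences `$tunable['tunable']` and `$tunable['value']` unconditionally in the condition on the next line, so an item lacking either key raises an undefined-index warning before `ctype_digit` runs, and the comparison uses loose `==`; with the node empty by default, every item reached here comes from the running config rather than the factory defaults, so the shape is worth guarding. I'd make the condition `if (($tunable['tunable'] ?? '') === 'net.inet.carp.demotion' && ctype_digit($tunable['value'] ?? '')) {`, which keeps the behaviour for well-formed items since `ctype_digit('')` is false. The enclosing `if ($action == 'maintenance')` block and the `isset(...)` branch continue outside the hunk.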