Shawn Webb lattera

## gist:afd995d87e2e635f8935d97e61b4c9b9
git-host-01[shawn]:/home/shawn $ sudo top -j -b -d 1                                                                              [15:14:47]
Password:
last pid: 39792;  load averages:  0.10,  0.27,  0.25  up 2+06:01:48    15:15:27
42 processes:  1 running, 41 sleeping
CPU:  1.9% user,  0.0% nice,  1.9% system,  0.0% interrupt, 96.2% idle
Mem: 174M Active, 16G Inact, 21G Wired, 102G Free
ARC: 17G Total, 9844M MFU, 7068M MRU, 400K Anon, 95M Header, 629M Other
     16G Compressed, 18G Uncompressed, 1.12:1 Ratio
Swap: 64G Total, 64G Free

## core.txt.0
hbsd-laptop-02 dumped core - see /var/crash/vmcore.0

Sun Sep 20 19:24:59 EDT 2020

FreeBSD hbsd-laptop-02 13.0-CURRENT-HBSD FreeBSD 13.0-CURRENT-HBSD #0  502c6f771f4-c282126(hardened/current/master): Sun Sep 20 19:05:29 EDT 2020     shawn@hbsd-laptop-02:/usr/obj/usr/src/amd64.amd64/sys/HARDENEDBSD  amd64

panic: sleepq_add: td 0xfffffe0154975ac0 to sleep on wchan 0xfffff800041fa978 with sleeping prohibited

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.

## build.txt
Started by user Administrator
Running as SYSTEM
Building in workspace /usr/local/jenkins/workspace/HardenedBSD 13-CURRENT package build
[HardenedBSD 13-CURRENT package build] $ /bin/sh -xe /tmp/jenkins3021525929002987689.sh
+ /usr/local/bin/sudo /usr/local/bin/zsh -c '/src/scripts/automation/jenkins.zsh -c /src/scripts/automation/config/hardenedbsd.config.json -r /src/scripts/automation/config/hbsd-13-current.repo.json'
warning: Pulling without specifying how to reconcile divergent branches is
discouraged. You can squelch this message by running one of the following
commands sometime before your next pull:

  git config pull.rebase false  # merge (the default strategy)

## pkg.patch.txt
diff --git a/libpkg/Makefile.autosetup b/libpkg/Makefile.autosetup
index ae722976..77854f16 100644
--- a/libpkg/Makefile.autosetup
+++ b/libpkg/Makefile.autosetup
@@ -42,7 +42,8 @@ SRCS=	backup.c \
 	pkg_repo_create.c \
 	pkg_version.c \
 	rcscripts.c \
-	flags.c
+	flags.c \

## gist:c2c67793c6b461a9b340da02c3a63d23
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 1903c44e7b63..2de8869a2113 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -5337,7 +5337,7 @@ _STAGE_SEQ=		050:stage-message 100:stage-dir 150:run-depends \
 				200:apply-slist 300:pre-install \
 				400:generate-plist 450:pre-su-install 475:create-users-groups \
 				500:do-install 550:kmod-post-install 600:fixup-lib-pkgconfig 700:post-install \
-				750:post-install-script 800:post-stage 850:compress-man \
+				750:post-install-script 800:post-stage 825:fixup-mitigations 850:compress-man \

## gist:c2c88c283d0d82fdfd40a4b5ce0befa9
===>   git-2.26.2 depends on executable: cvsps - found
===>   Returning to build of git-2.26.2
===>   git-2.26.2 depends on package: p5-Error>=0 - found
===>   git-2.26.2 depends on file: /usr/local/lib/libcrypto.so.11 - found
===>   git-2.26.2 depends on file: /usr/local/bin/python3.7 - found
===>   git-2.26.2 depends on package: perl5>=5.30.r1<5.31 - found
[20200513105351] ===> Generating temporary packing list
[20200513105351] ===> Creating groups.
[20200513105351] ===> Creating users
[20200513105353] ===> Installing contributed scripts

## fsextattr.sh
#!/usr/local/bin/zsh

HBSDCTRL="/usr/sbin/hbsdcontrol"

dir=""

while getopts "d:" o; do
	case "${o}" in
		d)
			dir="${OPTARG}"

## gist:3cb37bbc24b5a59d1eab955ff64ede83
hardenedbsd[shawn]:/home/shawn $ nc -4vv git-01.md.hardenedbsd.org 22                                                        [17:12:19]
Connection to git-01.md.hardenedbsd.org 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.8 HardenedBSD 12-STABLE
^C
hardenedbsd[shawn]:/home/shawn (130) $ nc -6vv git-01.md.hardenedbsd.org 22                                                  [17:12:31]
Connection to git-01.md.hardenedbsd.org 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.8 HardenedBSD 12-STABLE

## gist:0a98c32f52ebbf5b3ee4f97dd0379eb9
hostb0@pci0:0:0:0:	class=0x060000 rev=0x07 hdr=0x00 vendor=0x8086 device=0x1918 subvendor=0x1028 subdevice=0x06d9
    vendor     = 'Intel Corporation'
    device     = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers'
    class      = bridge
    subclass   = HOST-PCI
pcib1@pci0:0:1:0:	class=0x060400 rev=0x07 hdr=0x01 vendor=0x8086 device=0x1901 subvendor=0x1028 subdevice=0x06d9
    vendor     = 'Intel Corporation'
    device     = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x16)'
    class      = bridge
    subclass   = PCI-PCI

## gist:7ce19b4f3e913728514d3ef7276995f3
table <nats> counters { \
    192.168.8.0/24, \
    192.168.7.0/24, \
    192.168.10.0/24, \
    192.168.20.0/24 \
}

scrub in all

nat on em0 from {<nats>} to any -> (em0)
	git-host-01[shawn]:/home/shawn $ sudo top -j -b -d 1 [15:14:47]
	Password:
	last pid: 39792; load averages: 0.10, 0.27, 0.25 up 2+06:01:48 15:15:27
	42 processes: 1 running, 41 sleeping
	CPU: 1.9% user, 0.0% nice, 1.9% system, 0.0% interrupt, 96.2% idle
	Mem: 174M Active, 16G Inact, 21G Wired, 102G Free
	ARC: 17G Total, 9844M MFU, 7068M MRU, 400K Anon, 95M Header, 629M Other
	16G Compressed, 18G Uncompressed, 1.12:1 Ratio
	Swap: 64G Total, 64G Free
	hbsd-laptop-02 dumped core - see /var/crash/vmcore.0

	Sun Sep 20 19:24:59 EDT 2020

	FreeBSD hbsd-laptop-02 13.0-CURRENT-HBSD FreeBSD 13.0-CURRENT-HBSD #0 502c6f771f4-c282126(hardened/current/master): Sun Sep 20 19:05:29 EDT 2020 shawn@hbsd-laptop-02:/usr/obj/usr/src/amd64.amd64/sys/HARDENEDBSD amd64

	panic: sleepq_add: td 0xfffffe0154975ac0 to sleep on wchan 0xfffff800041fa978 with sleeping prohibited

	GNU gdb 6.1.1 [FreeBSD]
	Copyright 2004 Free Software Foundation, Inc.
	Started by user Administrator
	Running as SYSTEM
	Building in workspace /usr/local/jenkins/workspace/HardenedBSD 13-CURRENT package build
	[HardenedBSD 13-CURRENT package build] $ /bin/sh -xe /tmp/jenkins3021525929002987689.sh
	+ /usr/local/bin/sudo /usr/local/bin/zsh -c '/src/scripts/automation/jenkins.zsh -c /src/scripts/automation/config/hardenedbsd.config.json -r /src/scripts/automation/config/hbsd-13-current.repo.json'
	warning: Pulling without specifying how to reconcile divergent branches is
	discouraged. You can squelch this message by running one of the following
	commands sometime before your next pull:

	git config pull.rebase false # merge (the default strategy)
	diff --git a/libpkg/Makefile.autosetup b/libpkg/Makefile.autosetup
	index ae722976..77854f16 100644
	--- a/libpkg/Makefile.autosetup
	+++ b/libpkg/Makefile.autosetup
	@@ -42,7 +42,8 @@ SRCS= backup.c \
	pkg_repo_create.c \
	pkg_version.c \
	rcscripts.c \
	- flags.c
	+ flags.c \
	diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
	index 1903c44e7b63..2de8869a2113 100644
	--- a/Mk/bsd.port.mk
	+++ b/Mk/bsd.port.mk
	@@ -5337,7 +5337,7 @@ _STAGE_SEQ= 050:stage-message 100:stage-dir 150:run-depends \
	200:apply-slist 300:pre-install \
	400:generate-plist 450:pre-su-install 475:create-users-groups \
	500:do-install 550:kmod-post-install 600:fixup-lib-pkgconfig 700:post-install \
	- 750:post-install-script 800:post-stage 850:compress-man \
	+ 750:post-install-script 800:post-stage 825:fixup-mitigations 850:compress-man \
	===> git-2.26.2 depends on executable: cvsps - found
	===> Returning to build of git-2.26.2
	===> git-2.26.2 depends on package: p5-Error>=0 - found
	===> git-2.26.2 depends on file: /usr/local/lib/libcrypto.so.11 - found
	===> git-2.26.2 depends on file: /usr/local/bin/python3.7 - found
	===> git-2.26.2 depends on package: perl5>=5.30.r1<5.31 - found
	[20200513105351] ===> Generating temporary packing list
	[20200513105351] ===> Creating groups.
	[20200513105351] ===> Creating users
	[20200513105353] ===> Installing contributed scripts
	#!/usr/local/bin/zsh

	HBSDCTRL="/usr/sbin/hbsdcontrol"

	dir=""

	while getopts "d:" o; do
	case "${o}" in
	d)
	dir="${OPTARG}"
	hardenedbsd[shawn]:/home/shawn $ nc -4vv git-01.md.hardenedbsd.org 22 [17:12:19]
	Connection to git-01.md.hardenedbsd.org 22 port [tcp/ssh] succeeded!
	SSH-2.0-OpenSSH_7.8 HardenedBSD 12-STABLE
	^C
	hardenedbsd[shawn]:/home/shawn (130) $ nc -6vv git-01.md.hardenedbsd.org 22 [17:12:31]
	Connection to git-01.md.hardenedbsd.org 22 port [tcp/ssh] succeeded!
	SSH-2.0-OpenSSH_7.8 HardenedBSD 12-STABLE
	hostb0@pci0:0:0:0: class=0x060000 rev=0x07 hdr=0x00 vendor=0x8086 device=0x1918 subvendor=0x1028 subdevice=0x06d9
	vendor = 'Intel Corporation'
	device = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers'
	class = bridge
	subclass = HOST-PCI
	pcib1@pci0:0:1:0: class=0x060400 rev=0x07 hdr=0x01 vendor=0x8086 device=0x1901 subvendor=0x1028 subdevice=0x06d9
	vendor = 'Intel Corporation'
	device = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x16)'
	class = bridge
	subclass = PCI-PCI
	table <nats> counters { \
	192.168.8.0/24, \
	192.168.7.0/24, \
	192.168.10.0/24, \
	192.168.20.0/24 \
	}

	scrub in all

	nat on em0 from {<nats>} to any -> (em0)