Not that I know of.

(There's a lot I don't know.)

what is the correct way to add a unionfs (with -o below) mount to fstab?

This doesn't work with fstab: "/mnt/poudriere/data/archive /var/ftp/pub/FreeBSD/pkg unionfs late,below 0 0"

whats the last version of freebsd?

warsoul: freebsd.org/releases

Title: Release Information | The FreeBSD Project

tuaris: i think you will need another option such as rw

it's just a peculiarity of fstab i guess

Mount things manually the way you need, then run: mount -p | grep unionfs >> /etc/fstab

does anyone here use capsicumizer to sandbox firefox? wondering if anyone already has a configuration file that whitelists all of the paths that FF needs to function properly

tm512, what is that?

sfox, It's similar to AppArmor. github.com/valpackett/capsicumizer You can read an overview of it here: freebsdfoundation.org/wp-content/up…ds/2019/11/Capsicum-Update-2019.pdf

Title: GitHub - valpackett/capsicumizer: Run anything (like full blown GTK apps) under Capsicum

What was the default window manager in FreeBSD called again? fvwm or twm?

remiliascarlet: pretty sure X11 ships with twm

Ah yeah, thanks.

but it is not FeeBSD default window manager as there are none of such. twm is part X11

Yeah, I meant "whatever ships with X11". I was still in OpenBSD mode, which ships 3 different window managers out of the box.

I'm wondering just how much capsicumizer would actually help because it wouldn't prevent an exploited browser process from reading anything it wants out of ~/.{cache/,}mozilla for instance

like website login tokens

remiliascarlet, freebsd ships with twm. netbsd ships with ctwm

whereas if FF were actually programmed to properly use capsicum it could leverage much finer-grained control over which processes are allowed to access what

FF isn't even properly programmed to handle malloc() failing.

that seems like a lot ot ask from a corporation more interested in virtue signalling and donating to non-tech related 'influencers' projects then working on improving their own software

not to mention leaving the BSDs in the dust when they switched to using rust

to further mitigate risk I'd have to like, manually separate out websites like keeping financial stuff in its own separate profile and having two (or more) different capsicumized FF instances blacklisted from each others' data, though that sounds like a pain in the ass

tm512, if your really worried you could disable to cache

or disable javascript by default to reduce your attack surface

modern web browsers are kinda of a lost cause though. It may be more useful to prevent an exploited browser from reading and writing to non-web browser related userdata.

the state of chromium is such that when malloc fails, I get warnings about it trying to execut opcodes which do not exist.

I don't know exactly how worried I should be. it's just a shame that browsers on FreeBSD lack such a basic security feature that they've had for years on Linux through stuff like seccomp

this is topic for #freebsd-social

I believe that might mean it is executing non-program data

tm512, the state on Linux isn't that much better

angry_vincent: I'm specifically asking about FreeBSD-related software, not really socializing

this is not FreeBSD related software

how to best secure a browser on FreeBSD, particularly through imposing capsicum on it, or perhaps using jails, is inherently FreeBSD-related. I've never seen anyone ever suggest that talking about FreeBSD is off-topic for this channel

browsers are not related

more over browsers devs perhaps even less interested in FreeBSD at all

specially chromium

you can run browser in jail, this is true.

maybe, it is the most secure one can get

considering browsers are software that can be run on FreeBSD and have security issues on FreeBSD specifically, discussing those issues and how to best address them seems so clearly on-topic for this channel that I'm not even interested in bickering with you regarding this anymore

never seen anyone get chastised in this channel for discussing real-world use of FreeBSD, never seen anyone chastised for talking about anything outside of the base system

"best secure a browser" Are you talking about Lynx?

A browser that ships with a ton of spyware by default, has a billion lines of code, and takes ages to compile is not what I can consider "secure".

the problem is that on FreeBSD, every single browser process has unrestricted access to everything my user has access to, whereas on the "Big 3" this is not the case, because browsers care enough to write OS-specific sandboxing backends for those OSes

I guess OpenBSD + chromium is the exception for sandboxed browsers on the BSDs, because chromium has support for unveil

but that would require me to run both OpenBSD and chromium, neither of which are my preference

I'm probably going to see if capsicumizer works with Firefox, if not, I'll stick with this other route of running it in a separate user and granting that user access to my X server, and adding my main user to that separate user's group, but I ran into some annoying permissions issues with files downloaded into /tmp

Maybe consider chmod 600'ing important files and directories.

doesn't really help if a compromised browser is running as the user that has access, though running the browser as a separate user and not providing that user access to my main user's home directory does basically solve that issue

are you still paranoid about your desktop browser?

The alternative is to just use Lynx for your daily browsing.

Or Netsurf if it has to be graphical.

why would anyone want to target a freebsd desktop, with what, like .001% of the browser market

if you're really that paranoid, then don't run a browser on your computer, or run it in a VM that's reset to a pristine state each time, with none of your personal files

but it sounds like you're sure making a lot of work or inconvenience for yourself

I dunno how much of this would have to be tailored for FreeBSD specifically, don't really know the internals of Firefox. also dunno how I feel about being called paranoid for wanting a fraction of the security that I've had on Linux for years and just take for granted

The most balanced way would be to just deactivate all the spyware, install uBlock Origin to make webpages more sane and secure, and install Dark Reader to make websites easier on your eyes, and just leave it at that.

And disable Javascript by default to mitigate 99% of all possible browser exploits.

uBlock Origin is already a given. on the very rare occasion I use a browser without installing it right away, I just end up shocked by how unusable the web is without it. as for something like NoScript, eh, what I'm worried is going to happen is that I get annoyed by constantly needing to whitelist javascript that I just end up feeling like it's not worth the effort

No need for NoScript.

uBlock Origin has a Javascript on/off toggle built-in that works just fine.

that's like exactly my experience with trying to use duckduckgo several years back. it gave such useless search results on such a consistent basis, forcing me to go to google over and over again, eventually it just ended up not being worth the hassle

Because DuckDuckGo is broken by design.

I can recommend a decent SearXNG instance, which'll use both and many other engines without the need to have JS enabled.

from what I hear, nowadays they just scrape Bing search results. maybe better than what it used to be, but still

I've heard decent things about searx, as long as you can find a trusted instance

opnxng.com This one has never failed for me thus far.

Title: searxng

I do recommend you set HTTP method to "GET" if you intend on setting it as the default search engine.

I still use DuckDuckGo for image search, because SearXNG still doesn't have any all the useful features found in the big search engines for some reason.

as you say, you don't understand firefox internals, what do you think a sandbox of sort protects you against

from what I do understand of how the sandboxing works, it prevents each browser process from accessing any files other than those it's directly concerned with, like that specific website's cookies, cache, etc

so have you raised this issue with firefox?

there's already a ticket on their bug tracker regarding capsicum support, with work apparently abandoned

ok then

specifically, bugzilla.mozilla.org/1607980

Title: 1607980 - Implement sandboxing on FreeBSD with Capsicum

anybody got twitch.tv working in a browser on FreeBSD?

as for the whole thing about inconvenience, I'm specifically trying to find the solution that gives the most security as transparently as possible, like the solution I arrived at currently is having a shell script just called "firefox" higher up in my path than the actual binary, and that shell script launches firefox as another user, granting that user X11 privs before launching, and revoking them after

FF closes

dch: works here

dch: twitch doesn't already just work?

nope, login reports "Your browser is not currently supported. Please use a recommended browser or learn more here."

has done for a long time, IIRC. I used to watch code streamers a fair bit.

doesn't work in ungoogle-chromium, nor vanilla firefox

la_mettrie: what browser, and do you have to do any user agent hacking?

as a hunch, do you have H.264 support built-in to ffmpeg?

I just have whatever comes from pkg.freebsd.org

dch: firefox 122.0, i don't recall doing any agent hacking

albeit on current

I seem to recall that error message showing up when I was trying to get Linux set up on my friend's laptop recently, and it was because OpenSUSE does not package ffmpeg with patented codecs

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0

is my UA according to firefox

hmm well here on 14-STABLE with the packages, H.264 was working just fine on youtube at least

looks like by default, ffmpeg has OpenH264 off andX264 on, as one would expect.

If it were to read "FreeBSD" instead of "Linux", more websites made by complete amateurs would probably display a "this system or browser is unsupported" message, which they do because they don't know how to make websites correctly.

x264 is an encoder library, I don't think it has a decoder, libavcodec has its own

la_mettrie: if you can, what's your user agent?

dch: ffmpeg -decoders | grep h264

also, whether the browser is trying to leverage hardware accel and failing might have something to do with the issue? though, I'd really expect it to seamlessly fall back to software

dch: 42e5f1a60d9445aba3650b7261c0a5f5

yeah this is a box that can play youtube video etc without issue

la_mettrie: whats that? I'd expected something like 'Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0'

dch: Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0

huh and it works OOTB

la_mettrie: thanks! thats very weird, its the same as mine, albeit I'm +1 firefox version, which makes no difference

maybe its our DNS blocking... nope not that either

just a fresh install of firefox on this laptop I'm setting up has twitch working out of the box

twitch work for me too in ff 123

yeah, FF 123 here as well for what it's worth

thanks for the testing!

what I see here is this:

I don't have any hardware decoding available though, according to about:support

I guess I have to install the AMD libva drivers first

fails with 400: POST passport.twitch.tv/integrity

I will scrounge up a 14.0-RELEASE and see if it works

nope neither

not even with a fresh profile

it looks like this integrity check fails with 400, and other people report the same issue

the whole passport.twitch.tv thing reminds me of this issue where I couldn't log in to twitch from FF (on Linux) at all for like a month and had to use chromium. I may be getting details confused, though

the site still worked, I think it was just the login that was broken

reddit.com/r/Twitch/comments/xmwj76…went_wrong_please_try_again_firefox ctrl-F "passport" and yeah, I wasn't misremembering

dch: one commenter in this thread was recommending setting network.http.referer.XOriginPolicy to 1 in about:config, though this is a pretty old thread

and it seems like the concrete solutions that people propose in this thread work for some and not others

tm512: mmm, thats the default, so my `firefox --profile $(mktemp -d -t firefox) &` has it

wow

twitch's CSP is crazy: allows recaptcha.net (IIRC google), facebook, cloudflare cdn, googleapis.com, bootstrapcdn, authy.com

thats basically everybody

so I installed mesa's VDPAU drivers, as well as the libva VDPAU wrapper, still don't get hardware codec support in firefox :|

this is a Vega 8 iGPU, with Video Core Next 1.0, so it should have decoders for up to VP9

I'll try to inspect further with vainfo, dunno if I will get around to that tonight though. I really don't have much experience with AMD's stuff, and never used VDPAU

hi. i'm having big problems with running win 10 on bhyve. it keeps exiting with error 137. evidently it means out of memory

i tried with all kinds of memory wired to vm 4g/8g/12g and it's always the same. host has 16gb ram. i reduced zfs arc to 2gb

usually stops within a few hours to a couple of days

download more ram ?

:p

if i can't run a 4gb vm on 16gb ram, soemthing is wrong, no?

depends what else the host is doing

what is returning "error 137" ?

supposed to be doing nothing at all

Feb 26 14:40:42: bhyve exited with status 137

i'm monitoring top now, just restarted vm, gonna see if i see anything suspicious

so far it's 7gb free mem

vm seems to be creeping up in mem use tho

bhyve that is

not sure how the oom killer works :/

it kills things it does not like;)

yea bhyve keeps allocating memory. it's up to 9.5gb now

11gb now :/ what amount of memory should i expect bhyve to use?

the limit you set in your config

not sure you're following :p

i've set 4gb on the vm. but bhyve is using 11.3gb

and rising

you mean u have set 4GB on guest?

or 4GB on bhyve conf?

i haven't found any setting that regulates bhyve memory usage

i'm starting to suspect pci passthru bug

I would assume bhyve to have a small constant overhead additional to the guest memory size specified via -m, reads like a bug somewhere to me

rebooted host and all is normal

noticed before i rebooted that vm ethernet was down, passthru not working anymore

it's happened before. need to find out what causes it

I have service written in golang daemonized with /usr/sbin/daemon . I just noticed that it seems to be 2-3x faster if I just leave it running in tmux rather than using daemon. What might cause this weird behaviour? is there any known issues with daemon and go concurrency ?

you probably would want to profile it to see where the time is spent...

Is it somehow not possible to do DHCP and assign a static IP alias to an interface? I can't seem to get the to work on 14.0

you want a static IP and the one DHCP gives you?

nimaje, yes

Hi all. Does ThinkPad UltraBase 3 Dock run on FreeBSD?

does that need some special operating system support? shouldn't that just look like generic hardware to the OS?

nimaje, yes, it is, but all users on different devices work in different ways. Maybe someone has experience specifically with this device ...

morning

I need someone with freebsd 13 and dig (from dns/bind-tools) installed to test something for me real quick, run this command: "dig @9.9.9.9 cname id.server.on.quad9.net +tls" and tell me if it works or not, I suspect freebsd 13 will not work and freebsd 14 will work but I would like confirmation

by "work" I mean the dig command returns the lookup results as normal, "not work" is either a timeout or no output at all from dig

tykling: le-fay.org/tmp/30d/dig.txt

both work! thank you very much lw

the plot thickens

lw: does it work consistently on 13 if you try a few times in a row?

just 2-3 times?

tykling: le-fay.org/tmp/30d/LkOSFy.txt

thanks again!

much appreciated :)