kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

libc: Remove libc checks around manual pages from the Makefile.inc's.

Handle this better by setting NOMAN for libc_rtld.

Some additions and fixes related to fdatasync(2) and posix_fallocate(2).

* Fix a small issue in VOP_FDATASYNC()'s definition in <sys/vfsops.h>.

* Mention fdatasync() in fsync.2 (this basically sync

Some additions and fixes related to fdatasync(2) and posix_fallocate(2).

* Fix a small issue in VOP_FDATASYNC()'s definition in <sys/vfsops.h>.

* Mention fdatasync() in fsync.2 (this basically syncs that manual page
with FreeBSD, with a few adjustments).

* Add a manual page for posix_fallocate() (from FreeBSD, with a few
adjustments).

* Mention fdatasync() in the list of reentrant functions in sigaction.2.

* In pthread_testcancel.3, mention fdatasync() in the list of functions
for which a cancellation point will occur.

* Mention VOP_FDATASYNC() in VOP_FSYNC.9 (partly taken from FreeBSD).

* Remove a compatibility define in the fsstress tool.

Thanks to tkusumi for reviewing.

show more ...

kernel/libc: Remove the old vmm code.

Removes the kernel code and two system calls.

Bump __DragonFly_version too.

Reviewed-by: aly, dillon

Implement the fexecve(2) system call

The fexecve(2) function is equivalent to execve(2), except that the file
to be executed is determined by the file descriptor fd instead of a
pathname.

The purpo

Implement the fexecve(2) system call

The fexecve(2) function is equivalent to execve(2), except that the file
to be executed is determined by the file descriptor fd instead of a
pathname.

The purpose of fexecve(2) is to enable executing a file which has been
verified to be the intended file. It is possible to actively check the
file by reading from the file descriptor and be sure that the file is
not exchanged for another between the reading and the execution.

See https://pubs.opengroup.org/onlinepubs/9699919799/functions/fexecve.html

This work is partially based on swildner's patch and FreeBSD's
implementation (revisions 177787, 182191, 238220).

XXX: We're missing O_EXEC support in open(2).

Reviewed-by: dillon

show more ...

Implement clock_nanosleep(2) system call

* Extend the nanosleep1() function in kern_time.c to support the
clock_nanosleep(2) system call. Add {kern,sys}_clock_nanosleep()
functions and update k

Implement clock_nanosleep(2) system call

* Extend the nanosleep1() function in kern_time.c to support the
clock_nanosleep(2) system call. Add {kern,sys}_clock_nanosleep()
functions and update kern_nanosleep() accordingly.

* Add clock_nanosleep() syscall to syscalls.master and regenerate
syscall-related files.

* Update libc symbols with the new syscall.

* Add clock_nanosleep() warpper in libthread_xu.

* Update nanosleep.2 man page to describe clock_nanosleep().

* Update <time.h> and bump __DragonFly_version.

This work is loosely based on the FreeBSD implementation:
https://reviews.freebsd.org/rS315526

This clock_nanosleep(2) syscall passed all tests in the Open POSIX Test
Suite [0]:

conformance/interfaces/clock_nanosleep/1-1: execution: PASS
conformance/interfaces/clock_nanosleep/1-2: execution: PASS
conformance/interfaces/clock_nanosleep/1-3: execution: PASS
conformance/interfaces/clock_nanosleep/1-4: execution: PASS
conformance/interfaces/clock_nanosleep/1-5: execution: PASS
conformance/interfaces/clock_nanosleep/2-1: execution: PASS
conformance/interfaces/clock_nanosleep/2-2: execution: PASS
conformance/interfaces/clock_nanosleep/2-3: execution: PASS
conformance/interfaces/clock_nanosleep/3-1: execution: PASS
conformance/interfaces/clock_nanosleep/4-1: execution: PASS
conformance/interfaces/clock_nanosleep/5-1: execution: PASS
conformance/interfaces/clock_nanosleep/6-1: execution: PASS
conformance/interfaces/clock_nanosleep/9-1: execution: PASS
conformance/interfaces/clock_nanosleep/8-1: execution: PASS
conformance/interfaces/clock_nanosleep/10-1: execution: PASS
conformance/interfaces/clock_nanosleep/11-1: execution: PASS
conformance/interfaces/clock_nanosleep/13-1: execution: PASS
conformance/interfaces/clock_nanosleep/15-1: execution: PASS

[0] Open POSIX Test Suite: http://posixtest.sourceforge.net/

Reviewed-by: swildner, dillon, tuxillo, zach

show more ...

Use ${} instead of $() in various makefiles

Also use ${.TARGET} and ${.ALLSRC] wherever impossible.

Minor style adjustment in at(1)'s makefiles.

libc - Update manual page for realpath(3) and add page for __realpath(2)

* Add a manual page for __realpath(2) which clarifies differences
between realpath(3) and __realpath(2).

libc - Update for realpath() system call support

* The realpath() implementation now checks to see if the system call
is available and uses it.

* getosreldate() now caches the result to avoid mul

libc - Update for realpath() system call support

* The realpath() implementation now checks to see if the system call
is available and uses it.

* getosreldate() now caches the result to avoid multiple sysctl()
calls.

* Add the new system calls (__realpath and getrandom()) to the symbol
list.

show more ...

world - Add support for lwp_getname() and pthread_get_name_np()

* Add support for the new system call lwp_getname()

* Add support for pthread_get_name_np(), rounding out that function
set and imp

world - Add support for lwp_getname() and pthread_get_name_np()

* Add support for the new system call lwp_getname()

* Add support for pthread_get_name_np(), rounding out that function
set and improving ports compatibility.

show more ...

Adjust various things for the recent brk(2) removal.

kernel/libc: Remove sigstack() remains.

There is no sigstack() syscall anymore in DragonFly, besides being
obsolete, so remove some remains like the manual page and prototype,
and do some related cl

kernel/libc: Remove sigstack() remains.

There is no sigstack() syscall anymore in DragonFly, besides being
obsolete, so remove some remains like the manual page and prototype,
and do some related cleanup.

show more ...

system - Add wait6(), waitid(), and si_pid/si_uid siginfo support

* Add the wait6() system call (header definitions taken from FreeBSD).
This required rearranging kern_wait() a bit. In particular

system - Add wait6(), waitid(), and si_pid/si_uid siginfo support

* Add the wait6() system call (header definitions taken from FreeBSD).
This required rearranging kern_wait() a bit. In particular, we now
maintain a hold count of 1 on the process during processing instead
of releasing the hold count early.

* Add waitid() to libc (waitid.c taken from FreeBSD).

* Adjust manual pages (taken from FreeBSD).

* Add siginfo si_pid and si_uid support. This basically allows a process
taking a signal to determine where the signal came from. The fields
already existed in siginfo but were not implemented.

Implemented using a non-queued per-process array of signal numbers.
The last originator sending any given signal is recorded and passed
through to userland in the siginfo.

* Fixes the 'lightdm' X display manager. lightdm relies on si_pid
support. In addition, note that avoiding long lightdm related
latencies and timeouts require a softlink from libmozjs-52.so to
libmozjs-52.so.0 (must be addressed in dports, not addressed in this
commit).

Loosely-taken-from: FreeBSD (wait6, waitid support only)
Reviewed-by: swildner

show more ...

libc: Move to a format for specifying MLINKS that's less hard on the eyes.

We do it like this in other places of the tree already and will eventually
move to this everywhere.

Fix typo in MLINK name.

{read,write}.2: A bit more cleanup. Also add ext*() MLINKS.

Revert "libc: Add temporary (get|set)affinity DF404.0 symbols"

This reverts commit 3c2537818c14aaba122a276020143cd4b92d2cbc.

As indicated in the original commit, the (get|set)affinity DF404.0
symbo

Revert "libc: Add temporary (get|set)affinity DF404.0 symbols"

This reverts commit 3c2537818c14aaba122a276020143cd4b92d2cbc.

As indicated in the original commit, the (get|set)affinity DF404.0
symbols were temporary and limited to the 4.7 development branch.
Now that 4.8 has been officially released, remove them as they
have served their purpose. By now, all software built on 4.7
should have been rebuilt and thus nothing depends on the mistake
symbols.

show more ...

libc: Add temporary (get|set)affinity DF404.0 symbols

The sched_getaffinity, sched_setaffinity and related work had the new
symbols erroneously given DF404.0 versioning. This was corrected by
commi

libc: Add temporary (get|set)affinity DF404.0 symbols

The sched_getaffinity, sched_setaffinity and related work had the new
symbols erroneously given DF404.0 versioning. This was corrected by
commit 6262c9d, but that in turn broke any userland programs built
with the original symbol versions.

This patch redefines the old symbols while maintaining the correct
DF408.0 versions, but it is intended to be temporary. After the
branch (e.g. Release 4.8), this commit should be reverted so that
the next development trunk won't have the DF404.0 versions. It's
expected that all ports and third-party software is rebuilt when
upgrading to a new release. This serves as a reasonable bridge
to allow affected users to do that rebuild.

This patch is particularly intrusive regarding the syscall assembly
file creation, so it's not something we want to leave in place
permanently in my opinion.

show more ...

libc/libpthread: Some manual page cleanup after the *setaffinity* work.

libc: Remove the unused NO_P1003_1B variable checks.

libc: Add sched_getcpu().

lwp: Add lwp_create2 syscll, which takes cpumask for scheduling.

libc: Add sched_{set,get}affinity().

Same as other sched_ fucntions, these two functions do _not_ support
the overriding pid as tid as what Linux supports.

lwp: Add two syscalls to set/get lwp's CPU affinity mask.

libc: Fix up compat-43 a bit.

* Functions in libc/compat-43 aren't syscalls so move their manual
pages to section 3.

* Move the stuff that is still POSIX to libc/gen: creat, gethostid,
getwd, k

libc: Fix up compat-43 a bit.

* Functions in libc/compat-43 aren't syscalls so move their manual
pages to section 3.

* Move the stuff that is still POSIX to libc/gen: creat, gethostid,
getwd, killpg. compat-43 isn't the right place for them.

* While here, a non-existant .PATH in compat-43/Makefile.inc.

show more ...