kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

inet/inet6: Randomize local port

Due to avoid lock intruction, this also improves connect(2)
performance a bit.

loopback: Use ifclone APIs to create loopback interfaces.

This paves way for multiple FIB support.

inpcb: Don't rely on ncpus2 for local port allocation.

inpcb: Split portinfo token into tokens for porthash head

And use pooled token for porthash head. This avoids another 10K/s
~20K/s contention during local port selection.

inpcb: Push porthash token down a bit and use atomic op to update lastport

This paves the way to use pooled token for porthash list head.

Even just with this commit, porthash token contention is re

inpcb: Push porthash token down a bit and use atomic op to update lastport

This paves the way to use pooled token for porthash list head.

Even just with this commit, porthash token contention is reduced by 20K/s
on 12core/24threads system when running tools/kq_connect_client.

show more ...

inet6: Change scope to zone and use in6_clearscope() whenever possible

Obtained-from: KAME via FreeBSD

inet6: Cosmetic clean up

No functional changes.

Obtained-from: KAME via FreeBSD

kernel - Adjustments for CERT VU#711516

Note that IPV6 route advertisements are disabled by default, so these
adjustments have no real security implications if you haven't enabled
it. And, generall

kernel - Adjustments for CERT VU#711516

Note that IPV6 route advertisements are disabled by default, so these
adjustments have no real security implications if you haven't enabled
it. And, generally speaking, enabling IPV6 route advertisements is a
really bad idea anyway and these adjustments only address one small part
of the problem.

* Allowing RTR packets via net.inet6.ip6.accept_rtadv is not advised
even with this adjustment.

* Add a sysctl to put a lower limit on the IPV6 hop limit received via
RTR packets when allowed, default is 39. sysctl net.inet6.ip6.minhlim.

show more ...

in6pcb: in6_pcbsetport -> in6_pcbsetlport; no functional changes

inpcb: Add macros to get/release/assert port token

inpcb/in6pcb: Split port token

The original single local port space is devided into ncpus2 local port
space groups. We denote local port space group as PG(N), N=[0, ncpus2).

Property of PG(N):
- P

inpcb/in6pcb: Split port token

The original single local port space is devided into ncpus2 local port
space groups. We denote local port space group as PG(N), N=[0, ncpus2).

Property of PG(N):
- PG(N) only contains local ports matching following condition:
(host_order(port) & ncpus2_mask) == N
- PG(N) is protected by its own token.

On explicit local port bind(2) path and accept(2) path, PG(N) is selected
by using the local port already available (accept(2)) or supplied
(bind(2)):
N = host_order(port) & ncpus2_mask

On implicit local port selection path (bind(2) and connect(2)), PG(N) is
selected and used in the following way:
N = mycpuid;
N1 = N;
again:
if (find free port in PG(N)) {
DONE;
} else {
N = (N + 1) & ncpus2_mask;
if (N != N1)
goto again;
FAILED;
}

PG(N) is now recorded in inpcb struct, so when inpcb is destroyed, we
know which port space group it should use.

On i7-3770 w/ Intel 82599ES, using tools/kq_connect_client:
Port token contention rate on each hyperthread is reduced from 120K/s to
40K/s. Admittedly the contention rate is still high but it is much
better than before.

Now the major source of port token contention is the contention between
implicit local port select path and inpcb destroy path. There may be a
way to choose local port which could hash the inpcb to the current CPU;
this needs more investigation.

show more ...

inpcb: Group port related fields into inpcbportinfo

Prepare for port token splitting.

inpcb/in6pcb: in_pcbinsporthash() never fails

in6pcb: Properly hold port token for in6_pcbbind() and in6_pcbsetport()

jails/netinet6: Only select jailed ips for outgoing

Outgoing IP address selection for jailed processes using ipv6
was broken and selected the first ip6 address available.
Now the code checks whether

jails/netinet6: Only select jailed ips for outgoing

Outgoing IP address selection for jailed processes using ipv6
was broken and selected the first ip6 address available.
Now the code checks whether an ip6 is available to the jail
in in6_ifawithascope.

show more ...

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadl

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadler.com>

show more ...

Remove advertising clause from all that isn't contrib or userland bin.

By: Eitan Adler <lists@eitanadler.com>

kernel: Use NULL for pointers.

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.

Include necessary header file for SYSCTL_NODE

Add the management part of address selection policy described in RFC
3484.

Obtained-from: KAME via FreeBSD
Reviewed-by: sephe & hasso

suser_* to priv_* conversion

Made jails IPv6 aware and support more than one IP address.

Based-on: Pawel Jakub Dawidek mijail patches.
Reviewed-by: Simon 'corecode' Schubert, Thomas E. Spanjaard, et al.

Cosmetic changes.