remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

show more ...

Add {get,set}thrname(2) for putting thread names in the kernel and
exposed in a new field returned by sysctl(KERN_PROC). Update
pthread_{get,set}_name_np(3) to use the syscalls. Show them, when
set

Add {get,set}thrname(2) for putting thread names in the kernel and
exposed in a new field returned by sysctl(KERN_PROC). Update
pthread_{get,set}_name_np(3) to use the syscalls. Show them, when
set, in ps -H and top -H output.

libc and libpthread minor bumps

ok mpi@, mvs@, deraadt@

show more ...

Unveiling unveil(2).
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start usin

Unveiling unveil(2).
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.

Still needs to send the unveil's across forks and execs before
fully enabling.

Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@

show more ...

pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of

pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistant state)
Discussion with many
florian has used this to improve the strictness of a daemon

show more ...

As per style.9, prototypes should not have variable names associated
with the types.

OK jca@

Don't declare select() in <unistd.h>

ok deraadt@ millert@

Move the 10 (!) defintions of NULL to their own mini header file and
update the NULL definition for C++11. OK deraadt@ guenther@ kettenis@

Remove iruserok(_sa)? and __ivaliduser(sa)?

ok millert@ deraadt@

tame -> pledge.

Move to next tame() API. The flags are now passed as a very simple string,
which results in tame() code placements being much more recognizeable.
tame() can be moved to unistd.h and does not need cp

Move to next tame() API. The flags are now passed as a very simple string,
which results in tame() code placements being much more recognizeable.
tame() can be moved to unistd.h and does not need cpp symbols to turn the
bits on and off. The resulting API is a bit unexpected, but simplifies the
mapping to enabling bits in the kernel substantially.
vague ok's from various including guenther doug semarie

show more ...

Hide many (194!) symbols that nothing should be using.
Delete exect(2); it wasn't portable across archs and nothing used it.

ports test build by naddy@
ok deraadt@ kettenis@

claim posix 2008 compat. apparently people look at this and get scared
when it's really old. but no actual ports fallout in espie's build.
ok deraadt

update swab() to match the current posix definition. "rationale: none."
rewrite the function to be simpler as well. the compiler can unroll the
loop for us if necessary.
ok schwarze

header changes for recent libc changes:
add siphash
delete setkey, encrypt, cfree

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

show more ...

Our setpgrp() is the BSD version with two args and not the XSI
version with zero args, so it should only be visible if __BSD_VISIBLE
(and not also for __XPG_VISIBLE). Contrawise, readlink() has been

Our setpgrp() is the BSD version with two args and not the XSI
version with zero args, so it should only be visible if __BSD_VISIBLE
(and not also for __XPG_VISIBLE). Contrawise, readlink() has been
part of base POSIX since 1995, so move to proper #if area for that.
Move crypt_checkpass() to the pure-BSD section of the file.

setpgrp() issue noted by Matti Karnaattu (mkarnaattu (at) gmail.com)
ok millert@

show more ...

Sync readlink(2) with IEEE Std 1003.1-2008.

discussion, help and ok guenther@

Declare and document getthrid()

indirectly prodded by krw@

Add additional kernel interfaces for setting close-on-exec on fds
when creating them: pipe2(), dup3(), accept4(), MSG_CMSG_CLOEXEC,
SOCK_CLOEXEC. Includes SOCK_NONBLOCK support.

ok matthew@

update _POSIX2_FORT_RUN, so that sysconf(_SC_2_FORT_RUN) remains correct.
because you care. reminded by matthew.

Change return value of getentropy() to int 0 for success. Maximum
buffersize is enforced strictly, this supplies sufficient entropy
payload to act as seed material. Discourage general use of this
A

Change return value of getentropy() to int 0 for success. Maximum
buffersize is enforced strictly, this supplies sufficient entropy
payload to act as seed material. Discourage general use of this
API, but lock down this function name as the go-to for userland
PRNG seeding. Improve documentation.
ok miod matthew

show more ...

Add new getentropy() system call. Code and pressure from matthew.
I accepted that he's right (again) to seperate this out from heavy
sysctl API and this will simply a variety of things. Functionnam

Add new getentropy() system call. Code and pressure from matthew.
I accepted that he's right (again) to seperate this out from heavy
sysctl API and this will simply a variety of things. Functionname
is not used by anyone in the ports tree, so we guess we can use it.
Shocking that no application has a function called this.
ok matthew & others who pushed him to start this early on

show more ...

add prototypes for new crypt functions

Use internal '__' names for __attributes__ in public headers

Define intptr_t in <unistd.h> as specified by POSIX

ok millert