kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

kernel/clock_getres: Improve CPU clock ID sanity checking.

clock_settime(2): Return EINVAL if tv_sec < 0

The same argument check is also done in nanosleep(2)/clock_nanosleep(2),
and FreeBSD also does this check.

Implement clock_nanosleep(2) system call

* Extend the nanosleep1() function in kern_time.c to support the
clock_nanosleep(2) system call. Add {kern,sys}_clock_nanosleep()
functions and update k

Implement clock_nanosleep(2) system call

* Extend the nanosleep1() function in kern_time.c to support the
clock_nanosleep(2) system call. Add {kern,sys}_clock_nanosleep()
functions and update kern_nanosleep() accordingly.

* Add clock_nanosleep() syscall to syscalls.master and regenerate
syscall-related files.

* Update libc symbols with the new syscall.

* Add clock_nanosleep() warpper in libthread_xu.

* Update nanosleep.2 man page to describe clock_nanosleep().

* Update <time.h> and bump __DragonFly_version.

This work is loosely based on the FreeBSD implementation:
https://reviews.freebsd.org/rS315526

This clock_nanosleep(2) syscall passed all tests in the Open POSIX Test
Suite [0]:

conformance/interfaces/clock_nanosleep/1-1: execution: PASS
conformance/interfaces/clock_nanosleep/1-2: execution: PASS
conformance/interfaces/clock_nanosleep/1-3: execution: PASS
conformance/interfaces/clock_nanosleep/1-4: execution: PASS
conformance/interfaces/clock_nanosleep/1-5: execution: PASS
conformance/interfaces/clock_nanosleep/2-1: execution: PASS
conformance/interfaces/clock_nanosleep/2-2: execution: PASS
conformance/interfaces/clock_nanosleep/2-3: execution: PASS
conformance/interfaces/clock_nanosleep/3-1: execution: PASS
conformance/interfaces/clock_nanosleep/4-1: execution: PASS
conformance/interfaces/clock_nanosleep/5-1: execution: PASS
conformance/interfaces/clock_nanosleep/6-1: execution: PASS
conformance/interfaces/clock_nanosleep/9-1: execution: PASS
conformance/interfaces/clock_nanosleep/8-1: execution: PASS
conformance/interfaces/clock_nanosleep/10-1: execution: PASS
conformance/interfaces/clock_nanosleep/11-1: execution: PASS
conformance/interfaces/clock_nanosleep/13-1: execution: PASS
conformance/interfaces/clock_nanosleep/15-1: execution: PASS

[0] Open POSIX Test Suite: http://posixtest.sourceforge.net/

Reviewed-by: swildner, dillon, tuxillo, zach

show more ...

nanosleep(2): Return EINVAL if tv_sec < 0 (POSIX-compliant)

When the requested sleep interval is negative, return EINVAL. This
behavior is the same as Linux and makes our nanosleep(2) pass all test

nanosleep(2): Return EINVAL if tv_sec < 0 (POSIX-compliant)

When the requested sleep interval is negative, return EINVAL. This
behavior is the same as Linux and makes our nanosleep(2) pass all tests
in the Open POSIX Test Suite [0].

conformance/interfaces/nanosleep/1-1: execution: PASS
conformance/interfaces/nanosleep/1-2: execution: PASS
conformance/interfaces/nanosleep/1-3: execution: PASS
conformance/interfaces/nanosleep/2-1: execution: PASS
conformance/interfaces/nanosleep/3-1: execution: PASS
conformance/interfaces/nanosleep/3-2: execution: PASS
conformance/interfaces/nanosleep/4-1: execution: PASS
conformance/interfaces/nanosleep/5-1: execution: PASS
conformance/interfaces/nanosleep/5-2: execution: PASS
conformance/interfaces/nanosleep/6-1: execution: PASS
conformance/interfaces/nanosleep/7-1: execution: PASS
conformance/interfaces/nanosleep/7-2: execution: PASS
conformance/interfaces/nanosleep/10000-1: execution: PASS

[0] Open POSIX Test Suite: http://posixtest.sourceforge.net/

show more ...

nanosleep(2): Plug a memory disclourse and be POSIX-compliant

The nanosleep1() called by sys_nanosleep() would only update rmt on
EINTR, but it can also return other errors, such as EINVAL. And in

nanosleep(2): Plug a memory disclourse and be POSIX-compliant

The nanosleep1() called by sys_nanosleep() would only update rmt on
EINTR, but it can also return other errors, such as EINVAL. And in that
case, sys_nanosleep() would update the user-space rmtp by copying
garbage from its stack frame. This is not only a kernel memory
disclourse, but also not POSIX-compliant.

Fix sys_nanosleep() to update rmtp only on EINTR. In addition, zero the
kernel rmt variable for double safety.

Obtained-from: FreeBSD (r315510)
Reviewd-by: dillon

show more ...

kernel: Use howmany() in a couple of places.

kernel - Refactor in-kernel system call API to remove bcopy()

* Change the in-kernel system call prototype to take the
system call arguments as a separate pointer, and make the
contents read-onl

kernel - Refactor in-kernel system call API to remove bcopy()

* Change the in-kernel system call prototype to take the
system call arguments as a separate pointer, and make the
contents read-only.

int sy_call_t (void *);
int sy_call_t (struct sysmsg *sysmsg, const void *);

* System calls with 6 arguments or less no longer need to copy
the arguments from the trapframe to a holding structure. Instead,
we simply point into the trapframe.

The L1 cache footprint will be a bit smaller, but in simple tests
the results are not noticably faster... maybe 1ns or so
(roughly 1%).

show more ...

kernel - Refactor sysclock_t from 32 to 64 bits

* Refactor the core cpu timer API, changing sysclock_t from 32
to 64 bits. Provide a full 64-bit count from all sources.

* Implement muldivu64() u

kernel - Refactor sysclock_t from 32 to 64 bits

* Refactor the core cpu timer API, changing sysclock_t from 32
to 64 bits. Provide a full 64-bit count from all sources.

* Implement muldivu64() using gcc's 128-bit integer type. This
functions takes three 64-bit valus, performs (a * b) / d
using a 128-bit intermediate calculation, and returns a 64-bit
result.

Change all timer scaling functions to use this function which
effectively gives systimers the capability of handling any
timeout that fits 64 bits for the timer's resolution.

* Remove TSC frequency scaling, it is no longer needed. The
TSC timer is now used at its full resolution.

* Use atomic_fcmpset_long() instead of a clock spinlock when
updating the msb bits for hardware timer sources less than
64 bits wide.

* Properly recalculate existing systimers when the clock source
is changed. Existing systimers were not being recalculated,
leading to the system failing to boot when time sources had
radically different clock frequencies.

show more ...

<sys/time.h>: Add 3rd arg to timespecadd()/sub() and make them public.

* Switch to the three argument versions of the timespecadd() and
timespecsub() macros. These are now the predominant ones. Fr

<sys/time.h>: Add 3rd arg to timespecadd()/sub() and make them public.

* Switch to the three argument versions of the timespecadd() and
timespecsub() macros. These are now the predominant ones. FreeBSD,
OpenBSD, NetBSD, and Solaris (albeit only for the kernel) have them.

* Make those macros public too. This allows for a number of cleanups
where they were defined locally.

Pointed-out-by: zrj
Reviewed-by: dillon

show more ...

kernel - Rewrite the callout_*() API

* Rewrite the entire API from scratch and improve compatibility
with FreeBSD. This is not an attempt to achieve full API compatibility,
as FreeBSD's API has

kernel - Rewrite the callout_*() API

* Rewrite the entire API from scratch and improve compatibility
with FreeBSD. This is not an attempt to achieve full API compatibility,
as FreeBSD's API has unnecessary complexity that coders would frequently
make mistakes interpreting.

* Remove the IPI mechanisms in favor of fine-grained spin-locks instead.

* Add some robustness features in an attempt to track down corrupted
callwheel lists due to originating subsystems freeing structures out
from under an active callout.

* The code supports a full-blown type-stable/adhoc-reuse structural
separation between the front-end and the back-end, but this feature
is currently not operational and may be removed at some future point.
Instead we currently just embed the struct _callout inside the
struct callout.

* Replace callout_stop_sync() with callout_cancel().

* callout_drain() is now implemented as a synchronous cancel instead
of an asynchronous stop, which is closer to the FreeBSD API and
expected operation for ported code (usb stack in particular). We
will just have to fix any deadlocks which we come across.

* Retain our callout_terminate() function as the 'better' way to
stop using a callout, as it will not only cancel the callout but
also de-flag the structure so it can no longer be used.

show more ...

libc - Add kpmap shortcut for gettimeofday()

* If the kern.gettimeofday_quick sysctl is set to 1, libc's
gettimeofday() will use the tick-granular realtime in
the kpmap instead of making a syste

libc - Add kpmap shortcut for gettimeofday()

* If the kern.gettimeofday_quick sysctl is set to 1, libc's
gettimeofday() will use the tick-granular realtime in
the kpmap instead of making a system call. The sysctl
defaults to 0 (off).

* Useful in situations where gettimeofday() interferes with
benchmarks, but otherwise not recommended.

* Running programs react instantly to changes in this sysctl.

show more ...

libc/libpthread: Add clock_getcpuclockid() and pthread_getcpuclockid().

* Adjust clock_gettime() and clock_getres() to accept values obtained
this way.

* Also set _POSIX_CPUTIME and _POSIX_THREAD

libc/libpthread: Add clock_getcpuclockid() and pthread_getcpuclockid().

* Adjust clock_gettime() and clock_getres() to accept values obtained
this way.

* Also set _POSIX_CPUTIME and _POSIX_THREAD_CPUTIME, although we should
really support values obtained by these functions in clock_settime()
too.

Based on and taken from FreeBSD's code.

Reviewed-by: sephe

show more ...

kernel/time: Change get_curthread_cputime() to get_thread_cputime().

kernel - Optimize lwp-specific signaling.

* Optimize the signal code to remove most instances of needing proc->p_token
when lwp-specific signals are sent.

* Add a CURSIG_LCK_TRACE() macro which c

kernel - Optimize lwp-specific signaling.

* Optimize the signal code to remove most instances of needing proc->p_token
when lwp-specific signals are sent.

* Add a CURSIG_LCK_TRACE() macro which can now return with p_token held, and
pass the status to postsig() which then consumes it.

* lwpsignal() now tries very hard to avoid acquiring proc->p_token.

* Significantly improves vkernel operation under heavy (vkernel) IPI loads.

show more ...

kernel - Incidental mplock removal - NTP support

* Make the NTP support functions MPSAFE.

kernel/clock_gettime: Various fixes.

* Fix CLOCK_PROF and CLOCK_VIRTUAL to behave like FreeBSD's. They are
not meant to return the values of ITIMER_PROF and ITIMER_VIRTUAL
(which are decreasing,

kernel/clock_gettime: Various fixes.

* Fix CLOCK_PROF and CLOCK_VIRTUAL to behave like FreeBSD's. They are
not meant to return the values of ITIMER_PROF and ITIMER_VIRTUAL
(which are decreasing, see getitimer(2)), like they were implemented
by 91810a6f0686477493e9915e98cfc5adcbe91363. This also fixes
CLOCK_PROCESS_CPUTIME_ID.

* Fix CLOCK_PROCESS_THREAD_ID. It was adding the values wrongly in a
way that could cause tv_nsec to overflow (i.e. become >= 1000000000).

* Fix clock_getres() for CLOCK_{PROCESS,THREAD}_CPUTIME_ID.

* Mention CLOCK_{PROCESS,THREAD}_CPUTIME_ID in clock_gettime()'s manual
page.

* Bring in some minor manual page fixes from FreeBSD.

Reported-by: zhtw
Dragonfly-bug: <https://bugs.dragonflybsd.org/issues/2951>

show more ...

kernel - Fix issue w/recent utimes commit

* The repurposed itimerfix() and itimespecfix() functions needed to have
a conditional removed which was putting an arbitrary limit on the tv_sec
field.

kernel - Fix issue w/recent utimes commit

* The repurposed itimerfix() and itimespecfix() functions needed to have
a conditional removed which was putting an arbitrary limit on the tv_sec
field.

* Fixes an issue that caused utimes*() to fail and return EINVAL.

show more ...

kernel - Sanity-check getutimes().

* Sanity check getutimes() and getutimens()

* Also note futimes commit just before this one was also
Submitted-by: stateless.

Submitted-by: stateless

sysctl: Partial sync with FreeBSD

* Revisit locking to use the same locks and macro names as FreeBSD

* Add sysctl_remove_name()

* Add sysctl_rename_oid()

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadl

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadler.com>

show more ...

kernel/kern_time.c: Mark the hack to not settimeofday(0) with XXX.

kernel: Add CLOCK_PROCESS_CPUTIME_ID

Remove advertising clause from all that isn't contrib or userland bin.

By: Eitan Adler <lists@eitanadler.com>

kernel: Add CLOCK_THREAD_CPUTIME_ID

And make it usable with clock_gettime() and clock_getres()

With-advice-from: Sascha Wildner