History log of /freebsd/sys/kern/sys_capability.c (Results 1 – 25 of 108)
# 8ae9921f 22-Oct-2024 Brooks Davis <brooks@FreeBSD.org>

sys_capability.c: update the source of CAPENABLED

System calls allowed in capability mode have been specified by the
CAPENABLED flag in syscalls.master since 2021.


Revision tags: release/13.4.0, release/14.1.0, release/13.3.0
# 61e3e177 22-Jan-2024 Pawel Jakub Dawidek <pjd@FreeBSD.org>

capsicum: SIGTRAP is delivered also on ECAPMODE error.

Approved by: oshogbo (mentor)


# 9bec8413 06-Apr-2024 Jake Freeland <jfree@FreeBSD.org>

ktrace: Record detailed ECAPMODE violations

When a Capsicum violation occurs in the kernel, ktrace will now record
detailed information pertaining to the violation.

For example:
- When a namei lookup violation occurs, ktrace will record the path.
- When a signal violation occurs, ktrace will record the signal number.
- When a sendto(2) violation occurs, ktrace will record the recipient
sockaddr.

For all violations, the syscall and ABI are recorded.

kdump is also modified to display this new information to the user.

Reviewed by: oshogbo, markj
Approved by: markj (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D40676


Revision tags: release/14.0.0
# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


Revision tags: release/13.2.0, release/12.4.0, release/13.1.0
# f17ef286 22-Feb-2022 Mateusz Guzik <mjg@FreeBSD.org>

fd: rename fget*_locked to fget*_noref

This gets rid of the error prone naming where fget_unlocked returns with
a ref held, while fget_locked requires a lock but provides nothing in
terms of making sure the file lives past unlock.

No functional changes.


Revision tags: release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0
# 2d896b81 19-Mar-2020 Mark Johnston <markj@FreeBSD.org>

Enter a write sequence when updating rights.

The Capsicum system calls modify file descriptor table entries. To
ensure that readers observe a consistent snapshot of descriptor writes,
the system calls need to signal to unlocked readers that an update is
pending.

Note that ioctl rights are always checked with the descriptor table lock
held, so it is not strictly necessary to signal unlocked readers.
However, we probably want to enable lockless ioctl checks eventually, so
use seqc_write_begin() in kern_cap_ioctls_limit() too.

Reviewed by: kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D24119


# dca7f66f 15-Feb-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r357931 through r357965.


# eb40664d 15-Feb-2020 Mateusz Guzik <mjg@FreeBSD.org>

capsicum: use new helpers


# 74dc6beb 14-Feb-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r357855 through r357920.


# 0f5f49ef 14-Feb-2020 Kyle Evans <kevans@FreeBSD.org>

u_char -> vm_prot_t in a couple of places, NFC

The latter is a typedef of the former; the typedef exists and these bits are
representing vmprot values, so use the correct type.

Submitted by: sigsys@gmail.com
MFC after: 3 days


# bc02c18c 07-Feb-2020 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r357408 through r357661.


# bcd1cf4f 03-Feb-2020 Mateusz Guzik <mjg@FreeBSD.org>

capsicum: faster cap_rights_contains

Instead of doing a 2 iteration loop (determined at runtime), take advantage
of the fact that the size is already known.

While here provide cap_check_inline so that fget_unlocked does not have to
do a function call.

Verified with the capsicum suite /usr/tests.


Revision tags: release/12.1.0, release/11.3.0
# 67350cb5 09-Dec-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r340918 through r341763.


Revision tags: release/12.0.0
# afde86eb 06-Dec-2018 Mark Johnston <markj@FreeBSD.org>

Let kern.trap_enotcap be set as a tunable.

This is handy for testing programs that are run by rc.

MFC after: 1 week
Sponsored by: The FreeBSD Foundation


# c6879c6c 23-Oct-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r339015 through r339669.


# 98fca94d 13-Oct-2018 Mateusz Guzik <mjg@FreeBSD.org>

capsicum: provide cap_rights_fde_inline

Reading caps is in the hot path (on each successful fd lookup), but
completely unnecessarily requires a function call.

Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation


Revision tags: release/11.2.0
# acbde298 19-May-2018 Matt Macy <mmacy@FreeBSD.org>

capsicum: propagate const correctness


# 75e9b455 08-May-2018 Mateusz Guzik <mjg@FreeBSD.org>

Change trap_enotcap to bool and annotate with __read_frequently

It is read on each return to user space.


# 965cd211 18-Feb-2018 Mariusz Zaborski <oshogbo@FreeBSD.org>

Fix broken assertion in r329520.

Reported by: pho@ lwhsu@


# 20641651 18-Feb-2018 Mariusz Zaborski <oshogbo@FreeBSD.org>

Use the fdeget_locked function instead of the fget_locked in the
sys_capability.

Reviewed by: pjd@ (earlier version)
Discussed with: mjg@


# 8a36da99 27-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

sys/kern: adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
open source licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.


Revision tags: release/10.4.0, release/11.1.0
# 5763f796 21-Oct-2016 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r307383 through r307735.


# 4b83a776 21-Oct-2016 Mariusz Zaborski <oshogbo@FreeBSD.org>

capsicum: perform copyout without the fildesc lock held in sys_cap_ioctls_get

Reviewed by: pjd


Revision tags: release/11.0.1
# 8c4282b3 24-Sep-2016 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r305892 through r306302.

