rpcsec_tls: cleanup the rpctls_syscall()

With all the recent changes we don't need extra argument that specifies
what exactly the syscalls does, neither we need a copyout-able pointer,
just a pointe

rpcsec_tls: cleanup the rpctls_syscall()

With all the recent changes we don't need extra argument that specifies
what exactly the syscalls does, neither we need a copyout-able pointer,
just a pointer sized integer.

Reviewed by: rmacklem
Differential Revision: https://reviews.freebsd.org/D48649

show more ...

kgssapi: remove the gssd_syscall

Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D48554

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).

Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618

show more ...

Add fchroot(2)

This is similar to chroot(2), but takes a file descriptor instead
of path. Same syscall exists in NetBSD and Solaris. It is part of a larger
patch to make absolute pathnames usable

Add fchroot(2)

This is similar to chroot(2), but takes a file descriptor instead
of path. Same syscall exists in NetBSD and Solaris. It is part of a larger
patch to make absolute pathnames usable in Capsicum mode, but should
be useful in other contexts too.

Reviewed By: brooks
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D41564

show more ...

sysent: add a NOLIB modifer to prevent stub generation

The yield system call has long existed, but never had a stub. Replace
the hardcoded checks for it in libsys_h.lua and syscalls_map.lua and
sto

sysent: add a NOLIB modifer to prevent stub generation

The yield system call has long existed, but never had a stub. Replace
the hardcoded checks for it in libsys_h.lua and syscalls_map.lua and
stop inserting it into MIASM (requiring libsys/Makefile.sys to disable
the stub).

(This seems like overkill, but I've got another case in CheriBSD so this
reduces my diff appreciably.)

Reviewed by: emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1503

show more ...

Update mentions of makesyscalls.lua

It is obsolete and will be removed in a followup commit.

Add getrlimitusage(2)

Reviewed by: markj, olce
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D46747

capsicum: allow subset of wait4(2) functionality

The usual way of handling process exit exit in capsicum(4) mode is
by using process descriptors (pdfork(2)) instead of the traditional
fork(2)/wait4(

capsicum: allow subset of wait4(2) functionality

The usual way of handling process exit exit in capsicum(4) mode is
by using process descriptors (pdfork(2)) instead of the traditional
fork(2)/wait4(2) API. But most apps hadn't been converted this way,
and many cannot because the wait is hidden behind a library APIs that
revolve around PID numbers and not descriptors; GLib's
g_spawn_check_wait_status(3) is one example.

Thus, provide backwards compatibility by allowing the wait(2) family
of functions in Capsicum mode, except for child processes created by
pdfork(2).

Reviewed by: brooks, oshogbo
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D44372

show more ...

capsicum: allow rfork(2) in capability mode

Reviewed by: brooks, rwatson
MFC after: 4 days
Differential Revision: https://reviews.freebsd.org/D45040

syscalls.master: allow vfork(2) in capsicum(4) capability mode

There is no reason not do do this, we already allow fork(2),
and I need vfork(2) for CHERI process colocation.

Reviewed by: brooks, em

syscalls.master: allow vfork(2) in capsicum(4) capability mode

There is no reason not do do this, we already allow fork(2),
and I need vfork(2) for CHERI process colocation.

Reviewed by: brooks, emaste, oshogbo
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39829

show more ...

syscalls.master: correct return type of {read,write}v

This was missed when read/write, etc were updated to return ssize_t.

Fixes: 2e83b2816183 Fix a few syscall arguments to use size_t instead of

syscalls.master: correct return type of {read,write}v

This was missed when read/write, etc were updated to return ssize_t.

Fixes: 2e83b2816183 Fix a few syscall arguments to use size_t instead of u_int.

Reviewed by: imp, kib
Differential Revision: https://reviews.freebsd.org/D44930

show more ...

syscalls.master: use __acl_type_t

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44418

syscalls.master: make __sys_fcntl take an intptr_t

The (optional) third argument of fcntl is sometimes a pointer so change
the type to intptr_t. Update the libc-internal defintion (actually used
by

syscalls.master: make __sys_fcntl take an intptr_t

The (optional) third argument of fcntl is sometimes a pointer so change
the type to intptr_t. Update the libc-internal defintion (actually used
by libthr) to take a fixed intptr_t argument rather than pretending it's
a variadic function. (That worked because all supported architectures
pass variadic arguments as though the function was declared with those
types. In CheriBSD that changes because variadic arguments are passed
via a bounded array.)

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44381

show more ...

syscalls.master: struct siginfo -> struct __siginfo

struct siginfo doesn't exist, it's struct __siginfo (and siginfo_t).

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44380

syscalls.master: align with sigfastblock declaration

sigfastblock is declared to take a void * argument in the manpage in
headers so declare it that way and use SAL annotations to say it
interacts w

syscalls.master: align with sigfastblock declaration

sigfastblock is declared to take a void * argument in the manpage in
headers so declare it that way and use SAL annotations to say it
interacts with a 32-bit word.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44379

show more ...

syscall.master: fix aio_suspend signature

It takes a `const struct iovec *iovp`.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44378

syscalls.master: fix readv and writev iovp decl

Both take const struct iovec * and only read the values.

Reviewed by: olce, kib
Differential Revision: https://reviews.freebsd.org/D44377

syscalls.master: Remove stray blank lines

No functional change.

Add kcmp(2) kernel bits

This is based purely on reading the Linux kcmp(2) man page.
In addition to the Linux set of comparators, I also added KCMP_FILEOBJ to
compare underlying file' objects.

Teste

Add kcmp(2) kernel bits

This is based purely on reading the Linux kcmp(2) man page.
In addition to the Linux set of comparators, I also added KCMP_FILEOBJ to
compare underlying file' objects.

Tested by: manu
Reviewed by: brooks, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D43518

show more ...

Remove never implemented sbrk and sstk syscalls

Both system calls were stubs returning EOPNOTSUPP and libc did not
provide _ or __sys_ prefixed symbols. The actual implementation of
sbrk(2) is on t

Remove never implemented sbrk and sstk syscalls

Both system calls were stubs returning EOPNOTSUPP and libc did not
provide _ or __sys_ prefixed symbols. The actual implementation of
sbrk(2) is on top of the undocumented break(2) system call.

Technically this is a change in ABI, but no non-contrived program ever
called these syscalls.

Reviewed by: kib, emaste
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D42872

show more ...

sccs: Manual changes

For the uncommon items: Go through the tree and remove sccs tags that
didn't fit any nice pattern. If in the neighborhood, other SCM tags were
removed when they were detritis of

sccs: Manual changes

For the uncommon items: Go through the tree and remove sccs tags that
didn't fit any nice pattern. If in the neighborhood, other SCM tags were
removed when they were detritis of long-ago CVS somehow in the early
mists of the project. Some adjacent copyrights stringswere removed (they
duplicated the copyright notices in the file). This also removed
non-standard formations of omission of SCCS tags (usually by adding an
extra #if 0 somewhere.

After this commit, a number of strings tagged with the 'what' @(#)
prefix remain, but they are primarily copyright notices.

Sponsored by: Netflix

show more ...

Add a COMPAT_FREEBSD14 kernel option

Use it wherever COMPAT_FREEBSD13 is currently specified.

Reviewed by: brooks, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision:

Add a COMPAT_FREEBSD14 kernel option

Use it wherever COMPAT_FREEBSD13 is currently specified.

Reviewed by: brooks, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42100

show more ...

syscalls.master: Fix SAL annotation for getdirentires basep argument

getdirentires last argument "off_t *basep" is an optional output
argument. It returns the value only when the passed-in value(po

syscalls.master: Fix SAL annotation for getdirentires basep argument

getdirentires last argument "off_t *basep" is an optional output
argument. It returns the value only when the passed-in value(pointer)
is non-NULL.

This is a part of the research work at RCSLab, University of Waterloo.

Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D41969

show more ...

timerfd: Move implementation from linux compat to sys/kern

Move the timerfd impelemntation from linux compat code to sys/kern. Use
it to implement the new system calls for timerfd. Add a hook to ker

timerfd: Move implementation from linux compat to sys/kern

Move the timerfd impelemntation from linux compat code to sys/kern. Use
it to implement the new system calls for timerfd. Add a hook to kern_tc
to allow timerfd to know when the system time has stepped. Add kqueue
support to timerfd. Adjust a few names to be less Linux centric.

RelNotes: YES
Reviewed by: markj (on irc), imp, kib (with reservations), jhb (slack)
Differential Revision: https://reviews.freebsd.org/D38459

show more ...

Add membarrier(2)

This is an attempt at clean-room implementation of the Linux'
membarrier(2) syscall. For documentation, you would need to read
both membarrier(2) Linux man page, the comments in L

Add membarrier(2)

This is an attempt at clean-room implementation of the Linux'
membarrier(2) syscall. For documentation, you would need to read
both membarrier(2) Linux man page, the comments in Linux
kernel/sched/membarrier.c implementation and possibly look at
actual uses.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D32360

show more ...