| #
28599a1e
|
| 26-Feb-2026 |
Konstantin Belousov <kib@FreeBSD.org> |
sys: add renameat2(2) syscall
Reviewed by: markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D55539
|
| #
c1be185e
|
| 26-Jan-2026 |
Konstantin Belousov <kib@FreeBSD.org> |
libsys, libc: provide rfork_thread() and pdrfork_thread() on all arches
Reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D54898
|
| #
f10b4b61
|
| 08-Jan-2026 |
Konstantin Belousov <kib@FreeBSD.org> |
lib/libsys, lib/libc: export pdrfork(2)
Reviewed by: asomers, markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D54592
|
| #
851dc7f8
|
| 04-Sep-2025 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: add jail descriptors
Similar to process descriptors, jail descriptors allow jail administration using the file descriptor interface instead of JIDs. They come from and can be used by jail_set(2) and jail_get(2), and there are two new system calls, jail_attach_jd(2) and jail_remove_jd(2).
Reviewed by: bz, brooks Relnotes: yes Differential Revision: https://reviews.freebsd.org/D43696
|
| #
9da2fe96
|
| 15-Aug-2025 |
Kyle Evans <kevans@FreeBSD.org> |
kern: fix setgroups(2) and getgroups(2) to match other platforms
On most other platforms observed, including OpenBSD, NetBSD, and Linux, these system calls have long since been converted to only touching the supplementary groups of the process. This poses both portability and security concerns in porting software to and from FreeBSD, as this subtle difference is a landmine waiting to happen. Bugs have been discovered even in FreeBSD-local sources, since this behavior is somewhat unintuitive (see, e.g., fix 48fd05999b0f for chroot(8)).
Now that the egid is tracked outside of cr_groups in our ucred, convert the syscalls to deal with only supplementary groups. Some remaining stragglers in base that had baked in assumptions about these syscalls are fixed in the process to avoid heartburn in conversion.
For relnotes: application developers should audit their use of both setgroups(2) and getgroups(2) for signs that they had assumed the previous FreeBSD behavior of using the first element for the egid. Any calls to setgroups() to clear groups that used a single array of the now or soon-to-be egid can be converted to setgroups(0, NULL) calls to clear the supplementary groups entirely on all FreeBSD versions.
Co-authored-by: olce (but bugs are likely mine) Relnotes: yes (see last paragraph) Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D51648
|
| #
cf65b5e4
|
| 03-Jul-2025 |
Mark Johnston <markj@FreeBSD.org> |
libsys: Add inotify support
Include the two new syscalls in the symbol map.
Reviewed by: kib MFC after: 3 months Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D50315
|
| #
92b393c0
|
| 23-May-2025 |
Konstantin Belousov <kib@FreeBSD.org> |
libsys: export exterrctl symbol
Reviewed by: brooks Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D50483
|
| #
030c0282
|
| 01-Feb-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
kgssapi: remove the gssd_syscall
Reviewed by: brooks Differential Revision: https://reviews.freebsd.org/D48554
|
| #
ddb3eb4e
|
| 18-Jul-2024 |
Olivier Certner <olce@FreeBSD.org> |
New setcred() system call and associated MAC hooks
This new system call allows setting all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. Its advantage over standard credential-setting system calls (such as setuid(), seteuid(), etc.) is that it enables MAC modules, such as MAC/do, to restrict the set of credentials some process may gain in a fine-grained manner.
Traditionally, credential changes rely on setuid binaries that call multiple credential system calls and in a specific order (setuid() must be last, so as to remain root for all other credential-setting calls, which would otherwise fail with insufficient privileges). This piecewise approach causes the process to transiently hold credentials that are neither the original nor the final ones. For the kernel to enforce that only certain transitions of credentials are allowed, either these possibly non-compliant transient states have to disappear (by setting all relevant attributes in one go), or the kernel must delay setting or checking the new credentials. Delaying setting credentials could be done, e.g., by having some mode where the standard system calls contribute to building new credentials but without committing them. It could be started and ended by a special system call. Delaying checking could mean that, e.g., the kernel only verifies the credentials transition at the next non-credential-setting system call (we just mention this possibility for completeness, but are certainly not endorsing it).
We chose the simpler approach of a new system call, as we don't expect the set of credentials one can set to change often. It has the advantages that the traditional system calls' code doesn't have to be changed and that we can establish a special MAC protocol for it, by having some cleanup function called just before returning (this is a requirement for MAC/do), without disturbing the existing ones.
The mac_cred_check_setcred() hook is passed the flags received by setcred() (including the version) and both the old and new kernel's 'struct ucred' instead of 'struct setcred' as this should simplify evolving existing hooks as the 'struct setcred' structure evolves. The mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always called by pairs around potential calls to mac_cred_check_setcred(). They allow MAC modules to allocate/free data they may need in their mac_cred_check_setcred() hook, as the latter is called under the current process' lock, rendering sleepable allocations impossible. MAC/do is going to leverage these in a subsequent commit. A scheme where mac_cred_check_setcred() could return ERESTART was considered but is incompatible with proper composition of MAC modules.
While here, add missing includes and declarations for standalone inclusion of <sys/ucred.h> both from kernel and userspace (for the latter, it has been working thanks to <bsm/audit.h> already including <sys/types.h>).
Reviewed by: brooks Approved by: markj (mentor) Relnotes: yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47618
|
| #
b165e9e3
|
| 29-Nov-2024 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Add fchroot(2)
This is similar to chroot(2), but takes a file descriptor instead of path. Same syscall exists in NetBSD and Solaris. It is part of a larger patch to make absolute pathnames usable in Capsicum mode, but should be useful in other contexts too.
Reviewed By: brooks Sponsored by: Innovate UK Differential Revision: https://reviews.freebsd.org/D41564
|
| #
1235d276
|
| 27-Sep-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: stop exposing errno symbol
Officially since C11 (and in reality FreeBSD since 3.0 with commit 1b46cb523df3) errno has been defined to be a macro. Rename the symbol to __libsys_errno and move it to FBSDprivate_1.0 and confine it entirely to libsys for use by libthr. Add a FBSD_1.0 compat symbol for existing binaries that were incorrectly linked to the errno symbol during libc.so.7's lifetime.
This deliberately breaks linking software that directly links to errno. Such software is broken and will fail in surprising ways if it becomes threaded (e.g., if it triggers loading of a pam or nss module that uses threads.)
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D46780
|
| #
9b29fc89
|
| 20-Sep-2024 |
Konstantin Belousov <kib@FreeBSD.org> |
Userspace enablement for getrlimitusage(2)
Reviewed by: markj, olce Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D46747
|
| #
5b927375
|
| 12-Sep-2024 |
Brooks Davis <brooks@FreeBSD.org> |
kcmp(2): fix whitespace in symbol list
Fixes: 211bdd601ee51 Add kcmp(2) userspace bits
|
| #
74484086
|
| 22-Apr-2024 |
Brooks Davis <brooks@FreeBSD.org> |
Make __libsys_interposing_slot libsys only
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D44881
|
| #
6e83504c
|
| 19-Apr-2024 |
Brooks Davis <brooks@FreeBSD.org> |
Revert "lib{c,sys}: normalize export of openat, setcontext, and swapcontext"
I put the symbols in the wrong file (should have been lib/libc/sys/Symbol.map), added a duplicate pdfork entry due to a botched rebase, and there seems to be an issue with gcc13/binutils not exposing the symbols so revert the whole thing while I debug.
This reverts commit ee632fb9eb4a060a4087a7f5425bfe36e65cda61.
|
| #
ee632fb9
|
| 16-Apr-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: normalize export of openat, setcontext, and swapcontext
List them in the symbol map rather than using the __sym_default to expose them. This will allow later improvements in the stub implementations in libc.so.
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D44113
|
| #
b1209067
|
| 15-Mar-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: correctly expose sched_getcpu
When moving the implementation, I failed to move the symbol entry.
Reviewed by: kib Fixes: 84dd0c080ba5 libc: libc/gen/sched_getcpu_gen.c -> libsys/ Differential Revision: https://reviews.freebsd.org/D44112
|
| #
d7847a8d
|
| 13-Mar-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: return wrapped syscall APIs to libc
These provide standard APIs, but are implemented using another system call (e.g., pipe implemented in terms of pipe2) or are interposed by the threading library to support cancelation.
After discussion with kib (see D44111), I've concluded that it is better to keep most public interfaces in libc with as little as possible in libsys.
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D44241
|
| #
f7dbbbd1
|
| 13-Mar-2024 |
Brooks Davis <brooks@FreeBSD.org> |
libsys: don't expose sigwait wrapper
Long ago (e129c18a83ef) __sys_sigwait was wrapped to prevent sigwait() from returning with EINTR. Through a series of changes this wrapper became __libc_sigwait which was internal to libc and used solely in the interposing table. To support a move of sigwait back to libc, move this wrapper into libsys and rename it with an __libsys_ prefix.
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D44238
|
| #
882d9f45
|
| 28-Feb-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: expose cap_sandboxed from libc/gen
It's a thin wrapper on cap_getmode() implemented in libc, not a system call so the symbol should have been exposed by libc/gen/Symbol.map alongside the implementation.
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D44110
|
| #
fe920a4f
|
| 20-Feb-2024 |
Konstantin Belousov <kib@FreeBSD.org> |
libsys: move errno to libsys
Before, the 'errno' itself was defined in libc and was referenced by libsys, causing undesired dependency.
Reviewed by: brooks, imp Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D43985
|
| #
99ea6757
|
| 19-Feb-2024 |
Brooks Davis <brooks@FreeBSD.org> |
lib{c,sys}: move auxargs more firmly into libsys
Continue to filter the public interface (elf_aux_info()), but entirely relocate the private interfaces (_elf_aux_info(), __init_elf_aux_vector(), and __elf_aux_vector) to libsys.
This ensures that rtld updates the correct (only) copy of __elf_aux_vector. After 968a18975adc9c2a619bb52aa2f009de99fc9e24 updates were confused and __getosreldate was failing, causing the system to fall back to compat compat12 syscalls in some cases.
Return to explicitly linking libc to libsys and link libthr with libc and libsys (in that order).
Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D43910
|
| #
86deddfa
|
| 21-Nov-2023 |
Brooks Davis <brooks@FreeBSD.org> |
libsys: generate private symbol map
We now export all _ and __sys_ prefixed syscalls stubs from libc and libsys so that libsys can replace them.
Reviewed by: kib, emaste, imp Pull Request: https://github.com/freebsd/freebsd-src/pull/908
|
| #
f70c5a09
|
| 17-Nov-2023 |
Brooks Davis <brooks@FreeBSD.org> |
libc: move getpagesize(s) to libsys
Reviewed by: kib, emaste, imp Pull Request: https://github.com/freebsd/freebsd-src/pull/908
|
| #
4c33415e
|
| 15-Nov-2023 |
Brooks Davis <brooks@FreeBSD.org> |
libc: elf auxiliary vector handling to libsys
This is part of the interface to the kernel and some syscall wrappers depend on it so move it there.
Reviewed by: kib, emaste, imp Pull Request: https://github.com/freebsd/freebsd-src/pull/908
|