2b3f93ea | 13-Oct-2023 | Matthew Dillon <dillon@apollo.backplane.com>
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turn off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailless security in the near future, and to optimize the priv_check code.
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0

4f048b1c | 07-Nov-2020 | Sascha Wildner <saw@online.de>
kernel: Use howmany() in a couple of places.
Revision tags: v5.8.3, v5.8.2

80d831e1 | 25-Jul-2020 | Matthew Dillon <dillon@apollo.backplane.com>
kernel - Refactor in-kernel system call API to remove bcopy()
* Change the in-kernel system call prototype to take the system call arguments as a separate pointer, and make the contents read-only.
    int sy_call_t (void *);
    int sy_call_t (struct sysmsg *sysmsg, const void *);
* System calls with 6 arguments or less no longer need to copy the arguments from the trapframe to a holding structure. Instead, we simply point into the trapframe.
The L1 cache footprint will be a bit smaller, but in simple tests the results are not noticeably faster... maybe 1ns or so (roughly 1%).
Revision tags: v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3

25e27214 | 02-Dec-2019 | Antonio Huete Jimenez <tuxillo@quantumachine.net>
jail: Simplify a bit by using the new BIT64 sysctl functions
- No functional changes.
- The per-jail settings have been renamed to match the new capability constants. The default settings will be renamed soon too.
- Fix a missing prison chflags check in ufs_setattr() and ext2fs_setattr().

7104f312 | 21-Aug-2019 | Antonio Huete Jimenez <tuxillo@quantumachine.net>
jail - Rework sysctl configuration variables
- Jail sysctls are now jail-specific so that different jails can have different settings. Each jail will have its own subtree which can be operated directly with sysctl(8).
  Naming convention:
      jail.<n>.<setting>
- All previous sysctls are now moved to 'jail.defaults' and they are used as a template for any newly created jail.
  Example:
      # jls
        JID  Hostname   Path       IPs
          2  t02.local  /jails/02  10.0.0.3
          1  t01.local  /jails/01  10.0.0.2
      # sysctl jail
      jail.jailed: 0
      jail.list: 2 t02.local /jails/02 10.0.0.3 1 t01.local /jails/01 10.0.0.2
      jail.defaults.allow_raw_sockets: 0
      jail.defaults.chflags_allowed: 0
      jail.defaults.sysvipc_allowed: 0
      jail.defaults.socket_unixiproute_only: 1
      jail.defaults.set_hostname_allowed: 1
      jail.1.set_hostname_allowed: 1
      jail.1.socket_unixiproute_only: 1
      jail.1.sysvipc_allowed: 0
      jail.1.chflags_allowed: 0
      jail.1.allow_raw_sockets: 0
      jail.2.set_hostname_allowed: 1
      jail.2.socket_unixiproute_only: 1
      jail.2.sysvipc_allowed: 0
      jail.2.chflags_allowed: 0
      jail.2.allow_raw_sockets: 0
      # sysctl jail.2.allow_raw_sockets=1
      jail.2.allow_raw_sockets: 0 -> 1
      # jexec 2 ping -q -c 1 10.0.0.1
      PING 10.0.0.1 (10.0.0.1): 56 data bytes

      --- 10.0.0.1 ping statistics ---
      1 packets transmitted, 1 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.766/0.766/0.766/0.000 ms
      # jexec 1 ping -q -c 1 10.0.0.1
      ping: socket: Operation not permitted
      # service jail stop
      Stopping jails: t01.local t02.local.
      # sysctl jail
      jail.jailed: 0
      jail.defaults.allow_raw_sockets: 0
      jail.defaults.chflags_allowed: 0
      jail.defaults.sysvipc_allowed: 0
      jail.defaults.socket_unixiproute_only: 1
      jail.defaults.set_hostname_allowed: 1
Revision tags: v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc

282f3194 | 11-Jan-2017 | Matthew Dillon <dillon@apollo.backplane.com>
kernel - Incidental MPLOCK removal
* Remove misc #include <sys/mplock2.h> statements that are no longer needed.
* Replace mplock with acct_lock in kern_acct.c
* Replace mplock with msg_token in sysv_msg.c
* Replace mplock with p->p_token in the profiling code.
Revision tags: v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5

f3f3eadb | 12-Mar-2015 | Sascha Wildner <saw@online.de>
kernel: Move semicolon from the definition of SYSINIT() to its invocations.
This affected around 70 of our (more or less) 270 SYSINIT() calls.
style(9) advocates the terminating semicolon to be supplied by the invocation too, because it can make life easier for editors and other source code parsing programs.
Revision tags: v4.0.4, v4.0.3

d217426c | 04-Jan-2015 | Sascha Wildner <saw@online.de>
libc/sysvipc: Constify msgsnd()'s message pointer argument (per POSIX).
Also add a comment in <sys/msg.h> that our msgrcv() should really return ssize_t.
Revision tags: v4.0.2, v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2

61871f77 | 27-Feb-2014 | Sascha Wildner <saw@online.de>
kernel: Remove {msg,sem,shm}sys() syscalls.
They have become obsolete with the recent sysvipc userland work and are not implemented in userspace either.
Thanks to marino for helping to verify that no packages were affected by this commit.
Pointed-out-by: Mihai Carabas
Revision tags: v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.4.3, v3.4.2, v3.4.1, v3.4.0, v3.4.0rc, v3.5.0, v3.2.2, v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0

b6c57ceb | 05-Dec-2011 | Sascha Wildner <saw@online.de>
kernel: Remove some unneeded NULL checks after kmalloc() with M_WAITOK.

86d7f5d3 | 26-Nov-2011 | John Marino <draco@marino.st>
Initial import of binutils 2.22 on the new vendor branch
Future versions of binutils will also reside on this branch rather than continuing to create new binutils branches for each new version.
Revision tags: v2.12.0, v2.13.0, v2.10.1, v2.11.0, v2.10.0, v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0, v2.6.3, v2.7.3, v2.6.2, v2.7.2, v2.7.1, v2.6.1, v2.7.0, v2.6.0, v2.5.1, v2.4.1, v2.5.0, v2.4.0, v2.3.2, v2.3.1, v2.2.1, v2.2.0, v2.3.0

08abcb65 | 03-Jan-2009 | Matthew Dillon <dillon@apollo.backplane.com>
Merge branch 'master' of ssh://crater.dragonflybsd.org/repository/git/dragonfly into devel

4173863d | 30-Dec-2008 | Matthias Schmidt <matthias@dragonflybsd.org>
Merge branch 'master' of git://chlamydia.fs.ei.tum.de/dragonfly

8a27f1c9 | 31-Dec-2008 | Michael Neumann <mneumann@ntecs.de>
Merge branches 'master' and 'suser_to_priv'
Conflicts:
    sys/netinet/ip_carp.c
    sys/platform/pc64/amd64/machdep.c

895c1f85 | 15-Dec-2008 | Michael Neumann <mneumann@ntecs.de>
suser_* to priv_* conversion
Revision tags: v2.1.1, v2.0.1

978400d3 | 06-Jan-2008 | Sascha Wildner <swildner@dragonflybsd.org>
Remove bogus checks after kmalloc(M_WAITOK) which never returns NULL.
Reviewed-by: hasso

c972a82f | 23-Dec-2006 | Sascha Wildner <swildner@dragonflybsd.org>
Ansify function declarations and fix some minor style issues.
In-collaboration-with: Alexey Slynko <slynko@tronet.ru>

6ea70f76 | 23-Dec-2006 | Sascha Wildner <swildner@dragonflybsd.org>
Rename printf -> kprintf in sys/ and add some defines where necessary (files which are used in userland, too).

efda3bd0 | 05-Sep-2006 | Matthew Dillon <dillon@dragonflybsd.org>
Rename malloc->kmalloc, free->kfree, and realloc->krealloc. Pass 1

753fd850 | 05-Jun-2006 | Matthew Dillon <dillon@dragonflybsd.org>
Modify kern/makesyscall.sh to prefix all kernel system call procedures with "sys_". Modify all related kernel procedures to use the new naming convention. This gets rid of most of the namespace overloading between the kernel and standard header files.

e4dfb4c8 | 26-May-2004 | Hiten Pandya <hmp@dragonflybsd.org>
Consolidate SYSCTL_DECL(_kern_ipc), move it to sys/sysctl.h as a common second-level OID.
No operational changes.

402ed7e1 | 26-Aug-2003 | Robert Garrett <rob@dragonflybsd.org>
__P() removal

180508ff | 03-Aug-2003 | Matthew Dillon <dillon@dragonflybsd.org>
Explicitly use an unsigned index for 'which' in shmsys(), msgsys(), and semsys(), so the implications of the use of a negative index become obvious. Fix the misdocumented 'which' UAP argument, which is actually signed.
Note: There is no security issue because sizeof() is unsigned but such non-explicit comparisons are a very dangerous way to code and this fixes that.

c7114eea | 30-Jul-2003 | Matthew Dillon <dillon@dragonflybsd.org>
syscall messaging 3: Expand the 'header' that goes in front of the syscall arguments in the kernel copy. The header was previously just an lwkt_msg. The header is now a 'union sysmsg'. 'union sysmsg' contains an lwkt_msg plus space for the additional meta data required to asynchronize various system calls. We haven't actually asynchronized anything yet and will not be able to until the reply port and abort processing infrastructure is in place. See sys/sysmsg.h for more information on the new header.
Also cleanup syscall generation somewhat and add some ibcs2 stuff I missed.

df44673d | 28-Jul-2003 | Matthew Dillon <dillon@dragonflybsd.org>
Fix the msgsys(), semsys(), and shmsys() syscalls which were broken by the messaging code.