#
8b23add8 |
| 13-Jul-2018 |
beck <beck@openbsd.org> |
Unveiling unveil(2). This brings unveil into the tree, disabled by default - Currently this will return EPERM on all attempts to use it until we are fully certain it is ready for people to start using, but this now allows for others to do more tweaking and experimentation.
Still needs to send the unveil's across forks and execs before fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing. ok deraadt@
|
#
c33efb07 |
| 10-Feb-2018 |
mpi <mpi@openbsd.org> |
Move cleanup job control bits to their own function.
Part of the larger 'proctreelk' diff from guenther@
No functional change, ok benno@, tedu@
|
#
98edb555 |
| 30-Dec-2017 |
guenther <guenther@openbsd.org> |
Delete unnecessary <sys/file.h> includes
ok millert@ krw@
|
#
fb3dec7c |
| 28-Nov-2017 |
guenther <guenther@openbsd.org> |
deadproc_mutex is only taken _before_ kernel_lock; exclude it from WITNESS checking as (our) witness code isn't smart enough to let that by.
ok visa@
|
#
f46da438 |
| 29-Aug-2017 |
deraadt <deraadt@openbsd.org> |
Remove old deactivated pledge path code. A replacement mechanism is being brewed. ok beck
|
#
a7c28c92 |
| 20-Apr-2017 |
visa <visa@openbsd.org> |
Add a port of witness(4) lock validation tool from FreeBSD.
Go-ahead from kettenis@, guenther@, deraadt@
|
#
58d29892 |
| 08-Feb-2017 |
guenther <guenther@openbsd.org> |
Delete the obsolete fork/exec/exit emulation hooks.
ok mpi@ dlg@
|
#
3b7181b7 |
| 07-Nov-2016 |
guenther <guenther@openbsd.org> |
Split PID from TID, giving processes a PID unrelated to the TID of their initial thread
ok jsing@ kettenis@
|
#
2ed745d2 |
| 25-Apr-2016 |
tedu <tedu@openbsd.org> |
boom goes the dynamite
|
#
4a0e987a |
| 29-Mar-2016 |
mpi <mpi@openbsd.org> |
Use a macro to check if a thread has a sibling.
Note that without locking a thread cannot claim that it is part of a multi-threaded process using this macro.
Suggested by miod@, ok guenther@
|
#
a5b054b1 |
| 06-Mar-2016 |
guenther <guenther@openbsd.org> |
Localize some declarations to kern_exit.c: the last good reason to put them in sys/proc.h has been removed with compat_linux
diff from Michal Mazurek (akfaew (at) jasminek.net)
|
#
df174574 |
| 09-Oct-2015 |
deraadt <deraadt@openbsd.org> |
Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
|
#
609289ba |
| 07-Oct-2015 |
deraadt <deraadt@openbsd.org> |
Add the tame "exec" request. This allows processes which request "exec" to call execve(2), potentially fork(2) beforehand if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Committed from a machine running tame "proc exec" ksh, make, etc.
|
#
562bbd83 |
| 11-Sep-2015 |
guenther <guenther@openbsd.org> |
Only include <sys/tame.h> in the .c files that need it
ok deraadt@ miod@
|
#
bae2bd50 |
| 28-Aug-2015 |
deraadt <deraadt@openbsd.org> |
fairly simple sizes for free(); ok tedu
|
#
430c0dba |
| 22-Aug-2015 |
deraadt <deraadt@openbsd.org> |
Move to tame(int flags, char *paths[]) API/ABI.
The pathlist is a whitelist of dirs and files; anything else returns ENOENT. Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which permits explicit change operations against "struct stat" fields. Some other TAME_ flags are refined slightly.
Not cranking libc now, since nothing committed in base uses this and the timing is uncomfortable for others. Discussed with many; thanks for a few bug fixes from semarie, doug, guenther. ok guenther
|
#
21dab745 |
| 14-Mar-2015 |
jsg <jsg@openbsd.org> |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
#
fde894e5 |
| 16-Dec-2014 |
tedu <tedu@openbsd.org> |
primary change: move uvm_vnode out of vnode, keeping only a pointer. objective: vnode.h doesn't include uvm_extern.h anymore. followup changes: include uvm_extern.h or lock.h where necessary. ok and help from deraadt
|
#
9e8577e7 |
| 12-Jul-2014 |
tedu <tedu@openbsd.org> |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
de4108ea |
| 11-Jul-2014 |
guenther <guenther@openbsd.org> |
It's init as a process that's special, not init's original thread. Remember initprocess instead of initproc.
ok matthew@ blambert@
|
#
e6c6495d |
| 08-Jul-2014 |
deraadt <deraadt@openbsd.org> |
decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h don't need to be married. ok guenther miod beck jsing kettenis
|
#
644b4788 |
| 04-Jul-2014 |
guenther <guenther@openbsd.org> |
Track whether a process is a zombie or not yet fully built via flags PS_{ZOMBIE,EMBRYO} on the process instead of peeking into the process's thread data. This eliminates the need for the thread-level SDEAD state.
Change kvm_getprocs() (both the sysctl() and kvm backends) to report the "most active" scheduler state for the process's threads.
tweaks kettenis@ feedback and ok matthew@
|
#
2ea18d85 |
| 11-Jun-2014 |
matthew <matthew@openbsd.org> |
Fix wait4 to not modify status or rusage if we return 0 because of WNOHANG, in accordance with POSIX. Additionally, if rusage is requested but the waited-on process did not terminate, return zero bytes instead of kernel stack garbage.
ok deraadt, millert
|
#
67330adf |
| 15-May-2014 |
guenther <guenther@openbsd.org> |
knote_processexit() needs the thread to pass down to FRELE(), so pass it the exiting thread instead of assuming that that's ps_mainproc. Also, panic no matter which thread of init takes it down.
ok tedu@
|
#
924be113 |
| 15-May-2014 |
guenther <guenther@openbsd.org> |
Move from struct proc to process the reference-count-holding pointers to the process's vmspace and filedescs. struct proc continues to keep copies of the pointers, copying them on fork, clearing them on exit, and (for vmspace) refreshing on exec. Also, make uvm_swapout_threads() thread aware, eliminating p_swtime in kernel.
particular testing by ajacoutot@ and sebastia@
|