History log of /openbsd-src/sys/kern/kern_pledge.c (Results 1 – 25 of 321)
Revision Date Author Comments
# a704a667 06-Oct-2024 jsg <jsg@openbsd.org>

remove unused DEBUG_PLEDGE lines; ok deraadt@


# 6a5f8eab 24-Sep-2024 deraadt <deraadt@openbsd.org>

for sysctl on arm64, handle CPU_ID_AA64ISAR1 same as CPU_ID_AA64ISAR0
ok sthen


# 8eadc5ec 04-Sep-2024 jsg <jsg@openbsd.org>

make psp attach to ccp as a different driver
'fine with me' hshoexer, ok bluhm@


# b0c499e2 02-Sep-2024 jsg <jsg@openbsd.org>

simplify ccp ifdef; ok bluhm@


# 89961ef8 01-Sep-2024 bluhm <bluhm@openbsd.org>

Pledge "vmm" for ccp(4) ioctl(2).

Limit ccp ioctls to processes that pledge vmm. Specific psp device
ioctls for AMD SEV will be allowed for vmd(8).

from hshoexer@; input deraadt@ jsg@


# 4872263b 03-Jun-2024 deraadt <deraadt@openbsd.org>

avoid shadowing a local variable in a lower scope


# 01f24c16 02-Jun-2024 deraadt <deraadt@openbsd.org>

pledge, MAP_STACK, and pinsyscall failures have been providing failure
visibility with kernel printf(9) (thus, onto console and into dmesg) since
the start of development. I want to reduce the dmesg spam, and bring
this more into the attention of the user who ran the command, so let's
try using uprintf(9) which puts it onto the active foreground tty (yes,
there may be cases where there is no tty, but that's ok. I'll admit
I've considered deleting the logging messages entirely)
tested in snaps for a week


# 5f31b145 18-May-2024 guenther <guenther@openbsd.org>

Add pathconfat(2): pathconf(2) but with at-fd and flags arguments,
the latter supporting the ability to get timestamp resolution of
symlinks.

ok deraadt@ millert@


# 565231a7 05-Apr-2024 deraadt <deraadt@openbsd.org>

no one calls msyscall() anymore.


# 355f2b7e 28-Mar-2024 deraadt <deraadt@openbsd.org>

Delete pinsyscall(2) [which was specific only to SYS_execve] now
that it has been replaced with pinsyscalls(2) [which tells the kernel
the location of all system calls in libc.so]
floated to various people before release, but it was prudent to wait.


# e449cd73 22-Mar-2024 ratchov <ratchov@openbsd.org>

pledge: Allow the AUDIO_GETDEV ioctl in "audio"

ok deraadt, kn, phessler


# b87515de 12-Dec-2023 deraadt <deraadt@openbsd.org>

put pinsyscalls(2) into the "always" group


# a556b217 29-Sep-2023 claudio <claudio@openbsd.org>

Extend single_thread_set() mode with additional flag attributes.

The mode can now be or-ed with SINGLE_DEEP or SINGLE_NOWAIT to alter
the behaviour of single_thread_set(). This allows explicit control
of the SINGLE_DEEP behaviour.

If SINGLE_DEEP is set the deep flag is passed to the initial check call
and by that the check will error out instead of suspending (SINGLE_UNWIND)
or exiting (SINGLE_EXIT). The SINGLE_DEEP flag is required in calls to
single_thread_set() outside of userret. E.g. at the start of sys_execve
because the proc is not allowed to call exit1() in that location.

SINGLE_NOWAIT skips the wait at the end of single_thread_set() and therefore
returns BEFORE all threads have been parked. Currently this is only used by
the ptrace code and should not be used anywhere else. Not waiting for all
threads to settle is asking for trouble.

This solves an issue by using SINGLE_UNWIND in the coredump case where
the code should actually exit in case another thread crashed moments earlier.
Also the SINGLE_UNWIND in pledge_fail() is now marked SINGLE_DEEP since
the call to pledge_fail() is for sure not at the kernel boundary.

OK mpi@


# de92f022 19-Sep-2023 claudio <claudio@openbsd.org>

Before coredump or in pledge_fail use SINGLE_UNWIND to stop all threads.

SINGLE_UNWIND unwinds to the kernel boundary. On the other hand
SINGLE_SUSPEND will sleep inside tsleep(9) and other sleep functions.
Since the code will exit1() very soon after it is better to already unwind.
Now one could argue that for coredumps all threads should stop asap to
get a clean dump. Using SINGLE_UNWIND the sleep will fail with ERESTART
and no copyout should happen in that case.

This is a bit of a workaround since SINGLE_SUSPEND has a small race
where single_thread_wait() returns before all threads are really stopped.
When SINGLE_EXIT is called quickly after this can blow up inside
sleep_finish.

Reported-by: syzbot+3ef066fcfaf991f2ac2c@syzkaller.appspotmail.com

OK mpi@ kettenis@


# eaac6367 20-Aug-2023 visa <visa@openbsd.org>

Add kqueue1() system call

kqueue1() takes the flags argument. This lets the kqueue file descriptor
be opened with O_CLOEXEC. Adapted from NetBSD.

OK guenther@


# b7a7cb6a 02-Jun-2023 cheloha <cheloha@openbsd.org>

pledge(2): stdio: permit restricted profil(2) for moncontrol(3)

Currently, pledged '-pg' binaries get killed in _mcleanup() when they
try to disable profil(2) via moncontrol(3).

Disabling profil(2) is harmless. Add profil(2) to the "stdio"
pledge(2) promise and permit profil(2) calls when the scale argument
is zero. Enabling profil(2) remains forbidden in pledged processes.

This gets us one step closer to making '-pg' binaries compatible with
pledge(2). The next step is to decide how to exfiltrate the profiling
data from the process during _mcleanup().

Prompted by semarie@. Cleaned up by deraadt@. With input from
deraadt@, espie@, and semarie@.

"Looks good" deraadt@
pledge(2) pieces ok semarie@


# 144b3efa 19-May-2023 guenther <guenther@openbsd.org>

Since waitid(2) shares code with wait4(2) and doesn't expose any
non-trivial new information or code-paths over wait4(), include
it in pledge("stdio")

discussed with deraadt@


# dedcbedc 19-Feb-2023 anton <anton@openbsd.org>

Make pinsyscall(2) always available for pledged processes. Needed by pledge
execpromises, as noted by regress/sys/kern/pledge/execpromise.

sure deraadt@


# 454ecbe3 11-Feb-2023 deraadt <deraadt@openbsd.org>

non-padded 64-bit system calls arrived 2021/12/23, over a year ago.
time to delete the backwards compat padded functions in the kernel.


# cef5a146 07-Jan-2023 guenther <guenther@openbsd.org>

Add {get,set}thrname(2) for putting thread names in the kernel and
exposed in a new field returned by sysctl(KERN_PROC). Update
pthread_{get,set}_name_np(3) to use the syscalls. Show them, when
set, in ps -H and top -H output.

libc and libpthread minor bumps

ok mpi@, mvs@, deraadt@


# 9a3cf6bb 23-Dec-2022 deraadt <deraadt@openbsd.org>

wrap a line better


# 2b46a8cb 05-Dec-2022 deraadt <deraadt@openbsd.org>

zap a pile of dangling tabs


# 265d4379 10-Nov-2022 jsg <jsg@openbsd.org>

fix build after 1.298


# d6e48951 09-Nov-2022 deraadt <deraadt@openbsd.org>

Some limited setsockopt/getsockopt are allowed in pledge "stdio".
Also allow IPPROTO_TCP:TCP_NODELAY
It is very small kernel code, and will allow some software to drop "inet"
requested by djm


# 81d71f69 08-Nov-2022 robert <robert@openbsd.org>

allow the KERN_AUTOCONF_SERIAL sysctl in pledge'd processes

ok deraadt@

