VM_MAP_BUSY and VM_MAP_WANTLOCK will be removed soon, prep for that.
OK dlg@

Stop printing the "syscall" bit in the header line, too.

ok deraadt@

Stop printing the "syscall" bit related to msyscall(2), since the subsystem
is being deleted.

change default output to -a format; ok tb

Show the entry immutable bit in the various output formats.

MAXCOMLEN is no longer needed in these programs, so remove the annotation
from sys/param.h include lines, or remove the include lines entirely if
it this was the least requirement.
ok millert

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisf

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

show more ...

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the who

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

show more ...

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

show more ...

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid ad

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

show more ...

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

show more ...

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_N

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

show more ...

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

show more ...

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@