kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed. Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2).
* Add sys/caps.h.
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailless security in the near future, and to optimize the priv_check code.
date - Upgrade calculations, add some gnu date -d support

* Use long instead of int for numerous calculations, fixing a number of date calculation overflow issues.
* Add -d support (a gnu date option). Make -d an alias for -v. In addition to the formats already supported, we now support +/-N (days, seconds, minutes, hours, months, years, and abbreviations), next ..., last ..., several month, day, and year arrangements, h:m[:s] specifications, and a few other things. Not all of these can be combined with prefixes and there is still a lot of missing support for gnu date compatibility. In particular the handling of TZ= timezone specifications is mis-applied and support for the "Z" suffix is missing. Localization is still not properly supported for weekday and month names.
* Appears to fix easy-rsa (part of the openvpn package), though easy-rsa still has an unrelated openssl/libressl issue.
KERN_PROC - Change behavior and bump version to 600302

* Change default behavior to not include pure LWPs. That is, to not include pure kernel threads without a process (pid returned as -1).
* Add a flag KERN_PROC_FLAG_LWKT to re-include the LWPs for programs that don't get confused by them.
* Adjust /bin/ps and /usr/bin/top to use the flag. Also conditionalized on the existence of the flag so buildworld on older systems doesn't fail.
* Clean up the sysctl kernel interface for KERN_PROC a bit, since adding the flag creates a lot more combinations that need to be handled as discrete sysctls.
sh - Support writes to non-blocking descriptors

* Instead of reporting "write error on stdout", support writes to non-blocking sockets by having xwrite() use poll() to block when EAGAIN is returned.
* This is possibly related to such errors appearing in the dsynth logs. Presumably (unverified), /bin/sh can wind up being executed with descriptor 1 set to non-blocking. This works fine only as long as the other end of the pipe is able to drain it quickly enough. But under heavy loads, this might not happen.
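An added example (not the /bin/sh source this commit changed) of the xwrite() pattern described above: on EAGAIN the writer waits with poll() for POLLOUT and retries instead of reporting a write error. The demo_slow_reader() harness is a constructed scenario that reproduces the failure mode, a non-blocking pipe whose reader only starts draining after the pipe is full.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of buf; a full non-blocking descriptor returns EAGAIN, so poll() for POLLOUT and retry. Returns len or -1. */
ssize_t xwrite(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n > 0) {
            p += n;
            left -= (size_t)n;
        } else if (n < 0 && errno == EAGAIN) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR)
                return -1;              /* poll itself failed */
        } else if (!(n < 0 && errno == EINTR)) {
            return -1;                  /* n == 0 or a real write error */
        }
    }
    return (ssize_t)len;
}

/* Constructed scenario: reader drains only after the pipe has filled. Returns 1 if every byte arrived, else 0. */
static char big[1 << 18];               /* 256 KiB, far beyond a pipe buffer */
int demo_slow_reader(size_t total)
{
    int fds[2], status;
    char tmp[4096];
    if (total > sizeof big || pipe(fds) < 0) return 0;
    fcntl(fds[1], F_SETFL, fcntl(fds[1], F_GETFL) | O_NONBLOCK);
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                     /* child: slow reader */
        size_t got = 0; ssize_t n;
        close(fds[1]);
        poll(NULL, 0, 100);             /* sleep 100 ms so the pipe fills */
        while ((n = read(fds[0], tmp, sizeof tmp)) > 0)
            got += (size_t)n;
        _exit(got == total ? 0 : 1);
    }
    close(fds[0]);
    ssize_t wrote = xwrite(fds[1], big, total);   /* hits EAGAIN repeatedly */
    close(fds[1]);
    return waitpid(pid, &status, 0) == pid && wrote == (ssize_t)total && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```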
kernel - Adjust varsym API to match manual page, remove from uname

* Adjust the varsym system call to match the manual page. It now returns 0 on success instead of the length, and returns -1 with an errno of EOVERFLOW if the supplied buffer is too small.
* The uname*() code in libc actually assumed 0 would be returned on success, and thus never actually allowed varsym overrides. Just remove the functionality (that nobody uses) entirely.

Reported-by: dan
Remove last remains of FSMID support from userland.

The kernel side was added in 2005 (7d15906a7a159575b1983f7c1fadde4b) and removed again in 2009 (d98152a8b8a4b368ca0e08b84302f2f2).

Approved-by: dillon