Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add a -N option that prints the jail name rather than its number.

MFC after: 3 weeks

Fix building with WITHOUT_INET_SUPPORT set.

Reviewed by: jamie (actually provided the real fix)
MFC after: 3 days

Fix jls backward compat mode broken in r222465, correctly
displaying addresses in verbose mode (jls -v) again.

Submitted by: jamie
MFC after: 3 days
Approved by: re (kib)

Add a missing ',' to separate arguments lost for r222465 only found in
case a complete world is built without INET support.

MFC after: 10 days
X-MFC with: 222465

Check for IPv4 or IPv6 to be available by the kernel to not
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.

Reviewed by: jamie
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days

Properly recognize a number followed by non-digits as a jail name.
Call "0" a name because zero is used to indicate no specified jid.

MFC after: 3 days

Properly progress through the list of IPv6 addresses using in6_addr size.

Right now if a jail has multiple IPv6 addresses, it will print them
shifting only 4 bytes at a time. Example:

2001:4dd0:ff41::b23f:a9
2001:4dd0:ff41::b23f:aa

Becomes:

2001:4dd0:ff41::b23f:a9
ff41::b23f:a9:2001:4dd0

By casting to in6_addr, it uses the correct offsets.

MFC after: 1 week

The last big commit: let usr.sbin/ use WARNS=6 by default.

Don't free jail parameter values after printing them - jail_param_get
expects them to be there for the next jail in the list.

PR: bin/141359
MFC after: 1 week

Do not truncate IPv6 addresses when printing them in the
jls -av 7.x multi-IP jail backward compat output.

Reported by: ed
Tested by: ed
Reviewed by: rwatson
Approved by: re

Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by: re (kib), bz (mentor)
Discussed with: rwatson

Give a more expected behavior to -[hns] options, defaulting to all
parameters instead of ignoring the options and giving the old-style
default output.

Approved by: re (kib), bz (mentor)

Add libjail, a (somewhat) simpler interface to the jail_set and jail_get
system calls and the security.jail.param sysctls.

Approved by: bz (mentor)

Use the right jail parameters for -v (cpuset has changed to cpuset.id).

Reported by: netchild
Approved by: bz (mentor)

Add support for the arbitrary named jail parameters used by jail_set(2)
and jail_get(2). Jail(8) can now create jails using a "name=value"
format instead of just specifying a limited set of fixed parameters; it
can also modify parameters of existing jails. Jls(8) can display all
parameters of jails, or a specified set of parameters. The available
parameters are gathered from the kernel, and not hard-coded into these
programs.

Small patches on killall(1) and jexec(8) to support jail names with
jail_get(2).

Approved by: bz (mentor)

Make sure that the direct jls invocations prints something
reasonable close to and in the same format as it had always.

r185435 said it would try that but I had been living with jail
patches for too long to actually remember the single-line format
when adding backwards compatibility back in p4.

Reported by: Philipp Wuensche <cryx-freebsd@h3q.com>
Tested by: Philipp Wuensche <cryx-freebsd@h3q.com>
MFC after: 4 weeks (just for me to get the mail)

Correctly check the number of prison states to not access anything
outside the prison_states array.
When checking if there is a name configured for the prison, check the
first character to not be '\0' instead of checking if the char array
is present, which it always is. Note, that this is different for the
*jailname in the syscall.

Found with: Coverity Prevent(tm)
CID: 4156, 4155
MFC after: 4 weeks (just that I get the mail)

MFp4:
Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addtion to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the afore mentioned and in kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
on cluster machines as well as all the testers and people
who provided feedback the last months on freebsd-jail and
other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by: (see above)
MFC after: 3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible

Sync code with the error report: calloc(number, 1) is equivalent to
malloc(number).

Not sure why, but SYSCTL_OUT() can sometimes keep returning ENOMEM
in sysctl_jail_list(). Because of this, jls(8) could enter into
an endless loop. The strange thing is, that we can call jls(8) while
the other one is in loop and it will succeed - SYSCTL_OUT() will
not return ENOMEM there.

Maybe SYSCTL_OUT() returns first ENOMEM, because there is no memory,
but is marking some memory range as wired even on failure and another
SYSCTL_OUT() calls are not going to succeed, because process exceeds
limit of wired memory? ENOVMCLUE.

Anyway. Fix jls(8) to ignore ENOMEM and retry only 4 times.

Submitted by: Niklas Saers
PR: kern/79245
MFC after: 3 days

IP addresses can be up to 15 characters long, not 12.

PR: 50904

Fixed an err() format error in rev.1.1. This should have been fatal
since WARNS was high in rev.1.1, but __printf0like() has been temporarily
disabled for 9 months.

o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
jail.
o Add -i option to jail(8) to output jail ID of newly created jail.