Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r233648:
Remove trailing whitespace per mdoc lint warning

Approved by: cperciva (implicit)

MFC r235286:

General mdoc(7) and typo fixes.

PR: 167734

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Make it possible to use permission sets (full_set, modify_set, read_set
and write_set) with setfacl(1).

PR: kern/154113
Submitted by: Shawn Webb <lattera at gmail dot com> (earlier version)
MFC after: 1 month

Move the code around so that libc behaviour does not depend on a variable
that was supposed to be kernel-only. There should be no functional changes.

Make acl_strip_np(3) use new trivial ACL format for NFSv4 ACls (three
entries instead of six). This makes "setfacl -b" do the right thing
for ACLs on ZFS. UFS recognizes both kinds of trivial ACLs; no change
there.

MFC after: 2 months

Bump manual page date.

After PSARC/2010/029, "canonical six" no longer exists.

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd

First step at adopting FreeBSD to support PSARC/2010/029. This makes
acl_is_trivial_np(3) properly recognize the new trivial ACLs. From
the user point of view, that means "ls -l" no longer shows plus signs
for all the files when running ZFS v28.

Arrgh, tested wrong source tree _again_. Fix previous commit. Also,
this and previous one are MFC candidate.

MFC after: 1 month

Add minor optimization. It's less strict than its kernel counterpart
due to upcoming ACL changes required by the new ZFS.

Spelling fixes.

Fix acl_from_text(3) - and, therefore, setfacl(1) - for user and group
names names starting with a digit.

MFC after: 1 month

Remove comment which didn't match reality for a long time.

Reviewed by: rwatson

Separate _posix1e_acl_id_to_name() into a separate file, to
break an unnecessary dependency on getpwuid() and getgrgid().

MFC after: 1 month

Don't use pointer to 64 bit value (id_t) to point to 32 bit value (uid_t).

Found with: Coverity Prevent
CID: 7466, 7467
MFC after: 2 weeks

Don't forget to free the string in error case.

Found with: Coverity Prevent
CID: 6585

_posix1e_acl_sort() never returns anything other than 0; change its
return type to void and update callers. This simplifies code and
fixes one place where the returned value was not actually checked.

Found with: Coverity Prevent
CID: 4791

Fix usage of uninitialized variable.

Found with: Coverity Prevent
CID: 7517
MFC after: 2 weeks

The 'acl_cnt' field is unsigned; no point in checking if it's >= 0.

Found with: Coverity Prevent
CID: 6192

The 'acl_cnt' field is unsigned; no point in checking if it's >= 0.

Found with: Coverity Prevent
CID: 6193

Make acl_get_perm_np(3) work with NFSv4 ACLs.

Reviewed by: kientzle@
MFC after: 1 week

Make branding less intrusive - in acl_set(3), in case ACL brand
is ACL_BRAND_UNKNOWN, do what the programmer says instead of failing.

MFC after: 1 week

Make it possible to actually use NFSv4 permission bits with acl_set_perm(3)
and acl_delete_perm(3). It went undetected, because neither setfacl(1)
nor Samba use this routines. D'oh.

MFC after: 1 week

mdoc: order prologue macros consistently by Dd/Dt/Os

Although groff_mdoc(7) gives another impression, this is the ordering
most widely used and also required by mdocml/mandoc.

Reviewed by: ru
Approved by: philip, ed (mentors)

Make acl_to_text_np(3) not crash on long group or user names in NFSv4 ACLs.

PR: amd64/145091
MFC after: 2 weeks

Switch to our preferred license text.

Approved by: jedgar

Use our standard license text. No more voices in the authors head. :-)

Approved by: trasz

s/APIS/APIs - not part of the original submission.

Correct two typoes.

Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk>

Don't forget to clean up the file copied from the kernel sources.

MFC after: 1 week

Use a local copy of entry_d for finding matches. Otherwise, if entry_d pointed
to an entry of 'acl', all ACL entries starting with entry_d would be deleted.

Reviewed by: trasz
Approved by: emax (mentor)
MFC after: 3 days

Don't let the C library depend on <utmp.h>.

The maximum length of a username has nothing to do with the size of the
username in the utmp files. Use MAXLOGNAME, which is defined as 17
(UT_USERSIZE + 1).

Fix a memory leak in acl_from_text() in case the conversion succeeded.

Submitted by: Jim Wilcoxson <prirun@gmail.com>
MFC after: 1 week

Fix regression introduced with NFSv4 ACL support - make acl_to_text(3)
and acl_calc_mask(3) return error instead of crashing when acl passed
to them is NULL.

Submitted by: markus
Reviewed by: rwatson
MFC after: 3 days

Style: Remove trailing whitespace.

Update posix1e-related man pages, especially as relates to MAC, to more
accurately reflect the last ten years of work.

Approved by: re (kib)

Add missing MLINKS for acl_{get,set}_link_fd(3).

Approved by: re (kib)

Fix acl_set_fd(3) and acl_get_fd(3) for cases where the kernel doesn't know
anything about _PC_ACL_NFS4.

Manual page tweaks.

Fix c194955 - somehow I managed all the new files, tripling their
contents.

Bump manual page timestamps.

Add NFSv4 ACL support to libc.

This adds the following functions to the acl(3) API: acl_add_flag_np,
acl_clear_flags_np, acl_create_entry_np, acl_delete_entry_np,
acl_delete_flag_np, acl_get_extended_np, acl_get_flag_np, acl_get_flagset_np,
acl_set_extended_np, acl_set_flagset_np, acl_to_text_np, acl_is_trivial_np,
acl_strip_np, acl_get_brand_np. Most of them are similar to what Darwin
does. There are no backward-incompatible changes.

Approved by: rwatson@

Fix off by one error in acl_create_entry(3).

Reviewed by: rwatson@
MFC after: 2 weeks

Change license to more bori^Wadul^Wcanonical.

Submitted by: rwatson@

Improve API documentation.

Reviewed by: rwatson (earlier version)

Make 'struct acl' larger, as required to support NFSv4 ACLs. Provide
compatibility interfaces in both kernel and libc.

Reviewed by: rwatson

Since audit(4) isn't based on posix1e, remove the commented out audit.h header,
xref libbsm(3).

Submitted by: rwatson
MFC after: 3 days

Fix typo.

Replace the non-standard disclaimer with the standard one from /COPYRIGHT

Approved by: jedgar@

The libc acl_valid(3) function validates the contents of a POSIX.1e ACL.
This change removes the requirement that an ACL contain no ACL_USER
entries with a uid the same as those of a file, or ACL_GROUP entries
with a gid the same as those of a file. This requirement is not in the
specification, and not enforced by the kernel's ACL implementation.

Reported by: Iustin Pop <iusty at k1024 dot org>
MFC after: 1 week

Add __FBSDID() tags.

MFC after: 3 days

Some libc symbol map cleanups.

net: endhostdnsent is named _endhostdnsent and is
private to netdb family of functions.

posix1e: acl_size.c has been never compiled in,
so there's no "acl_size".

rpc: "getnetid" is a static function.

stdtime: "gtime" is #ifdef'ed out in the source.

some symbols are specific only to some architectures,
e.g., ___tls_get_addr is only defined on i386.

__htonl, __htons, __ntohl and __ntohs are no longer
functions, they are now (internal) defines in
<machine/endian.h>.

Submitted by: ru

Use C comments since we now preprocess these files with CPP.

Move _posix1e_acl_name_to_id out of acl_support.c and into
acl_from_text.c. Since acl_from_text.c is the only place it
is used, we can now make this internal utility function "static."

As a bonus, acl_set_fd() no longer pulls in getpwuid() for no reason.

MFC after: 7 days

Revise markup in recently added manpages.

Following repo-copy of mac_is_present_np.3 to mac_is_present.3, remove
old file, update references, etc. The C function is already named
mac_is_present().

Obtained from: TrustedBSD Project

Add each directory's symbol map file to SYM_MAPS.

Add symbol maps and initial symbol version definitions to libc.

Reviewed by: davidxu

There's no longer^Wyet <sys/capability.h>.

-mdoc sweep.

Include a couple of headers to ensure consistency between the prototype and
the function definition.

Fix all the spelling mistakes I could find in the man pages for words
that have at least 3 characters.

MFC after: 1 week
Thanks to: Music band ``Chingon''
for keeping me company while searching for these.

Minor grammar fix

Submitted by: Wojciech A. Koszek [dunstan at freebsd czest pl]
Approved by: re (hrs)

Missed rwatson's redundancy

Minor white space tweak.

MFC after: 3 days

Sort sections.

Fixed markup bug.

Scheduled mdoc(7) sweep.

-Add a note that currently two syntax styles for label element declaration
is supported.
-Document the new more preferred syntax
-Add examples for the new syntax
-Add a note that the old syntax will be deprecated in the future.

Reviewed by: rwatson

Fix the NAME section making whatis(1) happy in particular.

Eliminate double whitespace.

Mechanically kill hard sentence breaks.

Markup, grammar, and spelling fixes.

Add reference to mac_get_link() in man page, which was omitted when
mac_get_link() and mac_set_link() were added.

Adjust for brain outage that affected the previous commit.

Submitted by: Stefan Farfeleder <stefan@fafoe.narf.at>

Avoid undefined behavior:
foo[i] = bar[++i]; /* Which operator [] will be evaluated first? */

Remove unused variables and function declarations. Add missing headers.

Staticize label_default_head to prevent it from leaking out of mac.c.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Update mac_set.3 to account for new behavior of mac_set_fd() in the
context of sockets, and document EINVAL as a possible failure mode
based on the object selected, not just the label provided.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL. This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application. Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions. Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Memory allocated by mac_to_text() must be freed using free(3) not
mac_free(3), which is used only for variables of type mac_t in
the FreeBSD implementation.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Remove debugging printf that crept into the last commit.

/etc/mac.conf is implicitly read and parsed when the MAC configuration
is accessed for the first time as a result of an application looking
up label configuration information. Previously, the check and read
were kicked off by mac_prepare_(typename)() functions; since
mac_prepare_type() may now be directly employed by a user process,
push the check and initialization into that function.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

When printing ACLs, truncate user and group names if they're too long,
rather than generating an error. This is consistent with other tools
printing user and group names, and means you can read the ACL using
our tools rather than being up a creek.

PR: 56991
Submitted by: Michael Bretterklieber <mbretter@a-quadrat.at>

mdoc(7): Fix common mistakes made in the SEE ALSO section.

Return (-1) not (ENOENT) for mac_prepare_type(), and set errno to
ENOENT instead.

Reported by: "Kenneth D. Merry" <ken@kdm.org>
Submitted by: Bryan Liesner <bleez@comcast.net>

Add HISTORY sections to the remaining MAC library man pages.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Update the mac_prepare(3) man page to reflect changes to the
mac_prepare() APIs.

Add a HISTORY section.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Make the elements argument to mac_prepare() be const.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:

default_file_labels foo
default_ifnet_labels foo
default_process_labels foo

And also a new:

default_labels file foo
default_labels ifnet foo
default_labels process foo

We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.

Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.

Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.

While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Print group name in getfacl output when calculating an effective
permission set based on a more restrictive mask.

Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au>

mdoc(7) fixes.

Approved by: re (blanket)

Assorted mdoc(7) fixes.

Approved by: re (blanket)

Add some strategic whitespace.

Add FILES section to mac.3 and mac.conf.5. Properly Xref mac.conf.5
from mac.3; likewise, mac.conf.5 from mac_prepare.3.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Add a man page for the mac.conf MAC library configuration file.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Add the mac_prepare{,_*}() functions to the high-level function list
in the mac.3 library man page. They were already cross-referenced
at the end of the man page, just not explicitly listed here.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Clarify the relationship between the MAC library APIs and POSIX.1e:
they resemble one another, but POSIX.1e interfaces were not sufficiently
expressive to do what we needed.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Eliminate 19 warnings in libc (at level WARNS=2) of the
`implicit declaration of function' variety.

mdoc(7) police: Scheduled sweep.

mdoc(7) police: kill self-xref.

Punctuation.

Typo.

Grammar.

Whack 28 unused variables.

Eliminate 61 warnings emitted at WARNS=2 (leaving 53 to go).
Only warnings that could be fixed without changing the generated object
code and without restructuring the source code have been handled.

Reviewed by: /sbin/md5

The .Fn function

Actually add mac_prepare.3.

Sponsored by: DARPA, Network Associates Laboratories

Cross-reference mac(4)

Sponsored by: DARPA, Network Associates Laboratories

s/SEE_ALSO/SEE ALSO/
Cross-reference mac(4) and mac(9)

Sponsored by: DARPA, Network Associates Laboratories

o Document mac_prepare() and associated functions
o Link mac_get_pid.3 to mac_get.3
o Update SEE ALSO to refer to mac_prepare, and added missing references
o Remove clause #3 on my work
o Update mac_get.3 for the updated MAC API

Sponsored by: DARPA, Network Associates Laboratories
Obtained from: TrustedBSD Project

o Remove clause #3
o Document mac_set_link().

Sponsored by: DARPA, Network Associates Labs

Remove BUGS section indicating that these calls are unimplemented.
Update copyrights.

Obtained from: TrustedBSD Project

Update acl_set.3, missed in last round:

- Update BUGS: this stuff is implemented.
- Update last modified date.
- Document acl_set_link_np() call.

Obtained from: TrustedBSD Project

Update libc POSIX.1e code and documentation to reflect:

- Updated copyrights, modified dates
- Remove "BUGS" entry indicating that ACLs are unimplemented
- Implement acl_*_link() library wrapper variants for get, set,
delete, aclvalid.
- Document acl_*_link() calls.

Obtained from: TrustedBSD Project

english(4) police.

mdoc(7) police: "The .Fa argument.".

mdoc(7) police: "The .Fn function".

mdoc(7) police: sort xrefs in SEE ALSO.

Uniformly refer to a file system as "file system".

Approved by: re

mdoc(7) police: Added the missing .Os call; it's not strictly
necessary nowadays, but is documented as "required", and may
become so again in the future.

Approved by: re

mdoc(7) police: markup overhaul.

Approved by: re

libc_r wasn't so tied to libc for 22 months.

Update acl.3 to xref getfacl(1) and setfacl(1), the recommended tools for
manipulating file ACLs. Update the status of the implementation a bit,
update the copyright, etc.

Obtained from: TrustedBSD Project

o Make the COMPATIBILITY section a bit less redundant.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Labs

o Update man page to reflect the new prototypes for mac_{to,from}_text.
o Remove a (currently) no-longer-pertinent entry from errors.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Labs

Hook up the userland wrapper for __mac_execve().

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

License update authorized by NAI: remove clause 3.

Clarify language relating to ACLs, Capabtilities, and MAC, since the
implementation status of these services has changed substantially
since this man page was last updated.

Update license, historical information.

Point out that the MAC Framework is considered experimental.

Scoop out examples illustrating the label text format and refer to
maclabel(7) instead.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Labs

Do not include <sys/syslimits.h> directly; it is not intended for general
consumption.

Place mac_prepare() with the other mac_prepare*() functions.

mac_free() no longer accepts a void * parameter; only mac_t's are supposed
to be passed. Point this out in a warning notice, which will eventually
go away, sometime between now and -RELEASE.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Remove superfluous empty "FILES" section.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Remove hard sentence breaks.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Reflect MAC kernel/user API changes into the libc MAC implementation.
This removes a lot of complexity, since we basically just reserve
space on a retrieval of a label, and pass around strings. Two new
elements: (1) consumers of the API must now declare what label
elements they are interested in retrieving, or (2) rely on the default
provided in a new configuration file, mac.conf.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

.Xr mac.3 and posix1e.3 to mac.9. Point at sys/mac.h in posix1e.3.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Unhook the per-policy parsing/printing MAC modules in libc to prepare
to bring in the new MAC label management API. With the new API
revision, we have only policy-agnostic code in libc and the base
kernel.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Update TE policy and MAC text conversion routines to support partial
label updates. Biba and MLS already supported this. This permits the
userland library to submit relative updates on MAC labels, rather
than submitting an entire label to replace the current label. This
also requires changes to the MAC modules, which are forthcoming.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

X-ref mac.3.

Introduce support for Mandatory Access Control and extensible
kernel access control.

Extensions to libc to provide basic MAC label manipulation facilities
for userland. These interface will be replaced in the next month
or two with more flexible interfaces, but provide sufficient support
to allow use of the Biba and MLS policies for user applications.

libc_r wrappers to follow.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

No POSIX.1e capabilities in the main tree yet.

Correct a bunch of typos. Translators can ignore this commit.

MFC after: 3 weeks

Fix the style of the SCM ID's.
I believe have made all of libc .c's as consistent as possible.

Check if string is not NULL, not *string, before setting *string.

o style(9) and consistency fix:
- if (!var) -> if (var == NULL)
o spelling fix (althouh -> although)

Reviewed by: rwatson
Obtained from: TrustedBSD Project

o style(9) and consistency fixes:
- if (!var) -> if (var == NULL)
- return val; -> return (val);

Reviewed by: rwatson
Obtained from: TrustedBSD Project

Add more argument checking

Reviewed by: rwatson
Obtained from: TrustedBSD Project

static'ize and declare functions

Reviewed by: rwatson
Obtained from: TrustedBSD Project

o style and consistency fixes:
- if (!var) -> if (var == NULL)
- return val; -> return (val);
o update copyright

Correct function's description.

Obtained from: TrustedBSD Project

o return EINVAL if acl_to_text() have been sent a NULL acl. o update copyright dates.

Reviewed by: rwatson

Correct phrase 'get an ACL' to 'set an ACL'.

PR: 33660
Submitted by: Rich Morin <rdm@cfcl.com>, Tom Rhodes <darklogik@pittgoth.com>

o Change the layout of the tagged lists to be like those in acl(3).
o Document the following capabilities: CAP_NET_ADMIN, CAP_SYS_RAWIO,
CAP_SYS_ADMIN, and CAP_SYS_TTY_CONFIG.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

o Reflect repo-copy of extattr.[c3] from libutil to libc, moving
extattr namespace routines to the libc/posix1e directory. While
the extattr calls are not strictly POSIX.1e, POSIX.1e wasn't
strictly ever approved, so I think that's OK.

Obtained from: TrustedBSD Project

Fixed missing `const' in synopsis.

Fixed return type in synopsis.

mdoc(7) police: Use the new .In macro for #include statements.

Add __FBSDID()s to libutil

mdoc(7) police: removed commas from the standard (split) AUTHORS block.

mdoc(7) police: markup and minor content fixes.

o Removed whitespace at EOL
o Removed hard sentence breaks
o Added cap_size() to the NAME section
o Normalized .Nd descriptions
o Fixed the abuses of .Nm and .Va
o Fixed some DESCRIPTION texts
o Fixed the RETURN VALUES and ERRORS texts to look more traditional

Reviewed by: tmm

Add Thomas Moestl and Chris Faulhaber to the author list for POSIX.1e
support.

Obtained from: TrustedBSD Project

o Sync up prototypes for cap_size() and cap_copy_ext() with
sys/capability.h--this compiled fine on i386 where (int) and (ssize_t)
are the same, but broke on Alpha where they differ.

Submitted by: Mike Barcroft <mike@FreeBSD.org>
Obtained from: TrustedBSD Project

o Attach cap_cmp.c and cap_copy.c to the build.
o Attach cap_copy_ext.3 and cap_copy_int.3 to the install, and link
cap_size.3 to cap_copy_ext.3.

Submitted by: tmm
Obtained from: TrustedBSD Project

Use ``.Rv -std'' wherever possible.

Submitted by: yar

o Use .Fx to refer to FreeBSD

Submitted by: tmm
Obtained from: TrustedBSD Project

o Remove definition of CAP_MAX_BUF_LEN since it is defined in
sys/capability.h now.

Submitted by: tmm
Obtained from: TrustedBSD Project

Introduce implementations of POSIX.1e non-portable form capability
support functions:
cap_subset_np() - Is cap1 a subset of cap2
cap_equal_np() - Is cap1 equal to cap2

o Introduce implementations of POSIX.1e capability support functions:
cap_copy_ext() - Externalize capability
cap_copy_int() - Internalize capability
cap_size() - Determine size required for cap_copy_ext()

Submitted by: tmm
Obtained from: TrustedBSD Project

o src/sys/capability.h provides a number of support macros that are not
documented by POSIX.1e, and understand the opaque capability structures.
Introduce support in the userland POSIX.1e library for a
_CAPABILITY_NEEDMACROS define to remove these macros from the normal
namespace, but allow the libc functions to use them.

Submitted by: tmm
Obtained from: TrustedBSD Project

o s/violate/override/ Capabilities are part of the system policy, not
an exception to it.

Submitted by: tmm
Obtained from: TrustedBSD Project

Handle snprintf() returning -1

MFC after: 2 weeks

Use the ".Rv" mdoc(7) macro where appropriate.

Reviewed by: ru

Use the ``.Rv -std'' mdoc(7) macro in appropriate cases.

Reviewed by: ru

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).

Add RETURN VALUES and ERRORS sections.

Add a manual page for extattr_string_to_namespace and
extattr_namespace_to_string.

Reviewed by: rwatson

Remove duplicate words.

Fix cross-references:
xntpd.8 --> ntpd.8
acl_delete_perms.3 --> acl_delete_perm.3
getname.2 --> getsockname.2

MFC after: 1 week

mdoc(7) police: fix markup.

Correct prototype (entry_p -> *entry_p)

Submitted by: Alex Zepeda <jazepeda@pacbell.net>

Document acl_get_entry(3)

Obtained from: TrustedBSD Project

o Separate acl_t into internal and external representations as
required by POSIX.1e. This maintains the current 'struct acl'
in the kernel while providing the generic external acl_t
interface required to complete the ACL editing library.
o Add the acl_get_entry() function.
o Convert the existing ACL utilities, getfacl and setfacl, to
fully make use of the ACL editing library.

Obtained from: TrustedBSD Project

Remove bogus assignments of libc syscall stub return values to errno;
the stubs do errno assignments and return -1 in this case, so that errno
would end up with this value.

Approved by: rwatson

mdoc(7) police: normalize .Nd.

mdoc(7) police: use .Fx where appropriate.

mdoc(7) police: fix markup.

Correct a bogus cast in acl_get_qualifier() causing invalid
ID's to be stored in the ACL.

Obtained from: TrustedBSD Project

Add acl_get_perm_np(3), a non-portable function to check if a
permission is in a permission set, required for third-party
applications such as Samba.

Reviewed by: rwatson
Obtained from: TrustedBSD Project

Add the remaining POSIX.1e ACL definitions:
ACL_UNDEFINED_TAG, ACL_UNDEFINED_ID, ACL_FIRST_ENTRY, ACL_NEXT_ENTRY

Reviewed by: rwatson
Obtained from: TrustedBSD Project

Revamp acl_create_entry() so it actually works.

Obtained from: TrustedBSD Project

Correct the following defines to match the POSIX.1e spec:

ACL_PERM_EXEC -> ACL_EXECUTE
ACL_PERM_READ -> ACL_READ
ACL_PERM_WRITE -> ACL_WRITE

Obtained from: TrustedBSD

mdoc(7) police: add missing LIBRARY section.

Unbreak world.

Submitted by: jhay

Record -lposix1e merge with -lc.

mdoc(7) police rev 1.11: convert descriptions and cross-references
for the ACL editing library functions to the plain tagged list.

- Add descriptions and cross-references for the ACL editing library
functions.
- Place the acl_dup() description in alphabetical order.
- Move the POSIX.1e descriptions under the ENVIRONMENT section to the
STANDARDS section.

Reviewed by: rwatson
Obtained from: TrustedBSD Project

Install the acl_create_entry.3 man page

Prepare for the inclusion of libposix1e into libc: retire the old
Makefile, add Makefile.inc needed for libc build; add
#include "namespace.h"/#include "un-namespace.h" pairs around the
includes of sys/acl.h and sys/capability.h, and an additional underscore
in front of the functions that will be overridden in libc_r.

Approved by: rwatson
Obtained from: TrustedBSD Project

Correct function name: acl_clear_perm -> acl_clear_perms

o De-uglify IMPLEMENTATION NOTES section by removing unnecessary use of
.Fx

MAN[1-9] -> MAN.

o Update copyright date
o Revise description in light of commits over last month including:
- ACL editing library is now implemented
- ACLs are now implemented

Obtained from: TrustedBSD Project

mdoc(7) police: fix markup.

Correct the acl_set_permset and acl_set_tag_type man pages
which somehow got mixed up with the acl_get_* man pages.

Submitted by: ru

mdoc(7) police: fix markup.

mdoc(7) police: fix markup, function prototype, and RETURN VALUES text.

Add the following ACL editing functions:
acl_add_perm, acl_clear_perms, acl_copy_entry, acl_create_entry,
acl_delete_perm, acl_get_permset, acl_get_qualifier, acl_get_tag_type,
acl_set_permset, acl_set_qualifier, acl_set_tag_type

This brings us within 4 functions of a full ACL editing library.

Reviewed by: rwatson

mdoc(7) police:

- lowercase Nd argument
- mark function arguments with Fa
- mark defined values with Dv
- simply copying POSIX text for RETURN VALUES and ERRORS sections is not
always a good idea. POSIX uses the word "shall" indicating the behavior
the correct implementation should follow.

o Rename "namespace" argument to "attrnamespace" as namespace is a C++
reserved word.

Submitted by: jkh
Obtained from: TrustedBSD Project

Add the following POSIX 1003.1e functions and man pages:
o acl_calc_mask(): calculates the ACL mask entry associated with
the given ACL.
o acl_delete_entry(): remove a specified ACL entry from the given
ACL.

Approved by: rwatson

o To support new EA interface with explicit namespaces, introduce two
utility functions which convert between string namespace names and
numeric constants used by the interface. Right now, two namespaces
are supported, EXTATTR_NAMESPACE_SYSTEM ("system") and
EXTATTR_NAMESPACE_USER ("user"). These functions are used by
various userland EA utilities, rather than hard coding the routines
all over the place.

Obtained from: TrustedBSD Project

o Update copyright dates.
o Rename internal library functions so that they are prefixed with
_posix1e or _POSIX1E, removing them from the application namespace (and
potential conflict with other ACL functions elsewhere in the system).

Obtained from: TrustedBSD Project

Fix typo: seperate -> separate.

Seperate does not exist in the english language.

Submitted to look at by: kris

Fixed C error(s) in synopsis.

o When returning NULL, return (NULL) instead of return (0).

Submitted by: jedgar
Obtained from: TrustedBSD Project

o acl_from_text.c:
- errno is already set to ENOMEM (as appropriate) when asprintf(),
strdup(), or acl_init() fails
o acl_to_text.c:
- the return value of the initial strdup() is not checked
- errno is already set to ENOMEM (as appropriate) when asprintf
and acl_init() fails
- let the the default: case use 'goto error_label' for consistency

Submitted by: jedgar

o bzero() the ACL structure only if malloc() returns non-NULL.

Submitted by: jedgar

o Correct spelling error from patch in previous commit.

o Add missing initialization of errno from error returns of
cap_get_fd(), cap_get_file() and cap_get_proc().

Submitted by: jedgar

o Make acl_from_text() support uid's and gid's as well as usernames
and groupnames, by adding appropriate support to acl_name_to_id()
in acl_support.c

Submitted by: green

Correct check of getgrnam output

Approved by: rwatson

Prepare for mdoc(7)NG.

mdoc(7) police: removed history info from the .Os FreeBSD call.

o Introduce a pile more documentation about capabilities, including
identification and descriptions of most capabilities, current inheritence
rules, etc. More to follow.

Reviewed by: sheldonh
Obtained from: TrustedBSD Project

mdoc(7) police: Er macro usage cleanup.

Use Fx macro wherever possible.

o Introduce cap_from_text() and cap_to_text() implementations.

Reviewed by: green
Obtained from: TrustedBSD Project
Security audited by: imp, green

o Simplify capability types away from an array of ints to a single
u_int64_t flag field, bounding the number of capabilities at 64,
but substantially cleaning up capability logic (there are currently
43 defined capabilities).

o Heads up to anyone actually using capabilities: the constant
assignments for various capabilities have been redone, so any
persistent binary capability stores (i.e., '$posix1e.cap' EA
backing files) must be recreated. If you have one of these,
you'll know about it, so if you have no idea what this means,
don't worry.

o Update libposix1e to reflect this new definition, fixing the
exposed functions that directly manipulate the flags fields.

Obtained from: TrustedBSD Project

o Update BUGS entry to indicate in a more precise manner the implementation
status of capabilities (library is complete, kernel work is maintained
outside the tree).

Obtained from: TrustedBSD Project

o Introduce a MAINTAINER entry for libposix1e, since it is actively
developed and maintained.

o Minor whitespace, comment cleanups
o Removal of unneeded enum
o Removal of commented out debugging printf()'s.

Obtained from: TrustedBSD Project

o Whitespace reduction appled to FreeBSD CVS ID

Obtained from: TrustedBSD Project

o General warning fixing commit
- Include <stdlib.h> and <string.h> as needed for prototypes
- Remove unneeded "error" variables
o Make cap_init() use cap_clear() instead of bzero()

Obtained from: TrustedBSD Project

o Add cap_from_text(3) and cap_to_text(3) man pages.
o Implementations will remain in the seperately distributed capability
patch until the cap_t type changes are synchronized.

Obtained from: TrustedBSD Project

o EACCES is not a possible error for acl_from_text(), so fix
acl_from_text.3
o Minor whitespace cleanups relative to the TrustedBSD tree to reduce
content-free differences.

Obtained from: TrustedBSD Project

o cap_set_flag() was not correctly clearing capabilities when value
was CAP_CLEAR.

Obtained from: TrustedBSD Project

Fix typo, teh -> the.

o Enable building of libposix1e capability state utility functions and
capability-related syscall wrappers.

Obtained from: TrustedBSD Project

o Introduce cap_{get,set}_{file,fd}() syscall wrappers, associated with
soon to be committed syscall stubs. These calls will be used to get
and set capability state associated with executables.

Obtained from: TrustedBSD Project

o When calling the syscall, use &cap instead of cap. Apparently this
error was introduced during the merge; fixing it corrects a (correct)
warning about types.

Obtained from: TrustedBSD Project

o Comment out <sys/audit.h> and <sys/mac.h> since they are not yet
committed

Obtained from: TrustedBSD Project

- Replace ``.Va (cap_t)NULL'' with ``.Dv NULL''
- Fix a typo: ``constrains'' -> ``constraints''

Reviewed by: rwatson

- Replace
.Pp
.Fn func
.Pp
Description ...
with a list (Bl ... Li ... El).
- Remove a superfluous ``.Sh ENVIRONMENT'' and replace it with a ``.Pp''
within the IMPLEMENTATION DETAILS section.

Reviewed by: rwatson

o Introduce libposix1e capability support routines, which provide a
standardized interface to the capability support in TrustedBSD.
o Not currently enabled in Makefile, as this code depends on syscalls
and include files that will be committed at a later date.

Obtained from: TrustedBSD Project

o Fix incorrect descriptions of cap_get_flag() and cap_set_flag() in
capabilities summary manpage, cap(3).

Obtained from: TrustedBSD Project

o Build and install POSIX.1e capabilities man pages
o Add shared library version 2 to libposix1e given API changes, et al
o Commented out cap_*.c as that is not currently being compiled into
the library (pending syscalls being committed)

Obtained from: TrustedBSD Project

o Add posix1e(3) references to acl.3 and cap.3

Obtained from: TrustedBSD Project

o Add mention of capabilities documentation + APIs
o Switch reference to www.trustedbsd.org instead of POSIX.1e implementation
page
o Add cross references to capabilities man pages
o Remove extended attribute not implemented "BUGS" entry

Obtained from: TrustedBSD Project

o Introduce man pages for POSIX.1e capability API
- cap.3 describing library interface
- cap_*.3 describing specific API calls

APIs to follow relatively soon, code to follow later.

Obtained from: TrustedBSD Project

o Remove extra cross reference from acl.3 to acl.3
o Remove "BUGS" entries indicating that there's nowhere to store ACLs as
we now have extended attributes.

Obtained from: TrustedBSD Project

Introduce .Lb macro to libposix1e manpages
Sort some .Nm values
Decapitalize .Nd values

Fixed wrong function return types in synopsis.

Fix various typos and mdoc style issues.

Reviewed by: rwatson

Introduce ACL man pages en masse for library calls, and general introduction.

Introduce ACL man pages en masse for library calls, and general introduction.

Also, fix acl_valid.c non-portable calls to include _np in their names,
making them standard-happy as well as consistent with acl.h

A few more touchups:
- clean up unneeded AFS ID type
- Add Coda, NTFS, NWFS ACL types
- Add acl_dup() prototype
- Remove acl_calc_mask, which belongs in the editing library
- Introduce posix1e.3, a man page introducing POSIX.1e library calls
(more man pages to follow)

Minor fixes to library interface to improve POSIX.1e compliance. This
adds _np to a couple of function prototypes that provided more broad/useful
interfaces than POSIX.1e interfaces included.

Also, move from using a heuristic to identify POSIX.1e-semantic ACLs to
using different ACL types for non-POSIX.1e ACLs. This should clean up the
existing fuzzy logic that determined when acl_sort() should be applied
before kernel submission.

Fix bde'isms in acl/extattr syscall interface, renaming syscalls to
prettier (?) names, adding some const's around here, et al.

This is commit 4 out of 3, updating the userland library to reflect kernel
interface changes.

Reviewed by: bde

acl_delete_default_file() changed to acl_delete_def_file()

Oops, didn't commit the Makefile for libposix1e--this should fix build
problems.

Reviewed by: eivind

libposix1e provides userland library calls for the POSIX.1e security
interface. This commit introduces the library, as well as a modest
subset of the ACL calls, with some modifications to support multiple
ACL semantics.

Reviewed by: eivind