History log of /freebsd-current/lib/libc/gen/wordexp.c
Revision Date Author Comments
# 559a218c 01-Nov-2023 Warner Losh <imp@FreeBSD.org>

libc: Purge unneeded cdefs.h

These sys/cdefs.h are not needed. Purge them. They are mostly left-over
from the $FreeBSD$ removal. A few in libc are still required for macros
that cdefs.h defines. Keep those.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D42385


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


# d915a14e 25-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

libc: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
open source licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.


# 9f36610f 12-Mar-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

libc: provide some bounds-checking through reallocarray(3).

reallocarray(3) is a non portable extension that originated in OpenBSD.
Given that it is already in FreeBSD's libc it is useful for the cases
where reallocation involves a multiplication.

MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D9955


# d358fa78 30-Sep-2015 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp: Rewrite to make WRDE_NOCMD reliable.

Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The basic concept is:
    execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f \"$2\"",
        "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().

The new we_check() is an optimistic check that all the characters
<newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.

Reviewed by: wblock (man page only)
MFC after: 2 weeks
Relnotes: yes
Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
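
Added example (not part of the FreeBSD commit or its source): a caller that passes untrusted text to wordexp() with WRDE_NOCMD and treats every non-zero status as a rejection, exercising the WRDE_CMDSUB and WRDE_BADCHAR cases the message above describes. The helper names expand_untrusted() and status_name() and the sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <wordexp.h>

/* Hypothetical wrapper: expand untrusted text with command substitution
 * refused. Returns the wordexp() status; *nwords is the word count on
 * success and 0 otherwise. */
static int expand_untrusted(const char *input, size_t *nwords)
{
    wordexp_t we = {0};
    int rc = wordexp(input, &we, WRDE_NOCMD);

    *nwords = 0;
    if (rc == 0)
        *nwords = we.we_wordc;
    /* POSIX allows partial results to be stored on WRDE_NOSPACE. */
    if (rc == 0 || rc == WRDE_NOSPACE)
        wordfree(&we);
    return rc;
}

/* Map a wordexp() status to its symbolic name for logging. */
static const char *status_name(int rc)
{
    switch (rc) {
    case 0:            return "ok";
    case WRDE_BADCHAR: return "WRDE_BADCHAR";
    case WRDE_BADVAL:  return "WRDE_BADVAL";
    case WRDE_CMDSUB:  return "WRDE_CMDSUB";
    case WRDE_NOSPACE: return "WRDE_NOSPACE";
    case WRDE_SYNTAX:  return "WRDE_SYNTAX";
    default:           return "unknown";
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from the commit. */
    const char *samples[] = {
        "alpha beta", "'a;b'", "a;b", "$(echo x)", "`echo x`",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t n;
        int rc = expand_untrusted(samples[i], &n);
        printf("%-12s -> %s (%zu words)\n", samples[i],
            status_name(rc), n);
    }
    return 0;
}
```

A quoted metacharacter ('a;b') expands to one word, while the same character unquoted is refused with WRDE_BADCHAR and both substitution forms are refused with WRDE_CMDSUB.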


# bd6060a1 29-Aug-2015 Konstantin Belousov <kib@FreeBSD.org>

Switch libc from using _sig{procmask,action,suspend} symbols, which
are aliases for the syscall stubs and are plt-interposed, to the
libc-private aliases of internally interposed sigprocmask() etc.

Since e.g. _sigaction is not interposed by libthr, calling signal()
removes thr_sighandler() from the handler slot etc. The result was
breaking signal semantics and rtld locking.

The added __libc_sigprocmask and other symbols are hidden, they are
not exported and cannot be called through PLT. The setjmp/longjmp
functions for x86 were changed to use direct calls, and since
PIC_PROLOGUE is only needed for functional PLT indirection on i386, it is
removed as well.

The PowerPC bug of calling the syscall directly in the setjmp/longjmp
implementation is kept as is.

Reported by: Pete French <petefrench@ingresso.co.uk>
Tested by: Michiel Boland <boland37@xs4all.nl>
Reviewed by: jilles (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week


# 89cead33 19-Aug-2015 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Improve some error codes.

Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error
occurred (parsing or execution), not based on whether WRDE_UNDEF was passed.

Also, return WRDE_NOSPACE for a few more unexpected results from sh.


# 842ad8ac 16-Aug-2015 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Stop using the undocumented wordexp builtin.

The functionality of the wordexp builtin is easily replaced using normal
shell code, although performance is slightly worse.

This does not mean that wordexp() will remain shell-independent -- a fully
reliable implementation of WRDE_NOCMD is really only possible using
extensions to the shell, or by adding much of the shell's code to libc.


# 2f61288c 31-Mar-2015 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp: Explicitly pass along IFS.

Per Austin group issue #884, sh should not import IFS from the environment
but always set it to $' \t\n'. For wordexp(), however, it is documented and
useful for it to use IFS from the environment.

Since sh currently imports IFS from the environment, this change has no
functional effect.

MFC after: 1 week


# f6d7148d 27-Aug-2013 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Avoid leaking the pipe file descriptors to a parallel fork/exec.

This uses the new pipe2() system call added on May 1 (r250159).


# 8d0f6b5f 23-Jul-2013 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Fix syntax validation for backslashes in single-quotes.


# ae4c676c 09-May-2013 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Simplify code by deferring work to sh.


# 70d41b58 01-Apr-2013 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(): Remove wrong IFS usage.

Words in shell script are separated by spaces or tabs independent of the
value of IFS. The value of IFS is only relevant for the result of
substitutions. Therefore, there should be a space between 'wordexp' and the
words to be expanded, not an IFS character.

Paranoia might dictate that the shell ignore IFS from the environment (even
though our sh currently uses it), so do not depend on it in the new test
case.


# a7d5f7eb 19-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# 2ffbb2ce 06-Dec-2009 Jilles Tjoelker <jilles@FreeBSD.org>

MFC r198406: wordexp(3): fix some bugs with signals and long outputs

* retry various system calls on EINTR
* retry the rest after a short read (common if there is more than about 1K
of output)
* block SIGCHLD like system(3) does (note that this does not and cannot
work fully in threaded programs, they will need to be careful with wait
functions)

PR: 90580


# 28f22238 01-Dec-2009 Garrett Wollman <wollman@FreeBSD.org>

MFC revs 199781,199782,199784,199785,199786:

Eliminate dead stores.

In __mbsconv(), if prec was zero, nconv could have been used
uninitialized. Initialize it to a safe value so that there's no
chance of returning an error if stack garbage happens to be equal to
(size_t)-1 or (size_t)-2.

In svc_raw_reply(), don't leave stat uninitialized if the MSG_ACCEPTED
&& SUCCESS case succeeds. The stack garbage might be zero.

In clnt_raw_create(), avoid minor race condition initializing the
file-scope variable clntraw_private.

Found by: Clang static analyzer


# 0c0349bf 24-Nov-2009 Garrett Wollman <wollman@FreeBSD.org>

Eliminate more dead stores.

Found by: Clang static analyzer
MFC after: 7 days


# 364e9ccb 23-Oct-2009 Jilles Tjoelker <jilles@FreeBSD.org>

wordexp(3): fix some bugs with signals and long outputs
* retry various system calls on EINTR
* retry the rest after a short read (common if there is more than about 1K
of output)
* block SIGCHLD like system(3) does (note that this does not and cannot
work fully in threaded programs, they will need to be careful with wait
functions)

PR: 90580
MFC after: 1 month


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# b7114d4a 30-Jun-2004 Tim J. Robbins <tjr@FreeBSD.org>

Fix typo: WRDE_DOOFS -> WRDE_DOOFFS.

Noticed by: Stoned Elipot


# 7937c23d 09-Apr-2004 Tim J. Robbins <tjr@FreeBSD.org>

Terminate execl()'s argument list with a null pointer instead of a
null pointer constant. (The latter may be an integer constant, which
is not correct here.)

Submitted by: Stefan Farfeleder


# 2005f192 06-Jan-2003 Tim J. Robbins <tjr@FreeBSD.org>

Use hidden names (_close, _dup2, _waitpid, etc.) where appropriate.


# fe634ca7 03-Jan-2003 Tim J. Robbins <tjr@FreeBSD.org>

Fix a number of bugs noticed by more extensive testing:
o Call waitpid() if an error occurs after forking the child process
to avoid leaving zombies around.
o Handle the WRDE_DOOFS|WRDE_APPEND combination correctly
o Do not confuse $( substitution with $(( shell arithmetic
(noticed by wollman)
o Handle backslash escaping properly
o Allow $( and ${ to be quoted


# 97c1c8f8 26-Dec-2002 Tim J. Robbins <tjr@FreeBSD.org>

Be more consistent with "static".


# faea1495 26-Dec-2002 Tim J. Robbins <tjr@FreeBSD.org>

Add an implementation of the POSIX wordexp() and wordfree() functions,
which perform shell-style word expansion on strings. This is still a
little rough around the edges.

PR: 13420