History log of /freebsd-current/lib/libutil/login_class.c
Revision Date Author Comments
# c7e64526 25-Jan-2024 Olivier Certner <olce@FreeBSD.org>

login_cap.h: Remove LOGIN_DEFPRI

This is an implementation detail which is likely to become irrelevant in
the future, as we move to not resetting the priority if the
corresponding capability is not present in the configuration file
('/etc/login.conf').

GitHub's code search and Google show no use of this public constant, and
it doesn't exist in OpenBSD and NetBSD.

So, remove this definition and its sole use in-tree.

PR: 276570 (exp-run)
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43609


# f2a0277d 30-May-2023 Olivier Certner <olce@FreeBSD.org>

setusercontext(): Set priority from '~/.login_conf' as well

Setting the process priority is done only when the current process'
effective UID corresponds to that for which context is to be set.
Consequently, setting priority is done with appropriate credentials and
will fail if the target user tries to raise it unduly via his
'~/.login_conf'.

PR: 271751
Reviewed by: kib, Andrew Gierth <andrew_tao173.riddles.org.uk>
Approved by: emaste (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40352


# d162d7e2 21-Jun-2023 Olivier Certner <olce@FreeBSD.org>

setclasspriority(): New possible value 'inherit'

It indicates to the login.conf machinery (setusercontext() /
setclasscontext()) to leave priority alone, effectively inheriting it
from the parent process.

PR: 271749
Reviewed by: emaste, yuripv
Approved by: emaste (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40690


# 7b94ec55 29-May-2023 Olivier Certner <olce@FreeBSD.org>

setusercontext(): Move priority setting in new setclasspriority()

In preparation for setting priorities from '~/.login_conf' and to ease
reading of setusercontext().

No functional change.

Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40350


# d988621b 29-May-2023 Olivier Certner <olce@FreeBSD.org>

setusercontext(): Better error messages when priority is not set correctly

Polish the syslog messages to contain readily useful information.

Behavior of capability 'priority' is inconsistent with what is done for
all other contexts: 'umask', 'cpumask', resource limits, etc., where an
absence of capability means to inherit the value. It is currently
preserved for compatibility, but is subject to change on a future major
release.

Reviewed by: emaste, kib (older version)
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40349


# 771d5c93 25-May-2023 Olivier Certner <olce@FreeBSD.org>

setlogincontext(): Comply to style(9)

Remove indentation by inverting the big 'if (lc)' and using 'return'.
Use explicit binary operators to produce booleans.

Reviewed by: emaste, kib, dchagin
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40346


# c328e6c6 20-Jun-2023 Olivier Certner <olce@FreeBSD.org>

setclassumask(): Accept 'inherit' as a value

'inherit' explicitly indicates that the umask should not be changed.

Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40687


# 0dd1705f 20-Jun-2023 Olivier Certner <olce@FreeBSD.org>

setusercontext(): Set umask in a separate function, setclassumask()

Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40686


# e99c28e9 25-May-2023 Olivier Certner <olce@FreeBSD.org>

setusercontext(): umask: Set it only once (in the common case)

Simplify the code and make it more coherent (umask was the only context
setting not modified by setlogincontext() directly).

Preserve the current behavior of not changing the umask if none is
specified in the login class capabilities database, but without the
superfluous umask() dance. (The only exception to this is that
a special value no user is likely to input in the database now stands
for no specification.)

If some user has a 'umask' override in its '~/.login_conf', the umask
will still be set twice as before (as is the case for all other context
settings overridden in '~/.login_conf').

Log a warning in case of an invalid umask specification.

This change makes it apparent that the value of LOGIN_DEFUMASK doesn't
matter. It will be removed in a subsequent commit.

PR: 271747
Reviewed by: emaste, kib (earlier version)
Approved by: emaste
MFC after: 3 days
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40344


# a2f733ab 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

lib: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix


# 892654fe 30-May-2023 Olivier Certner <olce.freebsd@certner.fr>

setusercontext(): Apply personal settings only on matching effective UID

Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
to getuid() before calling setlogincontext(). Doing so still allows
a setuid program to apply resource limits and priorities specified in
a user-controlled configuration file ('~/.login_conf') where
a non-setuid program could not. Plug the hole by checking instead that
the process' effective UID is the target one (which is likely what was
meant in the initial commit).

PR: 271750
Reviewed by: kib, des
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40351
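
Added example, not part of the commit or of FreeBSD's source: it compares the real-UID check and the effective-UID check described above over three constructed caller credential states. The `ex_` names, the UID 1001 and the scenarios are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define EX_USER ((uid_t)1001)	/* constructed target UID */

/* Constructed snapshot of a caller's credentials at setusercontext() time. */
struct ex_creds {
	const char *what;
	uid_t ruid;	/* real UID, what getuid() returns */
	uid_t euid;	/* effective UID, what geteuid() returns */
};

static const struct ex_creds ex_cases[] = {
	{ "login(1)-like caller already switched to the user", EX_USER, EX_USER },
	{ "setuid-root program started by the user", EX_USER, 0 },
	{ "root daemon that has not switched yet", 0, 0 },
};

/* Check from 35305a8dc114 as the message describes it: uid == getuid(). */
bool
ex_check_real(const struct ex_creds *c, uid_t target)
{
	return (target == c->ruid);
}

/* Check after this commit: the effective UID must be the target one. */
bool
ex_check_effective(const struct ex_creds *c, uid_t target)
{
	return (target == c->euid);
}

/* Count cases where '~/.login_conf' would be applied while the process
 * still runs with an effective UID other than the target user's. */
int
ex_count_unsafe(bool (*check)(const struct ex_creds *, uid_t))
{
	int n = 0;

	for (size_t i = 0; i < sizeof(ex_cases) / sizeof(ex_cases[0]); i++)
		if (check(&ex_cases[i], EX_USER) && ex_cases[i].euid != EX_USER)
			n++;
	return (n);
}

/* The same test against the live process, usable in a program of your own. */
bool
ex_may_apply_user_conf(uid_t target)
{
	return (geteuid() == target);
}

int
main(void)
{
	for (size_t i = 0; i < sizeof(ex_cases) / sizeof(ex_cases[0]); i++)
		printf("%-52s real-UID check: %d  effective-UID check: %d\n",
		    ex_cases[i].what, ex_check_real(&ex_cases[i], EX_USER),
		    ex_check_effective(&ex_cases[i], EX_USER));
	printf("unsafe cases: real=%d effective=%d\n",
	    ex_count_unsafe(ex_check_real), ex_count_unsafe(ex_check_effective));
	return (0);
}
```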


# bd572be7 25-May-2023 Olivier Certner <olce.freebsd@certner.fr>

setusercontext(): Fix gap when setting a realtime-class priority

The login.conf's "priority" capability allows to set priorities in the
idle or realtime classes in addition to the classical nice values (-20
to 20), through a natural extension where values greater than 20 put the
processes in the idle class (with priority adjusted within RTP_PRIO_MIN
and RTP_PRIO_MAX, 21 being converted to 0, 22 to 1, etc.) and values
lower than -20 put the process in the realtime class (with priority
adjusted within RTP_PRIO_MIN and RTP_PRIO_MAX, -21 being converted to
RTP_PRIO_MAX (31), -22 to 30, etc.).

Before this fix, in the latter case (realtime class), -21 was converted
to 30, and RTP_PRIO_MAX (31) could never be specified.

While here, change the priority computation for the idle-class case to
be symmetrical and use RTP_PRIO_MIN (in practice, this changes nothing
at all, since RTP_PRIO_MIN is 0; but this is the correct theoretical
formula, which would work as well with other values of RTP_PRIO_MIN).

PR: 271727
Reviewed by: imp, kib
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40339
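
Added example, not part of the commit or of FreeBSD's source: the "priority" mapping described above, written out with the values the message gives (nice range -20 to 20, RTP_PRIO_MIN 0, RTP_PRIO_MAX 31). The `ex_`/`EX_` names, the clamping of out-of-range values and the pre-fix formula (a constructed off-by-one form that reproduces the stated -21 to 30 result) are assumptions of this example.

```c
#include <stdio.h>

/* Values stated in the commit message. On FreeBSD the real macros live in
 * <sys/resource.h> and <sys/rtprio.h>; the EX_ copies keep this portable. */
#define EX_PRIO_MIN     (-20)
#define EX_PRIO_MAX     20
#define EX_RTP_PRIO_MIN 0
#define EX_RTP_PRIO_MAX 31

enum ex_class { EX_NICE, EX_IDLE, EX_REALTIME };

struct ex_sched {
	enum ex_class cls;
	long prio;		/* nice value, or level within the rtprio class */
};

/* Assumption of this example: out-of-range levels are clamped. */
static long
ex_clamp(long v)
{
	if (v < EX_RTP_PRIO_MIN)
		return (EX_RTP_PRIO_MIN);
	return (v > EX_RTP_PRIO_MAX ? EX_RTP_PRIO_MAX : v);
}

/* Mapping after the fix: 21 -> idle 0, 22 -> idle 1, -21 -> realtime 31. */
struct ex_sched
ex_map_priority(long p)
{
	struct ex_sched s = { EX_NICE, p };

	if (p > EX_PRIO_MAX) {
		s.cls = EX_IDLE;
		s.prio = ex_clamp(EX_RTP_PRIO_MIN + (p - (EX_PRIO_MAX + 1)));
	} else if (p < EX_PRIO_MIN) {
		s.cls = EX_REALTIME;
		s.prio = ex_clamp(EX_RTP_PRIO_MAX - ((EX_PRIO_MIN - 1) - p));
	}
	return (s);
}

/* Constructed off-by-one form reproducing the pre-fix result (-21 -> 30),
 * which leaves level 31 unreachable. Not the original source. */
long
ex_prefix_realtime(long p)
{
	return (ex_clamp(EX_RTP_PRIO_MAX - (EX_PRIO_MIN - p)));
}

int
main(void)
{
	static const long samples[] = { -52, -22, -21, -20, 0, 20, 21, 22, 52 };
	static const char *names[] = { "nice", "idle", "realtime" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct ex_sched s = ex_map_priority(samples[i]);
		printf("priority=%ld -> %s %ld\n", samples[i], names[s.cls], s.prio);
	}
	printf("pre-fix: priority=-21 -> realtime %ld\n", ex_prefix_realtime(-21));
	return (0);
}
```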


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# eeaf9d56 11-Apr-2021 Yuri Pankov <yuripv@FreeBSD.org>

setclassenvironment: trim leading spaces in variable names

Trim leading spaces in variable names when the list is e.g.
pretty-formatted in /etc/login.conf or ~/.login_conf.

PR: 247947
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D25649


# acf2957e 04-Feb-2020 Kyle Evans <kevans@FreeBSD.org>

login.conf(5): split MAIL env var out into a "mail" capability

This allows it to be easily suppressed in, e.g., the "daemon" class where it
will not be properly expanded.

This is a part of D21481.

Submitted by: Andrew Gierth <andrew_tao173.riddles.org.uk>


# ebea9e6d 02-Sep-2019 Mateusz Guzik <mjg@FreeBSD.org>

libutil: remove SIGSYS handling from setusercontext

It was a workaround for cases where the kernel lacks setloginclass(2),
added in the 9.x era.

Submitted by: Pawel Biernacki


# 250d9fd8 12-Mar-2016 Konstantin Belousov <kib@FreeBSD.org>

Fix handling of umtxp resource limit in sh(1)/ulimit(1), limits(1), add
login.conf(5) support.

Reviewed by: jilles
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D5610


# b149798e 29-Oct-2014 Dimitry Andric <dim@FreeBSD.org>

Fix a clang 3.5 warning about abs(3) being given an argument of type
quad_t in setusercontext(). While here, sanitize the clamping of the
priority value, and use the correct type for the return value of
login_getcapnum().

Reviewed by: kib
MFC after: 3 days


# 85a0ddfd 21-Oct-2013 Konstantin Belousov <kib@FreeBSD.org>

Add a resource limit for the total number of kqueues available to the
user. Kqueue now saves the ucred of the allocating thread, to
correctly decrement the counter on close.

Under some specific and not real-world use scenario for kqueue, it is
possible for the kqueues to consume memory proportional to the square
of the number of the file descriptors available to the process. Limit
allows administrator to prevent the abuse.

This is kernel-mode side of the change, with the user-mode enabling
commit following.

Reported and tested by: pho
Discussed with: jmg
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks


# 0bdc3ecf 09-Feb-2012 Eitan Adler <eadler@FreeBSD.org>

Fix NULL ptr dereference in setusercontext if pwd is null,
LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
setpriority) fails.

PR: kern/164238
Submitted by: Alexander Wittig <alexander@wittig.name>
Reviewed by: des
Approved by: cperciva
MFC after: 1 month


# 2bfc50bc 04-Mar-2011 Edward Tomasz Napierala <trasz@FreeBSD.org>

Add two new system calls, setloginclass(2) and getloginclass(2). This makes
it possible for the kernel to track login class the process is assigned to,
which is required for RCTL. This change also makes setusercontext(3) call
setloginclass(2) and makes it possible to retrieve current login class using
id(1).

Reviewed by: kib (as part of a larger patch)


# a7d5f7eb 19-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.


# 35305a8d 16-Aug-2010 Dag-Erling Smørgrav <des@FreeBSD.org>

In setusercontext(), do not apply user settings unless running as the
user in question (usually but not necessarily because we were called
with LOGIN_SETUSER). This plugs a hole where users could raise their
resource limits and expand their CPU mask.

MFC after: 3 weeks


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# c9253e93 23-Jun-2009 Konstantin Belousov <kib@FreeBSD.org>

Usermode portion of the support for swap allocation accounting:
- update for getrlimit(2) manpage;
- support for setting RLIMIT_SWAP in login class;
- addition to the limits(1) and sh and csh limit-setting builtins;
- tuning(7) documentation on the sysctls controlling overcommit.

In collaboration with: pho
Reviewed by: alc
Approved by: re (kensmith)


# ea234e65 04-Nov-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

MFH (r184633, r184635): build at WARNS level 6


# b8a5cd86 04-Nov-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Avoid assigning a const char * to a char *.

MFC after: 3 weeks


# 06927900 04-Nov-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Committed to wrong branch.


# ceae29a4 04-Nov-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Avoid assigning a const char * to a char *.

MFC after: 3 weeks


# 2d057ca6 20-Oct-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Parenthesize return values.


# 7cc027a3 20-Oct-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

include and whitespace cleanup.


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# bc093719 20-Aug-2008 Ed Schouten <ed@FreeBSD.org>

Integrate the new MPSAFE TTY layer to the FreeBSD operating system.

The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

The old TTY layer has a driver model that is not abstract enough to
make it friendly to use. A good example is the output path, where the
device drivers directly access the output buffers. This means that an
in-kernel PPP implementation must always convert network buffers into
TTY buffers.

If a PPP implementation would be built on top of the new TTY layer
(still needs a hooks layer, though), it would allow the PPP
implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

With the old TTY layer, it isn't entirely safe to destroy TTY's from
the system. This implementation has a two-step destructing design,
where the driver first abandons the TTY. After all threads have left
the TTY, the TTY layer calls a routine in the driver, which can be
used to free resources (unit numbers, etc).

The pts(4) driver also implements this feature, which means
posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

One of the major improvements is the per-TTY mutex, which is expected
to improve scalability when compared to the old Giant locking.
Another change is the unbuffered copying to userspace, which is both
used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from: //depot/projects/mpsafetty/...
Approved by: philip (ex-mentor)
Discussed: on the lists, at BSDCan, at the DevSummit
Sponsored by: Snow B.V., the Netherlands
dcons(4) fixed by: kan


# d84c4292 25-Jul-2008 Brooks Davis <brooks@FreeBSD.org>

Add support for a new login capability, cpumask which allows login
sessions to be pinned to cpus by login class.


# f855462a 01-May-2007 Yaroslav Tykhiy <ytykhiy@gmail.com>

Fix one kind of style(9) bug and a typo in a comment.

Tested with: md5(1)


# d210c39f 29-Oct-2003 Tim J. Robbins <tjr@FreeBSD.org>

Remove __NETBSD_SYSCALLS.


# 547fa0d9 18-Oct-2003 Mark Murray <markm@FreeBSD.org>

ANSIfy, WARNSify, CONSTify. Bit of style(9)-ify.


# 0ebec5d3 14-Jun-2003 Mark Murray <markm@FreeBSD.org>

Tidy up. Sort headers.


# 433c28e0 12-Nov-2002 Robert Watson <rwatson@FreeBSD.org>

Add LOGIN_SETMAC to the list of flags that can't be set without class
information, since we rely on the pwd entry to know what MAC labels
to set as part of the login process.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories


# 84333872 22-Oct-2002 Robert Watson <rwatson@FreeBSD.org>

If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see
if the user has a 'label' entry in their login class. If so, attempt
to set that label on the process as part of the credential setup. If
we're unable to parse the label, or unable to set the label, fail.
In the future, we may also want to warn if a label is set but the
kernel doesn't support MAC.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories


# cc1b8dcb 28-Jun-2002 Andrey A. Chernov <ache@FreeBSD.org>

Add additional field 'overwrite' to login_vars. It is mainly needed to handle
"term" according to manpage, i.e. not overwrite it, if already present in
environment.


# 67577126 25-Jun-2002 Matthew Dillon <dillon@FreeBSD.org>

Make libutil aware of vmemoryuse in its login.conf cap processing (aka
sshd, /usr/bin/login, etc)


# b00ba4cc 08-Apr-2002 Ruslan Ermilov <ru@FreeBSD.org>

Const poisoning.


# 8719c58f 30-Sep-2001 Matthew Dillon <dillon@FreeBSD.org>

Add __FBSDID()s to libutil


# 0c697857 14-Jul-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Make sbsize a size instead of a number. This allows the usual suffixes
to be applied to the value given. This does not break installed
/etc/login.conf files, since un-suffixed numbers are interpreted as
they were before.

PR: 19750
Submitted by: Paul Herman <pherman@frenchfries.net>


# 36807a7b 19-Jan-2000 Ruslan Ermilov <ru@FreeBSD.org>

Do not set the default terminal type to "su", leave it empty.

PR: bin/5084
Reviewed by: asmodai, davidn, sef


# 6b3ced11 09-Oct-1999 Brian Feldman <green@FreeBSD.org>

This implements the RLIMIT_SBSIZE ("sbsize") administrative limits for
userland. Currently, it can be enforced by login and csh. More
shells supporting sbsize are welcome.


# 7f3dea24 27-Aug-1999 Peter Wemm <peter@FreeBSD.org>

$Id$ -> $FreeBSD$


# 121ba32d 13-May-1999 Andrey A. Chernov <ache@FreeBSD.org>

fix potential memory overwrite in escape parsing

PR: 11687
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>


# 9f3a9c3a 29-Jul-1998 Andrey A. Chernov <ache@FreeBSD.org>

Print uid/gid as u_long per bde suggestion


# e8f9ae6c 27-Jul-1998 Andrey A. Chernov <ache@FreeBSD.org>

cast arg to (long) to match format


# ac4898ab 03-Jun-1998 John Birrell <jb@FreeBSD.org>

If using NetBSD syscalls the rtprio syscall doesn't exist, so just
don't try to use it to set special priorities.


# e172f0e5 24-May-1998 Steve Price <steve@FreeBSD.org>

Allow setting of idle or realtime processing priorities per
login class.

PR: 6636
Submitted by: Jason Young <doogie@forbidden-donut.anet-stl.com>


# 56c04344 10-May-1997 David Nugent <davidn@FreeBSD.org>

Summary of login.conf support changes:

o Incorporated BSDI code and enhancements, better logging for error
checking (which has been shown to be a problem, and is therefore
justified, imho); also some minor things we were missing, including
better quad_t math, which checks for under/overflows.

o setusercontext() now allows user resource limit overrides, but
does this AFTER dropping root privs, to restrict the user to
dropping hard limits and set soft limits within the kernel's
allowed user limits.

o umask() only set once, and only if requested.

o add _secure_path(), and use in login.conf to guard against
symlinks etc. and non-root owned or non-user owned files being
used. Derived from BSDI contributed code.

o revamped authentication code to BSDI's latest api, which
includes deleting authenticate() and adding auth_check()
and a few other functions. This is still marked as deprecated
in BSDI, but is included for completeness. No other source
in the tree uses this anyway, so it is now bracketed with
#ifdef LOGIN_CAP_AUTH which is by default not defined. Only
auth_checknologin() and auth_cat() are actually used in
module login_auth.c.

o AUTH_NONE definition removed (collided with other includes
in the tree). [bde]

o BSDI's login_getclass() now accepts a char *classname
parameter rather than struct passwd *pwd. We now do likewise,
but added login_getpwclass() for (sort of) backwards
compatibility, namely because we handle root as a special
case for the default class. This will require quite a few
changes elsewhere in the source tree.

o We no longer pretend to support rlim_t as a long type.

o Revised code formatting to be more bsd-ish style.


# 7e546392 22-Feb-1997 Peter Wemm <peter@FreeBSD.org>

Revert $FreeBSD$ to $Id$


# 0df75c02 28-Jan-1997 David Nugent <davidn@FreeBSD.org>

#include <sys/stat.h> for umask() prototype.


# 1130b656 14-Jan-1997 Jordan K. Hubbard <jkh@FreeBSD.org>

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.


# 1c594de5 07-Jan-1997 David Nugent <davidn@FreeBSD.org>

Various bugfixes.


# 68bbf3ad 04-Jan-1997 David Nugent <davidn@FreeBSD.org>

Library functions relating to the login class capabilities database,
including manpages.
See also login_cap.h.