ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later

ok kettenis@

whitespace

Replace heaps of hand-written syscall stubs with a simpler framework
which is largely MI.
ok visa kettenis

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

ld.so doesn't need gettimeofday or lstat stubs any more

ok deraadt@

Teach arm to pass &_DYNAMIC to _dl_boot_bind(); can optimize later in tree

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

ldd(1) sets environment variable LD_TRACE_LOADED_OBJECTS to tell ld.so
that it should show information about the program it loads, rather than
run it. In that specific case, ld.so can pledge to "stdio rpath" to
ensure that code path in ld.so has no bugs.
Yes, a pledge in ld.so.... who'd have thought!
ok guenther

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Rename __sysctl syscall to just sysctl, as the userland wrapper is no longer
necessary

ok deraadt@ jsing@

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

_dl_fcntl() is no longer used; kill the stubs

ok otto@ miod@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Unlike libc syscall stubs, ld.so syscall stubs are expected to return -errno,
rather than -1, upon failure.

Even though nothing in ld.so currently needs to explicitely check for specific
error values, consistency doesn't hurt.

Pass _dl_dtors as the csu cleanup routine on arm.

Switch time_t, ino_t, clock_t, and struct kevent's ident and data
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.

Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world are
are happy with the snapshots for all architectures.

DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.

Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

Zero %r0 before transferring control to the main program, to indicate that
the main program should not register a cleanup handler with atexit(3).
This will allow us to add the cleanup handler registration code to crt0.c
and have ld.so pass its cleanup handler to the main program in the future.

tested by tobiasu@
ok kurt@

Garbage-collect the _dl_stat() routine, now unused

ok matthew@ deraadt@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

Use libc's SYS.h and SYSTRAP instead of rolling own. No binary change.

spacing

Enable lazy binding on arm:
_dl_bind_start inspired by netbsd.
changed a define to LD_ALLOW_WRITABLE_TEXT, should this be allowed?
remove plt protect code, arm has a text PLT.
relocate the got entries associated with the plt.
perform got protect/unprotect for lazy binding updates.

Use macros to reduce the amount of hand written asm. inspired by future amd64
code. no functional change.

Dynamic linker support for arm. non-lazy binding works.

whitespace

Replace heaps of hand-written syscall stubs with a simpler framework
which is largely MI.
ok visa kettenis

On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().

prompted by a complaint from jsing@
ok jsing@ deraadt@

ld.so doesn't need gettimeofday or lstat stubs any more

ok deraadt@

Teach arm to pass &_DYNAMIC to _dl_boot_bind(); can optimize later in tree

Use a Thread Information Block in both single and multi-threaded programs.
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!

Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!

Clean up libpthread's symbol exports like libc.

On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.

Testing by various, particularly sthen@ and patrick@
ok kettenis@

Rename the system call sendsyslog2 to sendsyslog. Keep the old one
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@

Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
and pass the LOG_CONS flag like libc's handler.

ok deraadt@ bluhm@ (who had a similar diff)

ldd(1) sets environment variable LD_TRACE_LOADED_OBJECTS to tell ld.so
that it should show information about the program it loads, rather than
run it. In that specific case, ld.so can pledge to "stdio rpath" to
ensure that code path in ld.so has no bugs.
Yes, a pledge in ld.so.... who'd have thought!
ok guenther

kbind has eliminated the need for and use of the bind lock. Delete it, the
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.

discussed with miod@ at l2k15
ok kettenis@

Rename __sysctl syscall to just sysctl, as the userland wrapper is no longer
necessary

ok deraadt@ jsing@

Now that we have sendsyslog(2), we can directly use it in the
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu

_dl_fcntl() is no longer used; kill the stubs

ok otto@ miod@

move from sysclt(KERN_ARND) to getentropy(2); ok miod@, kettenis@

Unlike libc syscall stubs, ld.so syscall stubs are expected to return -errno,
rather than -1, upon failure.

Even though nothing in ld.so currently needs to explicitely check for specific
error values, consistency doesn't hurt.

Pass _dl_dtors as the csu cleanup routine on arm.

Switch time_t, ino_t, clock_t, and struct kevent's ident and data
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.

Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world are
are happy with the snapshots for all architectures.

DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.

Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@

Introduce ltrace(1). This tool works with ld.so to inject utrace record for
each plt call, allowing to trace a binary linked against shared library at the
public function call level.

To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.

Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.

"Get it in" deraadt

- Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
Improvements and okay matthew@, millert@, guenther@

Zero %r0 before transferring control to the main program, to indicate that
the main program should not register a cleanup handler with atexit(3).
This will allow us to add the cleanup handler registration code to crt0.c
and have ld.so pass its cleanup handler to the main program in the future.

tested by tobiasu@
ok kurt@

Garbage-collect the _dl_stat() routine, now unused

ok matthew@ deraadt@

prebind - how to prelink a binary without throwing security out the window

Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.

Still under development, now in-tree.

Use libc's SYS.h and SYSTRAP instead of rolling own. No binary change.

spacing

Enable lazy binding on arm:
_dl_bind_start inspired by netbsd.
changed a define to LD_ALLOW_WRITABLE_TEXT, should this be allowed?
remove plt protect code, arm has a text PLT.
relocate the got entries associated with the plt.
perform got protect/unprotect for lazy binding updates.

Use macros to reduce the amount of hand written asm. inspired by future amd64
code. no functional change.

Dynamic linker support for arm. non-lazy binding works.