Stop binding audio devices exposed by sndiod to physical devices

This a shift towards a new model: clients connect to logical devices
(created with -s option) then the server routes data to/from the
underlying physical device (registered with -f option). The binding
may be changed at run-time with the server.device control exposed by
sndioctl(1).

As audio devices exposed by sndiod(8) are not bound to fixed physical
devices anymore, the physical audio device number component of
sndio(7) descriptors was removed.

fixes, help from and ok denis, edd

Don't try to open device that's already open

Save the current alternate device index and skip it in
dev_reopen(). Handling alternate device indices this way will ease
future development as well.

Add API to control audio device parameters exposed by sndiod.

The API exposes controls of modern audio hardware and sndiod software
volume knobs in a uniform way. Hardware knobs are exposed through
sndiod. Multiple programs may use the controls at the same time
without the need to continuously scan the controls.

For now sndiod exposes only its own controls and the master output and
input volumes of the underlying hardware (if any), i.e. those
typically exposed by acpi volume keys.

ok deraadt

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

Don't try to open device that's already open

Save the current alternate device index and skip it in
dev_reopen(). Handling alternate device indices this way will ease
future development as well.

Add API to control audio device parameters exposed by sndiod.

The API exposes controls of modern audio hardware and sndiod software
volume knobs in a uniform way. Hardware knobs are exposed through
sndiod. Multiple programs may use the controls at the same time
without the need to continuously scan the controls.

For now sndiod exposes only its own controls and the master output and
input volumes of the underlying hardware (if any), i.e. those
typically exposed by acpi volume keys.

ok deraadt

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

Add API to control audio device parameters exposed by sndiod.

The API exposes controls of modern audio hardware and sndiod software
volume knobs in a uniform way. Hardware knobs are exposed through
sndiod. Multiple programs may use the controls at the same time
without the need to continuously scan the controls.

For now sndiod exposes only its own controls and the master output and
input volumes of the underlying hardware (if any), i.e. those
typically exposed by acpi volume keys.

ok deraadt

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

Don't try to send to device helper process if it's terminated.

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

Free memory in the error code-path, when we run out of descriptors
during initialization. From Michael W. Bombardieri, thanks.

Make code fit in 80 columns, remove trailing spaces & tabs.

hide forgotten debug printfs

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb