Stop binding audio devices exposed by sndiod to physical devices

This a shift towards a new model: clients connect to logical devices
(created with -s option) then the server routes data to/from the
underlying physical device (registered with -f option). The binding
may be changed at run-time with the server.device control exposed by
sndioctl(1).

As audio devices exposed by sndiod(8) are not bound to fixed physical
devices anymore, the physical audio device number component of
sndio(7) descriptors was removed.

fixes, help from and ok denis, edd

When an audio device is disconnected, drop MIDI clients controlling it

On error, drop clients and close the device only if it's still open

Fixes crashes when USB devices are disconnected, caused by an attempt
to close the already closed device: it was closed once when its ref
counter drops to zero (after the last client is disconnected) and once
with an explicit call to dev_close() on the error code-path.

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@

When an audio device is disconnected, drop MIDI clients controlling it

On error, drop clients and close the device only if it's still open

Fixes crashes when USB devices are disconnected, caused by an attempt
to close the already closed device: it was closed once when its ref
counter drops to zero (after the last client is disconnected) and once
with an explicit call to dev_close() on the error code-path.

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@

On error, drop clients and close the device only if it's still open

Fixes crashes when USB devices are disconnected, caused by an attempt
to close the already closed device: it was closed once when its ref
counter drops to zero (after the last client is disconnected) and once
with an explicit call to dev_close() on the error code-path.

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@

When opening a device, loop over the alternate devices list in the
worker process instead of the helper process. It is simpler this way
and allows the worker to properly log which device is being used.

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@

Allow switching between devices without disconnecting clients.

The new -F option allows alternate device to be specified. If the
device is disconnected, the one given with the last -f or -F options
will be used instead. Similarly, the new -Q option allows an alternate
MIDI port to be specified.

ok mpi@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@

In case of a bug in sndiod, an attacker (a local user) could run
arbitrary code as user _sndio, i.e. get a second uid.

Mitigate the risk by implementing initial privilege separation as
follows. Break sndiod in two processes: a chroot()ed "worker" process
processing input, and a non-chroot()ed "helper" process opening
devices and passing descriptors to the worker.

With help from benno, claudio, semarie and gilles.

ok benno, semarie and tb

drain midi port output buffer before closing it ensuring the last
few bytes are not lost

Process incoming MIDI data on the fly rather than using an
input fifo; besides being simpler, this way there's no data
to drain when a connection is dropped.

Remplace aucat server by a new sndiod daemon aimed to be simpler
smaller and faster than aucat. It's a drop in replacement with the
following exceptions that don't affect the default setup:
- The sample rate and the encoding are a per-device parameters
thus -r and -e options must precede the corresponding -f option
- MIDI thru boxes are dynamically created and no -M option
is required anymore, so -M was removed.
- MIDI ports are exposed with a new ``midi/N'' name, rather
than abusing MIDI thru boxes.
with help from armani@, ok deraadt@