Stop printing the "syscall" bit related to msyscall(2), since the subsystem
is being deleted.

change default output to -a format; ok tb

Show the entry immutable bit in the various output formats.

MAXCOMLEN is no longer needed in these programs, so remove the annotation
from sys/param.h include lines, or remove the include lines entirely if
it this was the least requirement.
ok millert

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types

rough cut of netbsd's pmap process memory map inspector.
initially from drahn@, renamed to procmap to avoid conflict with
unrelated pmap(9).
works more or less as advertised, could definitely use some work though.
would be really nice if somebody made it use sysctl and not kmem.
more or less ok deraadt@ drahn@

change default output to -a format; ok tb

Show the entry immutable bit in the various output formats.

MAXCOMLEN is no longer needed in these programs, so remove the annotation
from sys/param.h include lines, or remove the include lines entirely if
it this was the least requirement.
ok millert

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types

rough cut of netbsd's pmap process memory map inspector.
initially from drahn@, renamed to procmap to avoid conflict with
unrelated pmap(9).
works more or less as advertised, could definitely use some work though.
would be really nice if somebody made it use sysctl and not kmem.
more or less ok deraadt@ drahn@

Show the entry immutable bit in the various output formats.

MAXCOMLEN is no longer needed in these programs, so remove the annotation
from sys/param.h include lines, or remove the include lines entirely if
it this was the least requirement.
ok millert

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types

rough cut of netbsd's pmap process memory map inspector.
initially from drahn@, renamed to procmap to avoid conflict with
unrelated pmap(9).
works more or less as advertised, could definitely use some work though.
would be really nice if somebody made it use sysctl and not kmem.
more or less ok deraadt@ drahn@

MAXCOMLEN is no longer needed in these programs, so remove the annotation
from sys/param.h include lines, or remove the include lines entirely if
it this was the least requirement.
ok millert

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types

rough cut of netbsd's pmap process memory map inspector.
initially from drahn@, renamed to procmap to avoid conflict with
unrelated pmap(9).
works more or less as advertised, could definitely use some work though.
would be really nice if somebody made it use sysctl and not kmem.
more or less ok deraadt@ drahn@

sys/proc.h requires sys/signal.h (will become visible when sys/param.h
is removed)

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types

rough cut of netbsd's pmap process memory map inspector.
initially from drahn@, renamed to procmap to avoid conflict with
unrelated pmap(9).
works more or less as advertised, could definitely use some work though.
would be really nice if somebody made it use sysctl and not kmem.
more or less ok deraadt@ drahn@

correct order of region bits for -a case: rwxSepc

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

dev_t is signed to permit passing -1 as an invalid condition, but the
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther

Fix description of -v and implement -v for -a showing holes; ok deraadt@

procmap fumbles with uvm_map_addr structures, which are now in RBTs

it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.

so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.

it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.

im putting this in now to unbreak the tree. it can be polished after
coffee/naps.

Re-introduce vnode-to-filename mapping

The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.

"nice stuff" deraadt@

Must extract uvm_vnode from uvm_object first before reading the vnode

Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.

ok deraadt@

Remove am_maxslot from amap.

am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.

This also removes the corresponding output from procmap(1).

ok kettenis@

Also print the fspace member of map entries when PRINT_VM_MAP_ENTRY is
requested.

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

There really isn't a strict "heap" anymore, so just call everything like
that an anon. Useful change since BRKSIZ will soon leave the namespace.
ok kettenis

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove tendrils of namei dumping code

use strtonum

get ready for big ino_t; ok gunther@

Don't bother printing vm_swrss of a process, the current uvm accounting
logic never sets this value.

pretty-print bigger ino_t variables

revert 1.45. it depended on a kernel change we will not be making, and
the old code was cleaner

for the sake of argument, let's pretend this #if 0 code isn't wanted

rework the main loop so we can drop kmem privs a little later,
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt

revert, that restriction is already enforced the right way

Only root can look at the kernel address space.

document a safe cast, which should be (unsigned int) instead of simply
(unsigned)

Userspace counterpart of new vmmap.

Allows memory walks to function.

Userland counterpart of the vmmap backout; cranks major version of libkvm.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

BRKSIZ is the right constant now, so I don't get lots of teeny tiny heaps
mixed up in my address space.

Switch back from KERN_PROC2/kinfo_proc2 to KERN_PROC/kinfo_proc now
that we've got name we want for the API we want

"ZAP!" deraadt@

Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'
for chars.

Remove portalfs.

While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.

ok krw@, deraadt@, guenther@, miod@.
comments from jmc@

Update nlist array and uncomment a few things to pave the way for upcoming
new name cache information gathering code.

Namecache revamp.

This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)

This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.

Tested by many, including in thib's nfs test setup.

ok oga@,art@,thib@,miod@

No longer consider kernel pointers invalid if pointing under the kernel
load address (hello, PMAP_DIRECT architectures). Makes procmap walk the
kernel name cache correctly.
ok art@

document -A and include in usage

Add a flag to print amap usage.
otto@ ok

First pass at removing clauses 3 and 4 from NetBSD licenses.

Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.

OK deraadt@

Define a new flag, UVM_FLAG_HOLE, for uvm_map to create a vm_map_entry of
a new etype, UVM_ET_HOLE, meaning it has no backend.

UVM_ET_HOLE entries (which should be created as UVM_PROT_NONE and with
UVM_FLAG_NOMERGE and UVM_FLAG_HOLE) are skipped in uvm_unmap_remove(), so
that pmap_{k,}remove() is not called on the entry.

This is intended to save time, and behave better, on pmaps with MMU holes
at process exit time.

ok art@, kettenis@ provided feedback as well.

Use kinfo_proc2 instead of kinfo_proc.

ok art@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

Zap a bunch of unused VT_* tags.

ok tedu@,pedro@

kill some commented "struct proc *", and knf while there; ok ray

Don't warn for kernel_text being zero on (some) m68k systems.

Remove fdescfs

Remove kernfs, okay deraadt@.

kill stackable filesystems ghosts

setresgid; ok deraadt@

Use the return value from getopt() instead of optopt in non-error
cases since optopt is not set in these cases, and it is not required
by POSIX that it should be.

ok millert otto

[From: Joris Vink]
Use strtonum(3) instead of strtol(3). ok deraadt@ & me

Off by 1 ! OK millert@, tedu@

more accurate msg, pr3713 from Andre Lucas

make sure we don't backwards before buffer

buffer len paranoia

if the heap is non-exec, it makes it hard to find by looking for an exec
mapping. much better heuristic.

unknown is less ugly than ??, and not a trigraph. requested by deraadt

no peeking at kernel or other processes for normal users. ok deraadt@

pedro martelletto tells me stroul returns an unsigned long which
may be bigger than a pid_t

strtoul for getting pid. ok and numerous hints from deraadt@
also correct errbuf size

revoke privs asap; tedu ok

a pinch of knf

little cleanup. strlcat. usage. don't call atoi on non-numbers.
mostly spotted by deraadt@

printing (null) is not so useful. instead print names of missing symbols
with a useful message.

malloc checks, strlcpy. based on patch from Vink Joris <nimadeus@pandora.be>

catch all vnode types