>> - Jamie
>>
>>
>> On 2018-08-16 13:27, Rodney W. Grimes wrote:
>> >> Author: jamie
>> >> Date: Thu Aug 16 19:09:43 2018
>> >> New Revision: 337925
>> >> URL: https://svnweb.freebsd.org/changeset/base/337925
>> >>
>> >> Log:
>> >> Revert r337922, except for some documention-only bits. This needs
>> >> to wait
>> >> until user is changed to stop using jail(2).
>> >
>> > Can we please stop doing "partial" reverts, it makes log
>> > tracking and sorting out stuff later more difficult.
>> >
>> > If something is seperable and needs to stay it is best
>> > to revert the whole commit, and then commit with a proper
>> > log exactly what it is that you did not want to revert.
>> >
>> >>
>> >> Differential Revision: D14791
>> >>
>> >> Modified:
>> >> head/lib/libc/sys/jail.2
>> >> head/sys/compat/freebsd32/freebsd32_misc.c
>> >> head/sys/compat/freebsd32/freebsd32_proto.h
>> >> head/sys/compat/freebsd32/freebsd32_syscall.h
>> >> head/sys/compat/freebsd32/freebsd32_syscalls.c
>> >> head/sys/compat/freebsd32/freebsd32_sysent.c
>> >> head/sys/compat/freebsd32/freebsd32_systrace_args.c
>> >> head/sys/compat/freebsd32/syscalls.master
>> >> head/sys/kern/init_sysent.c
>> >> head/sys/kern/kern_jail.c
>> >> head/sys/kern/syscalls.c
>> >> head/sys/kern/syscalls.master
>> >> head/sys/kern/systrace_args.c
>> >> head/sys/sys/jail.h
>> >> head/sys/sys/syscall.h
>> >> head/sys/sys/syscall.mk
>> >> head/sys/sys/syscallsubr.h
>> >> head/sys/sys/sysproto.h
>> >>
>> >> Modified: head/lib/libc/sys/jail.2
>> >>
==============================================================================
>> >> --- head/lib/libc/sys/jail.2 Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/lib/libc/sys/jail.2 Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -25,10 +25,11 @@
>> >> .\"
>> >> .\" $FreeBSD$
>> >> .\"
>> >> -.Dd August 16, 2018
>> >> +.Dd February 8, 2012
>> >> .Dt JAIL 2
>> >> .Os
>> >> .Sh NAME
>> >> +.Nm jail ,
>> >> .Nm jail_get ,
>> >> .Nm jail_set ,
>> >> .Nm jail_remove ,
>> >> @@ -40,6 +41,8 @@
>> >> .In sys/param.h
>> >> .In sys/jail.h
>> >> .Ft int
>> >> +.Fn jail "struct jail *jail"
>> >> +.Ft int
>> >> .Fn jail_attach "int jid"
>> >> .Ft int
>> >> .Fn jail_remove "int jid"
>> >> @@ -50,7 +53,74 @@
>> >> .Fn jail_set "struct iovec *iov" "u_int niov" "int flags"
>> >> .Sh DESCRIPTION
>> >> The
>> >> +.Fn jail
>> >> +system call sets up a jail and locks the current process in it.
>> >> +.Pp
>> >> +The argument is a pointer to a structure describing the prison:
>> >> +.Bd -literal -offset indent
>> >> +struct jail {
>> >> + uint32_t version;
>> >> + char *path;
>> >> + char *hostname;
>> >> + char *jailname;
>> >> + unsigned int ip4s;
>> >> + unsigned int ip6s;
>> >> + struct in_addr *ip4;
>> >> + struct in6_addr *ip6;
>> >> +};
>> >> +.Ed
>> >> +.Pp
>> >> +.Dq Li version
>> >> +defines the version of the API in use.
>> >> +.Dv JAIL_API_VERSION
>> >> +is defined for the current version.
>> >> +.Pp
>> >> +The
>> >> +.Dq Li path
>> >> +pointer should be set to the directory which is to be the root of the
>> >> +prison.
>> >> +.Pp
>> >> +The
>> >> +.Dq Li hostname
>> >> +pointer can be set to the hostname of the prison.
>> >> +This can be changed
>> >> +from the inside of the prison.
>> >> +.Pp
>> >> +The
>> >> +.Dq Li jailname
>> >> +pointer is an optional name that can be assigned to the jail
>> >> +for example for management purposes.
>> >> +.Pp
>> >> +The
>> >> +.Dq Li ip4s
>> >> +and
>> >> +.Dq Li ip6s
>> >> +give the numbers of IPv4 and IPv6 addresses that will be passed
>> >> +via their respective pointers.
>> >> +.Pp
>> >> +The
>> >> +.Dq Li ip4
>> >> +and
>> >> +.Dq Li ip6
>> >> +pointers can be set to an arrays of IPv4 and IPv6 addresses to be
>> >> assigned to
>> >> +the prison, or NULL if none.
>> >> +IPv4 addresses must be in network byte order.
>> >> +.Pp
>> >> +This is equivalent to, and deprecated in favor of, the
>> >> .Fn jail_set
>> >> +system call (see below), with the parameters
>> >> +.Va path ,
>> >> +.Va host.hostname ,
>> >> +.Va name ,
>> >> +.Va ip4.addr ,
>> >> +and
>> >> +.Va ip6.addr ,
>> >> +and with the
>> >> +.Dv JAIL_ATTACH
>> >> +flag.
>> >> +.Pp
>> >> +The
>> >> +.Fn jail_set
>> >> system call creates a new jail, or modifies an existing one, and
>> >> optionally
>> >> locks the current process in it.
>> >> Jail parameters are passed as an array of name-value pairs in the
>> >> array
>> >> @@ -76,19 +146,13 @@ The current set of available parameters, and
>> >> their for
>> >> retrieved via the
>> >> .Va security.jail.param
>> >> sysctl MIB entry.
>> >> -Notable parameters include
>> >> +Notable parameters include those mentioned in the
>> >> +.Fn jail
>> >> +description above, as well as
>> >> .Va jid
>> >> and
>> >> -.Va name
>> >> -which identify the jail being created or modified,
>> >> -.Va path
>> >> -(the root directory of the jail),
>> >> -.Va host.hostname
>> >> -(the hostname of the jail), and
>> >> -.Va ip4.addr
>> >> -and
>> >> -.Va ip6.addr
>> >> -(IP addresses to assign to the jail).
>> >> +.Va name ,
>> >> +which identify the jail being created or modified.
>> >> See
>> >> .Xr jail 8
>> >> for more information on the core jail parameters.
>> >> @@ -173,7 +237,8 @@ It will kill all processes belonging to the jail,
>> >> and
>> >> of that jail.
>> >> .Sh RETURN VALUES
>> >> If successful,
>> >> -.Fn jail_set
>> >> +.Fn jail ,
>> >> +.Fn jail_set ,
>> >> and
>> >> .Fn jail_get
>> >> return a non-negative integer, termed the jail identifier (JID).
>> >> @@ -184,6 +249,25 @@ to indicate the error.
>> >> .Rv -std jail_attach jail_remove
>> >> .Sh ERRORS
>> >> The
>> >> +.Fn jail
>> >> +system call
>> >> +will fail if:
>> >> +.Bl -tag -width Er
>> >> +.It Bq Er EPERM
>> >> +This process is not allowed to create a jail, either because it is
>> >> not
>> >> +the super-user, or because it would exceed the jail's
>> >> +.Va children.max
>> >> +limit.
>> >> +.It Bq Er EFAULT
>> >> +.Fa jail
>> >> +points to an address outside the allocated address space of the
>> >> process.
>> >> +.It Bq Er EINVAL
>> >> +The version number of the argument is not correct.
>> >> +.It Bq Er EAGAIN
>> >> +No free JID could be found.
>> >> +.El
>> >> +.Pp
>> >> +The
>> >> .Fn jail_set
>> >> system call
>> >> will fail if:
>> >> @@ -287,7 +371,8 @@ does not exist.
>> >> .El
>> >> .Pp
>> >> Further
>> >> -.Fn jail_set
>> >> +.Fn jail ,
>> >> +.Fn jail_set ,
>> >> and
>> >> .Fn jail_attach
>> >> call
>> >> @@ -301,7 +386,7 @@ manual page for details.
>> >> .Xr chroot 2 ,
>> >> .Xr jail 8
>> >> .Sh HISTORY
>> >> -The now-deprecated
>> >> +The
>> >> .Fn jail
>> >> system call appeared in
>> >> .Fx 4.0 .
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_misc.c
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_misc.c Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_misc.c Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -2289,10 +2289,8 @@ freebsd32_sysctl(struct thread *td, struct
>> >> freebsd32_s
>> >> return (0);
>> >> }
>> >>
>> >> -#ifdef COMPAT_FREEBSD11
>> >> int
>> >> -freebsd11_freebsd32_jail(struct thread *td,
>> >> - struct freebsd11_freebsd32_jail_args *uap)
>> >> +freebsd32_jail(struct thread *td, struct freebsd32_jail_args *uap)
>> >> {
>> >> uint32_t version;
>> >> int error;
>> >> @@ -2349,9 +2347,8 @@ freebsd11_freebsd32_jail(struct thread *td,
>> >> /* Sci-Fi jails are not supported, sorry. */
>> >> return (EINVAL);
>> >> }
>> >> - return (freebsd11_kern_jail(td, &j));
>> >> + return (kern_jail(td, &j));
>> >> }
>> >> -#endif /* COMPAT_FREEBSD11 */
>> >>
>> >> int
>> >> freebsd32_jail_set(struct thread *td, struct freebsd32_jail_set_args
>> >> *uap)
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_proto.h
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -283,6 +283,9 @@ struct freebsd32_sched_rr_get_interval_args {
>> >> char pid_l_[PADL_(pid_t)]; pid_t pid; char pid_r_[PADR_(pid_t)];
>> >> char interval_l_[PADL_(struct timespec32 *)]; struct timespec32 *
>> >> interval; char interval_r_[PADR_(struct timespec32 *)];
>> >> };
>> >> +struct freebsd32_jail_args {
>> >> + char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char
>> >> jail_r_[PADR_(struct jail32 *)];
>> >> +};
>> >> struct freebsd32_sigtimedwait_args {
>> >> char set_l_[PADL_(const sigset_t *)]; const sigset_t * set; char
>> >> set_r_[PADR_(const sigset_t *)];
>> >> char info_l_[PADL_(siginfo_t *)]; siginfo_t * info; char
>> >> info_r_[PADR_(siginfo_t *)];
>> >> @@ -758,6 +761,7 @@ int freebsd32_aio_return(struct thread *, struct
>> >> freeb
>> >> int freebsd32_aio_suspend(struct thread *, struct
>> >> freebsd32_aio_suspend_args *);
>> >> int freebsd32_aio_error(struct thread *, struct
>> >> freebsd32_aio_error_args *);
>> >> int freebsd32_sched_rr_get_interval(struct thread *, struct
>> >> freebsd32_sched_rr_get_interval_args *);
>> >> +int freebsd32_jail(struct thread *, struct freebsd32_jail_args *);
>> >> int freebsd32_sigtimedwait(struct thread *, struct
>> >> freebsd32_sigtimedwait_args *);
>> >> int freebsd32_sigwaitinfo(struct thread *, struct
>> >> freebsd32_sigwaitinfo_args *);
>> >> int freebsd32_aio_waitcomplete(struct thread *, struct
>> >> freebsd32_aio_waitcomplete_args *);
>> >> @@ -1180,9 +1184,6 @@ struct freebsd11_freebsd32_fhstat_args {
>> >> char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle *
>> >> u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
>> >> char sb_l_[PADL_(struct freebsd11_stat32 *)]; struct
>> >> freebsd11_stat32 * sb; char sb_r_[PADR_(struct freebsd11_stat32 *)];
>> >> };
>> >> -struct freebsd11_freebsd32_jail_args {
>> >> - char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char
>> >> jail_r_[PADR_(struct jail32 *)];
>> >> -};
>> >> struct freebsd11_freebsd32_kevent_args {
>> >> char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
>> >> char changelist_l_[PADL_(const struct kevent32_freebsd11 *)]; const
>> >> struct kevent32_freebsd11 * changelist; char changelist_r_[PADR_(const
>> >> struct kevent32_freebsd11 *)];
>> >> @@ -1222,7 +1223,6 @@ int freebsd11_freebsd32_lstat(struct thread *,
>> >> struct
>> >> int freebsd11_freebsd32_getdirentries(struct thread *, struct
>> >> freebsd11_freebsd32_getdirentries_args *);
>> >> int freebsd11_freebsd32_getdents(struct thread *, struct
>> >> freebsd11_freebsd32_getdents_args *);
>> >> int freebsd11_freebsd32_fhstat(struct thread *, struct
>> >> freebsd11_freebsd32_fhstat_args *);
>> >> -int freebsd11_freebsd32_jail(struct thread *, struct
>> >> freebsd11_freebsd32_jail_args *);
>> >> int freebsd11_freebsd32_kevent(struct thread *, struct
>> >> freebsd11_freebsd32_kevent_args *);
>> >> int freebsd11_freebsd32_fstatat(struct thread *, struct
>> >> freebsd11_freebsd32_fstatat_args *);
>> >> int freebsd11_freebsd32_mknodat(struct thread *, struct
>> >> freebsd11_freebsd32_mknodat_args *);
>> >> @@ -1317,7 +1317,7 @@ int freebsd11_freebsd32_mknodat(struct thread *,
>> >> struc
>> >>
>> >> #define FREEBSD32_SYS_AUE_freebsd6_freebsd32_lio_listio
AUE_LIO_LISTIO
>> >> #define FREEBSD32_SYS_AUE_freebsd32_sched_rr_get_interval
AUE_NULL
>> >> #define FREEBSD32_SYS_AUE_freebsd4_freebsd32_sendfile AUE_SENDFILE
>> >> -#define FREEBSD32_SYS_AUE_freebsd11_freebsd32_jail AUE_JAIL
>> >> +#define FREEBSD32_SYS_AUE_freebsd32_jail AUE_JAIL
>> >> #define FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigaction
AUE_SIGACTION
>> >> #define FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigreturn
AUE_SIGRETURN
>> >> #define FREEBSD32_SYS_AUE_freebsd32_sigtimedwait AUE_SIGWAIT
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_syscall.h
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_syscall.h Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_syscall.h Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -275,7 +275,7 @@
>> >> #define FREEBSD32_SYS_utrace 335
>> >> /* 336 is freebsd4 freebsd32_sendfile */
>> >> #define FREEBSD32_SYS_kldsym 337
>> >> -#define FREEBSD32_SYS_freebsd11_freebsd32_jail 338
>> >> +#define FREEBSD32_SYS_freebsd32_jail 338
>> >> #define FREEBSD32_SYS_sigprocmask 340
>> >> #define FREEBSD32_SYS_sigsuspend 341
>> >> /* 342 is freebsd4 freebsd32_sigaction */
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_syscalls.c
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_syscalls.c Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_syscalls.c Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -347,7 +347,7 @@ const char *freebsd32_syscallnames[] = {
>> >> "utrace", /* 335 = utrace */
>> >> "compat4.freebsd32_sendfile", /* 336 = freebsd4
freebsd32_sendfile
>> >> */
>> >> "kldsym", /* 337 = kldsym */
>> >> - "compat11.freebsd32_jail", /* 338 = freebsd11
freebsd32_jail */
>> >> + "freebsd32_jail", /* 338 = freebsd32_jail */
>> >> "#339", /* 339 = pioctl */
>> >> "sigprocmask", /* 340 = sigprocmask */
>> >> "sigsuspend", /* 341 = sigsuspend */
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_sysent.c
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_sysent.c Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_sysent.c Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -394,7 +394,7 @@ struct sysent freebsd32_sysent[] = {
>> >> { AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0,
>> >> SYF_CAPENABLED, SY_THR_STATIC }, /* 335 = utrace */
>> >> { compat4(AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile),
>> >> AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 336 =
>> >> freebsd4 freebsd32_sendfile */
>> >> { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0,
>> >> SY_THR_STATIC }, /* 337 = kldsym */
>> >> - { compat11(AS(freebsd11_freebsd32_jail_args),freebsd32_jail),
>> >> AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd11
>> >> freebsd32_jail */
>> >> + { AS(freebsd32_jail_args), (sy_call_t *)freebsd32_jail, AUE_JAIL,
>> >> NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd32_jail */
>> >> { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_ABSENT
>> >> }, /* 339 = pioctl */
>> >> { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask,
>> >> AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 340 =
>> >> sigprocmask */
>> >> { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND,
>> >> NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 341 = sigsuspend */
>> >>
>> >> Modified: head/sys/compat/freebsd32/freebsd32_systrace_args.c
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16
>> >> 18:58:34 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16
>> >> 19:09:43 2018 (r337925)
>> >> @@ -1559,6 +1559,13 @@ systrace_args(int sysnum, void *params,
>> >> uint64_t *uarg
>> >> *n_args = 3;
>> >> break;
>> >> }
>> >> + /* freebsd32_jail */
>> >> + case 338: {
>> >> + struct freebsd32_jail_args *p = params;
>> >> + uarg[0] = (intptr_t) p->jail; /* struct jail32 * */
>> >> + *n_args = 1;
>> >> + break;
>> >> + }
>> >> /* sigprocmask */
>> >> case 340: {
>> >> struct sigprocmask_args *p = params;
>> >> @@ -5704,6 +5711,16 @@ systrace_entry_setargdesc(int sysnum, int ndx,
>> >> char *d
>> >> break;
>> >> };
>> >> break;
>> >> + /* freebsd32_jail */
>> >> + case 338:
>> >> + switch(ndx) {
>> >> + case 0:
>> >> + p = "userland struct jail32 *";
>> >> + break;
>> >> + default:
>> >> + break;
>> >> + };
>> >> + break;
>> >> /* sigprocmask */
>> >> case 340:
>> >> switch(ndx) {
>> >> @@ -9653,6 +9670,11 @@ systrace_return_setargdesc(int sysnum, int ndx,
>> >> char *
>> >> break;
>> >> /* kldsym */
>> >> case 337:
>> >> + if (ndx == 0 || ndx == 1)
>> >> + p = "int";
>> >> + break;
>> >> + /* freebsd32_jail */
>> >> + case 338:
>> >> if (ndx == 0 || ndx == 1)
>> >> p = "int";
>> >> break;
>> >>
>> >> Modified: head/sys/compat/freebsd32/syscalls.master
>> >>
==============================================================================
>> >> --- head/sys/compat/freebsd32/syscalls.master Thu Aug 16 18:58:34
>> >> 2018 (r337924)
>> >> +++ head/sys/compat/freebsd32/syscalls.master Thu Aug 16 19:09:43
>> >> 2018 (r337925)
>> >> @@ -601,7 +601,7 @@
>> >> off_t *sbytes, int flags); }
>> >> 337 AUE_NULL NOPROTO { int kldsym(int fileid, int cmd, \
>> >> void *data); }
>> >> -338 AUE_JAIL COMPAT11 { int freebsd32_jail(struct jail32 *jail);
}
>> >> +338 AUE_JAIL STD { int freebsd32_jail(struct jail32 *jail); }
>> >> 339 AUE_NULL UNIMPL pioctl
>> >> 340 AUE_SIGPROCMASK NOPROTO { int sigprocmask(int how, \
>> >> const sigset_t *set, sigset_t *oset); }
>> >>
>> >> Modified: head/sys/kern/init_sysent.c
>> >>
==============================================================================
>> >> --- head/sys/kern/init_sysent.c Thu Aug 16 18:58:34 2018
(r337924)
>> >> +++ head/sys/kern/init_sysent.c Thu Aug 16 19:09:43 2018
(r337925)
>> >> @@ -387,7 +387,7 @@ struct sysent sysent[] = {
>> >> { AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0,
>> >> SYF_CAPENABLED, SY_THR_STATIC }, /* 335 = utrace */
>> >> { compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL,
>> >> 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 336 = freebsd4 sendfile
*/
>> >> { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0,
>> >> SY_THR_STATIC }, /* 337 = kldsym */
>> >> - { compat11(AS(freebsd11_jail_args),jail), AUE_JAIL, NULL, 0, 0, 0,
>> >> SY_THR_STATIC }, /* 338 = freebsd11 jail */
>> >> + { AS(jail_args), (sy_call_t *)sys_jail, AUE_JAIL, NULL, 0, 0, 0,
>> >> SY_THR_STATIC }, /* 338 = jail */
>> >> { AS(nnpfs_syscall_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0,
>> >> 0, 0, SY_THR_ABSENT }, /* 339 = nnpfs_syscall */
>> >> { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask,
>> >> AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 340 =
>> >> sigprocmask */
>> >> { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND,
>> >> NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 341 = sigsuspend */
>> >>
>> >> Modified: head/sys/kern/kern_jail.c
>> >>
==============================================================================
>> >> --- head/sys/kern/kern_jail.c Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/kern/kern_jail.c Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -74,14 +74,6 @@ __FBSDID("$FreeBSD$");
>> >>
>> >> #include <security/mac/mac_framework.h>
>> >>
>> >> -/*
>> >> - * The old jail(2) interface will exist under COMPAT_FREEBSD11, but
>> >> the global
>> >> - * permission sysctls are slated to go away sometime (even with
>> >> COMPAT).
>> >> - */
>> >> -#if defined(COMPAT_FREEBSD11) && !defined(BURN_BRIDGES)
>> >> -#define PR_GLOBAL_ALLOW
>> >> -#endif
>> >> -
>> >> #define DEFAULT_HOSTUUID
"00000000-0000-0000-0000-000000000000"
>> >>
>> >> MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
>> >> @@ -207,11 +199,9 @@ const size_t pr_flag_allow_size =
>> >> sizeof(pr_flag_allow
>> >> #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME |
>> >> PR_ALLOW_RESERVED_PORTS)
>> >> #define JAIL_DEFAULT_ENFORCE_STATFS 2
>> >> #define JAIL_DEFAULT_DEVFS_RSNUM 0
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
>> >> static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
>> >> static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
>> >> -#endif
>> >> #if defined(INET) || defined(INET6)
>> >> static unsigned jail_max_af_ips = 255;
>> >> #endif
>> >> @@ -229,14 +219,13 @@ prison0_init(void)
>> >> strlcpy(prison0.pr_osrelease, osrelease,
>> >> sizeof(prison0.pr_osrelease));
>> >> }
>> >>
>> >> -#ifdef COMPAT_FREEBSD11
>> >> /*
>> >> * struct jail_args {
>> >> * struct jail *jail;
>> >> * };
>> >> */
>> >> int
>> >> -freebsd11_jail(struct thread *td, struct freebsd11_jail_args *uap)
>> >> +sys_jail(struct thread *td, struct jail_args *uap)
>> >> {
>> >> uint32_t version;
>> >> int error;
>> >> @@ -281,16 +270,13 @@ freebsd11_jail(struct thread *td, struct
>> >> freebsd11_jai
>> >> /* Sci-Fi jails are not supported, sorry. */
>> >> return (EINVAL);
>> >> }
>> >> - return (freebsd11_kern_jail(td, &j));
>> >> + return (kern_jail(td, &j));
>> >> }
>> >>
>> >> int
>> >> -freebsd11_kern_jail(struct thread *td, struct jail *j)
>> >> +kern_jail(struct thread *td, struct jail *j)
>> >> {
>> >> - struct iovec optiov[2 * (3
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> - + 1 + nitems(pr_flag_allow)
>> >> -#endif
>> >> + struct iovec optiov[2 * (4 + nitems(pr_flag_allow)
>> >> #ifdef INET
>> >> + 1
>> >> #endif
>> >> @@ -300,10 +286,7 @@ freebsd11_kern_jail(struct thread *td, struct
>> >> jail *j)
>> >> )];
>> >> struct uio opt;
>> >> char *u_path, *u_hostname, *u_name;
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> struct bool_flags *bf;
>> >> - int enforce_statfs;
>> >> -#endif
>> >> #ifdef INET
>> >> uint32_t ip4s;
>> >> struct in_addr *u_ip4;
>> >> @@ -312,7 +295,7 @@ freebsd11_kern_jail(struct thread *td, struct jail
>> >> *j)
>> >> struct in6_addr *u_ip6;
>> >> #endif
>> >> size_t tmplen;
>> >> - int error;
>> >> + int error, enforce_statfs;
>> >>
>> >> bzero(&optiov, sizeof(optiov));
>> >> opt.uio_iov = optiov;
>> >> @@ -323,7 +306,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
>> >> *j)
>> >> opt.uio_rw = UIO_READ;
>> >> opt.uio_td = td;
>> >>
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> /* Set permissions for top-level jails from sysctls. */
>> >> if (!jailed(td->td_ucred)) {
>> >> for (bf = pr_flag_allow;
>> >> @@ -345,7 +327,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
>> >> *j)
>> >> optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs);
>> >> opt.uio_iovcnt++;
>> >> }
>> >> -#endif
>> >>
>> >> tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN;
>> >> #ifdef INET
>> >> @@ -449,7 +430,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
>> >> *j)
>> >> free(u_path, M_TEMP);
>> >> return (error);
>> >> }
>> >> -#endif /* COMPAT_FREEBSD11 */
>> >>
>> >>
>> >> /*
>> >> @@ -1267,11 +1247,7 @@ kern_jail_set(struct thread *td, struct uio
>> >> *optuio, i
>> >>
>> >> pr->pr_securelevel = ppr->pr_securelevel;
>> >> pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> pr->pr_enforce_statfs = jail_default_enforce_statfs;
>> >> -#else
>> >> - pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
>> >> -#endif
>> >> pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;
>> >>
>> >> pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
>> >> @@ -3439,7 +3415,6 @@ prison_path(struct prison *pr1, struct prison
>> >> *pr2)
>> >> static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
>> >> "Jails");
>> >>
>> >> -#ifdef COMPAT_FREEBSD11
>> >> static int
>> >> sysctl_jail_list(SYSCTL_HANDLER_ARGS)
>> >> {
>> >> @@ -3543,7 +3518,6 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
>> >> SYSCTL_OID(_security_jail, OID_AUTO, list,
>> >> CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
>> >> sysctl_jail_list, "S", "List of active jails");
>> >> -#endif /* COMPAT_FREEBSD11 */
>> >>
>> >> static int
>> >> sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
>> >> @@ -3583,14 +3557,13 @@ SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
>> >> #if defined(INET) || defined(INET6)
>> >> SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
>> >> &jail_max_af_ips, 0,
>> >> - "Number of IP addresses a jail may have at most per address
>> >> family");
>> >> + "Number of IP addresses a jail may have at most per address
>> >> family (deprecated)");
>> >> #endif
>> >>
>> >> /*
>> >> - * Jail permissions - jailed processes can read these to find out
>> >> what they are
>> >> - * allowed to do. A deprecated use is to set default permissions for
>> >> prisons
>> >> - * created via jail(2). For historical reasons, the sysctl names
>> >> have varying
>> >> - * similarity to the parameter names.
>> >> + * Default parameters for jail(2) compatibility. For historical
>> >> reasons,
>> >> + * the sysctl names have varying similarity to the parameter names.
>> >> Prisons
>> >> + * just see their own parameters, and can't change them.
>> >> */
>> >> static int
>> >> sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
>> >> @@ -3599,68 +3572,52 @@ sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
>> >> int allow, error, i;
>> >>
>> >> pr = req->td->td_ucred->cr_prison;
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> allow = (pr == &prison0) ? jail_default_allow : pr->pr_allow;
>> >> -#else
>> >> - allow = pr->pr_allow;
>> >> -#endif
>> >>
>> >> /* Get the current flag value, and convert it to a boolean. */
>> >> i = (allow & arg2) ? 1 : 0;
>> >> if (arg1 != NULL)
>> >> i = !i;
>> >> error = sysctl_handle_int(oidp, &i, 0, req);
>> >> - if (error)
>> >> + if (error || !req->newptr)
>> >> return (error);
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> - if (req->newptr) {
>> >> - i = i ? arg2 : 0;
>> >> - if (arg1 != NULL)
>> >> - i ^= arg2;
>> >> - /*
>> >> - * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
>> >> - * for writing.
>> >> - */
>> >> - mtx_lock(&prison0.pr_mtx);
>> >> - jail_default_allow = (jail_default_allow & ~arg2) | i;
>> >> - mtx_unlock(&prison0.pr_mtx);
>> >> - }
>> >> -#endif
>> >> + i = i ? arg2 : 0;
>> >> + if (arg1 != NULL)
>> >> + i ^= arg2;
>> >> + /*
>> >> + * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
>> >> + * for writing.
>> >> + */
>> >> + mtx_lock(&prison0.pr_mtx);
>> >> + jail_default_allow = (jail_default_allow & ~arg2) | i;
>> >> + mtx_unlock(&prison0.pr_mtx);
>> >> return (0);
>> >> }
>> >>
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> -#define CTLFLAG_GLOBAL_ALLOW (CTLFLAG_RW | CTLFLAG_MPSAFE)
>> >> -#define ADDR_GLOBAL_ALLOW(i) &i
>> >> -#else
>> >> -#define CTLFLAG_GLOBAL_ALLOW (CTLFLAG_RD | CTLFLAG_MPSAFE)
>> >> -#define ADDR_GLOBAL_ALLOW(i) NULL
>> >> -#endif
>> >> -
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
>> >> - "Processes in jail can set their hostnames");
>> >> + "Processes in jail can set their hostnames (deprecated)");
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, socket_unixiproute_only,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> (void *)1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow, "I",
>> >> - "Processes in jail are limited to creating UNIX/IP/route sockets
>> >> only");
>> >> + "Processes in jail are limited to creating UNIX/IP/route sockets
>> >> only (deprecated)");
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, sysvipc_allowed,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow, "I",
>> >> - "Processes in jail can use System V IPC primitives");
>> >> + "Processes in jail can use System V IPC primitives
>> >> (deprecated)");
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, allow_raw_sockets,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow, "I",
>> >> - "Prison root can create raw sockets");
>> >> + "Prison root can create raw sockets (deprecated)");
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
>> >> - "Processes in jail can alter system file flags");
>> >> + "Processes in jail can alter system file flags (deprecated)");
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
>> >> - "Processes in jail can mount/unmount jail-friendly file
>> >> systems");
>> >> + "Processes in jail can mount/unmount jail-friendly file systems
>> >> (deprecated)");
>> >>
>> >> static int
>> >> sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
>> >> @@ -3669,33 +3626,25 @@ sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
>> >> int level, error;
>> >>
>> >> pr = req->td->td_ucred->cr_prison;
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> level = (pr == &prison0) ? *(int *)arg1 : *(int *)((char *)pr +
>> >> arg2);
>> >> -#else
>> >> - level = *(int *)((char *)pr + arg2);
>> >> -#endif
>> >> error = sysctl_handle_int(oidp, &level, 0, req);
>> >> - if (error)
>> >> + if (error || !req->newptr)
>> >> return (error);
>> >> -#ifdef PR_GLOBAL_ALLOW
>> >> - if (req->newptr)
>> >> - *(int *)arg1 = level;
>> >> -#endif
>> >> + *(int *)arg1 = level;
>> >> return (0);
>> >> }
>> >>
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, enforce_statfs,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> - ADDR_GLOBAL_ALLOW(jail_default_enforce_statfs),
>> >> - offsetof(struct prison, pr_enforce_statfs),
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>> >> + &jail_default_enforce_statfs, offsetof(struct prison,
>> >> pr_enforce_statfs),
>> >> sysctl_jail_default_level, "I",
>> >> - "Processes in jail cannot see all mounted file systems");
>> >> + "Processes in jail cannot see all mounted file systems
>> >> (deprecated)");
>> >> +
>> >> SYSCTL_PROC(_security_jail, OID_AUTO, devfs_ruleset,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
>> >> - ADDR_GLOBAL_ALLOW(jail_default_devfs_rsnum),
>> >> - offsetof(struct prison, pr_devfs_rsnum),
>> >> + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
>> >> + &jail_default_devfs_rsnum, offsetof(struct prison,
>> >> pr_devfs_rsnum),
>> >> sysctl_jail_default_level, "I",
>> >> - "Ruleset for the devfs filesystem in jail");
>> >> + "Ruleset for the devfs filesystem in jail (deprecated)");
>> >>
>> >> /*
>> >> * Nodes to describe jail parameters. Maximum length of string
>> >> parameters
>> >> @@ -3836,6 +3785,9 @@ prison_add_allow(const char *prefix, const char
>> >> *name,
>> >> struct bool_flags *bf;
>> >> struct sysctl_oid *parent;
>> >> char *allow_name, *allow_noname, *allowed;
>> >> +#ifndef NO_SYSCTL_DESCR
>> >> + char *descr_deprecated;
>> >> +#endif
>> >> unsigned allow_flag;
>> >>
>> >> if (prefix
>> >> @@ -3892,7 +3844,10 @@ prison_add_allow(const char *prefix, const char
>> >> *name,
>> >> bf->flag = allow_flag;
>> >> mtx_unlock(&prison0.pr_mtx);
>> >>
>> >> - /* Create sysctls for the paramter, and the current permission. */
>> >> + /*
>> >> + * Create sysctls for the paramter, and the back-compat global
>> >> + * permission.
>> >> + */
>> >> parent = prefix
>> >> ? SYSCTL_ADD_NODE(NULL,
>> >> SYSCTL_CHILDREN(&sysctl___security_jail_param_allow),
>> >> @@ -3904,10 +3859,17 @@ prison_add_allow(const char *prefix, const
>> >> char *name,
>> >> if ((prefix
>> >> ? asprintf(&allowed, M_TEMP, "%s_%s_allowed", prefix, name)
>> >> : asprintf(&allowed, M_TEMP, "%s_allowed", name)) >= 0) {
>> >> +#ifndef NO_SYSCTL_DESCR
>> >> + (void)asprintf(&descr_deprecated, M_TEMP, "%s (deprecated)",
>> >> + descr);
>> >> +#endif
>> >> (void)SYSCTL_ADD_PROC(NULL,
>> >> SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO,
allowed,
>> >> - CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW, NULL, allow_flag,
>> >> - sysctl_jail_default_allow, "I", descr);
>> >> + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL,
allow_flag,
>> >> + sysctl_jail_default_allow, "I", descr_deprecated);
>> >> +#ifndef NO_SYSCTL_DESCR
>> >> + free(descr_deprecated, M_TEMP);
>> >> +#endif
>> >> free(allowed, M_TEMP);
>> >> }
>> >> return allow_flag;
>> >>
>> >> Modified: head/sys/kern/syscalls.c
>> >>
==============================================================================
>> >> --- head/sys/kern/syscalls.c Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/kern/syscalls.c Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -344,7 +344,7 @@ const char *syscallnames[] = {
>> >> "utrace", /* 335 = utrace */
>> >> "compat4.sendfile", /* 336 = freebsd4 sendfile */
>> >> "kldsym", /* 337 = kldsym */
>> >> - "compat11.jail", /* 338 = freebsd11 jail */
>> >> + "jail", /* 338 = jail */
>> >> "nnpfs_syscall", /* 339 = nnpfs_syscall */
>> >> "sigprocmask", /* 340 = sigprocmask */
>> >> "sigsuspend", /* 341 = sigsuspend */
>> >>
>> >> Modified: head/sys/kern/syscalls.master
>> >>
==============================================================================
>> >> --- head/sys/kern/syscalls.master Thu Aug 16 18:58:34 2018
(r337924)
>> >> +++ head/sys/kern/syscalls.master Thu Aug 16 19:09:43 2018
(r337925)
>> >> @@ -738,7 +738,7 @@
>> >> _Out_opt_ off_t *sbytes, int flags); }
>> >> 337 AUE_NULL STD { int kldsym(int fileid, int cmd, \
>> >> _In_ void *data); }
>> >> -338 AUE_JAIL COMPAT11 { int jail( \
>> >> +338 AUE_JAIL STD { int jail( \
>> >> _In_ struct jail *jail); }
>> >>
>> >> 339 AUE_NULL NOSTD|NOTSTATIC { int nnpfs_syscall(int operation, \
>> >>
>> >> Modified: head/sys/kern/systrace_args.c
>> >>
==============================================================================
>> >> --- head/sys/kern/systrace_args.c Thu Aug 16 18:58:34 2018
(r337924)
>> >> +++ head/sys/kern/systrace_args.c Thu Aug 16 19:09:43 2018
(r337925)
>> >> @@ -1593,6 +1593,13 @@ systrace_args(int sysnum, void *params,
>> >> uint64_t *uarg
>> >> *n_args = 3;
>> >> break;
>> >> }
>> >> + /* jail */
>> >> + case 338: {
>> >> + struct jail_args *p = params;
>> >> + uarg[0] = (intptr_t) p->jail; /* struct jail * */
>> >> + *n_args = 1;
>> >> + break;
>> >> + }
>> >> /* nnpfs_syscall */
>> >> case 339: {
>> >> struct nnpfs_syscall_args *p = params;
>> >> @@ -5765,6 +5772,16 @@ systrace_entry_setargdesc(int sysnum, int ndx,
>> >> char *d
>> >> break;
>> >> };
>> >> break;
>> >> + /* jail */
>> >> + case 338:
>> >> + switch(ndx) {
>> >> + case 0:
>> >> + p = "userland struct jail *";
>> >> + break;
>> >> + default:
>> >> + break;
>> >> + };
>> >> + break;
>> >> /* nnpfs_syscall */
>> >> case 339:
>> >> switch(ndx) {
>> >> @@ -9627,6 +9644,11 @@ systrace_return_setargdesc(int sysnum, int ndx,
>> >> char *
>> >> break;
>> >> /* kldsym */
>> >> case 337:
>> >> + if (ndx == 0 || ndx == 1)
>> >> + p = "int";
>> >> + break;
>> >> + /* jail */
>> >> + case 338:
>> >> if (ndx == 0 || ndx == 1)
>> >> p = "int";
>> >> break;
>> >>
>> >> Modified: head/sys/sys/jail.h
>> >>
==============================================================================
>> >> --- head/sys/sys/jail.h Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/sys/jail.h Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -32,7 +32,6 @@
>> >> #ifndef _SYS_JAIL_H_
>> >> #define _SYS_JAIL_H_
>> >>
>> >> -#ifdef COMPAT_FREEBSD11
>> >> #ifdef _KERNEL
>> >> struct jail_v0 {
>> >> u_int32_t version;
>> >> @@ -58,6 +57,16 @@ struct jail {
>> >> * For all xprison structs, always keep the pr_version an int and
>> >> * the first variable so userspace can easily distinguish them.
>> >> */
>> >> +#ifndef _KERNEL
>> >> +struct xprison_v1 {
>> >> + int pr_version;
>> >> + int pr_id;
>> >> + char pr_path[MAXPATHLEN];
>> >> + char pr_host[MAXHOSTNAMELEN];
>> >> + u_int32_t pr_ip;
>> >> +};
>> >> +#endif
>> >> +
>> >> struct xprison {
>> >> int pr_version;
>> >> int pr_id;
>> >> @@ -82,7 +91,6 @@ struct xprison {
>> >> #define PRISON_STATE_INVALID 0
>> >> #define PRISON_STATE_ALIVE 1
>> >> #define PRISON_STATE_DYING 2
>> >> -#endif /* COMPAT_FREEBSD11 */
>> >>
>> >> /*
>> >> * Flags for jail_set and jail_get.
>> >> @@ -102,6 +110,7 @@ struct xprison {
>> >>
>> >> struct iovec;
>> >>
>> >> +int jail(struct jail *);
>> >> int jail_set(struct iovec *, unsigned int, int);
>> >> int jail_get(struct iovec *, unsigned int, int);
>> >> int jail_attach(int);
>> >>
>> >> Modified: head/sys/sys/syscall.h
>> >>
==============================================================================
>> >> --- head/sys/sys/syscall.h Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/sys/syscall.h Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -280,7 +280,7 @@
>> >> #define SYS_utrace 335
>> >> /* 336 is freebsd4 sendfile */
>> >> #define SYS_kldsym 337
>> >> -#define SYS_freebsd11_jail 338
>> >> +#define SYS_jail 338
>> >> #define SYS_nnpfs_syscall 339
>> >> #define SYS_sigprocmask 340
>> >> #define SYS_sigsuspend 341
>> >>
>> >> Modified: head/sys/sys/syscall.mk
>> >>
==============================================================================
>> >> --- head/sys/sys/syscall.mk Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/sys/syscall.mk Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -209,7 +209,7 @@ MIASM = \
>> >> sched_rr_get_interval.o \
>> >> utrace.o \
>> >> kldsym.o \
>> >> - freebsd11_jail.o \
>> >> + jail.o \
>> >> nnpfs_syscall.o \
>> >> sigprocmask.o \
>> >> sigsuspend.o \
>> >>
>> >> Modified: head/sys/sys/syscallsubr.h
>> >>
==============================================================================
>> >> --- head/sys/sys/syscallsubr.h Thu Aug 16 18:58:34 2018
(r337924)
>> >> +++ head/sys/sys/syscallsubr.h Thu Aug 16 19:09:43 2018
(r337925)
>> >> @@ -143,6 +143,7 @@ int kern_getsockname(struct thread *td, int fd,
>> >> struct
>> >> int kern_getsockopt(struct thread *td, int s, int level, int name,
>> >> void *optval, enum uio_seg valseg, socklen_t *valsize);
>> >> int kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data);
>> >> +int kern_jail(struct thread *td, struct jail *j);
>> >> int kern_jail_get(struct thread *td, struct uio *options, int flags);
>> >> int kern_jail_set(struct thread *td, struct uio *options, int flags);
>> >> int kern_kevent(struct thread *td, int fd, int nchanges, int nevents,
>> >> @@ -307,6 +308,5 @@ struct freebsd11_dirent;
>> >>
>> >> int freebsd11_kern_getdirentries(struct thread *td, int fd, char
>> >> *ubuf, u_int
>> >> count, long *basep, void (*func)(struct freebsd11_dirent *));
>> >> -int freebsd11_kern_jail(struct thread *td, struct jail *j);
>> >>
>> >> #endif /* !_SYS_SYSCALLSUBR_H_ */
>> >>
>> >> Modified: head/sys/sys/sysproto.h
>> >>
==============================================================================
>> >> --- head/sys/sys/sysproto.h Thu Aug 16 18:58:34 2018 (r337924)
>> >> +++ head/sys/sys/sysproto.h Thu Aug 16 19:09:43 2018 (r337925)
>> >> @@ -849,6 +849,9 @@ struct kldsym_args {
>> >> char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
>> >> char data_l_[PADL_(void *)]; void * data; char data_r_[PADR_(void
>> >> *)];
>> >> };
>> >> +struct jail_args {
>> >> + char jail_l_[PADL_(struct jail *)]; struct jail * jail; char
>> >> jail_r_[PADR_(struct jail *)];
>> >> +};
>> >> struct nnpfs_syscall_args {
>> >> char operation_l_[PADL_(int)]; int operation; char
>> >> operation_r_[PADR_(int)];
>> >> char a_pathP_l_[PADL_(char *)]; char * a_pathP; char
>> >> a_pathP_r_[PADR_(char *)];
>> >> @@ -1958,6 +1961,7 @@ int sys_sched_get_priority_min(struct thread *,
>> >> struct
>> >> int sys_sched_rr_get_interval(struct thread *, struct
>> >> sched_rr_get_interval_args *);
>> >> int sys_utrace(struct thread *, struct utrace_args *);
>> >> int sys_kldsym(struct thread *, struct kldsym_args *);
>> >> +int sys_jail(struct thread *, struct jail_args *);
>> >> int sys_nnpfs_syscall(struct thread *, struct nnpfs_syscall_args *);
>> >> int sys_sigprocmask(struct thread *, struct sigprocmask_args *);
>> >> int sys_sigsuspend(struct thread *, struct sigsuspend_args *);
>> >> @@ -2527,9 +2531,6 @@ struct freebsd11_fhstat_args {
>> >> char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle *
>> >> u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
>> >> char sb_l_[PADL_(struct freebsd11_stat *)]; struct freebsd11_stat *
>> >> sb; char sb_r_[PADR_(struct freebsd11_stat *)];
>> >> };
>> >> -struct freebsd11_jail_args {
>> >> - char jail_l_[PADL_(struct jail *)]; struct jail * jail; char
>> >> jail_r_[PADR_(struct jail *)];
>> >> -};
>> >> struct freebsd11_kevent_args {
>> >> char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
>> >> char changelist_l_[PADL_(struct kevent_freebsd11 *)]; struct
>> >> kevent_freebsd11 * changelist; char changelist_r_[PADR_(struct
>> >> kevent_freebsd11 *)];
>> >> @@ -2578,7 +2579,6 @@ int freebsd11_nstat(struct thread *, struct
>> >> freebsd11_
>> >> int freebsd11_nfstat(struct thread *, struct freebsd11_nfstat_args
>> >> *);
>> >> int freebsd11_nlstat(struct thread *, struct freebsd11_nlstat_args
>> >> *);
>> >> int freebsd11_fhstat(struct thread *, struct freebsd11_fhstat_args
>> >> *);
>> >> -int freebsd11_jail(struct thread *, struct freebsd11_jail_args *);
>> >> int freebsd11_kevent(struct thread *, struct freebsd11_kevent_args
>> >> *);
>> >> int freebsd11_getfsstat(struct thread *, struct
>> >> freebsd11_getfsstat_args *);
>> >> int freebsd11_statfs(struct thread *, struct freebsd11_statfs_args
>> >> *);
>> >> @@ -2849,7 +2849,7 @@ int freebsd11_mknodat(struct thread *, struct
>> >> freebsd1
>> >> #define SYS_AUE_utrace AUE_NULL
>> >> #define SYS_AUE_freebsd4_sendfile AUE_SENDFILE
>> >> #define SYS_AUE_kldsym AUE_NULL
>> >> -#define SYS_AUE_freebsd11_jail AUE_JAIL
>> >> +#define SYS_AUE_jail AUE_JAIL
>> >> #define SYS_AUE_nnpfs_syscall AUE_NULL
>> >> #define SYS_AUE_sigprocmask AUE_SIGPROCMASK
>> >> #define SYS_AUE_sigsuspend AUE_SIGSUSPEND
>> >>
>> >>
>>