sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

imgact_binmisc: Optionally pre-open the interpreter vnode

This allows the use of chroot and/or jail environments which depend on
interpreters registed with imgact_binmisc to use emulator binaries from
the host to emulate programs inside the chroot.

Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D37432

imgact_binmisc: limit the extent of match on incoming entries

imgact_binmisc matches magic/mask from imgp->image_header, which is only a
single page in size mapped from the first page of an image. One can specify
an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to
256 bytes past the mapped first page.

The limitation is that we cannot specify a magic string that exceeds a
single page, and we can't allow offset + size to exceed a single page
either. A static assert has been added in case someone finds it useful to
try and expand the size, but it does seem a little unlikely.

While this looks kind of exploitable at a sideways squinty-glance, there are
a couple of mitigating factors:

1.) imgact_binmisc is not enabled by default,
2.) entries may only be added by the superuser,
3.) trying to exploit this information to read what's mapped past the end
would be worse than a root canal or some other relatably painful
experience, and
4.) there's no way one could pull this off without it being completely
obvious.

The first page is mapped out of an sf_buf, the implementation of which (or
lack thereof) depends on your platform.

MFC after: 1 week

imgact_binmisc: move some calculations out of the exec path

The offset we need to account for in the interpreter string comes in two
variants:

1. Fixed - macros other than #a that will not vary from invocation to
invocation
2. Variable - #a, which is substitued with the argv0 that we're replacing

Note that we don't have a mechanism to modify an existing entry. By
recording both of these offset requirements when the interpreter is added,
we can avoid some unnecessary calculations in the exec path.

Most importantly, we can know up-front whether we need to grab
calculate/grab the the filename for this interpreter. We also get to avoid
walking the string a first time looking for macros. For most invocations,
it's a swift exit as they won't have any, but there's no point entering a
loop and searching for the macro indicator if we already know there will not
be one.

While we're here, go ahead and only calculate the argv0 name length once per
invocation. While it's unlikely that we'll have more than one #a, there's no
reason to recalculate it every time we encounter an #a when it will not
change.

I have not bothered trying to benchmark this at all, because it's arguably a
minor and straightforward/obvious improvement.

MFC after: 1 week

imgact_binmisc: reorder members of struct imgact_binmisc_entry (NFC)

This doesn't change anything at the moment since the out-of-order elements
were a pair of uint32_t, but future additions may have caused unnecessary
padding by following the existing precedent.

MFC after: 1 week

imgact_binmisc: abstract away the list lock (NFC)

This module handles relatively few execs (initial qemu-user-static, then
qemu-user-static handles exec'ing itself for binaries it's already running),
but all execs pay the price of at least taking the relatively expensive
sx/slock to check for a match when this module is loaded. Future work will
almost certainly swap this out for another lock, perhaps an rmslock.

The RLOCK/WLOCK phrasing was chosen based on what the callers are really
wanting, rather than using the verbiage typically appropriate for an sx.

MFC after: 1 week

imgact_binmisc: validate flags coming from userland

We may want to reserve bits in the future for kernel-only use, so start
rejecting any that aren't the two that we're currently expecting from
userland.

MFC after: 1 week

imgact_binmisc: minor re-organization of imgact_binmisc_exec exits

Notably, streamline error paths through the existing 'done' label, making it
easier to quickly verify correct cleanup.

Future work might add a kernel-only flag to indicate that a interpreter uses
#a. Currently, all executions via imgact_binmisc pay the penalty of
constructing sname/fname, even if they will not use it. qemu-user-static
doesn't need it, the stock rc script for qemu-user-static certainly doesn't
use it, and I suspect these are the vast majority of (if not the only)
current users.

MFC after: 1 week

imgact_binmisc: fix up some minor nits

- Removed a bunch of redundant headers
- Don't explicitly initialize to 0
- The !error check prior to setting imgp->interpreter_name is redundant, all
error paths should and do return or go to 'done'. We have larger problems
otherwise.

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE. All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

Remove duplicated empty lines from kern/*.c

No functional changes.

Add helper functions to copy strings into struct image_args.

Given a zeroed struct image_args with an allocated buf member,
exec_args_add_fname() must be called to install a file name (or NULL).
Then zero or more calls to exec_args_add_env() followed by zero or
more calls to exec_args_add_env(). exec_args_adjust_args() may be
called after args and/or env to allow an interpreter to be prepended to
the argument list.

To allow code reuse when adding arg and env variables, begin_envv
should be accessed with the accessor exec_args_get_begin_envv()
which handles the case when no environment entries have been added.

Use these functions to simplify exec_copyin_args() and
freebsd32_exec_copyin_args().

Reviewed by: kib
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D15468

Use NULL for SYSINIT's last arg, which is a pointer type

Sponsored by: The FreeBSD Foundation

Use C99 designated initializers for struct execsw

It it makes use slightly more clear and facilitates grepping.

tighten buffer bounds in imgact_binmisc_populate_interp

We must ensure there's space for the terminating null in the temporary
buffer in imgact_binmisc_populate_interp().

Note that there's no buffer overflow here because xbe->xbe_interpreter's
length and null termination is checked in imgact_binmisc_add_entry()
before imgact_binmisc_populate_interp() is called. However, the latter
should correctly enforce its own bounds.

Reviewed by: sbruno
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10042

sys/kern: spelling fixes in comments.

No functional change.

Repair a overflow condition where a user could submit a string that was
not getting a proper bounds check.

Thanks to CTurt for pointing at this with a big red blinking neon sign.

PR: 206761
Submitted by: sson
Reviewed by: cturt@hardenedbsd.org
MFC after: 3 days

At the suggestion of jhb, replace atomic_set/clear calls with use of
exclusive locks in the enable/disable interpreter path.

Tested with WITNESS/INVARIANTS on and off.

Reviewed by: sson davide

Make imgact_binmisc_exec() static.

Submitted by: kib
Reviewed by: sson

Remove uneeded NULL check since malloc the malloc is now M_WAITOK

Submitted by: mjg

Must have one of either M_WAITOK or M_NOWAIT, read the man page bruno.

Submitted by: mjg

Feedback from commit r284535

davide: imgact_binmisc_clear_entry() needs to use atomic ops to remove
the enable bit.

kib: M_NOWAIT is not warranted and comment is invalid.

This change replaces the mutex with a sx lock for the interpreter list to
avoid the problem of holding a non-sleep lock during a page fault as
reported by witness. It also uses atomics where possible to avoid having
to acquire the exclusive lock. In addition, it consistently uses
memset()/memcpy() instead of bzero()/bcopy().

Differential Revision: https://reviews.freebsd.org/D1971
Submitted by: sson
Reviewed by: jhb

Revert 284029, update imgact_binmisctl.c change mtx to reader count, at the
request of the submitter.

Will attempt to use an sx_lock for this fix to WITNESS crashes in a later
revision.

Submitted by: sson

This change uses a reader count instead of holding the mutex for the
interpreter list to avoid the problem of holding a non-sleep lock during
a page fault as reported by witness. In addition, it consistently uses
memset()/memcpy() instead of bzero()/bcopy() except in the case where
bcopy() is required (i.e. overlapping copy).

Differential Revision: https://reviews.freebsd.org/D2123
Submitted by: sson
MFC after: 2 weeks
Relnotes: Yes

Allow multiple image activators to run on the same execution by changing
imgp->interpreted to a bitmask instead of, functionally, a bool. Each
imgactivator now requires its own flag in interpreted to indicate whether
or not it has already examined argv[0].

Change imgp->interpreted to an unsigned char to add one extra bit for
future use.

With this change, one can execute a shell script from a 64bit host native
make and still get the binmisc image activator to fire for the script
interpreter. Prior to this, execution would fail.

Phabric: https://reviews.freebsd.org/D696
Reviewed by: jhb@
MFC after: 4 weeks

sys/kern/imgact_binmisc.c -- free the right pointer mask vs magic

sys/sys/imagact_binmisc.h -- cleanup white space tabs vs spaces
-- remove stray " in comment

Submitted by: jmallett@

Add Stacey Son's binary activation patches that allow remapping of
execution to a emumation program via parsing of ELF header information.

With this kernel module and userland tool, poudriere is able to build
ports packages via the QEMU userland tools (or another emulator program)
in a different architecture chroot, e.g. TARGET=mips TARGET_ARCH=mips

I'm not connecting this to GENERIC for obvious reasons, but this should
allow the kernel module to be built by default and enable the building
of the userland tool (which automatically loads the kernel module).

Submitted by: sson@
Reviewed by: jhb@