capsicum.h: Include ktrace.h only in kernel

Fix cross build failure by including ktrace.h only when _KERNEL is
defined.

Fixes: 9bec84131215
Approved by: markj (mentor)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation

ktrace: Record detailed ECAPMODE violations

When a Capsicum violation occurs in the kernel, ktrace will now record
detailed information pertaining to the violation.

For example:
- When a namei lookup violation occurs, ktrace will record the path.
- When a signal violation occurs, ktrace will record the signal number.
- When a sendto(2) violation occurs, ktrace will record the recipient
sockaddr.

For all violations, the syscall and ABI is recorded.

kdump is also modified to display this new information to the user.

Reviewed by: oshogbo, markj
Approved by: markj (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D40676

capsicum: introduce cap_rights_is_empty Function

Before this commit, we only had the capability to check if a specific
capability was set (using cap_rights_is_set function). However, there
was no efficient method to determine if a cap_rights_t structure doesn't
contain any capability. The cap_rights_is_empty function addresses
this gap.

PR: 275330
Reported by: vini.ipsmaker@gmail.com
Reviewed by: emaste, markj
Differential Revision: https://reviews.freebsd.org/D42780

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

sys: Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

capsicum: move global caps to caprights.h

.. for easier inclusion

Remove unused SYSINIT macros for capability rights.

Static rights are initialized in cap_rights_sysinit().

MFC after: 1 week

capsicum: add cap_rights_init_zero, cap_rights_init_one, cap_rights_set_one

... which allow the compiler to generate relevant code in place without
resorting to calling to a routine at runtime.

u_char -> vm_prot_t in a couple of places, NFC

The latter is a typedef of the former; the typedef exists and these bits are
representing vmprot values, so use the correct type.

Submitted by: sigsys@gmail.com
MFC after: 3 days

capsicum: restore the cap_rights_contains symbol

It is expected to be provided by libc.

PR: 244033
Reported by: Jan Kokemueller

fd: streamline fget_unlocked

clang has the unfortunate property of paying little attention to prediction
hints when faced with a loop spanning the majority of the rotuine.

In particular fget_unlocked has an unlikely corner case where it starts almost
from scratch. Faced with this clang generates a maze of taken jumps, whereas
gcc produces jump-free code (in the expected case).

Work around the problem by providing a variant which only tries once and
resorts to calling the original code if anything goes wrong.

While here note that the 'seq' parameter is almost never passed, thus the
seldom users are redirected to call it directly.

capsicum: faster cap_rights_contains

Instead of doing a 2 iteration loop (determined at runeimt), take advantage
of the fact that the size is already known.

While here provdie cap_check_inline so that fget_unlocked does not have to
do a function call.

Verified with the capsicum suite /usr/tests.

Remove references to pdwait4(2) and `CAP_PDWAIT` from rights(4)

@cem removed references to pdwait4(2) (a nonexistent syscall) in
r320058.

This change removes references to pdwait4(2) and `CAP_PDWAIT` in
rights(4) to not mislead the user into thinking that pdwait4(2)/`CAP_PDWAIT` is
actually implemented in the stock FreeBSD kernel.

The goal of this functionality was to simplify monitoring/manipulating
processes started with `pdfork`, et al, and avoid races with waiting on pids.
The syscall was never completed though--just discussed on the capsicum mailing
list back in 2015:
https://lists.cam.ac.uk/pipermail/cl-capsicum-discuss/2015-May/msg00012.html
. That being said, there are members of the project (@rwatson, etc) who
have longterm goals to implement this syscall to better secure pdfork(2)
calls.

PR: 235871
Reviewed by: emaste
Discussed with: rwatson
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D18950

capsicum: provide cap_rights_fde_inline

Reading caps is in the hot path (on each successful fd lookup), but
completely unnecessarily requires a function call.

Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation

kern_sendit: use pre-initialized rights

Add additional preinitialized cap_rights

capsicum: propagate const correctness

Eliminate the overhead of gratuitous repeated reinitialization of cap_rights

- Add macros to allow preinitialization of cap_rights_t.

- Convert most commonly used code paths to use preinitialized cap_rights_t.
A 3.6% speedup in fstat was measured with this change.

Reported by: mjg
Reviewed by: oshogbo
Approved by: sbruno
MFC after: 1 month

Change trap_enotcap to bool and annotate with __read_frequently

It is read on each return to user space.

SPDX: mostly fixes to previous changes.

Introduce the recently approved BSD-1-Clause and replace 0BSD which
never did fit well our use cases.

Add PROC_TRAPCAP procctl(2) controls and global sysctl kern.trap_enocap.

Both can be used to cause processes in capability mode to receive
SIGTRAP when ENOTCAPABLE or ECAPMODE errors are returned from
syscalls.

Idea by: emaste
Reviewed by: oshogbo (previous version), emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D7965

Decompose linkat()/renameat() rights to source and target.

To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.

This also addresses a shortcoming in Capsicum, where it isn't possible
to disable linking to files stored in a directory. Creating hardlinks
essentially makes it possible to access files with additional rights.

Reviewed by: rwatson, wblock
Differential Revision: https://reviews.freebsd.org/D3411

Allow cap_rights_{set,clear,is_set} to be called with no arguments.

In the CloudABI code I sometimes call into cap_rights_* without
providing any arguments. Though one could argue that this doesn't make
sense, in this specific case it's hard to avoid, as the rights that
should be tested against are forwarded by a couple of wrapper macros.

Introduce a cap_ioctl_t used for the 'cmds' arguments to cap_ioctls_limit()
and cap_ioctls_get(). On FreeBSD, these are 'unsigned long', but on Linux,
ioctl(2) takes an 'int', making mild abstraction desirable.

MFC after: 3 days
Sponsored by: Google, Inc.

Add futimens and utimensat system calls.

The core kernel part is patch file utimes.2008.4.diff from
pluknet@FreeBSD.org. I updated the code for API changes, added the manual
page and added compatibility code for old kernels. There is also audit and
Capsicum support.

A new UTIME_* constant might allow setting birthtimes in future.

Differential Revision: https://reviews.freebsd.org/D1426
Submitted by: pluknet (partially)
Reviewed by: delphij, pluknet, rwatson
Relnotes: yes

Make sure CAP_BINDAT and CAP_CONNECTAT are part of CAP_ALL0.

This makes sure that file descriptors of opened directories will
actually get these capabilities. Without this change, bindat() and
connectat() don't seem to work for me.

MFC after: 2 weeks
Reviewed by: rwatson, pjd

Prepare fget_unlocked for reading fd table only once.

Some capsicum functions accept fdp + fd and lookup fde based on that.
Add variants which accept fde.

Reviewed by: pjd
MFC after: 1 week

sys/capsicum.h: Remove not very useful visibility guards.

Since <sys/capsicum.h> does not comply to any standards, standards-compliant
applications do not include it and it is not useful to restrict what is
exposed depending on the requested standard.

In addition, the use of types like u_int makes the header fail in strict
standards compliance modes anyway.

Rename capability.h to capsicum.h: the original name conflicts with the
draft POSIX.1e capability.h used on some systems (e.g., Linux). On
FreeBSD, leave a wrapper header so that current code continues to compile.

We will eventually want to deprecate the old header as the presence of a
capability.h may be confusing some configure scripts.

Suggested by: David Drysdale <drysdale at google.com>
Discussed on: cl-capsicum-discuss
MFC after: 3 weeks