We've never seen this panic where *_fast_ipi() fails because a cpu isn't
responding. I don't think we can see the panic -- I think we are so low
that panic code will misbehave and more likely we see a hang.
It is easier to accept this impossible failure, decrement the counter, and
carry on.

Inside libc, getpwent.c does not use dbopen() and instead uses unexported
db functions. The copy of the code outside libc must use dbopen().
-DFORCE_DBOPEN was used with #ifdef, but now that the file is an edited copy
that is no longer necessary.

Add an additional "int fd" argument to the low-level db __{hash,rec,bt}_open()
functions to provide for the caller allocating the fd itself.
ok guenther

If a fd came from libc doing the __pledge_open(2) system call, do not
allow write(2), chmod(2), chflags(2), chown(2), ftruncate(2), or fd passing.
pledge_open(2) is an unexported interface that libc will use (soon) to
open 2 devices (null and tty), about 9 files (based upon pledge promises),
and files within the zoneinfo directory. This works because libc only
reads from those fds. Currently those files are openable by non-libc code,
but soon only static libc code will be able to do those opens.
This does not transition libc to using the new system call, yet.
Based upon long discussions with david leadbeater and beck.

Introduce __pledge_open(2) system call which is pretty much the same as
open(2), except libc will use it to differentiate certain well-controlled
pathnames which follow special rules in pledge and can be accessed even
when "rpath" or unveil(2) don't allow so.
The kernel gets the system call BEFORE libc starts using it; soon there
will be more commits which will require at least this kernel.
Long discussions with david leadbeater and beck

As a temporary hack, model the timezone change for America/Vancouver
as occurring on 2026-11-01 02:00, not on 2026-03-09. This allows
for a transition period where America/Vancouver still shows as PDT.
It also replaces "-07" with "MST" post-transition until such time
as a better abbreviation is chosen.

With its own daemonization / fd cleaning code, ssh-agent opens /dev/null
O_RDWR after a pledge without "wpath". This is allowed in current pledge
because "/dev/null" is implicitly allowed to be opened even with the most
restrictive pledges or unveils. This is a design decision in pledge made
at the very beginning, to satisfy libc requirements. We've finally had
enough experience and know how to fix that in the near future, but need
to review and fix all code which opens these implicit paths.
The fix is to add "wpath", so that "/dev/null" can be opened O_RDWR.
But that is uncomfortable, so we add unveil() allowing "/" with "r",
4 unveil "x" for the potential askpass and helpers to be execve'd,
and "/dev/null" with "wr". As a result filesystem access is substantially
more restricted than before, and ssh-agent is ready for the future pledge
change.
ok djm dtucker