Wouldn't it be somewhat more consistent to use 'R' for option ?

Shouldn't some additional checks be done there ? E.g. verify that something is mounted (as a compliment to kernel, to avoid dangerous syscall), and that the type of the mounted fs is expected one (tmpfs) ?

This again raises the question of the MNT flag that could be checked to ensure that we unmount our fs.

Style: do not use initialization in local declarations.

Unneeded empty line.

Same.

Style. Put error declaration last.

I hoped that userpace part of reroot kills all user processes except init. Apparently it does not.
This exacerbates the issue of the kernel root remount being fragile and lacking any protection against parallel modifications of the mount list.

Unneeded empty line.

Why is this block moved ?

This sentence is not very clear. Maybe

After changing vfs.root.mountfrom with
.Xr kenv 8 ,
.Nm
can be used to change the root filesystem while preserving kernel state.

Simpler:

errx(1, "-r cannot be used with -d, -n, or -p");

s/Nobody but/Only/

Actually here it should read from the path provided by: kern.proc.pathname

Hm, all the other flags for reboot(8) are lowercase. Or did you mean to change "init -R" to "init -r"?

What's dangerous in unmount(2)? As for interfering: on one hand you're right, on the other - if someone wants to interfere with the operation, and they are UID 0, then it's their fault.

To make it possible to call that whole block from reroot(), so that initial part of reroot process looks to userspace just like shutdown.

Erm, what I meant was - all the other flags for init(8) are lowercase, so how does "-R" improve consistency?

I've added a call to kill(-1, SIGKILL) in reroot_phase_two().

I'd prefer to obtain init path in a single unified way. And the problem is, the executable is exec(2)ed twice, from different paths, so the kern.proc.pathname would return "/sbin/init" only the first time, and "/dev/reroot/init" after that.

Perhaps we should have a sysctl, eg. kern.init_path? An alternative would be to use kenv(2) to obtain "init_path", and use the default init path if not found. But what if the kernel chose some other value, eg. in /rescue?

Several lines below, where you handle options for pid == 1 (i.e. reexec) case, you use '-R'. In fact I think that the re-exec flag should be changed to -r.

System should be as tamper-resistant as it could be, but not prevent users from being ingenious in their system usage. I do not see any useful consequences in tricking init into unmounting something which was not mounted transiently by reroot. In other words, the check could protect a mistaken user from destroying the system.

Ok, let me explain my question explicitely. The runshutdown() function was clean, it executed /etc/rc.shutdown script and that was all. The death() state handler brings system to the single mode, it needs to execute several steps, like shut down the getty sessions, run the rc.shutdown, switch state to single user and so on.

If you want to get the functionality of shutting down getty sessions + rc.shutdown, you should move getty code into new helper, and call the new helper and runshutdown() from that place, instead of hacking runshutdown.

I understand your point, but still - if a "mistaken user" manages to mount something on /dev/reroot/ during root mount, before even the init(8) gets started, then... well, it's their fault. There is no way to do it by accident.

Ah, you're right. Fixed.

Should be in alpha order?

When is howto & RB_REROOT anything other than 0 or RB_REROOT?

I'm not sure, but other programs using it - eg mount(8) - do it in this order.

Fixed, thanks.

respecting init_path from loader.conf/kenv is good enough for my usecase, for sure the current mechanism does not work for my use case.

Ok, I made it use init_path. Please test it to see if the semantics fits your use case.