Fix regression when stdin/out/err fds are are overridden by shell.
Found by Kyua tests.

Guys, are we happy with the state of things? I am keen to commit it, given relevant approval is provided.

Update diff with one that survived building head@r309672:

1. buildword && buildkernel on FreeBSD 10.3-R i386
2. universe on FreeBSD 11.0-R amd64

Should have ticked 'accept'

In D8543#180755, @pawel.biernacki-gmail.com wrote:

Since dd was removed from bootstrap in 309412, can this be recommitted?

Since dd was removed from bootstrap in 309412, can this be recommitted?

As I see libcapsicum is header only https://svnweb.freebsd.org/base/head/lib/libcapsicum/Makefile?revision=306726&view=markup.
The breakage was obviously caused by lack of that header in installed system older than 12-C.

See https://reviews.freebsd.org/D8605 for one possible resolution

I think we should have a fake libcapiscim that's all defeined as no-op success functions and add that to libegacy. We don't need to install the full libcapsicim and there's ordering issues trying to do so.

Thanks for you work, but I like more your previus patch :)
So I would like to fix the problem with that patch in a little different meaner basically install libcapsicum.
I will do that today, and replay your patch.

Reopening due to dd/build toolchain issues.

Make it compile on older releases as dd is part of bootstrap and pre 12-C don't have capsicum_helpers.h installed.

• be more consistent with lowercase in err().

Good work :)
Please just fix the error messages.

I think this looks good, and have asked @oshogbo if he can check again.

Fix indentation.

@oshogbo @allanjude It works for me, when I test it, so if I can get approval from someone with src commit bit, I am happy to commit it.

Updated diff after requested changes.

Regenerate, this time with -U999999.

Regenerate patch.

Minor style editing will be committed separately.

Suggestions by emaste.
Use flags instead of two booleans.

Fix copy/paste.

Add a knob to enable/disable dotdot lookups in cap mode. Restore pre-patch code to fail if dotdot parsed, and comments about that.

Remove nameicap_tracker_add() call from namei().

A fairly cursory look didn't turn up any obvious problems for me, but I would like to take a deeper look over the next few days.

Update comments.

Overall I like this approach, but there's an important experimental question as to whether this enables all the use cases we care about -- and, more generally, whether there are visible failure modes that might surprise application programmers. We also need to think quite hard to convince ourselves this maintains safe operation. Getting Jon Anderson, Ben Laurie, and David Drysdale to review the approach would be very useful.

In D8110#169002, @rwatson wrote:

In D8110#168999, @kib wrote:

Implement Jonathan Anderson suggestion of checking the result of dotdot lookup against the recorded list of traversed vnodes. Drop rename notifications. Check for dotdot vnodes living on local fs.

Possibly the Robert Watson suggestion. :-)

In D8110#168999, @kib wrote:

Implement Jonathan Anderson suggestion of checking the result of dotdot lookup against the recorded list of traversed vnodes. Drop rename notifications. Check for dotdot vnodes living on local fs.

Implement Jonathan Anderson suggestion of checking the result of dotdot lookup against the recorded list of traversed vnodes. Drop rename notifications. Check for dotdot vnodes living on local fs.

Construct a lookup tracker, which records the path by holding each directory vnode found during namei() operations. Simultaneously, all the directories are added to some global structure and marked by VOP_RENAME() implementations while tvp is still locked, as renamed.

I updated Makefile.depnd which was pointed out byt @bdrewery.
I update also some dependencies in libnames and BSD.debug.dist.

Please also update these as needed:

Code is also available at https://github.com/oshogbo/freebsd/tree/libcasper

Update according to David suggestion.
I forgot to commit changes about test, thanks!
You make very good points.

I *think* that nvlist_add_string() and friends don't cope with a NULL value, which means that all of the places where optional strings turn up in an API need to cope with absence. I've commented on a few such places, but there's probably more...