Roll back to the original version and optimise only for the pid == curproc->p_pid case.

Shouldn't then CPUCLOCK_WHICH_PID case in kern_clock_getcpuclockid2 be amended?

I'll check pfind and create new review if needed.

Address @kib comment and check for tid too.

OK, let me take a look at creating some in-kernel interface for this.

I don't know if I understand. jexec uses exactly the same syscall, jail_attach to achieve the same effect. Putting ifconfig and route inside a jail allows even more actions to be taken by the in-jail admin.
Also, there is no obvious other way to achieve this with current API.
I see two other options: additional API to manage jails and vnet without attaching process to the jail, or finding a way to avoid duplicated interface names but adding some sort of unique id(?).

Address comments and sync with r325058.

Even better grammar!

Use proper diff.

man fixes: improve poor grammar, bump date, start sentences from new line.

As I wrote in a mail to @jhb - the idea is worth considering. I'd like to gather some feedback from broader audience as the code is in base now and start a new review with some ideas about polishing / improvements to the code.

Remove extra ENOSYS check and notification about lack of Capsicum support in the kernel.

@grehan capsicum @emaste Guys, can this be reviewed and accepted once again so it could be safely committed?

Remove now empty #ifdef.

@grehan Thank you for your help and the review.

Address @grehan comments:

• use bcopy instead of memcpy to be consistent with the rest of the code,
• use cap_ioctl_t instead of unsigned long,
• style(9) fixes.

Drop executable permission in mmap.

Allow pci_e82545 descriptor to be used by mevent.

Allow fsync(2) in block devices.

• Address @grehan comments
• Sync with r311881
• Small style fixes

• Address @grehan comments and move table with VM_ ioctls to a separate function in libvmmapi
• Style fixes here and there
• Sync with r310050

@lattera-gmail.com Thank you for the tests! I'd also want to appeal to anyone else who can help testing it in any configuration.

Fix regression when stdin/out/err fds are are overridden by shell.
Found by Kyua tests.

Wops, wrong differential, sorry.

Fix regression when stdin/out/err fds are are overridden by shell.
Found by Kyua tests.

Update diff with one that survived building head@r309672:

1. buildword && buildkernel on FreeBSD 10.3-R i386
2. universe on FreeBSD 11.0-R amd64

Since dd was removed from bootstrap in 309412, can this be recommitted?

Ping after two weeks of silence.

As I see libcapsicum is header only https://svnweb.freebsd.org/base/head/lib/libcapsicum/Makefile?revision=306726&view=markup.
The breakage was obviously caused by lack of that header in installed system older than 12-C.

Make it compile on older releases as dd is part of bootstrap and pre 12-C don't have capsicum_helpers.h installed.

In D8290#177495, @grehan wrote:

Does VNC disconnect/reconnect work ? (I'll try and test this out)

• be more consistent with lowercase in err().

Fix indentation.

Updated diff after requested changes.

Regenerate, this time with -U999999.

Regenerate patch.

• use helper instead of raw catopen
• remove unneeded call to cap_rights_remove
• sort capabilities alphabetically

• bvmcons, stdin/out/err, uart are now properly limited, that means that all descriptors used should be now properly restricted
• additionally tested with nmdm
• style fixes
• small rewrites to reduce capabilities

• apply some rights later to limit capabilities needed
• remove CAP_FCNTL in uart code after the last use
• regenerate diff to match phabricate preferences
• #ifndef some missed cases
• fix spurious tabs

Update diff:

Remove some spurious tabs to spaces.

Obviously it should be

Thank you for your work on that port.

In D2130#23, @mjg wrote:

Or to re-state, I consider userspace approach inherently flawed. I also consider a kernel one relatively easy to achieve (pass filesystem list along when the jail is created, then let the kernel act on it when it decides to kill the jail).

Thank you all for the constructive feedback. A bit of history. I wrote this more that two year ago as a quick hack to solve a problem of leftovers after removing jails using jids. From the two years perspective I see that now I'd write it differently.