Thanks!

Agreed out-of-band that it's fine to defer testing both behaviors for the time being

Throw this diff on top, please, and we have a deal:

In D55713#1274982, @leres wrote:

At first I tried to find a DL_* that would identify a symlink but could not (I think I tried DT_LNK). I also tried debugging the logic using lua from the command line but wasn't easily able to figure out how to use the luafilesystem port from the command line...

I recently learned enough lua to write a wireshark dissector and was *not* impressed with the online documentation available.

I'm willing to take another run at this; where are the DL_* tokens defined?

Happy with this as long as we tag the getopt-related incompatibility for relnotes. I suspect it's not a problem in practice, but we should still call it out.

Add flags to the mount_check_update for policies that may want to reject a
forced-unmount or handle unmount by-fsid differently

My draft policy that uses 2/3 is here: https://git.kevans.dev/kevans/mac_capsule/src/branch/main/mac_capsule.c -- my capsule implementation tries to prevent its parent from gaining visibility or operating in an active capsule's fs. This is somewhat effective because the capsule also can't be removed, so tampering with its fs means you'll need to catch it in the window between system startup and capsule startup, however narrow or wide that may be, or have physical access.

Remove useless cast

In D55323#1265205, @kib wrote:

AFAIR this is not a valid C++, if anybody cares.

Address review feedback

In D55286#1264421, @kib wrote:

Do we want to accept e.g. 'random_garbage:aaa' as the xattr name? I.e., if user put non-existing namespace before ':' should we silently do not find anything?

Tentatively seems fine, I'll do another pass tomorrow

Thanks!

Seems reasonable

Perfect, thanks! I'll just smash them together pre-commit since you've tested the end result.

I was looking over this again- I think its' technically incomplete because we're missing its complement over in /usr/share for the system-distributed files: http://people.freebsd.org/~kevans/zfscompat.diff -- I haven't had a chance (machine) to test it, but it'd probably be good to land these together if you can confirm.

In D55074#1258796, @garga wrote:

I'm gonna test it on my laptop but I believe you should uncomment tpm device on GENERIC together with this change

I')l plan on landing this later today if nobody else beats me to it. I don't believe we expect anything on the system to populate it, but failing to remove this part of the tree if the sysadmin has would be the expected behavior IMO -- we do the helpful thing in the common case, and the safe thing otherwise.

This has been lightly tested, but additional validation would be appreciated.