11 files changed, 470 insertions, 92 deletions

diff --git a/lib/libsys/Symbol.map b/lib/libsys/Symbol.map
index eb71c813ae86..ae12124ca210 100644
--- a/lib/libsys/Symbol.map
+++ b/lib/libsys/Symbol.map
@@ -4,10 +4,4 @@ FBSDprivate_1.0 {
 	__getosreldate;
 	__libsys_interposing_slot;
 	_elf_aux_info;
-	freebsd11_fstat;
-	freebsd11_fstatat;
-	freebsd11_getfsstat;
-	freebsd11_lstat;
-	freebsd11_stat;
-	freebsd11_statfs;
 };
diff --git a/lib/libsys/Symbol.sys.map b/lib/libsys/Symbol.sys.map
index 45e0160100af..e3fd8ac10621 100644
--- a/lib/libsys/Symbol.sys.map
+++ b/lib/libsys/Symbol.sys.map
@@ -89,7 +89,6 @@ FBSD_1.0 {
 	geteuid;
 	getfh;
 	getgid;
-	getgroups;
 	getitimer;
 	getpagesize;
 	getpeername;
@@ -204,7 +203,6 @@ FBSD_1.0 {
 	setegid;
 	seteuid;
 	setgid;
-	setgroups;
 	setitimer;
 	setlogin;
 	setpgid;
@@ -380,11 +378,15 @@ FBSD_1.7 {
 FBSD_1.8 {
 	exterrctl;
 	fchroot;
+	getgroups;
 	getrlimitusage;
 	inotify_add_watch_at;
 	inotify_rm_watch;
+	jail_attach_jd;
+	jail_remove_jd;
 	kcmp;
 	setcred;
+	setgroups;
 };
 
 FBSDprivate_1.0 {
diff --git a/lib/libsys/_libsys.h b/lib/libsys/_libsys.h
index 2f89e8fea92b..6bd768708a78 100644
--- a/lib/libsys/_libsys.h
+++ b/lib/libsys/_libsys.h
@@ -121,8 +121,6 @@ typedef int (__sys_munmap_t)(void *, size_t);
 typedef int (__sys_mprotect_t)(void *, size_t, int);
 typedef int (__sys_madvise_t)(void *, size_t, int);
 typedef int (__sys_mincore_t)(const void *, size_t, char *);
-typedef int (__sys_getgroups_t)(int, gid_t *);
-typedef int (__sys_setgroups_t)(int, const gid_t *);
 typedef int (__sys_getpgrp_t)(void);
 typedef int (__sys_setpgid_t)(int, int);
 typedef int (__sys_setitimer_t)(int, const struct itimerval *, struct itimerval *);
@@ -468,6 +466,10 @@ typedef int (__sys_setcred_t)(u_int, const struct setcred *, size_t);
 typedef int (__sys_exterrctl_t)(u_int, u_int, void *);
 typedef int (__sys_inotify_add_watch_at_t)(int, int, const char *, uint32_t);
 typedef int (__sys_inotify_rm_watch_t)(int, int);
+typedef int (__sys_getgroups_t)(int, gid_t *);
+typedef int (__sys_setgroups_t)(int, const gid_t *);
+typedef int (__sys_jail_attach_jd_t)(int);
+typedef int (__sys_jail_remove_jd_t)(int);
 
 _Noreturn void __sys__exit(int rval);
 int __sys_fork(void);
@@ -525,8 +527,6 @@ int __sys_munmap(void * addr, size_t len);
 int __sys_mprotect(void * addr, size_t len, int prot);
 int __sys_madvise(void * addr, size_t len, int behav);
 int __sys_mincore(const void * addr, size_t len, char * vec);
-int __sys_getgroups(int gidsetsize, gid_t * gidset);
-int __sys_setgroups(int gidsetsize, const gid_t * gidset);
 int __sys_getpgrp(void);
 int __sys_setpgid(int pid, int pgid);
 int __sys_setitimer(int which, const struct itimerval * itv, struct itimerval * oitv);
@@ -872,6 +872,10 @@ int __sys_setcred(u_int flags, const struct setcred * wcred, size_t size);
 int __sys_exterrctl(u_int op, u_int flags, void * ptr);
 int __sys_inotify_add_watch_at(int fd, int dfd, const char * path, uint32_t mask);
 int __sys_inotify_rm_watch(int fd, int wd);
+int __sys_getgroups(int gidsetsize, gid_t * gidset);
+int __sys_setgroups(int gidsetsize, const gid_t * gidset);
+int __sys_jail_attach_jd(int fd);
+int __sys_jail_remove_jd(int fd);
 __END_DECLS
 
 #endif /* __LIBSYS_H_ */
diff --git a/lib/libsys/copy_file_range.2 b/lib/libsys/copy_file_range.2
index bcd9170842d5..829a5a5d3c13 100644
--- a/lib/libsys/copy_file_range.2
+++ b/lib/libsys/copy_file_range.2
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 28, 2023
+.Dd August 16, 2025
 .Dt COPY_FILE_RANGE 2
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@ argument must be opened for reading and the
 .Fa outfd
 argument must be opened for writing, but not
 .Dv O_APPEND .
+.Pp
 If
 .Fa inoffp
 or
@@ -101,9 +102,29 @@ respectively will be used/updated and the file offset for
 or
 .Fa outfd
 respectively will not be affected.
-The
+.Pp
+The only
+.Fa flags
+argument currently defined is
+.Dv COPY_FILE_RANGE_CLONE .
+When this flag is set,
+.Fn copy_file_range
+will return
+.Er EOPNOTSUPP
+if the copy cannot be done via
+block cloning.
+When
 .Fa flags
-argument must be 0.
+is 0, a file system may do the copy via block cloning
+or by data copying.
+Block cloning is only possible when the offsets (plus
+.Fa len
+if not to EOF on the input file) are block
+aligned.
+The correct block alignment can normally be acquired via the
+.Dv _PC_CLONE_BLKSIZE
+query for
+.Xr pathconf 2 .
 .Pp
 This system call attempts to maintain holes in the output file for
 the byte range being copied.
@@ -203,9 +224,15 @@ refers to a directory.
 File system that stores
 .Fa outfd
 is full.
+.It Bq Er EOPNOTSUPP
+Cannot do the copy via block cloning and the
+.Dv COPY_FILE_RANGE_CLONE
+.Fa flags
+argument is specified.
 .El
 .Sh SEE ALSO
-.Xr lseek 2
+.Xr lseek 2 ,
+.Xr pathconf 2
 .Sh STANDARDS
 The
 .Fn copy_file_range
diff --git a/lib/libsys/getgroups.2 b/lib/libsys/getgroups.2
index 91cca2748ec2..4881a65d532e 100644
--- a/lib/libsys/getgroups.2
+++ b/lib/libsys/getgroups.2
@@ -1,5 +1,13 @@
+.\"-
+.\" SPDX-License-Identifier: BSD-3-Clause
+.\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
+.\" Copyright (c) 2025 The FreeBSD Foundation
+.\"
+.\" Portions of this documentation were written by Olivier Certner
+.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
+.\" Foundation.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -25,12 +33,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd January 21, 2011
+.Dd September 17, 2025
 .Dt GETGROUPS 2
 .Os
 .Sh NAME
 .Nm getgroups
-.Nd get group access list
+.Nd get the calling process' supplementary groups
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
@@ -40,36 +48,39 @@
 .Sh DESCRIPTION
 The
 .Fn getgroups
-system call
-gets the current group access list of the user process
-and stores it in the array
-.Fa gidset .
-The
+system call gets the calling process' supplementary groups and stores them in
+the
+.Fa gidset
+array in strictly ascending order.
+The value of
 .Fa gidsetlen
-argument
-indicates the number of entries that may be placed in
+indicates the maximum number of entries that may be placed in
 .Fa gidset .
-The
-.Fn getgroups
-system call
-returns the actual number of groups returned in
-.Fa gidset .
-At least one and as many as {NGROUPS_MAX}+1 values may be returned.
+.Pp
 If
 .Fa gidsetlen
 is zero,
 .Fn getgroups
-returns the number of supplementary group IDs associated with
-the calling process without modifying the array pointed to by
+returns the cardinal of the calling process' supplementary groups set and
+ignores argument
 .Fa gidset .
 .Pp
+No more than
+.Dv {NGROUPS_MAX}
+values may ever be returned.
 The value of
 .Dv {NGROUPS_MAX}
 should be obtained using
 .Xr sysconf 3
 to avoid hard-coding it into the executable.
 .Sh RETURN VALUES
-A successful call returns the number of groups in the group set.
+On success, the
+.Fn getgroups
+system call returns the cardinal of the supplementary groups set.
+It always succeeds if argument
+.Fa gidsetlen
+is zero.
+.Pp
 A value of -1 indicates that an error occurred, and the error
 code is stored in the global variable
 .Va errno .
@@ -81,12 +92,12 @@ are:
 .It Bq Er EINVAL
 The argument
 .Fa gidsetlen
-is smaller than the number of groups in the group set.
+is smaller than the number of supplementary groups
+.Pq but not zero .
 .It Bq Er EFAULT
-The argument
+An invalid address was encountered while reading from the
 .Fa gidset
-specifies
-an invalid address.
+array.
 .El
 .Sh SEE ALSO
 .Xr setgroups 2 ,
@@ -96,9 +107,51 @@ an invalid address.
 The
 .Fn getgroups
 system call conforms to
-.St -p1003.1-2008 .
+.St -p1003.1-2008
+with the additional properties that supplementary groups are reported in
+strictly ascending order and the returned size coincides with the cardinal of
+the set.
 .Sh HISTORY
 The
 .Fn getgroups
 system call appeared in
 .Bx 4.2 .
+.Pp
+Since
+.Fx 14.3 ,
+the
+.Fn getgroups
+system call has treated the supplementary groups as a set, reporting them in
+strictly ascending order and returning the cardinal of the set.
+.Pp
+Before
+.Fx 15.0 ,
+the
+.Fn getgroups
+system call would additionally return the effective group ID as the first
+element of the array, before the supplementary groups.
+.Sh SECURITY CONSIDERATIONS
+The
+.Fn getgroups
+system call gets the supplementary groups set in the
+.Fa gidset
+array.
+In particular, as evoked in
+.Sx HISTORY ,
+it does not anymore retrieve the effective GID in the first slot of
+.Fa gidset .
+Programs should not make any assumption about which group is placed in the first
+slot of
+.Fa gidset
+other than it being the supplementary group with smallest GID.
+.Pp
+The effective GID is present in the supplementary groups set if and only if it
+was explicitly set as a supplementary group.
+The function
+.Fn initgroups
+enforces that, while the
+.Fn setgroups
+system call does not.
+Please consult the
+.Xr initgroups 3
+manual page for the rationale.
diff --git a/lib/libsys/jail.2 b/lib/libsys/jail.2
index 8f8b9925c712..ee4e5b03d38e 100644
--- a/lib/libsys/jail.2
+++ b/lib/libsys/jail.2
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 29, 2023
+.Dd September 15, 2025
 .Dt JAIL 2
 .Os
 .Sh NAME
@@ -31,7 +31,9 @@
 .Nm jail_get ,
 .Nm jail_set ,
 .Nm jail_remove ,
-.Nm jail_attach
+.Nm jail_attach ,
+.Nm jail_remove_jd ,
+.Nm jail_attach_jd
 .Nd create and manage system jails
 .Sh LIBRARY
 .Lb libc
@@ -44,6 +46,10 @@
 .Fn jail_attach "int jid"
 .Ft int
 .Fn jail_remove "int jid"
+.Ft int
+.Fn jail_attach_jd "int fd"
+.Ft int
+.Fn jail_remove_jd "int fd"
 .In sys/uio.h
 .Ft int
 .Fn jail_get "struct iovec *iov" "u_int niov" "int flags"
@@ -188,6 +194,29 @@ system call.
 This is deprecated in
 .Fn jail_set
 and has no effect.
+.It Dv JAIL_USE_DESC
+Identify the jail by a descriptor in the
+.Va desc
+parameter.
+.It Dv JAIL_AT_DESC
+Operate in the context of the jail described by the
+.Va desc
+parameter, instead of the current jail.
+Only one of
+.Dv JAIL_USE_DESC
+or
+.Dv JAIL_AT_DESC
+may be specified.
+.It Dv JAIL_GET_DESC
+Return a new jail descriptor for the jail in the
+.Va desc
+parameter.
+.It Dv JAIL_OWN_DESC
+Return an
+.Dq owning
+jail descriptor in the
+.Va desc
+parameter.
 .El
 .Pp
 The
@@ -221,6 +250,9 @@ arguments consists of one or more following flags:
 .Bl -tag -width indent
 .It Dv JAIL_DYING
 Allow getting a jail that is in the process of being removed.
+.It Dv JAIL_USE_DESC , Dv JAIL_AT_DESC , Dv JAIL_GET_DESC , Dv JAIL_OWN_DESC
+These have the same meaning as they do in
+.Fn jail_set .
 .El
 .Pp
 The
@@ -238,6 +270,76 @@ system call removes the jail identified by
 .Fa jid .
 It will kill all processes belonging to the jail, and remove any children
 of that jail.
+.Pp
+The
+.Fn jail_attach_fd
+and
+.Fn jail_remove_fd
+system calls work the same as
+.Fn jail_attach
+and
+.Fn jail_remove ,
+except that they operate on the jail identified by jail descriptor
+.Fa fd .
+.Ss Jail Descriptors
+In addition to the jail ID,
+jails can be referred to using a jail descriptor,
+a type of file descriptor tied to a particular jail.
+Jail descriptors are created by calling
+.Fn jail_set
+or
+.Fn jail_get
+with the special parameter
+.Va desc ,
+and either the
+.Dv JAIL_GET_DESC
+or
+.Dv JAIL_OWN_DESC
+flags set.
+The difference between the two flags is that descriptors created with
+.Dv JAIL_OWN_DESC
+.Po
+called
+.Dq owning
+descriptors
+.Pc
+will automatically remove the jail when the descriptor is closed.
+.Pp
+Jail descriptors can be passed back to
+.Fn jail_set
+or
+.Fm jail_get
+with the
+.Va desc
+parameter,
+and either the
+.Dv JAIL_USE_DESC
+or
+.Dv JAIL_AT_DESC
+flags set.
+With
+.Dv JAIL_USE_DESC ,
+the descriptor identifies the jail to operate on,
+instead of the
+.Va jid
+or
+.Va name
+parameter.
+With
+.Dv JAIL_AT_DESC ,
+the descriptor is used in place of the current jail,
+allowing accessing or creating jails that are children of the
+descriptor jail.
+.Pp
+The system calls
+.Fn jail_attach_jd
+and
+.Fn jail_aremove_jd
+work the same as
+.Fn jail_attach
+and
+.Fn jail_remove ,
+except that they operate on the jail referred to by the passed descriptor.
 .Sh RETURN VALUES
 If successful,
 .Fn jail ,
@@ -249,7 +351,7 @@ They return \-1 on failure, and set
 .Va errno
 to indicate the error.
 .Pp
-.Rv -std jail_attach jail_remove
+.Rv -std jail_attach jail_remove jail_attach_jd jail_remove_jd
 .Sh ERRORS
 The
 .Fn jail
@@ -281,6 +383,13 @@ the super-user, or because it would exceed the jail's
 .Va children.max
 limit.
 .It Bq Er EPERM
+The jail descriptor in the
+.Va desc
+parameter was created by a user other than the super-user,
+and the
+.Dv JAIL_USE_DESC
+flag was set.
+.It Bq Er EPERM
 A jail parameter was set to a less restrictive value then the current
 environment.
 .It Bq Er EFAULT
@@ -298,8 +407,12 @@ flag is not set.
 .It Bq Er ENOENT
 The jail referred to by a
 .Va jid
-is not accessible by the process, because the process is in a different
-jail.
+parameter is not accessible by the process, because the process is in a
+different jail.
+.It Bq Er ENOENT
+The jail referred to by a
+.Va desc
+parameter has been removed.
 .It Bq Er EEXIST
 The jail referred to by a
 .Va jid
@@ -326,6 +439,24 @@ flags is not set.
 A supplied string parameter is longer than allowed.
 .It Bq Er EAGAIN
 There are no jail IDs left.
+.It Bq Er EMFILE
+A jail descriptor could not be created for the
+.Va desc
+parameter with either the
+.Dv JAIL_GET_DESC
+or
+.Dv JAIL_OWN_DESC
+flag set,
+because the process has already reached its limit for open file descriptors.
+.It Bq Er ENFILE
+A jail descriptor could not be created for the
+.Va desc
+parameter with either the
+.Dv JAIL_GET_DESC
+or
+.Dv JAIL_OWN_DESC
+flag set,
+because the system file table is full.
 .El
 .Pp
 The
@@ -333,10 +464,6 @@ The
 system call
 will fail if:
 .Bl -tag -width Er
-.It Bq Er EFAULT
-.Fa Iov ,
-or one of the addresses contained within it,
-points to an address outside the allocated address space of the process.
 .It Bq Er ENOENT
 The jail referred to by a
 .Va jid
@@ -352,10 +479,37 @@ jail.
 The
 .Va lastjid
 parameter is greater than the highest current jail ID.
+.It Bq Er ENOENT
+The jail referred to by a
+.Va desc
+parameter has been removed
+.Pq even if the Dv JAIL_CREATE flag has been set .
 .It Bq Er EINVAL
 A supplied parameter is the wrong size.
 .It Bq Er EINVAL
+A supplied parameter is out of range.
+.It Bq Er EINVAL
+A supplied string parameter is not null-terminated.
+.It Bq Er EINVAL
 A supplied parameter name does not match any known parameters.
+.It Bq Er EMFILE
+A jail descriptor could not be created for the
+.Va desc
+parameter with either the
+.Dv JAIL_GET_DESC
+or
+.Dv JAIL_OWN_DESC
+flag set,
+because the process has already reached its limit for open file descriptors.
+.It Bq Er ENFILE
+A jail descriptor could not be created for the
+.Va desc
+parameter with either the
+.Dv JAIL_GET_DESC
+or
+.Dv JAIL_OWN_DESC
+flag set,
+because the system file table is full.
 .El
 .Pp
 The
@@ -373,14 +527,37 @@ The jail specified by
 does not exist.
 .El
 .Pp
+The
+.Fn jail_attach_jd
+and
+.Fn jail_remove_jd
+system calls
+will fail if:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The
+.Fa fd
+argument is not a valid jail descriptor.
+.It Bq Er EPERM
+The jail descriptor was created by a user other than the super-user.
+.It Bq Er EINVAL
+The jail specified by
+.Fa jid
+has been removed.
+.El
+.Pp
 Further
 .Fn jail ,
 .Fn jail_set ,
+.Fn jail_attach ,
 and
-.Fn jail_attach
+.Fn jail_attach_jd
 call
 .Xr chroot 2
 internally, so they can fail for all the same reasons.
+In particular, they return the
+.Bq Er EPERM
+error when the process to join a jail has open directories.
 Please consult the
 .Xr chroot 2
 manual page for details.
diff --git a/lib/libsys/kqueue.2 b/lib/libsys/kqueue.2
index d6e949baa24c..96c9b0222a37 100644
--- a/lib/libsys/kqueue.2
+++ b/lib/libsys/kqueue.2
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd March 26, 2023
+.Dd September 12, 2025
 .Dt KQUEUE 2
 .Os
 .Sh NAME
@@ -593,6 +593,64 @@ returns the number of times the signal has occurred since the last call to
 This filter automatically sets the
 .Dv EV_CLEAR
 flag internally.
+.It Dv EVFILT_JAIL
+Takes the jail ID to monitor as the identifier and the events to watch for
+in
+.Va fflags ,
+and returns when the jail performs one or more of the requested events.
+If a process can normally see a jail, it can attach an event to it.
+An identifier of zero will watch the process's own jail.
+The events to monitor are:
+.Bl -tag -width "Dv NOTE_JAIL_ATTACH"
+.It Dv NOTE_JAIL_SET
+The jail has been changed via
+.Xr jail_set 2 .
+.It Dv NOTE_JAIL_ATTACH
+A process has attached to the jail via
+.Xr jail_attach 2
+or a similar call.
+The process ID will be stored in
+.Va data .
+If more than one process has attached since the last call to
+.Fn kevent ,
+.Va data
+will be zero.
+.It Dv NOTE_JAIL_REMOVE
+The jail has been removed.
+.It Dv NOTE_JAIL_CHILD
+A child of the watched jail has been created.
+Its jail ID will be stored in
+.Va data .
+If more than one jail has been created since the last call to
+.Fn kevent ,
+.Va data
+will be zero.
+.El
+.Pp
+On return,
+.Va fflags
+contains the events which triggered the filter.
+It will also contain
+.Dv NOTE_JAIL_MULTI
+if more than one
+.Dv NOTE_JAIL_ATTACH
+or
+.Dv NOTE_JAIL_CHILD
+event has been received since the last call to
+.Fn kevent .
+.It Dv EVFILT_JAILDESC
+Takes a jail descriptor returned by
+.Xr jail_set 2
+or
+.Xr jail_get 2
+as the identifier and the events to watch for in
+.Va fflags ,
+and returns when the jail performs one or more of the requested events.
+The events to monitor and the resulting
+.Va fflags
+are the same as those listed in
+.Dv EVFILT_JAIL ,
+above.
 .It Dv EVFILT_TIMER
 Establishes an arbitrary timer identified by
 .Va ident .
diff --git a/lib/libsys/setcred.2 b/lib/libsys/setcred.2
index 86f61ddfdb30..f5d1f15b631b 100644
--- a/lib/libsys/setcred.2
+++ b/lib/libsys/setcred.2
@@ -6,7 +6,7 @@
 .\" This documentation was written by Olivier Certner <olce.freebsd@certner.fr>
 .\" at Kumacom SARL under sponsorship from the FreeBSD Foundation.
 .\"
-.Dd December 19, 2024
+.Dd August 29, 2025
 .Dt SETCRED 2
 .Os
 .Sh NAME
@@ -119,11 +119,6 @@ It must be less than or equal to
 An array of IDs to set the supplementary groups to, if flag
 .Dv SETCREDF_SUPP_GROUPS
 is specified.
-Note that all groups in this array will be set as supplementary groups only, in
-contrast to
-.Xr setgroups 2
-which treats the first element specially as the new effective group, not adding
-it to supplementary groups.
 .It Fa sc_label
 A pointer to a valid MAC label structure, e.g., built with the
 .Xr mac_from_text 3
diff --git a/lib/libsys/setgroups.2 b/lib/libsys/setgroups.2
index a226aeafea96..0ec99507cfb0 100644
--- a/lib/libsys/setgroups.2
+++ b/lib/libsys/setgroups.2
@@ -1,5 +1,13 @@
+.\"-
+.\" SPDX-License-Identifier: BSD-3-Clause
+.\"
 .\" Copyright (c) 1983, 1991, 1993, 1994
 .\"	The Regents of the University of California.  All rights reserved.
+.\" Copyright (c) 2025 The FreeBSD Foundation
+.\"
+.\" Portions of this documentation were written by Olivier Certner
+.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
+.\" Foundation.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -25,12 +33,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd January 19, 2018
+.Dd September 17, 2025
 .Dt SETGROUPS 2
 .Os
 .Sh NAME
 .Nm setgroups
-.Nd set group access list
+.Nd set the calling process' supplementary groups
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
@@ -41,35 +49,21 @@
 .Sh DESCRIPTION
 The
 .Fn setgroups
-system call
-sets the group access list of the current user process
-according to the array
-.Fa gidset .
+system call sets the calling process' supplementary groups according to the
+.Fa gidset
+array.
 The
 .Fa ngroups
-argument
-indicates the number of entries in the array and must be no
-more than
-.Dv {NGROUPS_MAX}+1 .
+argument indicates the number of entries in the array and must be no more than
+.Dv {NGROUPS_MAX} .
 .Pp
-Only the super-user may set a new group list.
+The
+.Fa ngroups
+argument may be set to zero to clear all supplementary groups, in which case
+.Fa gidset
+is ignored.
 .Pp
-The first entry of the group array
-.Pq Va gidset[0]
-is used as the effective group-ID for the process.
-This entry is over-written when a setgid program is run.
-To avoid losing access to the privileges of the
-.Va gidset[0]
-entry, it should be duplicated later in the group array.
-By convention,
-this happens because the group value indicated
-in the password file also appears in
-.Pa /etc/group .
-The group value in the password file is placed in
-.Va gidset[0]
-and that value then gets added a second time when the
-.Pa /etc/group
-file is scanned to create the group set.
+Only the super-user may install a new supplementary groups set.
 .Sh RETURN VALUES
 .Rv -std setgroups
 .Sh ERRORS
@@ -83,19 +77,86 @@ The caller is not the super-user.
 The number specified in the
 .Fa ngroups
 argument is larger than the
-.Dv {NGROUPS_MAX}+1
+.Dv {NGROUPS_MAX}
 limit.
 .It Bq Er EFAULT
-The address specified for
+Part of the groups array starting at
 .Fa gidset
-is outside the process
-address space.
+is outside the process address space.
 .El
 .Sh SEE ALSO
 .Xr getgroups 2 ,
+.Xr setcred 2 ,
 .Xr initgroups 3
 .Sh HISTORY
 The
 .Fn setgroups
 system call appeared in
 .Bx 4.2 .
+.Pp
+Before
+.Fx 15.0 ,
+the
+.Fn setgroups
+system call would set the effective group ID for the process to the first
+element of
+.Fa gidset ,
+and only the other elements as supplementary groups.
+Despite treating the first element as the effective group ID to set, it accepted
+an empty
+.Fa gidset
+.Po
+.Fa ngroups
+being zero
+.Pc
+as a stance requiring to drop all supplementary groups, leaving the effective
+group ID unchanged.
+.Sh SECURITY CONSIDERATIONS
+The
+.Fn setgroups
+system call sets the process' supplementary groups to those contained in the
+.Fa gidset
+array.
+In particular, as evoked in
+.Sx HISTORY ,
+it does not anymore treat the first element of
+.Fa gidset
+separately.
+Formerly, it would set it as the effective group ID while only the others were
+used as supplementary groups.
+.Pp
+Programs solely relying on
+.Fn setgroups
+to change the effective group ID must be modified, e.g., to also call
+.Xr setegid 2
+or to instead use
+.Xr setcred 2 ,
+else they will unwillingly keep their effective group ID.
+.Pp
+Programs using
+.Fn setgroups
+with the effective group ID as the first element of array
+.Fa gidset
+and not duplicating it in the rest of the array, which includes those using
+.Fn initgroups ,
+now insert this group ID in the supplementary groups set.
+This is in general desirable, as explained in the
+.Xr initgroups 3
+manual page, and has the consequence that subsequent process' effective group
+ID's changes do not remove membership of the original effective group ID, since
+these changes do not affect the supplementary groups.
+Applications that expressly do not want that must be modified to stop passing
+the effective group ID as the first element to
+.Fn setgroups .
+.Pp
+To clear all the calling process' supplementary groups, always use the statement
+.Bd -literal -offset indent
+setgroups(0, NULL);
+.Ed
+.Pp
+which works also on older FreeBSD version
+.Po
+see the
+.Sx HISTORY
+section
+.Pc .
diff --git a/lib/libsys/stat.2 b/lib/libsys/stat.2
index bd9005710147..8107740bd901 100644
--- a/lib/libsys/stat.2
+++ b/lib/libsys/stat.2
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd March 30, 2021
+.Dd August 17, 2025
 .Dt STAT 2
 .Os
 .Sh NAME
@@ -169,6 +169,9 @@ Flags enabled for the file.
 See
 .Xr chflags 2
 for the list of flags and their description.
+.It Va st_rdev
+Numeric ID of the device referenced by the file, if the file is a
+character or block special; otherwise unspecified.
 .El
 .Pp
 The
diff --git a/lib/libsys/syscalls.map b/lib/libsys/syscalls.map
index dbb011343c8f..b5400b9849b3 100644
--- a/lib/libsys/syscalls.map
+++ b/lib/libsys/syscalls.map
@@ -117,10 +117,6 @@ FBSDprivate_1.0 {
 	__sys_madvise;
 	_mincore;
 	__sys_mincore;
-	_getgroups;
-	__sys_getgroups;
-	_setgroups;
-	__sys_setgroups;
 	_getpgrp;
 	__sys_getpgrp;
 	_setpgid;
@@ -813,4 +809,12 @@ FBSDprivate_1.0 {
 	__sys_inotify_add_watch_at;
 	_inotify_rm_watch;
 	__sys_inotify_rm_watch;
+	_getgroups;
+	__sys_getgroups;
+	_setgroups;
+	__sys_setgroups;
+	_jail_attach_jd;
+	__sys_jail_attach_jd;
+	_jail_remove_jd;
+	__sys_jail_remove_jd;
 };