Diffstat (limited to 'lib/libsys')
-rw-r--r-- | lib/libsys/Symbol.sys.map | 6 | ||||
-rw-r--r-- | lib/libsys/_libsys.h | 12 | ||||
-rw-r--r-- | lib/libsys/copy_file_range.2 | 35 | ||||
-rw-r--r-- | lib/libsys/getgroups.2 | 15 | ||||
-rw-r--r-- | lib/libsys/jail.2 | 194 | ||||
-rw-r--r-- | lib/libsys/kqueue.2 | 58 | ||||
-rw-r--r-- | lib/libsys/setgroups.2 | 36 | ||||
-rw-r--r-- | lib/libsys/stat.2 | 5 | ||||
-rw-r--r-- | lib/libsys/syscalls.map | 12 |
9 files changed, 322 insertions, 51 deletions
diff --git a/lib/libsys/Symbol.sys.map b/lib/libsys/Symbol.sys.map
index 45e0160100af..e3fd8ac10621 100644
--- a/lib/libsys/Symbol.sys.map
+++ b/lib/libsys/Symbol.sys.map
@@ -89,7 +89,6 @@ FBSD_1.0 {
 geteuid;
 getfh;
 getgid;
- getgroups;
 getitimer;
 getpagesize;
 getpeername;
@@ -204,7 +203,6 @@ FBSD_1.0 {
 setegid;
 seteuid;
 setgid;
- setgroups;
 setitimer;
 setlogin;
 setpgid;
@@ -380,11 +378,15 @@ FBSD_1.7 {
 FBSD_1.8 {
 exterrctl;
 fchroot;
+ getgroups;
 getrlimitusage;
 inotify_add_watch_at;
 inotify_rm_watch;
+ jail_attach_jd;
+ jail_remove_jd;
 kcmp;
 setcred;
+ setgroups;
 };

 FBSDprivate_1.0 {
diff --git a/lib/libsys/_libsys.h b/lib/libsys/_libsys.h
index 2f89e8fea92b..6bd768708a78 100644
--- a/lib/libsys/_libsys.h
+++ b/lib/libsys/_libsys.h
@@ -121,8 +121,6 @@ typedef int (__sys_munmap_t)(void *, size_t);
 typedef int (__sys_mprotect_t)(void *, size_t, int);
 typedef int (__sys_madvise_t)(void *, size_t, int);
 typedef int (__sys_mincore_t)(const void *, size_t, char *);
-typedef int (__sys_getgroups_t)(int, gid_t *);
-typedef int (__sys_setgroups_t)(int, const gid_t *);
 typedef int (__sys_getpgrp_t)(void);
 typedef int (__sys_setpgid_t)(int, int);
 typedef int (__sys_setitimer_t)(int, const struct itimerval *, struct itimerval *);
@@ -468,6 +466,10 @@ typedef int (__sys_setcred_t)(u_int, const struct setcred *, size_t);
 typedef int (__sys_exterrctl_t)(u_int, u_int, void *);
 typedef int (__sys_inotify_add_watch_at_t)(int, int, const char *, uint32_t);
 typedef int (__sys_inotify_rm_watch_t)(int, int);
+typedef int (__sys_getgroups_t)(int, gid_t *);
+typedef int (__sys_setgroups_t)(int, const gid_t *);
+typedef int (__sys_jail_attach_jd_t)(int);
+typedef int (__sys_jail_remove_jd_t)(int);

 _Noreturn void __sys__exit(int rval);
 int __sys_fork(void);
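Review bot: In the FBSD_1.8 block of Symbol.sys.map (third hunk of that file), `getgroups` and `setgroups` sit next to genuinely new calls such as `jail_attach_jd`, with nothing marking them as re-versioned symbols whose behaviour changed. The getgroups.2 and setgroups.2 hunks on this page state that before FreeBSD 15.0 the first array element carried the effective group ID, so credential-dropping code that relied on `setgroups()` to set the egid behaves differently depending on which version it binds to. A short comment above the pair would make that visible in the map, for example `/* getgroups, setgroups: re-versioned for 15.0, gidset[0] is no longer the egid; FBSD_1.0 compat versions are defined elsewhere */`. The FBSD_1.0 compat definitions are not in this libsys-limited view, so it is worth confirming that they exist and keep the old semantics for already-linked binaries.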
@@ -525,8 +527,6 @@ int __sys_munmap(void * addr, size_t len); int __sys_mprotect(void * addr, size_t len, int prot); int __sys_madvise(void * addr, size_t len, int behav); int __sys_mincore(const void * addr, size_t len, char * vec); -int __sys_getgroups(int gidsetsize, gid_t * gidset); -int __sys_setgroups(int gidsetsize, const gid_t * gidset); int __sys_getpgrp(void); int __sys_setpgid(int pid, int pgid); int __sys_setitimer(int which, const struct itimerval * itv, struct itimerval * oitv); @@ -872,6 +872,10 @@ int __sys_setcred(u_int flags, const struct setcred * wcred, size_t size); int __sys_exterrctl(u_int op, u_int flags, void * ptr); int __sys_inotify_add_watch_at(int fd, int dfd, const char * path, uint32_t mask); int __sys_inotify_rm_watch(int fd, int wd); +int __sys_getgroups(int gidsetsize, gid_t * gidset); +int __sys_setgroups(int gidsetsize, const gid_t * gidset); +int __sys_jail_attach_jd(int fd); +int __sys_jail_remove_jd(int fd); __END_DECLS #endif /* __LIBSYS_H_ */ diff --git a/lib/libsys/copy_file_range.2 b/lib/libsys/copy_file_range.2 index bcd9170842d5..829a5a5d3c13 100644 --- a/lib/libsys/copy_file_range.2 +++ b/lib/libsys/copy_file_range.2 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd December 28, 2023 +.Dd August 16, 2025 .Dt COPY_FILE_RANGE 2 .Os .Sh NAME @@ -74,6 +74,7 @@ argument must be opened for reading and the .Fa outfd argument must be opened for writing, but not .Dv O_APPEND . +.Pp If .Fa inoffp or 
@@ -101,9 +102,29 @@ respectively will be used/updated and the file offset for or .Fa outfd respectively will not be affected. -The +.Pp +The only +.Fa flags +argument currently defined is +.Dv COPY_FILE_RANGE_CLONE . +When this flag is set, +.Fn copy_file_range +will return +.Er EOPNOTSUPP +if the copy cannot be done via +block cloning. +When .Fa flags -argument must be 0. +is 0, a file system may do the copy via block cloning +or by data copying. +Block cloning is only possible when the offsets (plus +.Fa len +if not to EOF on the input file) are block +aligned. +The correct block alignment can normally be acquired via the +.Dv _PC_CLONE_BLKSIZE +query for +.Xr pathconf 2 . .Pp This system call attempts to maintain holes in the output file for the byte range being copied. @@ -203,9 +224,15 @@ refers to a directory. File system that stores .Fa outfd is full. +.It Bq Er EOPNOTSUPP +Cannot do the copy via block cloning and the +.Dv COPY_FILE_RANGE_CLONE +.Fa flags +argument is specified. .El .Sh SEE ALSO -.Xr lseek 2 +.Xr lseek 2 , +.Xr pathconf 2 .Sh STANDARDS The .Fn copy_file_range diff --git a/lib/libsys/getgroups.2 b/lib/libsys/getgroups.2 index 91cca2748ec2..37c8fbad7215 100644 --- a/lib/libsys/getgroups.2 +++ b/lib/libsys/getgroups.2 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 21, 2011 +.Dd August 1, 2025 .Dt GETGROUPS 2 .Os .Sh NAME @@ -41,8 +41,8 @@ The .Fn getgroups system call -gets the current group access list of the user process -and stores it in the array +gets the current supplementary groups of the user process and stores it in the +array .Fa gidset . The .Fa gidsetlen @@ -54,7 +54,7 @@ The system call returns the actual number of groups returned in .Fa gidset . -At least one and as many as {NGROUPS_MAX}+1 values may be returned. +As many as {NGROUPS_MAX} values may be returned. If .Fa gidsetlen is zero, 
@@ -102,3 +102,10 @@ The .Fn getgroups system call appeared in .Bx 4.2 . +.Pp +Before +.Fx 15.0 , +the +.Fn getgroups +system call always returned the effective group ID for the process as the first +element of the array, before the supplementary groups. diff --git a/lib/libsys/jail.2 b/lib/libsys/jail.2 index 8f8b9925c712..d3f871608c1d 100644 --- a/lib/libsys/jail.2 +++ b/lib/libsys/jail.2 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd November 29, 2023 +.Dd September 9, 2025 .Dt JAIL 2 .Os .Sh NAME @@ -31,7 +31,9 @@ .Nm jail_get , .Nm jail_set , .Nm jail_remove , -.Nm jail_attach +.Nm jail_attach , +.Nm jail_remove_jd , +.Nm jail_attach_jd .Nd create and manage system jails .Sh LIBRARY .Lb libc @@ -44,6 +46,10 @@ .Fn jail_attach "int jid" .Ft int .Fn jail_remove "int jid" +.Ft int +.Fn jail_attach_jd "int fd" +.Ft int +.Fn jail_remove_jd "int fd" .In sys/uio.h .Ft int .Fn jail_get "struct iovec *iov" "u_int niov" "int flags" @@ -188,6 +194,29 @@ system call. This is deprecated in .Fn jail_set and has no effect. +.It Dv JAIL_USE_DESC +Identify the jail by a descriptor in the +.Va desc +parameter. +.It Dv JAIL_AT_DESC +Operate in the context of the jail described by the +.Va desc +parameter, instead of the current jail. +Only one of +.Dv JAIL_USE_DESC +or +.Dv JAIL_AT_DESC +may be specified. +.It Dv JAIL_GET_DESC +Return a new jail descriptor for the jail in the +.Va desc +parameter. +.It Dv JAIL_OWN_DESC +Return an +.Dq owning +jail descriptor in the +.Va desc +parameter. .El .Pp The @@ -221,6 +250,9 @@ arguments consists of one or more following flags: .Bl -tag -width indent .It Dv JAIL_DYING Allow getting a jail that is in the process of being removed. +.It Dv JAIL_USE_DESC , Dv JAIL_AT_DESC , Dv JAIL_GET_DESC , Dv JAIL_OWN_DESC +These have the same meaning as they do in +.Fn jail_set . .El .Pp The 
@@ -238,6 +270,76 @@ system call removes the jail identified by .Fa jid . It will kill all processes belonging to the jail, and remove any children of that jail. +.Pp +The +.Fn jail_attach_fd +and +.Fn jail_remove_fd +system calls work the same as +.Fn jail_attach +and +.Fn jail_remove , +except that they operate on the jail identified by jail descriptor +.Fa fd . +.Ss Jail Descriptors +In addition to the jail ID, +jails can be referred to using a jail descriptor, +a type of file descriptor tied to a particular jail. +Jail descriptors are created by calling +.Fn jail_set +or +.Fn jail_get +with the special parameter +.Va desc , +and either the +.Dv JAIL_GET_DESC +or +.Dv JAIL_OWN_DESC +flags set. +The difference between the two flags is that descriptors created with +.Dv JAIL_OWN_DESC +.Po +called +.Dq owning +descriptors +.Pc +will automatically remove the jail when the descriptor is closed. +.Pp +Jail descriptors can be passed back to +.Fn jail_set +or +.Fm jail_get +with the +.Va desc +parameter, +and either the +.Dv JAIL_USE_DESC +or +.Dv JAIL_AT_DESC +flags set. +With +.Dv JAIL_USE_DESC , +the descriptor identifies the jail to operate on, +instead of the +.Va jid +or +.Va name +parameter. +With +.Dv JAIL_AT_DESC , +the descriptor is used in place of the current jail, +allowing accessing or creating jails that are children of the +descriptor jail. +.Pp +The system calls +.Fn jail_attach_jd +and +.Fn jail_aremove_jd +work the same as +.Fn jail_attach +and +.Fn jail_remove , +except that they operate on the jail referred to by the passed descriptor. .Sh RETURN VALUES If successful, .Fn jail , @@ -249,7 +351,7 @@ They return \-1 on failure, and set .Va errno to indicate the error. .Pp -.Rv -std jail_attach jail_remove +.Rv -std jail_attach jail_remove jail_attach_jd jail_remove_jd .Sh ERRORS The .Fn jail 
@@ -281,6 +383,13 @@ the super-user, or because it would exceed the jail's .Va children.max limit. .It Bq Er EPERM +The jail descriptor in the +.Va desc +parameter was created by a user other than the super-user, +and the +.Dv JAIL_USE_DESC +flag was set. +.It Bq Er EPERM A jail parameter was set to a less restrictive value then the current environment. .It Bq Er EFAULT @@ -298,8 +407,12 @@ flag is not set. .It Bq Er ENOENT The jail referred to by a .Va jid -is not accessible by the process, because the process is in a different -jail. +parameter is not accessible by the process, because the process is in a +different jail. +.It Bq Er ENOENT +The jail referred to by a +.Va desc +parameter has been removed. .It Bq Er EEXIST The jail referred to by a .Va jid @@ -326,6 +439,24 @@ flags is not set. A supplied string parameter is longer than allowed. .It Bq Er EAGAIN There are no jail IDs left. +.It Bq Er EMFILE +A jail descriptor could not be created for the +.Va desc +parameter with either the +.Dv JAIL_GET_DESC +or +.Dv JAIL_OWN_DESC +flag set, +because the process has already reached its limit for open file descriptors. +.It Bq Er ENFILE +A jail descriptor could not be created for the +.Va desc +parameter with either the +.Dv JAIL_GET_DESC +or +.Dv JAIL_OWN_DESC +flag set, +because the system file table is full. .El .Pp The @@ -333,10 +464,6 @@ The system call will fail if: .Bl -tag -width Er -.It Bq Er EFAULT -.Fa Iov , -or one of the addresses contained within it, -points to an address outside the allocated address space of the process. .It Bq Er ENOENT The jail referred to by a .Va jid 
@@ -352,10 +479,37 @@ jail. The .Va lastjid parameter is greater than the highest current jail ID. +.It Bq Er ENOENT +The jail referred to by a +.Va desc +parameter has been removed +.Pq even if the Dv JAIL_CREATE flag has been set . .It Bq Er EINVAL A supplied parameter is the wrong size. .It Bq Er EINVAL +A supplied parameter is out of range. +.It Bq Er EINVAL +A supplied string parameter is not null-terminated. +.It Bq Er EINVAL A supplied parameter name does not match any known parameters. +.It Bq Er EMFILE +A jail descriptor could not be created for the +.Va desc +parameter with either the +.Dv JAIL_GET_DESC +or +.Dv JAIL_OWN_DESC +flag set, +because the process has already reached its limit for open file descriptors. +.It Bq Er ENFILE +A jail descriptor could not be created for the +.Va desc +parameter with either the +.Dv JAIL_GET_DESC +or +.Dv JAIL_OWN_DESC +flag set, +because the system file table is full. .El .Pp The @@ -373,11 +527,31 @@ The jail specified by does not exist. .El .Pp +The +.Fn jail_attach_jd +and +.Fn jail_remove_jd +system calls +will fail if: +.Bl -tag -width Er +.It Bq Er EINVAL +The +.Fa fd +argument is not a valid jail descriptor. +.It Bq Er EPERM +The jail descriptor was created by a user other than the super-user. +.It Bq Er EINVAL +The jail specified by +.Fa jid +has been removed. +.El +.Pp Further .Fn jail , .Fn jail_set , +.Fn jail_attach , and -.Fn jail_attach +.Fn jail_attach_jd call .Xr chroot 2 internally, so they can fail for all the same reasons. diff --git a/lib/libsys/kqueue.2 b/lib/libsys/kqueue.2 index d6e949baa24c..e413f7d4fbca 100644 --- a/lib/libsys/kqueue.2 +++ b/lib/libsys/kqueue.2 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd March 26, 2023 +.Dd September 4, 2025 .Dt KQUEUE 2 .Os .Sh NAME 
@@ -593,6 +593,62 @@ returns the number of times the signal has occurred since the last call to This filter automatically sets the .Dv EV_CLEAR flag internally. +.It Dv EVFILT_JAIL +Takes the jail ID to monitor as the identifier and the events to watch for +in +.Va fflags , +and returns when the jail performs one or more of the requested events. +If a process can normally see a jail, it can attach an event to it. +An identifier of zero will watch the process's own jail. +The events to monitor are: +.Bl -tag -width "Dv NOTE_JAIL_ATTACH" +.It Dv NOTE_JAIL_SET +The jail has been changed via +.Xr jail_set 2 . +.It Dv NOTE_JAIL_ATTACH +A process has attached to the jail via +.Xr jail_attach 2 +or a similar call. +The process ID will be stored in +.Va data . +If more than one process has attached since the last call to +.Fn kevent , +.Va data +will contain the most recently attached process ID, +with +.Dv NOTE_JAIL_ATTACH_MULTI +set in +.Va fflags . +.It Dv NOTE_JAIL_REMOVE +The jail has been removed. +.It Dv NOTE_JAIL_CHILD +A child of the watched jail has been created. +.It Dv NOTE_TRACK +Follow child jails created under this jail. +Register a new kevent to monitor the child jail using the same +.Va fflags +as the original event. +The child jail will signal an event with +.Dv NOTE_CHILD +set in +.Va fflags +and the parent JID in +.Va data . +.Pp +If registering a new kevent fails +.Pq usually due to resource limitations , +it will signal an event with +.Dv NOTE_TRACKERR +set in +.Va fflags , +and the child jail will not signal a +.Dv NOTE_CHILD +event. +.El +.Pp +On return, +.Va fflags +contains the events which triggered the filter. .It Dv EVFILT_TIMER Establishes an arbitrary timer identified by .Va ident . diff --git a/lib/libsys/setgroups.2 b/lib/libsys/setgroups.2 index a226aeafea96..451f63ba1266 100644 --- a/lib/libsys/setgroups.2 +++ b/lib/libsys/setgroups.2 
@@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 19, 2018 +.Dd August 1, 2025 .Dt SETGROUPS 2 .Os .Sh NAME @@ -42,7 +42,7 @@ The .Fn setgroups system call -sets the group access list of the current user process +sets the supplementary group list of the current user process according to the array .Fa gidset . The @@ -50,26 +50,12 @@ The argument indicates the number of entries in the array and must be no more than -.Dv {NGROUPS_MAX}+1 . -.Pp -Only the super-user may set a new group list. +.Dv {NGROUPS_MAX} . +The +.Fa ngroups +argument may be set to 0 to clear the supplementary group list. .Pp -The first entry of the group array -.Pq Va gidset[0] -is used as the effective group-ID for the process. -This entry is over-written when a setgid program is run. -To avoid losing access to the privileges of the -.Va gidset[0] -entry, it should be duplicated later in the group array. -By convention, -this happens because the group value indicated -in the password file also appears in -.Pa /etc/group . -The group value in the password file is placed in -.Va gidset[0] -and that value then gets added a second time when the -.Pa /etc/group -file is scanned to create the group set. +Only the super-user may set a new supplementary group list. .Sh RETURN VALUES .Rv -std setgroups .Sh ERRORS @@ -99,3 +85,11 @@ The .Fn setgroups system call appeared in .Bx 4.2 . +.Pp +Before +.Fx 15.0 , +the +.Fn setgroups +system call would set the effective group ID for the process to the first +element of +.Fa gidset . diff --git a/lib/libsys/stat.2 b/lib/libsys/stat.2 index bd9005710147..8107740bd901 100644 --- a/lib/libsys/stat.2 +++ b/lib/libsys/stat.2 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd March 30, 2021 +.Dd August 17, 2025 .Dt STAT 2 .Os .Sh NAME 
@@ -169,6 +169,9 @@ Flags enabled for the file. See .Xr chflags 2 for the list of flags and their description. +.It Va st_rdev +Numeric ID of the device referenced by the file, if the file is a +character or block special; otherwise unspecified. .El .Pp The diff --git a/lib/libsys/syscalls.map b/lib/libsys/syscalls.map index dbb011343c8f..b5400b9849b3 100644 --- a/lib/libsys/syscalls.map +++ b/lib/libsys/syscalls.map @@ -117,10 +117,6 @@ FBSDprivate_1.0 { __sys_madvise; _mincore; __sys_mincore; - _getgroups; - __sys_getgroups; - _setgroups; - __sys_setgroups; _getpgrp; __sys_getpgrp; _setpgid; @@ -813,4 +809,12 @@ FBSDprivate_1.0 { __sys_inotify_add_watch_at; _inotify_rm_watch; __sys_inotify_rm_watch; + _getgroups; + __sys_getgroups; + _setgroups; + __sys_setgroups; + _jail_attach_jd; + __sys_jail_attach_jd; + _jail_remove_jd; + __sys_jail_remove_jd; }; |