12 files changed, 124 insertions, 7 deletions

diff --git a/lib/libc/tests/stdtime/detect_tz_changes_test.c b/lib/libc/tests/stdtime/detect_tz_changes_test.c
index e3fdcc0baef7..ad8c4818669d 100644
--- a/lib/libc/tests/stdtime/detect_tz_changes_test.c
+++ b/lib/libc/tests/stdtime/detect_tz_changes_test.c
@@ -44,12 +44,6 @@ static const struct tzcase {
 
 static const time_t then = 1751328000; /* 2025-07-01 00:00:00 UTC */
 
-#ifdef DETECT_TZ_CHANGES
-static const char *tz_change_interval_sym = "__tz_change_interval";
-static int *tz_change_interval_p;
-static const int tz_change_interval = 3;
-static int tz_change_timeout = 90;
-
 static bool debugging;
 
 static void
@@ -89,6 +83,35 @@ change_tz(const char *tzn)
 	debug("time zone %s installed", tzn);
 }
 
+ATF_TC(thin_jail);
+ATF_TC_HEAD(thin_jail, tc)
+{
+	atf_tc_set_md_var(tc, "descr", "Test typical thin jail scenario");
+	atf_tc_set_md_var(tc, "require.user", "root");
+}
+ATF_TC_BODY(thin_jail, tc)
+{
+	const struct tzcase *tzcase = tzcases;
+	char buf[128];
+	struct tm *tm;
+	size_t len;
+
+	/* prepare chroot */
+	ATF_REQUIRE_EQ(0, mkdir("root", 0755));
+	ATF_REQUIRE_EQ(0, mkdir("root/etc", 0755));
+	change_tz(tzcase->tzfn);
+	/* enter chroot */
+	ATF_REQUIRE_EQ(0, chroot("root"));
+	ATF_REQUIRE_EQ(0, chdir("/"));
+	/* check timezone */
+	unsetenv("TZ");
+	ATF_REQUIRE((tm = localtime(&then)) != NULL);
+	len = strftime(buf, sizeof(buf), "%z (%Z)", tm);
+	ATF_REQUIRE(len > 0);
+	ATF_CHECK_STREQ(tzcase->expect, buf);
+}
+
+#ifdef DETECT_TZ_CHANGES
 /*
  * Test time zone change detection.
  *
@@ -106,6 +129,11 @@ change_tz(const char *tzn)
  * after we've received and discarded the first report from the child,
  * which should come almost immediately on startup.
  */
+static const char *tz_change_interval_sym = "__tz_change_interval";
+static int *tz_change_interval_p;
+static const int tz_change_interval = 3;
+static int tz_change_timeout = 90;
+
 ATF_TC(detect_tz_changes);
 ATF_TC_HEAD(detect_tz_changes, tc)
 {
@@ -324,9 +352,10 @@ ATF_TC_BODY(tz_env_setugid, tc)
 
 ATF_TP_ADD_TCS(tp)
 {
-#ifdef DETECT_TZ_CHANGES
 	debugging = !getenv("__RUNNING_INSIDE_ATF_RUN") &&
 	    isatty(STDERR_FILENO);
+	ATF_TP_ADD_TC(tp, thin_jail);
+#ifdef DETECT_TZ_CHANGES
 	ATF_TP_ADD_TC(tp, detect_tz_changes);
 #endif /* DETECT_TZ_CHANGES */
 	ATF_TP_ADD_TC(tp, tz_env);
diff --git a/lib/libifconfig/Makefile b/lib/libifconfig/Makefile
index fb7c659e068c..02629eb88f25 100644
--- a/lib/libifconfig/Makefile
+++ b/lib/libifconfig/Makefile
@@ -17,6 +17,7 @@ SRCS=		libifconfig.c \
 		libifconfig_internal.c \
 		libifconfig_lagg.c \
 		libifconfig_media.c \
+		libifconfig_nl.c \
 		libifconfig_sfp.c
 
 GEN=		libifconfig_sfp_tables.h \
diff --git a/lib/libifconfig/libifconfig.h b/lib/libifconfig/libifconfig.h
index a5ce7b375830..817f52bd094e 100644
--- a/lib/libifconfig/libifconfig.h
+++ b/lib/libifconfig/libifconfig.h
@@ -35,6 +35,8 @@
 #include <netinet/ip_carp.h>
 #include <netinet6/in6_var.h>
 
+#include <stdbool.h>
+
 #define ND6_IFF_DEFAULTIF    0x8000
 
 typedef enum {
@@ -381,3 +383,12 @@ int ifconfig_set_vlantag(ifconfig_handle_t *h, const char *name,
  * 		length of *lenp * IFNAMSIZ bytes.
  */
 int ifconfig_list_cloners(ifconfig_handle_t *h, char **bufp, size_t *lenp);
+
+/** Brings the interface up/down
+ * @param h	    An open ifconfig state object
+ * @param ifname    The interface name
+ * @param up	    true to bring the interface up, false to bring it down
+ * @return	    0 on success, nonzero on failure.
+ *		    On failure, the error info on the handle is set.
+ */
+int ifconfig_set_up(ifconfig_handle_t *h, const char *ifname, bool up);
diff --git a/lib/libifconfig/libifconfig_nl.c b/lib/libifconfig/libifconfig_nl.c
new file mode 100644
index 000000000000..7d9decabe26f
--- /dev/null
+++ b/lib/libifconfig/libifconfig_nl.c
@@ -0,0 +1,72 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2025, Muhammad Saheed <saheed@FreeBSD.org>
+ */
+
+#include <netlink/netlink.h>
+#include <netlink/netlink_snl.h>
+#include <netlink/route/common.h>
+#include <netlink/route/interface.h>
+
+#include "libifconfig.h"
+#include "libifconfig_internal.h"
+
+static int ifconfig_modify_flags(ifconfig_handle_t *h, const char *ifname,
+    int ifi_flags, int ifi_change);
+
+static int
+ifconfig_modify_flags(ifconfig_handle_t *h, const char *ifname, int ifi_flags,
+    int ifi_change)
+{
+	int ret = 0;
+	struct snl_state ss;
+	struct snl_writer nw;
+	struct nlmsghdr *hdr;
+	struct ifinfomsg *ifi;
+	struct snl_errmsg_data e = { 0 };
+
+	if (!snl_init(&ss, NETLINK_ROUTE)) {
+		ifconfig_error(h, NETLINK, ENOTSUP);
+		return (-1);
+	}
+
+	snl_init_writer(&ss, &nw);
+	hdr = snl_create_msg_request(&nw, NL_RTM_NEWLINK);
+	ifi = snl_reserve_msg_object(&nw, struct ifinfomsg);
+	snl_add_msg_attr_string(&nw, IFLA_IFNAME, ifname);
+
+	ifi->ifi_flags = ifi_flags;
+	ifi->ifi_change = ifi_change;
+
+	hdr = snl_finalize_msg(&nw);
+	if (hdr == NULL) {
+		ifconfig_error(h, NETLINK, ENOMEM);
+		ret = -1;
+		goto out;
+	}
+
+	if (!snl_send_message(&ss, hdr)) {
+		ifconfig_error(h, NETLINK, EIO);
+		ret = -1;
+		goto out;
+	}
+
+	if (!snl_read_reply_code(&ss, hdr->nlmsg_seq, &e)) {
+		ifconfig_error(h, NETLINK, e.error);
+		ret = -1;
+		goto out;
+	}
+
+out:
+	snl_free(&ss);
+	return (ret);
+}
+
+int
+ifconfig_set_up(ifconfig_handle_t *h, const char *ifname, bool up)
+{
+	int flag = up ? IFF_UP : ~IFF_UP;
+
+	return (ifconfig_modify_flags(h, ifname, flag, IFF_UP));
+}
diff --git a/lib/libutil++/Makefile b/lib/libutil++/Makefile
index 56b64bbf358c..2e7a614df800 100644
--- a/lib/libutil++/Makefile
+++ b/lib/libutil++/Makefile
@@ -11,6 +11,10 @@ MAN+=	freebsd::FILE_up.3 \
 	freebsd::pidfile.3 \
 	freebsd::stringf.3
 
+.for page in ${MAN}
+MANSRC.${page}=	${page:S/:/_/g}
+.endfor
+
 .include <src.opts.mk>
 
 HAS_TESTS=
diff --git a/lib/libutil++/freebsd::FILE_up.3 b/lib/libutil++/freebsd__FILE_up.3
index ea63b1233b43..ea63b1233b43 100644
--- a/lib/libutil++/freebsd::FILE_up.3
+++ b/lib/libutil++/freebsd__FILE_up.3
diff --git a/lib/libutil++/freebsd::addrinfo_up.3 b/lib/libutil++/freebsd__addrinfo_up.3
index 4845a76bfb61..4845a76bfb61 100644
--- a/lib/libutil++/freebsd::addrinfo_up.3
+++ b/lib/libutil++/freebsd__addrinfo_up.3
diff --git a/lib/libutil++/freebsd::fd_up.3 b/lib/libutil++/freebsd__fd_up.3
index 2ef2241a5c40..2ef2241a5c40 100644
--- a/lib/libutil++/freebsd::fd_up.3
+++ b/lib/libutil++/freebsd__fd_up.3
diff --git a/lib/libutil++/freebsd::malloc_up.3 b/lib/libutil++/freebsd__malloc_up.3
index b18e7854213a..b18e7854213a 100644
--- a/lib/libutil++/freebsd::malloc_up.3
+++ b/lib/libutil++/freebsd__malloc_up.3
diff --git a/lib/libutil++/freebsd::nvlist_up.3 b/lib/libutil++/freebsd__nvlist_up.3
index 43f76cf3ead3..43f76cf3ead3 100644
--- a/lib/libutil++/freebsd::nvlist_up.3
+++ b/lib/libutil++/freebsd__nvlist_up.3
diff --git a/lib/libutil++/freebsd::pidfile.3 b/lib/libutil++/freebsd__pidfile.3
index fb67253f5c02..fb67253f5c02 100644
--- a/lib/libutil++/freebsd::pidfile.3
+++ b/lib/libutil++/freebsd__pidfile.3
diff --git a/lib/libutil++/freebsd::stringf.3 b/lib/libutil++/freebsd__stringf.3
index 341fedef4343..341fedef4343 100644
--- a/lib/libutil++/freebsd::stringf.3
+++ b/lib/libutil++/freebsd__stringf.3