9 files changed, 203 insertions, 39 deletions
diff --git a/lib/geom/shsec/gshsec.8 b/lib/geom/shsec/gshsec.8
index d4477de3a71e..f80ab9384fe3 100644
--- a/lib/geom/shsec/gshsec.8
+++ b/lib/geom/shsec/gshsec.8
@@ -1,3 +1,6 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
 .\" Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
 .\" All rights reserved.
 .\"
@@ -64,7 +67,7 @@ the rest of them.
 The first argument to
 .Nm
 indicates an action to be performed:
-.Bl -tag -width ".Cm destroy"
+.Bl -tag -width indent
 .It Cm label
 Set up a shared secret device from the given components with the specified
 .Ar name .
@@ -92,7 +95,7 @@ See
 .El
 .Pp
 Additional options:
-.Bl -tag -width ".Fl f"
+.Bl -tag -width indent
 .It Fl f
 Force the removal of the specified shared secret device.
 .It Fl h
diff --git a/lib/libc/gen/getvfsbyname.3 b/lib/libc/gen/getvfsbyname.3
index 23036429b27e..61fd48624fbd 100644
--- a/lib/libc/gen/getvfsbyname.3
+++ b/lib/libc/gen/getvfsbyname.3
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd August 16, 2018
+.Dd October 28, 2025
 .Dt GETVFSBYNAME 3
 .Os
 .Sh NAME
@@ -102,6 +102,7 @@ argument
 specifies a file system that is unknown or not configured in the kernel.
 .El
 .Sh SEE ALSO
+.Xr lsvfs 1 ,
 .Xr jail 2 ,
 .Xr mount 2 ,
 .Xr sysctl 3 ,
diff --git a/lib/libc/gen/sysconf.3 b/lib/libc/gen/sysconf.3
index e38357b898a7..290ef0dc158c 100644
--- a/lib/libc/gen/sysconf.3
+++ b/lib/libc/gen/sysconf.3
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd April 26, 2013
+.Dd August 30, 2025
 .Dt SYSCONF 3
 .Os
 .Sh NAME
@@ -77,7 +77,9 @@ The maximum number of supplemental groups.
 .It Li _SC_NPROCESSORS_CONF
 The number of processors configured.
 .It Li _SC_NPROCESSORS_ONLN
-The number of processors currently online.
+The number of processors currently online, taking into account current jail
+restrictions to report only the number of processors that are usable to the
+process.
 .It Li _SC_OPEN_MAX
 One more than the maximum value the system may assign to a new file descriptor.
 .It Li _SC_PAGESIZE
diff --git a/lib/libc/gen/sysconf.c b/lib/libc/gen/sysconf.c
index b5b732eed05d..87aedc07c110 100644
--- a/lib/libc/gen/sysconf.c
+++ b/lib/libc/gen/sysconf.c
@@ -72,6 +72,7 @@ long
 sysconf(int name)
 {
 	struct rlimit rl;
+	cpuset_t cpus;
 	size_t len;
 	int mib[2], sverrno, value;
 	long lvalue, defaultresult;
@@ -581,8 +582,21 @@ yesno:
 		return (_POSIX_IPV6);
 #endif
 
-	case _SC_NPROCESSORS_CONF:
 	case _SC_NPROCESSORS_ONLN:
+		/*
+		 * Consult our root set first, because our CPU availability
+		 * may not match the total number of CPUs available on the
+		 * system and we may have a non-uniform layout even within
+		 * userland.  In particular, each jail has a root set that can
+		 * be constrained by its parent and processes within the jail
+		 * cannot widen beyond those constraints, so to those processes
+		 * it makes sense to claim the more limited count.
+		 */
+		if (cpuset_getaffinity(CPU_LEVEL_ROOT, CPU_WHICH_PID, -1,
+		    sizeof(cpus), &cpus) == 0)
+			return (CPU_COUNT(&cpus));
+		/* FALLTHROUGH */
+	case _SC_NPROCESSORS_CONF:
 		if (_elf_aux_info(AT_NCPUS, &value, sizeof(value)) == 0)
 			return ((long)value);
 		mib[0] = CTL_HW;
diff --git a/lib/libc/tests/sys/cpuset_test.c b/lib/libc/tests/sys/cpuset_test.c
index 53d6a8215bbc..c8ad225fadfc 100644
--- a/lib/libc/tests/sys/cpuset_test.c
+++ b/lib/libc/tests/sys/cpuset_test.c
@@ -34,8 +34,10 @@
 #include <sys/uio.h>
 #include <sys/wait.h>
 
+#include <assert.h>
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <unistd.h>
 
 #include <atf-c.h>
@@ -107,6 +109,19 @@ skip_ltncpu(int ncpu, cpuset_t *mask)
 		atf_tc_skip("Test requires %d or more cores.", ncpu);
 }
 
+static void
+skip_ltncpu_root(int ncpu, cpuset_t *mask)
+{
+
+	CPU_ZERO(mask);
+	ATF_REQUIRE_EQ(0, cpuset_getaffinity(CPU_LEVEL_ROOT, CPU_WHICH_PID,
+	    -1, sizeof(*mask), mask));
+	if (CPU_COUNT(mask) < ncpu) {
+		atf_tc_skip("Test requires cpuset root with %d or more cores.",
+		    ncpu);
+	}
+}
+
 ATF_TC(newset);
 ATF_TC_HEAD(newset, tc)
 {
@@ -234,9 +249,8 @@ ATF_TC_BODY(deadlk, tc)
 }
 
 static int
-do_jail(int sock)
+create_jail(void)
 {
-	struct jail_test_info info;
 	struct iovec iov[2];
 	char *name;
 	int error;
@@ -250,8 +264,22 @@ do_jail(int sock)
 	iov[1].iov_base = name;
 	iov[1].iov_len = strlen(name) + 1;
 
-	if (jail_set(iov, 2, JAIL_CREATE | JAIL_ATTACH) < 0)
+	error = jail_set(iov, 2, JAIL_CREATE | JAIL_ATTACH);
+	free(name);
+	if (error < 0)
 		return (FAILURE_JAIL);
+	return (0);
+}
+
+static int
+do_jail(int sock)
+{
+	struct jail_test_info info;
+	int error;
+
+	error = create_jail();
+	if (error != 0)
+		return (error);
 
 	/* Record parameters, kick them over, then make a swift exit. */
 	CPU_ZERO(&info.jail_tidmask);
@@ -641,6 +669,111 @@ ATF_TC_BODY(jail_attach_disjoint, tc)
 	try_attach(jid, &smask);
 }
 
+struct nproc_info {
+	long		nproc_init;
+	long		nproc_final;
+	long		nproc_global;
+};
+
+ATF_TC(jail_nproc);
+ATF_TC_HEAD(jail_nproc, tc)
+{
+	atf_tc_set_md_var(tc, "descr",
+	    "Test that _SC_PROCESSORS_ONLN reflects jail cpuset constraints");
+}
+ATF_TC_BODY(jail_nproc, tc)
+{
+	cpuset_t jmask;
+	struct nproc_info ninfo = { };
+	int sockpair[2];
+	cpusetid_t setid;
+	ssize_t readsz;
+	pid_t pid;
+	int fcpu, error, pfd, sock;
+	char okb = 0x7f, rcvb;
+
+	skip_ltncpu_root(2, &jmask);
+	fcpu = CPU_FFS(&jmask) - 1;
+
+	/*
+	 * Just adjusting our affinity should not affect the number of
+	 * processors considered online- we want to be sure that it's only
+	 * adjusted if our jail's root set is.
+	 */
+	CPU_CLR(fcpu, &jmask);
+	error = cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID, -1,
+	    sizeof(jmask), &jmask);
+	ATF_REQUIRE_EQ(0, error);
+	ATF_REQUIRE(sysconf(_SC_NPROCESSORS_ONLN) > CPU_COUNT(&jmask));
+
+	ATF_REQUIRE_EQ(0, socketpair(PF_UNIX, SOCK_STREAM, 0, sockpair));
+
+	/* We'll wait on the procdesc, too, so we can fail faster if it dies. */
+	ATF_REQUIRE((pid = pdfork(&pfd, 0)) != -1);
+
+	if (pid == 0) {
+		/* First child sets up the jail. */
+		sock = sockpair[SP_CHILD];
+		close(sockpair[SP_PARENT]);
+
+		error = create_jail();
+		if (error != 0)
+			_exit(error);
+
+		ninfo.nproc_init = sysconf(_SC_NPROCESSORS_ONLN);
+
+		/* Signal the parent that we're jailed. */
+		readsz = write(sock, &okb, sizeof(okb));
+		assert(readsz == sizeof(okb));
+
+		/* Wait for parent to adjust our mask and signal OK. */
+		readsz = read(sock, &rcvb, sizeof(rcvb));
+		assert(readsz == sizeof(rcvb));
+		assert(rcvb == okb);
+
+		ninfo.nproc_final = sysconf(_SC_NPROCESSORS_ONLN);
+		ninfo.nproc_global = sysconf(_SC_NPROCESSORS_CONF);
+		readsz = write(sock, &ninfo, sizeof(ninfo));
+		assert(readsz == sizeof(ninfo));
+
+		_exit(0);
+	}
+
+	close(sockpair[SP_CHILD]);
+	sock = sockpair[SP_PARENT];
+
+	/* Wait for signal that they are jailed. */
+	readsz = read(sock, &rcvb, sizeof(rcvb));
+	assert(readsz == sizeof(rcvb));
+	assert(rcvb == okb);
+
+	/* Grab the cpuset id and adjust it. */
+	error = cpuset_getid(CPU_LEVEL_ROOT, CPU_WHICH_PID, pid, &setid);
+	ATF_REQUIRE_EQ(0, error);
+	error = cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_CPUSET,
+	    setid, sizeof(jmask), &jmask);
+	ATF_REQUIRE_EQ(0, error);
+
+	/* Signal OK to proceed. */
+	readsz = write(sock, &okb, sizeof(okb));
+	ATF_REQUIRE_EQ(sizeof(okb), readsz);
+
+	/* Grab our final nproc info. */
+	readsz = read(sock, &ninfo, sizeof(ninfo));
+	ATF_REQUIRE_EQ(sizeof(ninfo), readsz);
+
+	/*
+	 * We set our own affinity to jmask, which is derived from *our* root
+	 * set, at the beginning of the test.  The jail would inherit from this
+	 * set, so we just re-use that mask here to confirm that
+	 * _SC_NPROCESSORS_ONLN did actually drop in response to us limiting the
+	 * jail, and that its _SC_NPROCESSORS_CONF did not.
+	 */
+	ATF_REQUIRE_EQ(CPU_COUNT(&jmask) + 1, ninfo.nproc_init);
+	ATF_REQUIRE_EQ(CPU_COUNT(&jmask) + 1, ninfo.nproc_global);
+	ATF_REQUIRE_EQ(CPU_COUNT(&jmask), ninfo.nproc_final);
+}
+
 ATF_TC(badparent);
 ATF_TC_HEAD(badparent, tc)
 {
@@ -686,6 +819,7 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, jail_attach_prevbase);
 	ATF_TP_ADD_TC(tp, jail_attach_plain);
 	ATF_TP_ADD_TC(tp, jail_attach_disjoint);
+	ATF_TP_ADD_TC(tp, jail_nproc);
 	ATF_TP_ADD_TC(tp, badparent);
 	return (atf_no_error());
 }
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 8c4b26b98054..17576066fcfd 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -3202,6 +3202,9 @@ pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct
 			continue;
 	}
 
+	rs->nr = nr;
+	strlcpy(rs->path, path, sizeof(rs->path));
+
 	return (e.error);
 }
 
diff --git a/lib/libsys/closefrom.2 b/lib/libsys/closefrom.2
index 1885a6fdeaa8..e6b4a5a3e9d7 100644
--- a/lib/libsys/closefrom.2
+++ b/lib/libsys/closefrom.2
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd May 17, 2025
+.Dd October 27, 2025
 .Dt CLOSEFROM 2
 .Os
 .Sh NAME
@@ -94,6 +94,11 @@ function first appeared in
 .Fx 8.0 .
 .Pp
 The
+.Fn close_range
+function first appeared in
+.Fx 12.2 .
+.Pp
+The
 .Dv CLOSE_RANGE_CLOFORK
 flag appeared in
 .Fx 15.0 .
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index c3c1b0ddda27..9478b4dc98ca 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -543,7 +543,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 
     /* we need a passwd entry to set these */
     if (pwd == NULL)
-	flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC);
+	flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN);
 
     /* Set the process priority */
     if (flags & LOGIN_SETPRIORITY)
@@ -564,6 +564,27 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 	}
     }
 
+    /* Set the sessions login */
+    if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
+	syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
+	login_close(llc);
+	return (-1);
+    }
+
+    /* Inform the kernel about current login class */
+    if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) {
+	error = setloginclass(lc->lc_class);
+	if (error != 0) {
+	    syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
+#ifdef notyet
+	    login_close(llc);
+	    return (-1);
+#endif
+	}
+    }
+
+    setlogincontext(lc, pwd, flags);
+
     /* Set up the user's MAC label. */
     if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
 	const char *label_string;
@@ -572,8 +593,10 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 	label_string = login_getcapstr(lc, "label", NULL, NULL);
 	if (label_string != NULL) {
 	    if (mac_from_text(&label, label_string) == -1) {
-		syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
-		    pwd->pw_name, label_string);
+		syslog(LOG_ERR, "mac_from_text('%s') for %s %s: %m",
+		    label_string, pwd != NULL ? "user" : "class",
+		    pwd != NULL ? pwd->pw_name : lc->lc_class);
+		login_close(llc);
 		return (-1);
 	    }
 	    if (mac_set_proc(label) == -1)
@@ -582,33 +605,15 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 		error = 0;
 	    mac_free(label);
 	    if (error != 0) {
-		syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
-		    label_string, pwd->pw_name, strerror(error));
+		syslog(LOG_ERR, "mac_set_proc('%s') for %s %s: %s",
+		    label_string, pwd != NULL ? "user" : "class",
+		    pwd != NULL ? pwd->pw_name : lc->lc_class, strerror(error));
+		login_close(llc);
 		return (-1);
 	    }
 	}
     }
 
-    /* Set the sessions login */
-    if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
-	syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
-	login_close(llc);
-	return (-1);
-    }
-
-    /* Inform the kernel about current login class */
-    if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) {
-	error = setloginclass(lc->lc_class);
-	if (error != 0) {
-	    syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
-#ifdef notyet
-	    login_close(llc);
-	    return (-1);
-#endif
-	}
-    }
-
-    setlogincontext(lc, pwd, flags);
     login_close(llc);
 
     /* This needs to be done after anything that needs root privs */
diff --git a/lib/libz/Makefile b/lib/libz/Makefile
index 6a135158e134..03204e388674 100644
--- a/lib/libz/Makefile
+++ b/lib/libz/Makefile
@@ -1,7 +1,4 @@
-#
-#
-
-PACKAGE=	runtime
+PACKAGE=	zlib
 LIB=		z
 SHLIBDIR?=	/lib
 SHLIB_MAJOR=	6