syscall call-from verification
by from OpenBSD Journal on (#4VYWK)
Theo de Raadt (deraadt@) has committed code for a new exploit-prevention mechanism:
"Repurpose the "syscalls must be on a writeable page" mechanism to enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularly for remote problems. Less effective once on-host since someone the libraries can be read."
The full commit details are well worth reading, as is the manual page for the (new) msyscall(2), and some associated discussion on tech@.
As this change involves ABI breakage, upgrading via snapshots is the easiest way to avoid trouble.
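To make the policy concrete, here is a small userland model of the check, added for this article and not taken from the OpenBSD kernel or libc: a region is registered in the style of msyscall(2), and a system call is only accepted when the program counter of the instruction that issued it lies inside a registered region. The region addresses, the "lock after ld.so is done" rule and the demo_ helper names are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_REGIONS 4
/* One registered region; the addresses used below are constructed, not real libc ones. */
struct region { uintptr_t start; size_t len; };
/* "locked" is an assumption of this model: registration closes once ld.so is done. */
struct addrspace { struct region allowed[MAX_REGIONS]; int nallowed; bool locked; };

/* Model of msyscall(2): record a region whose instructions may issue system calls. */
int model_msyscall(struct addrspace *as, uintptr_t addr, size_t len)
{
    if (as->locked || as->nallowed == MAX_REGIONS || len == 0)
        return -1;
    as->allowed[as->nallowed++] = (struct region){ addr, len };
    return 0;
}

/* Kernel-side check at syscall entry: the PC of the syscall instruction must lie
 * inside a registered region, so a syscall issued from a W^X slip, a JIT page or
 * an injected buffer is refused even though the instruction itself is valid. */
bool syscall_permitted(const struct addrspace *as, uintptr_t pc)
{
    for (int i = 0; i < as->nallowed; i++) {
        const struct region *r = &as->allowed[i];
        if (pc >= r->start && pc - r->start < r->len)
            return true;
    }
    return false;
}

/* Constructed scenario: ld.so registers libc's text as [0x1000, 0x3000) and the
 * address space is then locked, so any later registration attempt fails. */
static struct addrspace *demo_as(void)
{
    static struct addrspace as;
    static bool ready;
    if (!ready) {
        model_msyscall(&as, 0x1000, 0x2000);
        as.locked = true;
        ready = true;
    }
    return &as;
}

bool demo_permitted(uintptr_t pc) { return syscall_permitted(demo_as(), pc); }
int demo_late_register(void) { return model_msyscall(demo_as(), 0x9000, 0x1000); }
```

The boundary cases matter: the last byte of the registered region is accepted, the first byte past it is refused, and once the address space is locked a later registration attempt is rejected.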