NetBSD-Bugs archive
kern/60238: Add posix_spawn_file_actions_addclosefrom_np
>Number: 60238
>Category: kern
>Synopsis: Add posix_spawn_file_actions_addclosefrom_np
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri May 08 01:55:00 +0000 2026
>Originator: Chris Hanson
>Release: 10.1
>Organization:
-
>Environment:
NetBSD core.eschatologist.net 10.1_STABLE NetBSD 10.1_STABLE (GENERIC) #5: Sun Apr 19 19:14:28 PDT 2026 cmh%core.eschatologist.net@localhost:/usr/obj-10/amd64/sys/arch/amd64/compile/GENERIC amd64
>Description:
The posix_spawn(3) API as standardized is inherently racy with respect to ensuring only desired file descriptors are inherited by the spawned process: In an application using many libraries, or an application using multiple threads, it's not necessarily possible to know at the posix_spawn(3) point of call exactly which descriptors will need to be explicitly closed. In particular, not all calls to open(2) in libraries can be counted on to be careful about specifying O_CLOEXEC.
>How-To-Repeat:
Create a process with multiple threads where one process is invoking posix_spawn and another is opening file descriptors without O_CLOEXEC. It's essentially impossible for the call site of posix_spawn to ensure all descriptors it doesn't want to pass to the child are closed.
>Fix:
Solaris and FreeBSD have a posix_spawn_file_actions_addclosefrom_np(3) API that adds a closefrom(3) action to close all file descriptors at or above a certain numeric value, which allows the caller of posix_spawn(3) to ensure only the descriptors they want to pass to the child remain open in it.
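
The behaviour requested above, as an added C example that is not part of the PR or of NetBSD's sources: a descriptor opened without O_CLOEXEC reaches a spawned `/bin/sh` unless a closefrom action is attached. `child_sees_leak`, `LEAK_FD` and `HAVE_ADDCLOSEFROM` are hypothetical names, and the platform guard (FreeBSD, Solaris, glibc 2.34 or later) is an assumption; elsewhere the block falls back to the parent-side snapshot the PR describes as racy.

```c
#define _GNU_SOURCE /* exposes the _np call on glibc */
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;
/* Assumption: FreeBSD, Solaris and glibc >= 2.34 provide the call. */
#if defined(__FreeBSD__) || defined(__sun) || \
    __GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 34)
#define HAVE_ADDCLOSEFROM 1
/* Repeated in case feature-test macros hid the header's prototype. */
int posix_spawn_file_actions_addclosefrom_np(posix_spawn_file_actions_t *, int);
#endif
#define LEAK_FD 7 /* constructed: stands in for a library's stray descriptor */

/* Returns 1 if the spawned child inherited LEAK_FD, 0 if not, -1 on error. */
int child_sees_leak(int close_from_3)
{
    char *argv[] = { "sh", "-c", ": >&7", NULL }; /* fails if fd 7 is closed */
    posix_spawn_file_actions_t fa;
    pid_t pid;
    int status, rc = -1;
    int fd = open("/dev/null", O_WRONLY); /* deliberately no O_CLOEXEC */
    if (fd < 0 || dup2(fd, LEAK_FD) < 0 || posix_spawn_file_actions_init(&fa))
        return -1;
    if (fd != LEAK_FD) close(fd);
    if (close_from_3) {
#ifdef HAVE_ADDCLOSEFROM
        /* Executed in the child, so descriptors opened later are covered too. */
        posix_spawn_file_actions_addclosefrom_np(&fa, 3);
#else
        /* Racy fallback: a parent-side snapshot (capped scan) misses later opens. */
        for (int i = 3; i < 4096; i++)
            if (fcntl(i, F_GETFD) != -1)
                posix_spawn_file_actions_addclose(&fa, i);
#endif
    }
    if (posix_spawn(&pid, "/bin/sh", &fa, NULL, argv, environ) == 0 &&
        waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status) == 0;
    posix_spawn_file_actions_destroy(&fa);
    close(LEAK_FD);
    return rc;
}

int main(void)
{
    return printf("leaked: plain=%d closefrom=%d\n", child_sees_leak(0), child_sees_leak(1)) < 0;
}
```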