]> git.saurik.com Git - apple/launchd.git/blobdiff - launchd/src/launchd_core_logic.c
projects / apple / launchd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
launchd-392.18.tar.gz
[apple/launchd.git] / launchd / src / launchd_core_logic.c
diff --git a/launchd/src/launchd_core_logic.c b/launchd/src/launchd_core_logic.c
index 726ab6342a3f48d769ffed4ee51c3639c26a95aa..c04a496df5b75fe113d39197718b73621aaf4181 100644 (file)
--- a/launchd/src/launchd_core_logic.c
+++ b/launchd/src/launchd_core_logic.c
@@ -16,14 +16,16 @@
  * @APPLE_APACHE_LICENSE_HEADER_END@
  */
 
  * @APPLE_APACHE_LICENSE_HEADER_END@
  */
 
-static const char *const __rcs_file_version__ = "$Revision: 23433 $";
+static const char *const __rcs_file_version__ = "$Revision: 24984 $";
 
 #include "config.h"
 #include "launchd_core_logic.h"
 
 #include "config.h"
 #include "launchd_core_logic.h"
+#include "launch_internal.h"
+#include "launchd_helper.h"
 
 
+#include <TargetConditionals.h>
 #include <mach/mach.h>
 #include <mach/mach_error.h>
 #include <mach/mach.h>
 #include <mach/mach_error.h>
-#include <mach/mach_time.h>
 #include <mach/boolean.h>
 #include <mach/message.h>
 #include <mach/notify.h>
 #include <mach/boolean.h>
 #include <mach/message.h>
 #include <mach/notify.h>
@@ -50,6 +52,9 @@ static const char *const __rcs_file_version__ = "$Revision: 23433 $";
 #include <sys/ioctl.h>
 #include <sys/mount.h>
 #include <sys/pipe.h>
 #include <sys/ioctl.h>
 #include <sys/mount.h>
 #include <sys/pipe.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netinet/in_var.h>
@@ -72,16 +77,48 @@ static const char *const __rcs_file_version__ = "$Revision: 23433 $";
 #include <string.h>
 #include <ctype.h>
 #include <glob.h>
 #include <string.h>
 #include <ctype.h>
 #include <glob.h>
+#include <System/sys/spawn.h>
 #include <spawn.h>
 #include <spawn.h>
+#include <time.h>
+
+#include <libproc.h>
+#include <malloc/malloc.h>
+#include <pthread.h>
+#include <libproc.h>
+#if HAVE_SANDBOX
+#define __APPLE_API_PRIVATE
 #include <sandbox.h>
 #include <sandbox.h>
+#endif
+#if HAVE_QUARANTINE
+#include <quarantine.h>
+#endif
+#if TARGET_OS_EMBEDDED
+#include <sys/kern_memorystatus.h>
+#else
+/* To make my life easier. */
+typedef struct jetsam_priority_entry {
+       pid_t pid;
+       uint32_t priority;
+       uint32_t flags;
+       int32_t hiwat_pages;
+       int32_t hiwat_reserved1;
+       int32_t hiwat_reserved2;
+       int32_t hiwat_reserved3;
+} jetsam_priority_entry_t;
+
+enum {
+    kJetsamFlagsFrontmost = (1 << 0),
+    kJetsamFlagsKilled =    (1 << 1)
+};
+#endif
 
 
-#include "liblaunch_public.h"
-#include "liblaunch_private.h"
-#include "liblaunch_internal.h"
-#include "libbootstrap_public.h"
-#include "libbootstrap_private.h"
-#include "libvproc_public.h"
-#include "libvproc_internal.h"
+#include "launch.h"
+#include "launch_priv.h"
+#include "launch_internal.h"
+#include "bootstrap.h"
+#include "bootstrap_priv.h"
+#include "vproc.h"
+#include "vproc_internal.h"
 
 #include "reboot2.h"
 
 
 #include "reboot2.h"
 
@@ -90,12 +127,37 @@ static const char *const __rcs_file_version__ = "$Revision: 23433 $";
 #include "launchd_unix_ipc.h"
 #include "protocol_vproc.h"
 #include "protocol_vprocServer.h"
 #include "launchd_unix_ipc.h"
 #include "protocol_vproc.h"
 #include "protocol_vprocServer.h"
-#include "job_reply.h"
+#include "protocol_job_reply.h"
+#include "protocol_job_forward.h"
+#include "mach_excServer.h"
+#if !TARGET_OS_EMBEDDED
+#include "domainServer.h"
+#include "init.h"
+#endif
+#include "eventsServer.h"
+
+#ifndef POSIX_SPAWN_OSX_TALAPP_START
+#define POSIX_SPAWN_OSX_TALAPP_START 0x0400
+#endif
+
+#ifndef POSIX_SPAWN_OSX_WIDGET_START
+#define POSIX_SPAWN_OSX_WIDGET_START 0x0800
+#endif
+
+#ifndef POSIX_SPAWN_IOS_APP_START
+#define POSIX_SPAWN_IOS_APP_START 0x1000
+#endif
 
 
-#define LAUNCHD_MIN_JOB_RUN_TIME 10
-#define LAUNCHD_DEFAULT_EXIT_TIMEOUT 20
-#define LAUNCHD_SIGKILL_TIMER 5
+/* LAUNCHD_DEFAULT_EXIT_TIMEOUT
+ *   If the job hasn't exited in the given number of seconds after sending
+ *   it a SIGTERM, SIGKILL it. Can be overriden in the job plist.
+ */
+#define LAUNCHD_MIN_JOB_RUN_TIME               10
+#define LAUNCHD_DEFAULT_EXIT_TIMEOUT   20
+#define LAUNCHD_SIGKILL_TIMER                  2
+#define LAUNCHD_LOG_FAILED_EXEC_FREQ   10
 
 
+#define SHUTDOWN_LOG_DIR "/var/log/shutdown"
 
 #define TAKE_SUBSET_NAME       "TakeSubsetName"
 #define TAKE_SUBSET_PID                "TakeSubsetPID"
 
 #define TAKE_SUBSET_NAME       "TakeSubsetName"
 #define TAKE_SUBSET_PID                "TakeSubsetPID"
@@ -113,28 +175,34 @@ struct waiting_for_removal {
 static bool waiting4removal_new(job_t j, mach_port_t rp);
 static void waiting4removal_delete(job_t j, struct waiting_for_removal *w4r);
 
 static bool waiting4removal_new(job_t j, mach_port_t rp);
 static void waiting4removal_delete(job_t j, struct waiting_for_removal *w4r);
 
-struct mspolicy {
-       SLIST_ENTRY(mspolicy) sle;
-       unsigned int            allow:1, per_pid:1;
-       const char              name[0];
-};
-
-static bool mspolicy_new(job_t j, const char *name, bool allow, bool pid_local, bool skip_check);
-static bool mspolicy_copy(job_t j_to, job_t j_from);
-static void mspolicy_setup(launch_data_t obj, const char *key, void *context);
-static bool mspolicy_check(job_t j, const char *name, bool pid_local);
-static void mspolicy_delete(job_t j, struct mspolicy *msp);
-
 struct machservice {
        SLIST_ENTRY(machservice) sle;
        SLIST_ENTRY(machservice) special_port_sle;
        LIST_ENTRY(machservice) name_hash_sle;
        LIST_ENTRY(machservice) port_hash_sle;
 struct machservice {
        SLIST_ENTRY(machservice) sle;
        SLIST_ENTRY(machservice) special_port_sle;
        LIST_ENTRY(machservice) name_hash_sle;
        LIST_ENTRY(machservice) port_hash_sle;
-       job_t                   job;
-       uint64_t                bad_perf_cnt;
+       struct machservice *alias;
+       job_t                           job;
        unsigned int            gen_num;
        mach_port_name_t        port;
        unsigned int            gen_num;
        mach_port_name_t        port;
-       unsigned int            isActive:1, reset:1, recv:1, hide:1, kUNCServer:1, per_user_hack:1, debug_on_close:1, per_pid:1, special_port_num:10;
+       unsigned int
+               isActive                                        :1,
+               reset                                           :1,
+               recv                                            :1,
+               hide                                            :1,
+               kUNCServer                                      :1,
+               per_user_hack                           :1,
+               debug_on_close                          :1,
+               per_pid                                         :1,
+               delete_on_destruction           :1,
+               drain_one_on_crash                      :1,
+               drain_all_on_crash                      :1,
+               event_update_port                       :1, /* The job which owns this port is the event monitor. */
+               upfront                                         :1, /* This service was declared in the plist. */
+               event_channel                           :1, /* The job is to receive events on this channel. */
+               /* Don't let the size of this field to get too small. It has to be large enough
+                * to represent the reasonable range of special port numbers.
+                */
+               special_port_num                        :18;
        const char              name[0];
 };
 
        const char              name[0];
 };
 
@@ -149,6 +217,9 @@ static void machservice_setup(launch_data_t obj, const char *key, void *context)
 static void machservice_setup_options(launch_data_t obj, const char *key, void *context);
 static void machservice_resetport(job_t j, struct machservice *ms);
 static struct machservice *machservice_new(job_t j, const char *name, mach_port_t *serviceport, bool pid_local);
 static void machservice_setup_options(launch_data_t obj, const char *key, void *context);
 static void machservice_resetport(job_t j, struct machservice *ms);
 static struct machservice *machservice_new(job_t j, const char *name, mach_port_t *serviceport, bool pid_local);
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+static struct machservice *machservice_new_alias(job_t aj, struct machservice *orig);
+#endif
 static void machservice_ignore(job_t j, struct machservice *ms);
 static void machservice_watch(job_t j, struct machservice *ms);
 static void machservice_delete(job_t j, struct machservice *, bool port_died);
 static void machservice_ignore(job_t j, struct machservice *ms);
 static void machservice_watch(job_t j, struct machservice *ms);
 static void machservice_delete(job_t j, struct machservice *, bool port_died);
@@ -159,15 +230,20 @@ static bool machservice_hidden(struct machservice *);
 static bool machservice_active(struct machservice *);
 static const char *machservice_name(struct machservice *);
 static bootstrap_status_t machservice_status(struct machservice *);
 static bool machservice_active(struct machservice *);
 static const char *machservice_name(struct machservice *);
 static bootstrap_status_t machservice_status(struct machservice *);
+void machservice_drain_port(struct machservice *);
+static struct machservice *xpc_events_find_channel(job_t j, event_name_t stream, mach_port_t *p);
 
 struct socketgroup {
        SLIST_ENTRY(socketgroup) sle;
        int *fds;
        unsigned int junkfds:1, fd_cnt:31;
 
 struct socketgroup {
        SLIST_ENTRY(socketgroup) sle;
        int *fds;
        unsigned int junkfds:1, fd_cnt:31;
-       char name[0];
+       union {
+               const char name[0];
+               char name_init[0];
+       };
 };
 
 };
 
-static bool socketgroup_new(job_t j, const char *name, int *fds, unsigned int fd_cnt, bool junkfds);
+static bool socketgroup_new(job_t j, const char *name, int *fds, size_t fd_cnt, bool junkfds);
 static void socketgroup_delete(job_t j, struct socketgroup *sg);
 static void socketgroup_watch(job_t j, struct socketgroup *sg);
 static void socketgroup_ignore(job_t j, struct socketgroup *sg);
 static void socketgroup_delete(job_t j, struct socketgroup *sg);
 static void socketgroup_watch(job_t j, struct socketgroup *sg);
 static void socketgroup_ignore(job_t j, struct socketgroup *sg);
@@ -195,13 +271,18 @@ static void calendarinterval_sanity_check(void);
 
 struct envitem {
        SLIST_ENTRY(envitem) sle;
 
 struct envitem {
        SLIST_ENTRY(envitem) sle;
+       bool one_shot;
        char *value;
        char *value;
-       char key[0];
+       union {
+               const char key[0];
+               char key_init[0];
+       };
 };
 
 };
 
-static bool envitem_new(job_t j, const char *k, const char *v, bool global);
+static bool envitem_new(job_t j, const char *k, const char *v, bool global, bool one_shot);
 static void envitem_delete(job_t j, struct envitem *ei, bool global);
 static void envitem_setup(launch_data_t obj, const char *key, void *context);
 static void envitem_delete(job_t j, struct envitem *ei, bool global);
 static void envitem_setup(launch_data_t obj, const char *key, void *context);
+static void envitem_setup_one_shot(launch_data_t obj, const char *key, void *context);
 
 struct limititem {
        SLIST_ENTRY(limititem) sle;
 
 struct limititem {
        SLIST_ENTRY(limititem) sle;
@@ -212,13 +293,19 @@ struct limititem {
 static bool limititem_update(job_t j, int w, rlim_t r);
 static void limititem_delete(job_t j, struct limititem *li);
 static void limititem_setup(launch_data_t obj, const char *key, void *context);
 static bool limititem_update(job_t j, int w, rlim_t r);
 static void limititem_delete(job_t j, struct limititem *li);
 static void limititem_setup(launch_data_t obj, const char *key, void *context);
+#if HAVE_SANDBOX
 static void seatbelt_setup_flags(launch_data_t obj, const char *key, void *context);
 static void seatbelt_setup_flags(launch_data_t obj, const char *key, void *context);
+#endif
+
+static void jetsam_property_setup(launch_data_t obj, const char *key, job_t j);
 
 typedef enum {
        NETWORK_UP = 1,
        NETWORK_DOWN,
        SUCCESSFUL_EXIT,
        FAILED_EXIT,
 
 typedef enum {
        NETWORK_UP = 1,
        NETWORK_DOWN,
        SUCCESSFUL_EXIT,
        FAILED_EXIT,
+       CRASHED,
+       DID_NOT_CRASH,
        PATH_EXISTS,
        PATH_MISSING,
        OTHER_JOB_ENABLED,
        PATH_EXISTS,
        PATH_MISSING,
        OTHER_JOB_ENABLED,
@@ -233,8 +320,13 @@ typedef enum {
 struct semaphoreitem {
        SLIST_ENTRY(semaphoreitem) sle;
        semaphore_reason_t why;
 struct semaphoreitem {
        SLIST_ENTRY(semaphoreitem) sle;
        semaphore_reason_t why;
+       bool watching_parent;
        int fd;
        int fd;
-       char what[0];
+       
+       union {
+               const char what[0];
+               char what_init[0];
+       };
 };
 
 struct semaphoreitem_dict_iter_context {
 };
 
 struct semaphoreitem_dict_iter_context {
@@ -252,42 +344,136 @@ static void semaphoreitem_watch(job_t j, struct semaphoreitem *si);
 static void semaphoreitem_ignore(job_t j, struct semaphoreitem *si);
 static void semaphoreitem_runtime_mod_ref(struct semaphoreitem *si, bool add);
 
 static void semaphoreitem_ignore(job_t j, struct semaphoreitem *si);
 static void semaphoreitem_runtime_mod_ref(struct semaphoreitem *si, bool add);
 
+struct externalevent {
+       LIST_ENTRY(externalevent) sys_le;
+       LIST_ENTRY(externalevent) job_le;
+       struct eventsystem *sys;
+       
+       uint64_t id;
+       job_t job;
+       bool state;
+       bool wanted_state;
+       launch_data_t event;
+       
+       char name[0];
+};
+
+struct externalevent_iter_ctx {
+       job_t j;
+       struct eventsystem *sys;
+};
+
+static bool externalevent_new(job_t j, struct eventsystem *sys, char *evname, launch_data_t event);
+static void externalevent_delete(struct externalevent *ee);
+static void externalevent_setup(launch_data_t obj, const char *key, void *context);
+static struct externalevent *externalevent_find(const char *sysname, uint64_t id);
+
+struct eventsystem {
+       LIST_ENTRY(eventsystem) global_le;
+       LIST_HEAD(, externalevent) events;
+       uint64_t curid;
+       bool has_updates;
+       char name[0];
+};
+
+static struct eventsystem *eventsystem_new(const char *name);
+static void eventsystem_delete(struct eventsystem *sys);
+static void eventsystem_setup(launch_data_t obj, const char *key, void *context);
+static struct eventsystem *eventsystem_find(const char *name);
+static void eventsystem_ping(void);
+
 #define ACTIVE_JOB_HASH_SIZE   32
 #define ACTIVE_JOB_HASH(x)     (IS_POWER_OF_TWO(ACTIVE_JOB_HASH_SIZE) ? (x & (ACTIVE_JOB_HASH_SIZE - 1)) : (x % ACTIVE_JOB_HASH_SIZE))
 #define ACTIVE_JOB_HASH_SIZE   32
 #define ACTIVE_JOB_HASH(x)     (IS_POWER_OF_TWO(ACTIVE_JOB_HASH_SIZE) ? (x & (ACTIVE_JOB_HASH_SIZE - 1)) : (x % ACTIVE_JOB_HASH_SIZE))
+
 #define MACHSERVICE_HASH_SIZE  37
 
 #define MACHSERVICE_HASH_SIZE  37
 
+#define LABEL_HASH_SIZE 53
 struct jobmgr_s {
        kq_callback kqjobmgr_callback;
 struct jobmgr_s {
        kq_callback kqjobmgr_callback;
+       LIST_ENTRY(jobmgr_s) xpc_le;
        SLIST_ENTRY(jobmgr_s) sle;
        SLIST_HEAD(, jobmgr_s) submgrs;
        LIST_HEAD(, job_s) jobs;
        SLIST_ENTRY(jobmgr_s) sle;
        SLIST_HEAD(, jobmgr_s) submgrs;
        LIST_HEAD(, job_s) jobs;
+       LIST_HEAD(, job_s) jetsam_jobs;
+       
+       /* For legacy reasons, we keep all job labels that are imported in the
+        * root job manager's label hash. If a job manager is an XPC domain, then
+        * it gets its own label hash that is separate from the "global" one
+        * stored in the root job manager.
+        */
+       LIST_HEAD(, job_s) label_hash[LABEL_HASH_SIZE];
        LIST_HEAD(, job_s) active_jobs[ACTIVE_JOB_HASH_SIZE];
        LIST_HEAD(, machservice) ms_hash[MACHSERVICE_HASH_SIZE];
        LIST_HEAD(, job_s) active_jobs[ACTIVE_JOB_HASH_SIZE];
        LIST_HEAD(, machservice) ms_hash[MACHSERVICE_HASH_SIZE];
+       LIST_HEAD(, job_s) global_env_jobs;
        mach_port_t jm_port;
        mach_port_t req_port;
        jobmgr_t parentmgr;
        int reboot_flags;
        mach_port_t jm_port;
        mach_port_t req_port;
        jobmgr_t parentmgr;
        int reboot_flags;
+       time_t shutdown_time;
        unsigned int global_on_demand_cnt;
        unsigned int global_on_demand_cnt;
-       unsigned int hopefully_first_cnt;
        unsigned int normal_active_cnt;
        unsigned int normal_active_cnt;
-       unsigned int sent_stop_to_normal_jobs:1, sent_stop_to_hopefully_last_jobs:1, shutting_down:1, session_initialized:1;
-       char name[0];
+       unsigned int jetsam_jobs_cnt;
+       unsigned int 
+               shutting_down                                   :1,
+               session_initialized                             :1, 
+               killed_stray_jobs                               :1,
+               monitor_shutdown                                :1,
+               shutdown_jobs_dirtied                   :1,
+               shutdown_jobs_cleaned                   :1,
+               xpc_singleton                                   :1;
+       uint32_t properties;
+       /* XPC-specific properties. */
+       char owner[MAXCOMLEN];
+       char *shortdesc;
+       mach_port_t req_bsport;
+       mach_port_t req_excport;
+       mach_port_t req_asport;
+       pid_t req_pid;
+       uid_t req_euid;
+       gid_t req_egid;
+       au_asid_t req_asid;
+       vm_offset_t req_ctx;
+       mach_msg_type_number_t req_ctx_sz;
+       mach_port_t req_rport;
+       kern_return_t error;
+       union {
+               const char name[0];
+               char name_init[0];
+       };
 };
 
 };
 
-#define jobmgr_assumes(jm, e)  \
-       (__builtin_expect(!(e), 0) ? jobmgr_log_bug(jm, __rcs_file_version__, __FILE__, __LINE__, #e), false : true)
+/* Global XPC domains. */
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+static jobmgr_t _s_xpc_system_domain;
+static LIST_HEAD(, jobmgr_s) _s_xpc_user_domains;
+static LIST_HEAD(, jobmgr_s) _s_xpc_session_domains;
+#endif
 
 
-static jobmgr_t jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bool sflag, const char *name);
+#define jobmgr_assumes(jm, e)  \
+       (unlikely(!(e)) ? jobmgr_log_bug(jm, __LINE__), false : true)
+
+static jobmgr_t jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bool sflag, const char *name, bool no_init, mach_port_t asport);
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+static jobmgr_t jobmgr_new_xpc_singleton_domain(jobmgr_t jm, name_t name);
+static jobmgr_t jobmgr_find_xpc_per_user_domain(jobmgr_t jm, uid_t uid);
+static jobmgr_t jobmgr_find_xpc_per_session_domain(jobmgr_t jm, au_asid_t asid);
+static job_t xpc_domain_import_service(jobmgr_t jm, launch_data_t pload);
+#endif
 static job_t jobmgr_import2(jobmgr_t jm, launch_data_t pload);
 static jobmgr_t jobmgr_parent(jobmgr_t jm);
 static jobmgr_t jobmgr_do_garbage_collection(jobmgr_t jm);
 static job_t jobmgr_import2(jobmgr_t jm, launch_data_t pload);
 static jobmgr_t jobmgr_parent(jobmgr_t jm);
 static jobmgr_t jobmgr_do_garbage_collection(jobmgr_t jm);
+static bool jobmgr_label_test(jobmgr_t jm, const char *str);
 static void jobmgr_reap_bulk(jobmgr_t jm, struct kevent *kev);
 static void jobmgr_reap_bulk(jobmgr_t jm, struct kevent *kev);
-static void jobmgr_log_stray_children(jobmgr_t jm);
+static void jobmgr_log_stray_children(jobmgr_t jm, bool kill_strays);
+static void jobmgr_kill_stray_children(jobmgr_t jm, pid_t *p, size_t np);
 static void jobmgr_remove(jobmgr_t jm);
 static void jobmgr_dispatch_all(jobmgr_t jm, bool newmounthack);
 static job_t jobmgr_init_session(jobmgr_t jm, const char *session_type, bool sflag);
 static void jobmgr_remove(jobmgr_t jm);
 static void jobmgr_dispatch_all(jobmgr_t jm, bool newmounthack);
 static job_t jobmgr_init_session(jobmgr_t jm, const char *session_type, bool sflag);
+static job_t jobmgr_find_by_pid_deep(jobmgr_t jm, pid_t p, bool anon_okay);
 static job_t jobmgr_find_by_pid(jobmgr_t jm, pid_t p, bool create_anon);
 static job_t jobmgr_find_by_pid(jobmgr_t jm, pid_t p, bool create_anon);
+static jobmgr_t jobmgr_find_by_name(jobmgr_t jm, const char *where);
 static job_t job_mig_intran2(jobmgr_t jm, mach_port_t mport, pid_t upid);
 static job_t job_mig_intran2(jobmgr_t jm, mach_port_t mport, pid_t upid);
+static job_t jobmgr_lookup_per_user_context_internal(job_t j, uid_t which_user, mach_port_t *mp);
 static void job_export_all2(jobmgr_t jm, launch_data_t where);
 static void jobmgr_callback(void *obj, struct kevent *kev);
 static void jobmgr_setup_env_from_other_jobs(jobmgr_t jm);
 static void job_export_all2(jobmgr_t jm, launch_data_t where);
 static void jobmgr_callback(void *obj, struct kevent *kev);
 static void jobmgr_setup_env_from_other_jobs(jobmgr_t jm);
@@ -296,83 +482,182 @@ static struct machservice *jobmgr_lookup_service(jobmgr_t jm, const char *name,
 static void jobmgr_logv(jobmgr_t jm, int pri, int err, const char *msg, va_list ap) __attribute__((format(printf, 4, 0)));
 static void jobmgr_log(jobmgr_t jm, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4)));
 /* static void jobmgr_log_error(jobmgr_t jm, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4))); */
 static void jobmgr_logv(jobmgr_t jm, int pri, int err, const char *msg, va_list ap) __attribute__((format(printf, 4, 0)));
 static void jobmgr_log(jobmgr_t jm, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4)));
 /* static void jobmgr_log_error(jobmgr_t jm, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4))); */
-static void jobmgr_log_bug(jobmgr_t jm, const char *rcs_rev, const char *path, unsigned int line, const char *test);
-
-#define DO_RUSAGE_SUMMATION 0
+static void jobmgr_log_bug(jobmgr_t jm, unsigned int line);
 
 #define AUTO_PICK_LEGACY_LABEL (const char *)(~0)
 
 #define AUTO_PICK_LEGACY_LABEL (const char *)(~0)
+#define AUTO_PICK_ANONYMOUS_LABEL (const char *)(~1)
+#define AUTO_PICK_XPC_LABEL (const char *)(~2)
+
+struct suspended_peruser {
+       LIST_ENTRY(suspended_peruser) sle;
+       job_t j;
+};
 
 struct job_s {
 
 struct job_s {
-       kq_callback kqjob_callback;
+       kq_callback kqjob_callback;     /* MUST be first element of this structure for benefit of launchd's run loop. */
        LIST_ENTRY(job_s) sle;
        LIST_ENTRY(job_s) sle;
+       LIST_ENTRY(job_s) subjob_sle;
+       LIST_ENTRY(job_s) needing_session_sle;
+       LIST_ENTRY(job_s) jetsam_sle;
        LIST_ENTRY(job_s) pid_hash_sle;
        LIST_ENTRY(job_s) label_hash_sle;
        LIST_ENTRY(job_s) pid_hash_sle;
        LIST_ENTRY(job_s) label_hash_sle;
+       LIST_ENTRY(job_s) global_env_sle;
+       SLIST_ENTRY(job_s) curious_jobs_sle;
+       LIST_HEAD(, suspended_peruser) suspended_perusers;
+       LIST_HEAD(, waiting_for_exit) exit_watchers;
+       LIST_HEAD(, job_s) subjobs;
+       LIST_HEAD(, externalevent) events;
        SLIST_HEAD(, socketgroup) sockets;
        SLIST_HEAD(, calendarinterval) cal_intervals;
        SLIST_HEAD(, envitem) global_env;
        SLIST_HEAD(, envitem) env;
        SLIST_HEAD(, limititem) limits;
        SLIST_HEAD(, socketgroup) sockets;
        SLIST_HEAD(, calendarinterval) cal_intervals;
        SLIST_HEAD(, envitem) global_env;
        SLIST_HEAD(, envitem) env;
        SLIST_HEAD(, limititem) limits;
-       SLIST_HEAD(, mspolicy) mspolicies;
        SLIST_HEAD(, machservice) machservices;
        SLIST_HEAD(, semaphoreitem) semaphores;
        SLIST_HEAD(, waiting_for_removal) removal_watchers;
        SLIST_HEAD(, machservice) machservices;
        SLIST_HEAD(, semaphoreitem) semaphores;
        SLIST_HEAD(, waiting_for_removal) removal_watchers;
-#if DO_RUSAGE_SUMMATION
+       job_t alias;
        struct rusage ru;
        struct rusage ru;
-#endif
        cpu_type_t *j_binpref;
        size_t j_binpref_cnt;
        mach_port_t j_port;
        cpu_type_t *j_binpref;
        size_t j_binpref_cnt;
        mach_port_t j_port;
-       mach_port_t wait_reply_port;
+       mach_port_t exit_status_dest;
+       mach_port_t exit_status_port;
+       mach_port_t spawn_reply_port;
        uid_t mach_uid;
        jobmgr_t mgr;
        uid_t mach_uid;
        jobmgr_t mgr;
+       size_t argc;
        char **argv;
        char *prog;
        char *rootdir;
        char *workingdir;
        char *username;
        char *groupname;
        char **argv;
        char *prog;
        char *rootdir;
        char *workingdir;
        char *username;
        char *groupname;
+       char *stdinpath;
        char *stdoutpath;
        char *stderrpath;
        char *stdoutpath;
        char *stderrpath;
+       char *alt_exc_handler;
+       struct vproc_shmem_s *shmem;
        struct machservice *lastlookup;
        unsigned int lastlookup_gennum;
        struct machservice *lastlookup;
        unsigned int lastlookup_gennum;
+#if HAVE_SANDBOX
        char *seatbelt_profile;
        uint64_t seatbelt_flags;
        char *seatbelt_profile;
        uint64_t seatbelt_flags;
+#endif
+#if HAVE_QUARANTINE
        void *quarantine_data;
        size_t quarantine_data_sz;
        void *quarantine_data;
        size_t quarantine_data_sz;
+#endif
        pid_t p;
        pid_t p;
-       int argc;
        int last_exit_status;
        int last_exit_status;
-       int forkfd;
+       int stdin_fd;
+       int fork_fd;
        int log_redirect_fd;
        int nice;
        int log_redirect_fd;
        int nice;
-       unsigned int timeout;
-       unsigned int exit_timeout;
        int stdout_err_fd;
        int stdout_err_fd;
-       uint64_t sent_sigterm_time;
+       uint32_t pstype;
+       int32_t jetsam_priority;
+       int32_t jetsam_memlimit;
+       int32_t jetsam_seq;
+       int32_t main_thread_priority;
+       uint32_t timeout;
+       uint32_t exit_timeout;
+       uint64_t sent_signal_time;
        uint64_t start_time;
        uint32_t min_run_time;
        uint32_t start_interval;
        uint64_t start_time;
        uint32_t min_run_time;
        uint32_t start_interval;
-       unsigned int checkedin:1, anonymous:1, debug:1, inetcompat:1, inetcompat_wait:1,
-                    ondemand:1, session_create:1, low_pri_io:1, no_init_groups:1, priv_port_has_senders:1,
-                    importing_global_env:1, importing_hard_limits:1, setmask:1, legacy_mach_job:1, start_pending:1;
+       uint32_t peruser_suspend_count; /* The number of jobs that have disabled this per-user launchd. */
+       uuid_t instance_id;
+       uint32_t fail_cnt;
+#if 0
+       /* someday ... */
+       enum {
+               J_TYPE_ANONYMOUS = 1,
+               J_TYPE_LANCHSERVICES,
+               J_TYPE_MACHINIT,
+               J_TYPE_INETD,
+       } j_type;
+#endif
+       bool    
+       debug                                           :1,     /* man launchd.plist --> Debug */
+       ondemand                                        :1,     /* man launchd.plist --> KeepAlive == false */
+       session_create                          :1,     /* man launchd.plist --> SessionCreate */
+       low_pri_io                                      :1,     /* man launchd.plist --> LowPriorityIO */
+       no_init_groups                          :1,     /* man launchd.plist --> InitGroups */
+       priv_port_has_senders           :1,     /* a legacy mach_init concept to make bootstrap_create_server/service() work */
+       importing_global_env            :1,     /* a hack during job importing */
+       importing_hard_limits           :1,     /* a hack during job importing */
+       setmask                                         :1,     /* man launchd.plist --> Umask */
+       anonymous                                       :1,     /* a process that launchd knows about, but isn't managed by launchd */
+       checkedin                                       :1,     /* a legacy mach_init concept to detect sick jobs */
+       legacy_mach_job                         :1,     /* a job created via bootstrap_create_server() */
+       legacy_LS_job                           :1,     /* a job created via spawn_via_launchd() */
+       inetcompat                                      :1,     /* a legacy job that wants inetd compatible semantics */
+       inetcompat_wait                         :1,     /* a twist on inetd compatibility */
+       start_pending                           :1,     /* an event fired and the job should start, but not necessarily right away */
+       globargv                                        :1,     /* man launchd.plist --> EnableGlobbing */
+       wait4debugger                           :1,     /* man launchd.plist --> WaitForDebugger */
+       wait4debugger_oneshot           :1, /* One-shot WaitForDebugger. */
+       internal_exc_handler            :1,     /* MachExceptionHandler == true */
+       stall_before_exec                       :1,     /* a hack to support an option of spawn_via_launchd() */
+       only_once                                       :1,     /* man launchd.plist --> LaunchOnlyOnce. Note: 5465184 Rename this to "HopefullyNeverExits" */
+       currently_ignored                       :1,     /* Make job_ignore() / job_watch() work. If these calls were balanced, then this wouldn't be necessarily. */
+       forced_peers_to_demand_mode     :1,     /* A job that forced all other jobs to be temporarily launch-on-demand */
+       setnice                                         :1,     /* man launchd.plist --> Nice */
+       removal_pending                         :1,     /* a job was asked to be unloaded/removed while running, we'll remove it after it exits */
+       sent_sigkill                            :1,     /* job_kill() was called */
+       debug_before_kill                       :1,     /* enter the kernel debugger before killing a job */
+       weird_bootstrap                         :1,     /* a hack that launchd+launchctl use during jobmgr_t creation */
+       start_on_mount                          :1,     /* man launchd.plist --> StartOnMount */
+       per_user                                        :1,     /* This job is a per-user launchd managed by the PID 1 launchd */
+       unload_at_mig_return            :1,     /* A job thoroughly confused launchd. We need to unload it ASAP */
+       abandon_pg                                      :1,     /* man launchd.plist --> AbandonProcessGroup */
+       ignore_pg_at_shutdown           :1, /* During shutdown, do not send SIGTERM to stray processes in the process group of this job. */
+       poll_for_vfs_changes            :1,     /* a hack to work around the fact that kqueues don't work on all filesystems */
+       deny_job_creation                       :1,     /* Don't let this job create new 'job_t' objects in launchd */
+       kill_via_shmem                          :1,     /* man launchd.plist --> EnableTransactions */
+       sent_kill_via_shmem                     :1,     /* We need to 'kill_via_shmem' once-and-only-once */
+       clean_kill                                      :1, /* The job was sent SIGKILL because it was clean. */
+       kill_after_sample                       :1, /* The job is to be killed after sampling. */
+       reap_after_trace                        :1,     /* The job exited before sample did, so we should reap it after sample is done. */
+       nosy                                            :1, /* The job has an OtherJobEnabled KeepAlive criterion. */
+       crashed                                         :1, /* The job is the default Mach exception handler, and it crashed. */
+       reaped                                          :1, /* We've received NOTE_EXIT for the job. */
+       stopped                                         :1, /* job_stop() was called. */
+       jetsam_frontmost                        :1, /* The job is considered "frontmost" by Jetsam. */
+       needs_kickoff                           :1, /* The job is to be kept alive continuously, but it must be initially kicked off. */
+       is_bootstrapper                         :1, /* The job is a bootstrapper. */
+       has_console                                     :1, /* The job owns the console. */
+       embedded_special_privileges     :1, /* The job runs as a non-root user on embedded but has select privileges of the root user. */
+       did_exec                                        :1, /* The job exec(2)ed successfully. */
+       xpcproxy_did_exec                       :1, /* The job is an XPC service, and XPC proxy successfully exec(3)ed. */
+       holds_ref                                       :1, /* The (anonymous) job called vprocmgr_switch_to_session(). */
+       jetsam_properties                       :1, /* The job has Jetsam limits in place. */
+       dedicated_instance                      :1, /* This job was created as the result of a look up of a service provided by a per-lookup job. */
+       multiple_instances                      :1, /* The job supports creating additional instances of itself. */
+       former_subjob                           :1, /* The sub-job was already removed from the parent's list of sub-jobs. */
+       event_monitor                           :1, /* The job is responsible for monitoring external events for this launchd. */
+       removing                                        :1, /* A lame hack. */
+       disable_aslr                            :1, /* Disable ASLR when launching this job. */
+       xpc_service                                     :1, /* The job is an XPC Service. */
+       shutdown_monitor                        :1, /* The job is the Performance team's shutdown monitor. */
+       dirty_at_shutdown                       :1, /* We should open a transaction for the job when shutdown begins. */
+       workaround9359725                       :1; /* The job was sent SIGKILL but did not exit in a timely fashion, indicating a kernel bug. */
+
        mode_t mask;
        mode_t mask;
-       unsigned int globargv:1, wait4debugger:1, unload_at_exit:1, stall_before_exec:1, only_once:1,
-                    currently_ignored:1, forced_peers_to_demand_mode:1, setnice:1, hopefully_exits_last:1, removal_pending:1,
-                    wait4pipe_eof:1, sent_sigkill:1, debug_before_kill:1, weird_bootstrap:1, start_on_mount:1,
-                    per_user:1, hopefully_exits_first:1, deny_unknown_mslookups:1, unload_at_mig_return:1, abandon_pg:1,
-                    poll_for_vfs_changes:1;
+       pid_t tracing_pid;
+       mach_port_t asport;
+       /* Only set for per-user launchd's. */
+       au_asid_t asid;
+       uuid_t expected_audit_uuid;
        const char label[0];
 };
 
        const char label[0];
 };
 
-#define LABEL_HASH_SIZE 53
-
-static LIST_HEAD(, job_s) label_hash[LABEL_HASH_SIZE];
 static size_t hash_label(const char *label) __attribute__((pure));
 static size_t hash_ms(const char *msstr) __attribute__((pure));
 static size_t hash_label(const char *label) __attribute__((pure));
 static size_t hash_ms(const char *msstr) __attribute__((pure));
-
+static SLIST_HEAD(, job_s) s_curious_jobs;
 
 #define job_assumes(j, e)      \
 
 #define job_assumes(j, e)      \
-       (__builtin_expect(!(e), 0) ? job_log_bug(j, __rcs_file_version__, __FILE__, __LINE__, #e), false : true)
+       (unlikely(!(e)) ? job_log_bug(j, __LINE__), false : true)
 
 static void job_import_keys(launch_data_t obj, const char *key, void *context);
 static void job_import_bool(job_t j, const char *key, bool value);
 
 static void job_import_keys(launch_data_t obj, const char *key, void *context);
 static void job_import_bool(job_t j, const char *key, bool value);
@@ -385,40 +670,45 @@ static bool job_set_global_on_demand(job_t j, bool val);
 static const char *job_active(job_t j);
 static void job_watch(job_t j);
 static void job_ignore(job_t j);
 static const char *job_active(job_t j);
 static void job_watch(job_t j);
 static void job_ignore(job_t j);
+static void job_cleanup_after_tracer(job_t j);
 static void job_reap(job_t j);
 static bool job_useless(job_t j);
 static bool job_keepalive(job_t j);
 static void job_reap(job_t j);
 static bool job_useless(job_t j);
 static bool job_keepalive(job_t j);
+static void job_dispatch_curious_jobs(job_t j);
 static void job_start(job_t j);
 static void job_start_child(job_t j) __attribute__((noreturn));
 static void job_setup_attributes(job_t j);
 static bool job_setup_machport(job_t j);
 static void job_start(job_t j);
 static void job_start_child(job_t j) __attribute__((noreturn));
 static void job_setup_attributes(job_t j);
 static bool job_setup_machport(job_t j);
+static kern_return_t job_setup_exit_port(job_t j);
 static void job_setup_fd(job_t j, int target_fd, const char *path, int flags);
 static void job_postfork_become_user(job_t j);
 static void job_setup_fd(job_t j, int target_fd, const char *path, int flags);
 static void job_postfork_become_user(job_t j);
-static void job_find_and_blame_pids_with_weird_uids(job_t j);
-static void job_force_sampletool(job_t j);
+static void job_postfork_test_user(job_t j);
+static void job_log_pids_with_weird_uids(job_t j);
 static void job_setup_exception_port(job_t j, task_t target_task);
 static void job_setup_exception_port(job_t j, task_t target_task);
-static void job_reparent_hack(job_t j, const char *where);
 static void job_callback(void *obj, struct kevent *kev);
 static void job_callback(void *obj, struct kevent *kev);
-static void job_callback_proc(job_t j, int flags, int fflags);
+static void job_callback_proc(job_t j, struct kevent *kev);
 static void job_callback_timer(job_t j, void *ident);
 static void job_callback_read(job_t j, int ident);
 static void job_log_stray_pg(job_t j);
 static void job_callback_timer(job_t j, void *ident);
 static void job_callback_read(job_t j, int ident);
 static void job_log_stray_pg(job_t j);
-static job_t job_new_anonymous(jobmgr_t jm, pid_t anonpid);
-static job_t job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *argv);
-static job_t job_new_via_mach_init(job_t j, const char *cmd, uid_t uid, bool ond);
-static const char *job_prog(job_t j);
-static jobmgr_t job_get_bs(job_t j);
+static void job_log_children_without_exec(job_t j);
+static job_t job_new_anonymous(jobmgr_t jm, pid_t anonpid) __attribute__((malloc, nonnull, warn_unused_result));
+static job_t job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *argv) __attribute__((malloc, nonnull(1,2), warn_unused_result));
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+static job_t job_new_alias(jobmgr_t jm, job_t src);
+#endif
+static job_t job_new_via_mach_init(job_t j, const char *cmd, uid_t uid, bool ond) __attribute__((malloc, nonnull, warn_unused_result));
+static job_t job_new_subjob(job_t j, uuid_t identifier);
 static void job_kill(job_t j);
 static void job_uncork_fork(job_t j);
 static void job_log_stdouterr(job_t j);
 static void job_logv(job_t j, int pri, int err, const char *msg, va_list ap) __attribute__((format(printf, 4, 0)));
 static void job_log_error(job_t j, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4)));
 static void job_kill(job_t j);
 static void job_uncork_fork(job_t j);
 static void job_log_stdouterr(job_t j);
 static void job_logv(job_t j, int pri, int err, const char *msg, va_list ap) __attribute__((format(printf, 4, 0)));
 static void job_log_error(job_t j, int pri, const char *msg, ...) __attribute__((format(printf, 3, 4)));
-static void job_log_bug(job_t j, const char *rcs_rev, const char *path, unsigned int line, const char *test);
+static void job_log_bug(job_t j, unsigned int line);
 static void job_log_stdouterr2(job_t j, const char *msg, ...);
 static void job_log_stdouterr2(job_t j, const char *msg, ...);
-static void job_set_exeception_port(job_t j, mach_port_t port);
-static kern_return_t job_handle_mpm_wait(job_t j, mach_port_t srp, int *waitstatus);
-
-
+static void job_set_exception_port(job_t j, mach_port_t port);
+static kern_return_t job_mig_spawn_internal(job_t j, vm_offset_t indata, mach_msg_type_number_t indataCnt, mach_port_t asport, job_t *outj);
+static void job_open_shutdown_transaction(job_t ji);
+static void job_close_shutdown_transaction(job_t ji);
 
 static const struct {
        const char *key;
 
 static const struct {
        const char *key;
@@ -442,29 +732,53 @@ static bool cronemu_mday(struct tm *wtm, int mday, int hour, int min);
 static bool cronemu_hour(struct tm *wtm, int hour, int min);
 static bool cronemu_min(struct tm *wtm, int min);
 
 static bool cronemu_hour(struct tm *wtm, int hour, int min);
 static bool cronemu_min(struct tm *wtm, int min);
 
+/* These functions are a total nightmare to get to through headers.
+ * See rdar://problem/8223092.
+ */
+typedef __darwin_mach_port_t fileport_t;
+#define FILEPORT_NULL ((fileport_t)0)
+extern int fileport_makeport(int, fileport_t *);
+extern int fileport_makefd(fileport_t);
+
 /* miscellaneous file local functions */
 /* miscellaneous file local functions */
-static void ensure_root_bkgd_setup(void);
+static size_t get_kern_max_proc(void);
 static int dir_has_files(job_t j, const char *path);
 static char **mach_cmd2argv(const char *string);
 static size_t our_strhash(const char *s) __attribute__((pure));
 static void extract_rcsid_substr(const char *i, char *o, size_t osz);
 static int dir_has_files(job_t j, const char *path);
 static char **mach_cmd2argv(const char *string);
 static size_t our_strhash(const char *s) __attribute__((pure));
 static void extract_rcsid_substr(const char *i, char *o, size_t osz);
-static void do_first_per_user_launchd_hack(void);
-static void do_file_init(void) __attribute__((constructor));
+
+void eliminate_double_reboot(void);
 
 /* file local globals */
 static size_t total_children;
 static size_t total_anon_children;
 static mach_port_t the_exception_server;
 
 /* file local globals */
 static size_t total_children;
 static size_t total_anon_children;
 static mach_port_t the_exception_server;
-static bool did_first_per_user_launchd_BootCache_hack;
-#define JOB_BOOTCACHE_HACK_CHECK(j)    (j->per_user && !did_first_per_user_launchd_BootCache_hack && (j->mach_uid >= 500) && (j->mach_uid != (uid_t)-2))
-static jobmgr_t background_jobmgr;
 static job_t workaround_5477111;
 static job_t workaround_5477111;
-static mach_timebase_info_data_t tbi;
+static LIST_HEAD(, job_s) s_needing_sessions;
+static LIST_HEAD(, eventsystem) _s_event_systems;
+static job_t _s_event_monitor;
+static job_t _s_shutdown_monitor;
+static mach_port_t _s_event_update_port;
+mach_port_t g_audit_session_port = MACH_PORT_NULL;
+static uint32_t s_jetsam_sequence_id;
+
+#if !TARGET_OS_EMBEDDED
+static job_t s_embedded_privileged_job = (job_t)&root_jobmgr;
+au_asid_t g_audit_session = AU_DEFAUDITSID;
+#else
+static job_t s_embedded_privileged_job = NULL;
+pid_t g_audit_session = 0;
+#endif
+
+static int s_no_hang_fd = -1;
 
 /* process wide globals */
 mach_port_t inherited_bootstrap_port;
 jobmgr_t root_jobmgr;
 
 /* process wide globals */
 mach_port_t inherited_bootstrap_port;
 jobmgr_t root_jobmgr;
-
+bool g_shutdown_debugging = false;
+bool g_verbose_boot = false;
+bool g_embedded_privileged_action = false;
+bool g_runtime_busy_time = false;
 
 void
 job_ignore(job_t j)
 
 void
 job_ignore(job_t j)
@@ -483,7 +797,7 @@ job_ignore(job_t j)
 
        if (j->poll_for_vfs_changes) {
                j->poll_for_vfs_changes = false;
 
        if (j->poll_for_vfs_changes) {
                j->poll_for_vfs_changes = false;
-               job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_DELETE, 0, 0, j) != -1);
+               (void)job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_DELETE, 0, 0, j) != -1);
        }
 
        SLIST_FOREACH(sg, &j->sockets, sle) {
        }
 
        SLIST_FOREACH(sg, &j->sockets, sle) {
@@ -530,19 +844,68 @@ job_watch(job_t j)
 void
 job_stop(job_t j)
 {
 void
 job_stop(job_t j)
 {
-       if (!j->p || j->anonymous) {
+       char extralog[100];
+       int32_t newval = 1;
+
+       if (unlikely(!j->p || j->stopped || j->anonymous)) {
                return;
        }
 
                return;
        }
 
-       job_assumes(j, runtime_kill(j->p, SIGTERM) != -1);
-       j->sent_sigterm_time = mach_absolute_time();
+#if TARGET_OS_EMBEDDED
+       if (g_embedded_privileged_action && s_embedded_privileged_job) {
+               if (!job_assumes(j, s_embedded_privileged_job->username != NULL && j->username != NULL)) {
+                       errno = EPERM;
+                       return;
+               }
+       
+               if (strcmp(j->username, s_embedded_privileged_job->username) != 0) {
+                       errno = EPERM;
+                       return;
+               }
+       } else if (g_embedded_privileged_action) {
+               errno = EINVAL;
+               return;
+       }
+#endif
 
 
-       if (j->exit_timeout) {
-               job_assumes(j, kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER,
-                                       EV_ADD|EV_ONESHOT, NOTE_SECONDS, j->exit_timeout, j) != -1);
+       if (j->kill_via_shmem) {
+               if (j->shmem) {
+                       if (!j->sent_kill_via_shmem) {
+                               j->shmem->vp_shmem_flags |= VPROC_SHMEM_EXITING;
+                               newval = __sync_sub_and_fetch(&j->shmem->vp_shmem_transaction_cnt, 1);
+                               j->sent_kill_via_shmem = true;
+                       } else {
+                               newval = j->shmem->vp_shmem_transaction_cnt;
+                       }
+               } else {
+                       newval = -1;
+               }
        }
 
        }
 
-       job_log(j, LOG_DEBUG, "Sent SIGTERM signal");
+       j->sent_signal_time = runtime_get_opaque_time();
+
+       if (newval < 0) {
+               j->clean_kill = true;
+               job_kill(j);
+       } else {
+               (void)job_assumes(j, runtime_kill(j->p, SIGTERM) != -1);
+
+               if (j->exit_timeout) {
+                       (void)job_assumes(j, kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, j->exit_timeout, j) != -1);
+               } else {
+                       job_log(j, LOG_NOTICE, "This job has an infinite exit timeout");
+               }
+
+               if (j->kill_via_shmem) {
+                       snprintf(extralog, sizeof(extralog), ": %d remaining transactions", newval + 1);
+               } else {
+                       extralog[0] = '\0';
+               }
+
+               job_log(j, LOG_DEBUG, "Sent SIGTERM signal%s", extralog);
+       }
+       
+       j->stopped = true;
 }
 
 launch_data_t
 }
 
 launch_data_t
@@ -575,14 +938,17 @@ job_export(job_t j)
        if (j->prog && (tmp = launch_data_new_string(j->prog))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_PROGRAM);
        }
        if (j->prog && (tmp = launch_data_new_string(j->prog))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_PROGRAM);
        }
+       if (j->stdinpath && (tmp = launch_data_new_string(j->stdinpath))) {
+               launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_STANDARDINPATH);
+       }
        if (j->stdoutpath && (tmp = launch_data_new_string(j->stdoutpath))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_STANDARDOUTPATH);
        }
        if (j->stderrpath && (tmp = launch_data_new_string(j->stderrpath))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_STANDARDERRORPATH);
        }
        if (j->stdoutpath && (tmp = launch_data_new_string(j->stdoutpath))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_STANDARDOUTPATH);
        }
        if (j->stderrpath && (tmp = launch_data_new_string(j->stderrpath))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_STANDARDERRORPATH);
        }
-       if (j->argv && (tmp = launch_data_alloc(LAUNCH_DATA_ARRAY))) {
-               int i;
+       if (likely(j->argv) && (tmp = launch_data_alloc(LAUNCH_DATA_ARRAY))) {
+               size_t i;
 
                for (i = 0; i < j->argc; i++) {
                        if ((tmp2 = launch_data_new_string(j->argv[i]))) {
 
                for (i = 0; i < j->argc; i++) {
                        if ((tmp2 = launch_data_new_string(j->argv[i]))) {
@@ -593,6 +959,24 @@ job_export(job_t j)
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_PROGRAMARGUMENTS);
        }
 
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_PROGRAMARGUMENTS);
        }
 
+       if (j->kill_via_shmem && (tmp = launch_data_new_bool(true))) {
+               int32_t tmp_cnt = -1;
+
+               launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_ENABLETRANSACTIONS);
+
+               if (j->shmem) {
+                       tmp_cnt = j->shmem->vp_shmem_transaction_cnt;
+               }
+
+               if (j->sent_kill_via_shmem) {
+                       tmp_cnt++;
+               }
+
+               if ((tmp = launch_data_new_integer(tmp_cnt))) {
+                       launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_TRANSACTIONCOUNT);
+               }
+       }
+
        if (j->session_create && (tmp = launch_data_new_bool(true))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_SESSIONCREATE);
        }
        if (j->session_create && (tmp = launch_data_new_bool(true))) {
                launch_data_dict_insert(r, tmp, LAUNCH_JOBKEY_SESSIONCREATE);
        }
@@ -667,49 +1051,59 @@ jobmgr_log_active_jobs(jobmgr_t jm)
        }
 
        LIST_FOREACH(ji, &jm->jobs, sle) {
        }
 
        LIST_FOREACH(ji, &jm->jobs, sle) {
-               why_active = job_active(ji);
-
-               job_log(ji, LOG_DEBUG, "%s", why_active ? why_active : "Inactive");
+               if ((why_active = job_active(ji))) {
+                       if (ji->p != 1) {
+                               job_log(ji, LOG_DEBUG | LOG_CONSOLE, "%s", why_active);
+                       }
+               }
        }
        }
-
 }
 
 static void
 }
 
 static void
-still_alive_with_check(void)
+jobmgr_still_alive_with_check(jobmgr_t jm)
 {
 {
-       jobmgr_log(root_jobmgr, LOG_NOTICE, "Still alive with %lu/%lu children", total_children, total_anon_children);
-
-       jobmgr_log_active_jobs(root_jobmgr);
-
-       runtime_closelog(); /* hack to flush logs */
+       jobmgr_log(jm, LOG_DEBUG | LOG_CONSOLE, "Still alive with %lu/%lu (normal/anonymous) children.", total_children, total_anon_children);
+       jobmgr_log_active_jobs(jm);
 }
 
 jobmgr_t
 jobmgr_shutdown(jobmgr_t jm)
 {
        jobmgr_t jmi, jmn;
 }
 
 jobmgr_t
 jobmgr_shutdown(jobmgr_t jm)
 {
        jobmgr_t jmi, jmn;
-       job_t ji;
-
        jobmgr_log(jm, LOG_DEBUG, "Beginning job manager shutdown with flags: %s", reboot_flags_to_C_names(jm->reboot_flags));
 
        jobmgr_log(jm, LOG_DEBUG, "Beginning job manager shutdown with flags: %s", reboot_flags_to_C_names(jm->reboot_flags));
 
+       jm->shutdown_time = runtime_get_wall_time() / USEC_PER_SEC;
+
+       struct tm curtime;
+       (void)localtime_r(&jm->shutdown_time, &curtime);
+
+       char date[26];
+       (void)asctime_r(&curtime, date);
+       /* Trim the new line that asctime_r(3) puts there for some reason. */
+       date[24] = 0;
+
+       if (jm == root_jobmgr && pid1_magic) {
+               jobmgr_log(jm, LOG_DEBUG | LOG_CONSOLE, "Userspace shutdown begun at: %s", date);
+       } else {
+               jobmgr_log(jm, LOG_DEBUG, "Job manager shutdown begun at: %s", date);
+       }
+
        jm->shutting_down = true;
 
        SLIST_FOREACH_SAFE(jmi, &jm->submgrs, sle, jmn) {
                jobmgr_shutdown(jmi);
        }
        jm->shutting_down = true;
 
        SLIST_FOREACH_SAFE(jmi, &jm->submgrs, sle, jmn) {
                jobmgr_shutdown(jmi);
        }
+       
+       if (jm->parentmgr == NULL && pid1_magic) {
+               (void)jobmgr_assumes(jm, kevent_mod((uintptr_t)jm, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, 5, jm));
 
 
-       if (jm->hopefully_first_cnt) {
-               LIST_FOREACH(ji, &jm->jobs, sle) {
-                       if (ji->p && ji->hopefully_exits_first) {
-                               job_stop(ji);
-                       }
+               /* Spawn the shutdown monitor. */
+               if (_s_shutdown_monitor && !_s_shutdown_monitor->p) {
+                       job_log(_s_shutdown_monitor, LOG_NOTICE | LOG_CONSOLE, "Starting shutdown monitor.");
+                       job_dispatch(_s_shutdown_monitor, true);
                }
        }
 
                }
        }
 
-       if (debug_shutdown_hangs && jm->parentmgr == NULL && getpid() == 1) {
-               runtime_set_timeout(still_alive_with_check, 5);
-       }
-
        return jobmgr_do_garbage_collection(jm);
 }
 
        return jobmgr_do_garbage_collection(jm);
 }
 
@@ -719,8 +1113,7 @@ jobmgr_remove(jobmgr_t jm)
        jobmgr_t jmi;
        job_t ji;
 
        jobmgr_t jmi;
        job_t ji;
 
-       jobmgr_log(jm, LOG_DEBUG, "Removed job manager");
-
+       jobmgr_log(jm, LOG_DEBUG, "Removing job manager.");
        if (!jobmgr_assumes(jm, SLIST_EMPTY(&jm->submgrs))) {
                while ((jmi = SLIST_FIRST(&jm->submgrs))) {
                        jobmgr_remove(jmi);
        if (!jobmgr_assumes(jm, SLIST_EMPTY(&jm->submgrs))) {
                while ((jmi = SLIST_FIRST(&jm->submgrs))) {
                        jobmgr_remove(jmi);
@@ -728,34 +1121,74 @@ jobmgr_remove(jobmgr_t jm)
        }
 
        while ((ji = LIST_FIRST(&jm->jobs))) {
        }
 
        while ((ji = LIST_FIRST(&jm->jobs))) {
-               /* We should only have anonymous jobs left */
-               job_assumes(ji, ji->anonymous);
+               if (!ji->anonymous && !job_assumes(ji, ji->p == 0)) {
+                       ji->p = 0;
+               }
                job_remove(ji);
        }
 
        if (jm->req_port) {
                job_remove(ji);
        }
 
        if (jm->req_port) {
-               jobmgr_assumes(jm, launchd_mport_deallocate(jm->req_port) == KERN_SUCCESS);
+               (void)jobmgr_assumes(jm, launchd_mport_deallocate(jm->req_port) == KERN_SUCCESS);
        }
        }
-
        if (jm->jm_port) {
        if (jm->jm_port) {
-               jobmgr_assumes(jm, launchd_mport_close_recv(jm->jm_port) == KERN_SUCCESS);
+               (void)jobmgr_assumes(jm, launchd_mport_close_recv(jm->jm_port) == KERN_SUCCESS);
+       }
+
+       if (jm->req_bsport) {
+               (void)jobmgr_assumes(jm, launchd_mport_deallocate(jm->req_bsport) == KERN_SUCCESS);
+       }
+       if (jm->req_excport) {
+               (void)jobmgr_assumes(jm, launchd_mport_deallocate(jm->req_excport) == KERN_SUCCESS);
        }
        }
+       if (jm->req_asport) {
+               (void)jobmgr_assumes(jm, launchd_mport_deallocate(jm->req_asport) == KERN_SUCCESS);
+       }
+#if !TARGET_OS_EMBEDDED
+       if (jm->req_rport) {
+               kern_return_t kr = xpc_call_wakeup(jm->req_rport, jm->error);
+               if (!(kr == KERN_SUCCESS || kr == MACH_SEND_INVALID_DEST)) {
+                       /* If the originator went away, the reply port will be a dead name,
+                        * and we expect this to fail.
+                        */
+                       errno = kr;
+                       (void)jobmgr_assumes(jm, kr == KERN_SUCCESS);
+               }
+       }
+#endif
+       if (jm->req_ctx) {
+               (void)jobmgr_assumes(jm, vm_deallocate(mach_task_self(), jm->req_ctx, jm->req_ctx_sz) == KERN_SUCCESS);
+       }
+
+       time_t ts = runtime_get_wall_time() / USEC_PER_SEC;
+       struct tm curtime;
+       (void)localtime_r(&ts, &curtime);
+
+       char date[26];
+       (void)asctime_r(&curtime, date);
+       date[24] = 0;
 
 
-       if (jm == background_jobmgr) {
-               background_jobmgr = NULL;
+       time_t delta = ts - jm->shutdown_time;
+       if (jm == root_jobmgr && pid1_magic) {
+               jobmgr_log(jm, LOG_DEBUG | LOG_CONSOLE, "Userspace shutdown finished at: %s", date);
+               jobmgr_log(jm, LOG_DEBUG | LOG_CONSOLE, "Userspace shutdown took approximately %ld second%s.", delta, (delta != 1) ? "s" : "");
+       } else {
+               jobmgr_log(jm, LOG_DEBUG, "Job manager shutdown finished at: %s", date);
+               jobmgr_log(jm, LOG_DEBUG, "Job manager shutdown took approximately %ld second%s.", delta, (delta != 1) ? "s" : "");
        }
 
        if (jm->parentmgr) {
        }
 
        if (jm->parentmgr) {
-               runtime_del_ref();
+               runtime_del_weak_ref();
                SLIST_REMOVE(&jm->parentmgr->submgrs, jm, jobmgr_s, sle);
                SLIST_REMOVE(&jm->parentmgr->submgrs, jm, jobmgr_s, sle);
-       } else if (getpid() == 1) {
-               jobmgr_log(jm, LOG_DEBUG, "About to call: reboot(%s)", reboot_flags_to_C_names(jm->reboot_flags));
-               runtime_closelog();
-               jobmgr_assumes(jm, reboot(jm->reboot_flags) != -1);
+       } else if (pid1_magic) {
+               eliminate_double_reboot();
+               launchd_log_vm_stats();
+               jobmgr_log_stray_children(jm, true);
+               jobmgr_log(root_jobmgr, LOG_NOTICE | LOG_CONSOLE, "About to call: reboot(%s).", reboot_flags_to_C_names(jm->reboot_flags));
                runtime_closelog();
                runtime_closelog();
+               (void)jobmgr_assumes(jm, reboot(jm->reboot_flags) != -1);
        } else {
        } else {
-               runtime_closelog();
                jobmgr_log(jm, LOG_DEBUG, "About to exit");
                jobmgr_log(jm, LOG_DEBUG, "About to exit");
+               runtime_closelog();
                exit(EXIT_SUCCESS);
        }
        
                exit(EXIT_SUCCESS);
        }
        
@@ -771,47 +1204,101 @@ job_remove(job_t j)
        struct socketgroup *sg;
        struct machservice *ms;
        struct limititem *li;
        struct socketgroup *sg;
        struct machservice *ms;
        struct limititem *li;
-       struct mspolicy *msp;
        struct envitem *ei;
 
        struct envitem *ei;
 
-       if (j->p && j->anonymous) {
-               job_reap(j);
-       } else if (j->p) {
-               job_log(j, LOG_DEBUG, "Removal pended until the job exits");
-
-               if (!j->removal_pending) {
-                       j->removal_pending = true;
-                       job_stop(j);
+       if (j->alias) {
+               /* HACK: Egregious code duplication. But as with machservice_delete(),
+                * job aliases can't (and shouldn't) have any complex behaviors 
+                * associated with them.
+                */
+               while ((ms = SLIST_FIRST(&j->machservices))) {
+                       machservice_delete(j, ms, false);
                }
 
                }
 
+               LIST_REMOVE(j, sle);
+               LIST_REMOVE(j, label_hash_sle);
+               free(j);
+               return;
+       }
+
+#if TARGET_OS_EMBEDDED
+       if (g_embedded_privileged_action && s_embedded_privileged_job) {
+               if (!job_assumes(j, s_embedded_privileged_job->username != NULL && j->username != NULL)) {
+                       errno = EPERM;
+                       return;
+               }
+       
+               if (strcmp(j->username, s_embedded_privileged_job->username) != 0) {
+                       errno = EPERM;
+                       return;
+               }
+       } else if (g_embedded_privileged_action) {
+               errno = EINVAL;
                return;
        }
                return;
        }
+#endif
+       
+       /* Do this BEFORE we check and see whether the job is still active. If we're a
+        * sub-job, we're being removed due to the parent job removing us. Therefore, the
+        * parent job will free itself after this call completes. So if we defer removing
+        * ourselves from the parent's list, we'll crash when we finally get around to it.
+        */
+       if (j->dedicated_instance && !j->former_subjob) {
+               LIST_REMOVE(j, subjob_sle);
+               j->former_subjob = true;
+       }
+       
+       if (unlikely(j->p)) {
+               if (j->anonymous) {
+                       job_reap(j);
+               } else {
+                       job_log(j, LOG_DEBUG, "Removal pended until the job exits");
+
+                       if (!j->removal_pending) {
+                               j->removal_pending = true;
+                               job_stop(j);
+                       }
+                       
+                       return;
+               }
+       }
+       
+       if (!j->removing) {
+               j->removing = true;
+               job_dispatch_curious_jobs(j);
+       }
 
        ipc_close_all_with_job(j);
 
 
        ipc_close_all_with_job(j);
 
+       job_log(j, LOG_INFO, "Total rusage: utime %ld.%06u stime %ld.%06u maxrss %lu ixrss %lu idrss %lu isrss %lu minflt %lu majflt %lu nswap %lu inblock %lu oublock %lu msgsnd %lu msgrcv %lu nsignals %lu nvcsw %lu nivcsw %lu",
+                       j->ru.ru_utime.tv_sec, j->ru.ru_utime.tv_usec,
+                       j->ru.ru_stime.tv_sec, j->ru.ru_stime.tv_usec,
+                       j->ru.ru_maxrss, j->ru.ru_ixrss, j->ru.ru_idrss, j->ru.ru_isrss,
+                       j->ru.ru_minflt, j->ru.ru_majflt,
+                       j->ru.ru_nswap, j->ru.ru_inblock, j->ru.ru_oublock,
+                       j->ru.ru_msgsnd, j->ru.ru_msgrcv,
+                       j->ru.ru_nsignals, j->ru.ru_nvcsw, j->ru.ru_nivcsw);
+
        if (j->forced_peers_to_demand_mode) {
                job_set_global_on_demand(j, false);
        }
 
        if (j->forced_peers_to_demand_mode) {
                job_set_global_on_demand(j, false);
        }
 
-       if (!job_assumes(j, j->forkfd == 0)) {
-               job_assumes(j, runtime_close(j->forkfd) != -1);
+       if (!job_assumes(j, j->fork_fd == 0)) {
+               (void)job_assumes(j, runtime_close(j->fork_fd) != -1);
        }
 
        }
 
-       if (!job_assumes(j, j->log_redirect_fd == 0)) {
-               job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
+       if (j->stdin_fd) {
+               (void)job_assumes(j, runtime_close(j->stdin_fd) != -1);
        }
 
        }
 
-       if (j->j_port) {
-               job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
+       if (!job_assumes(j, j->log_redirect_fd == 0)) {
+               (void)job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
        }
 
        }
 
-       if (!job_assumes(j, j->wait_reply_port == MACH_PORT_NULL)) {
-               job_assumes(j, launchd_mport_deallocate(j->wait_reply_port) == KERN_SUCCESS);
+       if (j->j_port) {
+               (void)job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
        }
 
        }
 
-       while ((msp = SLIST_FIRST(&j->mspolicies))) {
-               mspolicy_delete(j, msp);
-       }
        while ((sg = SLIST_FIRST(&j->sockets))) {
                socketgroup_delete(j, sg);
        }
        while ((sg = SLIST_FIRST(&j->sockets))) {
                socketgroup_delete(j, sg);
        }
@@ -836,6 +1323,37 @@ job_remove(job_t j)
        while ((w4r = SLIST_FIRST(&j->removal_watchers))) {
                waiting4removal_delete(j, w4r);
        }
        while ((w4r = SLIST_FIRST(&j->removal_watchers))) {
                waiting4removal_delete(j, w4r);
        }
+       
+       struct externalevent *eei = NULL;
+       while ((eei = LIST_FIRST(&j->events))) {
+               eventsystem_ping();
+               externalevent_delete(eei);
+       }
+
+#if 0
+       /* Event systems exist independently of an actual monitor job. They're
+        * created on-demand when a job has a LaunchEvents dictionary. So we
+        * really don't need to get rid of them.
+        */
+       if (j->event_monitor) {
+               struct eventsystem *esi = NULL;
+               while ((esi = LIST_FIRST(&_s_event_systems))) {
+                       eventsystem_delete(esi);
+               }
+       }
+#else
+       if (false) {
+               /* Make gcc happy. */
+               eventsystem_delete(NULL);
+       }
+       if (j->event_monitor) {
+               if (_s_event_update_port != MACH_PORT_NULL) {
+                       (void)job_assumes(j, launchd_mport_deallocate(_s_event_update_port) == KERN_SUCCESS);
+                       _s_event_update_port = MACH_PORT_NULL;
+               }
+               _s_event_monitor = NULL;
+       }
+#endif
 
        if (j->prog) {
                free(j->prog);
 
        if (j->prog) {
                free(j->prog);
@@ -855,34 +1373,77 @@ job_remove(job_t j)
        if (j->groupname) {
                free(j->groupname);
        }
        if (j->groupname) {
                free(j->groupname);
        }
+       if (j->stdinpath) {
+               free(j->stdinpath);
+       }
        if (j->stdoutpath) {
                free(j->stdoutpath);
        }
        if (j->stderrpath) {
                free(j->stderrpath);
        }
        if (j->stdoutpath) {
                free(j->stdoutpath);
        }
        if (j->stderrpath) {
                free(j->stderrpath);
        }
+       if (j->alt_exc_handler) {
+               free(j->alt_exc_handler);
+       }
+#if HAVE_SANDBOX
        if (j->seatbelt_profile) {
                free(j->seatbelt_profile);
        }
        if (j->seatbelt_profile) {
                free(j->seatbelt_profile);
        }
+#endif
+#if HAVE_QUARANTINE
        if (j->quarantine_data) {
                free(j->quarantine_data);
        }
        if (j->quarantine_data) {
                free(j->quarantine_data);
        }
+#endif
        if (j->j_binpref) {
                free(j->j_binpref);
        }
        if (j->start_interval) {
        if (j->j_binpref) {
                free(j->j_binpref);
        }
        if (j->start_interval) {
-               runtime_del_ref();
-               job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_DELETE, 0, 0, NULL) != -1);
+               runtime_del_weak_ref();
+               (void)job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_DELETE, 0, 0, NULL) != -1);
        }
        if (j->poll_for_vfs_changes) {
        }
        if (j->poll_for_vfs_changes) {
-               job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_DELETE, 0, 0, j) != -1);
+               (void)job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_DELETE, 0, 0, j) != -1);
        }
        }
-
+       if (j->exit_timeout) {
+               /* Not a big deal if this fails. It means that the timer's already been freed. */
+               kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER, EV_DELETE, 0, 0, NULL);
+       }
+       if (j->jetsam_properties) {
+               LIST_REMOVE(j, jetsam_sle);
+               j->mgr->jetsam_jobs_cnt--;
+       }
+       if (j->asport != MACH_PORT_NULL) {
+               (void)job_assumes(j, launchd_mport_deallocate(j->asport) == KERN_SUCCESS);
+       }
+       if (!uuid_is_null(j->expected_audit_uuid)) {
+               LIST_REMOVE(j, needing_session_sle);
+       }
+       if (j->embedded_special_privileges) {
+               s_embedded_privileged_job = NULL;
+       }
+       if (j->shutdown_monitor) {
+               _s_shutdown_monitor = NULL;
+       }
+       if (j->workaround9359725) {
+               /* We may have forcibly removed this job by simulating an exit. If this
+                * is the case, we don't want to hear about these events anymore, lest
+                * we get a stale context pointer and crash trying to dereference it.
+                */
+               kevent_mod((uintptr_t)j->p, EVFILT_PROC, EV_DELETE, 0, 0, NULL);
+       }
+       
        kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_DELETE, 0, 0, NULL);
        kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_DELETE, 0, 0, NULL);
-
+       
        LIST_REMOVE(j, sle);
        LIST_REMOVE(j, label_hash_sle);
 
        LIST_REMOVE(j, sle);
        LIST_REMOVE(j, label_hash_sle);
 
+       job_t ji = NULL;
+       job_t jit = NULL;
+       LIST_FOREACH_SAFE(ji, &j->subjobs, subjob_sle, jit) {
+               job_remove(ji);
+       }
+       
        job_log(j, LOG_DEBUG, "Removed");
 
        free(j);
        job_log(j, LOG_DEBUG, "Removed");
 
        free(j);
@@ -893,7 +1454,7 @@ socketgroup_setup(launch_data_t obj, const char *key, void *context)
 {
        launch_data_t tmp_oai;
        job_t j = context;
 {
        launch_data_t tmp_oai;
        job_t j = context;
-       unsigned int i, fd_cnt = 1;
+       size_t i, fd_cnt = 1;
        int *fds;
 
        if (launch_data_get_type(obj) == LAUNCH_DATA_ARRAY) {
        int *fds;
 
        if (launch_data_get_type(obj) == LAUNCH_DATA_ARRAY) {
@@ -949,7 +1510,7 @@ job_setup_machport(job_t j)
        }
 
        /* Sigh... at the moment, MIG has maxsize == sizeof(reply union) */
        }
 
        /* Sigh... at the moment, MIG has maxsize == sizeof(reply union) */
-       mxmsgsz = sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
+       mxmsgsz = (typeof(mxmsgsz)) sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
        if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
                mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
        }
        if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
                mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
        }
@@ -959,17 +1520,40 @@ job_setup_machport(job_t j)
        }
 
        if (!job_assumes(j, launchd_mport_notify_req(j->j_port, MACH_NOTIFY_NO_SENDERS) == KERN_SUCCESS)) {
        }
 
        if (!job_assumes(j, launchd_mport_notify_req(j->j_port, MACH_NOTIFY_NO_SENDERS) == KERN_SUCCESS)) {
-               job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
+               (void)job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
                goto out_bad;
        }
 
        return true;
 out_bad2:
                goto out_bad;
        }
 
        return true;
 out_bad2:
-       job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
 out_bad:
        return false;
 }
 
 out_bad:
        return false;
 }
 
+kern_return_t
+job_setup_exit_port(job_t j)
+{
+       kern_return_t kr = launchd_mport_create_recv(&j->exit_status_port);
+       if (!job_assumes(j, kr == KERN_SUCCESS)) {
+               return MACH_PORT_NULL;
+       }
+
+       struct mach_port_limits limits = {
+               .mpl_qlimit = 1,
+       };
+       kr = mach_port_set_attributes(mach_task_self(), j->exit_status_port, MACH_PORT_LIMITS_INFO, (mach_port_info_t)&limits, sizeof(limits));
+       (void)job_assumes(j, kr == KERN_SUCCESS);
+
+       kr = launchd_mport_make_send_once(j->exit_status_port, &j->exit_status_dest);
+       if (!job_assumes(j, kr == KERN_SUCCESS)) {
+               (void)job_assumes(j, launchd_mport_close_recv(j->exit_status_port) == KERN_SUCCESS);
+               j->exit_status_port = MACH_PORT_NULL;
+       }
+
+       return kr;
+}
+
 job_t 
 job_new_via_mach_init(job_t j, const char *cmd, uid_t uid, bool ond)
 {
 job_t 
 job_new_via_mach_init(job_t j, const char *cmd, uid_t uid, bool ond)
 {
@@ -985,7 +1569,7 @@ job_new_via_mach_init(job_t j, const char *cmd, uid_t uid, bool ond)
        free(argv);
 
        /* jobs can easily be denied creation during shutdown */
        free(argv);
 
        /* jobs can easily be denied creation during shutdown */
-       if (!jr) {
+       if (unlikely(jr == NULL)) {
                goto out_bad;
        }
 
                goto out_bad;
        }
 
@@ -1010,79 +1594,80 @@ out_bad:
        return NULL;
 }
 
        return NULL;
 }
 
-kern_return_t
-job_handle_mpm_wait(job_t j, mach_port_t srp, int *waitstatus)
-{
-       if (j->p) {
-               j->wait_reply_port = srp;
-               return MIG_NO_REPLY;
-       }
-
-       *waitstatus = j->last_exit_status;
-
-       return 0;
-}
-
 job_t
 job_new_anonymous(jobmgr_t jm, pid_t anonpid)
 {
 job_t
 job_new_anonymous(jobmgr_t jm, pid_t anonpid)
 {
-       int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, anonpid };
-       struct kinfo_proc kp;
-       size_t len = sizeof(kp);
-       const char *zombie = NULL;
+       struct proc_bsdshortinfo proc;
        bool shutdown_state;
        job_t jp = NULL, jr = NULL;
        bool shutdown_state;
        job_t jp = NULL, jr = NULL;
+       uid_t kp_euid, kp_uid, kp_svuid;
+       gid_t kp_egid, kp_gid, kp_svgid;
 
        if (!jobmgr_assumes(jm, anonpid != 0)) {
 
        if (!jobmgr_assumes(jm, anonpid != 0)) {
+               errno = EINVAL;
                return NULL;
        }
        
        if (!jobmgr_assumes(jm, anonpid < 100000)) {
                /* The kernel current defines PID_MAX to be 99999, but that define isn't exported */
                return NULL;
        }
        
        if (!jobmgr_assumes(jm, anonpid < 100000)) {
                /* The kernel current defines PID_MAX to be 99999, but that define isn't exported */
+               errno = EINVAL;
                return NULL;
        }
 
                return NULL;
        }
 
-       if (!jobmgr_assumes(jm, sysctl(mib, 4, &kp, &len, NULL, 0) != -1)) {
+       /* libproc returns the number of bytes written into the buffer upon success,
+        * zero on failure.
+        */
+       if (proc_pidinfo(anonpid, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+               if (errno != ESRCH) {
+                       (void)jobmgr_assumes(jm, errno == 0);
+               }
                return NULL;
        }
 
                return NULL;
        }
 
-       if (len != sizeof(kp)) {
-               jobmgr_log(jm, LOG_DEBUG, "Tried to create an anonymous job for nonexistent PID: %u", anonpid);
+       if (!jobmgr_assumes(jm, proc.pbsi_comm[0] != '\0')) {
+               errno = EINVAL;
                return NULL;
        }
 
                return NULL;
        }
 
-       if (!jobmgr_assumes(jm, kp.kp_proc.p_comm[0] != '\0')) {
-               return NULL;
+       if (unlikely(proc.pbsi_status == SZOMB)) {
+               jobmgr_log(jm, LOG_DEBUG, "Tried to create an anonymous job for zombie PID %u: %s", anonpid, proc.pbsi_comm);
        }
 
        }
 
-       if (kp.kp_proc.p_stat == SZOMB) {
-               jobmgr_log(jm, LOG_DEBUG, "Tried to create an anonymous job for zombie PID: %u", anonpid);
-               zombie = "zombie";
+       if (unlikely(proc.pbsi_flags & P_SUGID)) {
+               jobmgr_log(jm, LOG_DEBUG, "Inconsistency: P_SUGID is set on PID %u: %s", anonpid, proc.pbsi_comm);
        }
 
        }
 
-       switch (kp.kp_eproc.e_ppid) {
-       case 0:
-               /* the kernel */
-               break;
-       case 1:
-               if (getpid() != 1) {
-                       /* we cannot possibly find a parent job_t that is useful in this function */
-                       break;
-               }
-               /* fall through */
-       default:
-               jp = jobmgr_find_by_pid(jm, kp.kp_eproc.e_ppid, true);
-               jobmgr_assumes(jm, jp != NULL);
-               break;
+       kp_euid = proc.pbsi_uid;
+       kp_uid = proc.pbsi_ruid;
+       kp_svuid = proc.pbsi_svuid;
+       kp_egid = proc.pbsi_gid;
+       kp_gid = proc.pbsi_rgid;
+       kp_svgid = proc.pbsi_svgid;
+
+       if (unlikely(kp_euid != kp_uid || kp_euid != kp_svuid || kp_uid != kp_svuid || kp_egid != kp_gid || kp_egid != kp_svgid || kp_gid != kp_svgid)) {
+               jobmgr_log(jm, LOG_DEBUG, "Inconsistency: Mixed credentials (e/r/s UID %u/%u/%u GID %u/%u/%u) detected on PID %u: %s",
+                               kp_euid, kp_uid, kp_svuid, kp_egid, kp_gid, kp_svgid, anonpid, proc.pbsi_comm);
+       }
+
+       /* "Fix" for a problem that shouldn't even exist.
+        * See rdar://problem/7264615 for the symptom and rdar://problem/5020256
+        * as to why this can happen.
+        */
+       if (!jobmgr_assumes(jm, (pid_t)proc.pbsi_ppid != anonpid)) {
+               jobmgr_log(jm, LOG_WARNING, "Process has become its own parent through ptrace(3). It should find a different way to do whatever it's doing. Setting PPID to 0: %s", proc.pbsi_comm);
+               errno = EINVAL;
+               return NULL;
        }
 
        /* A total hack: Normally, job_new() returns an error during shutdown, but anonymous jobs are special. */
        }
 
        /* A total hack: Normally, job_new() returns an error during shutdown, but anonymous jobs are special. */
-       if ((shutdown_state = jm->shutting_down)) {
+       if (unlikely(shutdown_state = jm->shutting_down)) {
                jm->shutting_down = false;
        }
 
                jm->shutting_down = false;
        }
 
-       if (jobmgr_assumes(jm, (jr = job_new(jm, AUTO_PICK_LEGACY_LABEL, zombie ? zombie : kp.kp_proc.p_comm, NULL)) != NULL)) {
-               u_int proc_fflags = NOTE_EXEC|NOTE_EXIT /* |NOTE_REAP */;
+       /* We only set requestor_pid for XPC domains. */
+       const char *whichlabel = (jm->req_pid == anonpid) ? AUTO_PICK_XPC_LABEL : AUTO_PICK_ANONYMOUS_LABEL;
+       if (jobmgr_assumes(jm, (jr = job_new(jm, whichlabel, proc.pbsi_comm, NULL)) != NULL)) {
+               u_int proc_fflags = NOTE_EXEC|NOTE_FORK|NOTE_EXIT;
 
                total_anon_children++;
                jr->anonymous = true;
 
                total_anon_children++;
                jr->anonymous = true;
@@ -1091,61 +1676,253 @@ job_new_anonymous(jobmgr_t jm, pid_t anonpid)
                /* anonymous process reaping is messy */
                LIST_INSERT_HEAD(&jm->active_jobs[ACTIVE_JOB_HASH(jr->p)], jr, pid_hash_sle);
 
                /* anonymous process reaping is messy */
                LIST_INSERT_HEAD(&jm->active_jobs[ACTIVE_JOB_HASH(jr->p)], jr, pid_hash_sle);
 
-               if (kevent_mod(jr->p, EVFILT_PROC, EV_ADD, proc_fflags, 0, root_jobmgr) == -1 && job_assumes(jr, errno == ESRCH)) {
+               if (unlikely(kevent_mod(jr->p, EVFILT_PROC, EV_ADD, proc_fflags, 0, root_jobmgr) == -1) && job_assumes(jr, errno == ESRCH)) {
                        /* zombies are weird */
                        job_log(jr, LOG_ERR, "Failed to add kevent for PID %u. Will unload at MIG return", jr->p);
                        jr->unload_at_mig_return = true;
                }
 
                        /* zombies are weird */
                        job_log(jr, LOG_ERR, "Failed to add kevent for PID %u. Will unload at MIG return", jr->p);
                        jr->unload_at_mig_return = true;
                }
 
-               if (jp) {
-                       job_assumes(jr, mspolicy_copy(jr, jp));
-               }
-
-               if (shutdown_state && jm->hopefully_first_cnt == 0) {
-                       job_log(jr, LOG_APPLEONLY, "This process showed up to the party while all the guests were leaving. Odds are that it will have a miserable time");
+               if (unlikely(shutdown_state)) {
+                       job_log(jr, LOG_SCOLDING, "This process showed up to the party while all the guests were leaving. Odds are that it will have a miserable time.");
                }
 
                }
 
-               job_log(jr, LOG_DEBUG, "Created PID %u anonymously by PPID %u%s%s", anonpid, kp.kp_eproc.e_ppid, jp ? ": " : "", jp ? jp->label : "");
+               job_log(jr, LOG_DEBUG, "Created PID %u anonymously by PPID %u%s%s", anonpid, proc.pbsi_ppid, jp ? ": " : "", jp ? jp->label : "");
        }
 
        }
 
-       if (shutdown_state) {
+       if (unlikely(shutdown_state)) {
                jm->shutting_down = true;
        }
 
                jm->shutting_down = true;
        }
 
-       return jr;
-}
-
-job_t 
-job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *argv)
+       /* This is down here to mitigate the effects of rdar://problem/7264615, in which a process
+        * attaches to its own parent. We need to make sure that the anonymous job has been added
+        * to the process list so that, if it's used ptrace(3) to cause a cycle in the process
+        * tree (thereby making it not a tree anymore), we'll find the tracing parent PID of the
+        * parent process, which is the child, when we go looking for it in jobmgr_find_by_pid().
+        */
+       switch (proc.pbsi_ppid) {
+               case 0:
+                       /* the kernel */
+                       break;
+               case 1:
+                       if (!pid1_magic) {
+                               /* we cannot possibly find a parent job_t that is useful in this function */
+                               break;
+                       }
+                       /* fall through */
+               default:
+                       jp = jobmgr_find_by_pid(jm, proc.pbsi_ppid, true);
+                       if (jobmgr_assumes(jm, jp != NULL)) {
+                               if (jp && !jp->anonymous && unlikely(!(proc.pbsi_flags & P_EXEC))) {
+                                       job_log(jp, LOG_DEBUG, "Called *fork(). Please switch to posix_spawn*(), pthreads or launchd. Child PID %u", proc.pbsi_pid);
+                               }
+                       }
+                       break;
+       }
+
+       return jr;
+}
+
+job_t 
+job_new_subjob(job_t j, uuid_t identifier)
+{
+       char label[0];
+       uuid_string_t idstr;
+       uuid_unparse(identifier, idstr);
+       size_t label_sz = snprintf(label, 0, "%s.%s", j->label, idstr);
+
+       job_t nj = (struct job_s *)calloc(1, sizeof(struct job_s) + label_sz + 1);
+       if (launchd_assumes(nj != NULL)) {
+               nj->kqjob_callback = job_callback;
+               nj->mgr = j->mgr;
+               nj->min_run_time = j->min_run_time;
+               nj->timeout = j->timeout;
+               nj->exit_timeout = j->exit_timeout;
+               
+               snprintf((char *)nj->label, label_sz + 1, "%s.%s", j->label, idstr);
+               
+               /* Set all our simple Booleans that are applicable. */
+               nj->debug = j->debug;
+               nj->ondemand = j->ondemand;
+               nj->checkedin = true;
+               nj->low_pri_io = j->low_pri_io;
+               nj->setmask = j->setmask;
+               nj->wait4debugger = j->wait4debugger;
+               nj->internal_exc_handler = j->internal_exc_handler;
+               nj->setnice = j->setnice;
+               nj->abandon_pg = j->abandon_pg;
+               nj->ignore_pg_at_shutdown = j->ignore_pg_at_shutdown;
+               nj->deny_job_creation = j->deny_job_creation;
+               nj->kill_via_shmem = j->kill_via_shmem;
+               nj->needs_kickoff = j->needs_kickoff;
+               nj->currently_ignored = true;
+               nj->dedicated_instance = true;
+               nj->xpc_service = j->xpc_service;
+               
+               nj->mask = j->mask;
+               uuid_copy(nj->instance_id, identifier);
+               
+               /* These jobs are purely on-demand Mach jobs. */
+               
+               /* {Hard | Soft}ResourceLimits are not supported. */
+               
+               struct machservice *msi = NULL;
+               SLIST_FOREACH(msi, &j->machservices, sle) {
+                       /* Only copy MachServices that were actually declared in the plist.
+                        * So skip over per-PID ones and ones that were created via
+                        * bootstrap_register().
+                        */
+                       if (msi->upfront) {
+                               mach_port_t mp = MACH_PORT_NULL;
+                               struct machservice *msj = machservice_new(nj, msi->name, &mp, msi->per_pid);
+                               if (job_assumes(nj, msj != NULL)) {
+                                       msj->reset = msi->reset;
+                                       msj->delete_on_destruction = msi->delete_on_destruction;
+                                       msj->drain_one_on_crash = msi->drain_one_on_crash;
+                                       msj->drain_all_on_crash = msi->drain_all_on_crash;
+                               }
+                       }
+               }
+               
+               if (j->prog) {
+                       nj->prog = strdup(j->prog);
+               }
+               if (j->argv) {
+                       size_t sz = malloc_size(j->argv);
+                       nj->argv = (char **)malloc(sz);
+                       if (job_assumes(nj, nj->argv != NULL)) {
+                               /* This is the start of our strings. */
+                               char *p = ((char *)nj->argv) + ((j->argc + 1) * sizeof(char *));
+                               
+                               size_t i = 0;
+                               for (i = 0; i < j->argc; i++) {
+                                       (void)strcpy(p, j->argv[i]);
+                                       nj->argv[i] = p;
+                                       p += (strlen(j->argv[i]) + 1);
+                               }
+                               nj->argv[i] = NULL;
+                       }
+                       
+                       nj->argc = j->argc;
+               }
+               
+               /* We ignore global environment variables. */
+               struct envitem *ei = NULL;
+               SLIST_FOREACH(ei, &j->env, sle) {
+                       (void)job_assumes(nj, envitem_new(nj, ei->key, ei->value, false, false));
+               }
+               uuid_string_t val;
+               uuid_unparse(identifier, val);
+               (void)job_assumes(nj, envitem_new(nj, LAUNCH_ENV_INSTANCEID, val, false, false));
+               
+               if (j->rootdir) {
+                       nj->rootdir = strdup(j->rootdir);
+               }
+               if (j->workingdir) {
+                       nj->workingdir = strdup(j->workingdir);
+               }
+               if (j->username) {
+                       nj->username = strdup(j->username);
+               }
+               if (j->groupname) {
+                       nj->groupname = strdup(j->groupname);
+               }
+               /* FIXME: We shouldn't redirect all the output from these jobs to the same
+                * file. We should uniquify the file names.
+                */
+               if (j->stdinpath) {
+                       nj->stdinpath = strdup(j->stdinpath);
+               }
+               if (j->stdoutpath) {
+                       nj->stdoutpath = strdup(j->stdinpath);
+               }
+               if (j->stderrpath) {
+                       nj->stderrpath = strdup(j->stderrpath);
+               }
+               if (j->alt_exc_handler) {
+                       nj->alt_exc_handler = strdup(j->alt_exc_handler);
+               }
+       #if HAVE_SANDBOX
+               if (j->seatbelt_profile) {
+                       nj->seatbelt_profile = strdup(j->seatbelt_profile);
+               }
+       #endif
+               
+       #if HAVE_QUARANTINE
+               if (j->quarantine_data) {
+                       nj->quarantine_data = strdup(j->quarantine_data);
+               }
+               nj->quarantine_data_sz = j->quarantine_data_sz;
+       #endif
+               if (j->j_binpref) {
+                       size_t sz = malloc_size(j->j_binpref);
+                       nj->j_binpref = (cpu_type_t *)malloc(sz);
+                       if (job_assumes(nj, nj->j_binpref)) {
+                               memcpy(&nj->j_binpref, &j->j_binpref, sz);
+                       }
+               }
+               
+               /* JetsamPriority is unsupported. */
+               
+               if (j->asport != MACH_PORT_NULL) {
+                       (void)job_assumes(nj, launchd_mport_copy_send(j->asport) == KERN_SUCCESS);
+                       nj->asport = j->asport;
+               }
+               
+               LIST_INSERT_HEAD(&nj->mgr->jobs, nj, sle);
+               
+               jobmgr_t where2put = root_jobmgr;
+               if (j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN) {
+                       where2put = j->mgr;
+               }
+               LIST_INSERT_HEAD(&where2put->label_hash[hash_label(nj->label)], nj, label_hash_sle);
+               LIST_INSERT_HEAD(&j->subjobs, nj, subjob_sle);
+       }
+       
+       return nj;
+}
+
+job_t 
+job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *argv)
 {
        const char *const *argv_tmp = argv;
 {
        const char *const *argv_tmp = argv;
+       char tmp_path[PATH_MAX];
        char auto_label[1000];
        const char *bn = NULL;
        char *co;
        size_t minlabel_len;
        char auto_label[1000];
        const char *bn = NULL;
        char *co;
        size_t minlabel_len;
-       int i, cc = 0;
+       size_t i, cc = 0;
        job_t j;
 
        launchd_assert(offsetof(struct job_s, kqjob_callback) == 0);
 
        job_t j;
 
        launchd_assert(offsetof(struct job_s, kqjob_callback) == 0);
 
-       if (jm->shutting_down) {
+       if (unlikely(jm->shutting_down)) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (prog == NULL && argv == NULL) {
+       if (unlikely(prog == NULL && argv == NULL)) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (label == AUTO_PICK_LEGACY_LABEL) {
-               bn = prog ? prog : basename((char *)argv[0]); /* prog for auto labels is kp.kp_kproc.p_comm */
-               snprintf(auto_label, sizeof(auto_label), "%s.%s", sizeof(void *) == 8 ? "0xdeadbeeffeedface" : "0xbabecafe", bn);
+       char *anon_or_legacy = (label == AUTO_PICK_ANONYMOUS_LABEL) ? "anonymous" : "mach_init";
+       if (unlikely(label == AUTO_PICK_LEGACY_LABEL || label == AUTO_PICK_ANONYMOUS_LABEL)) {
+               if (prog) {
+                       bn = prog;
+               } else {
+                       strlcpy(tmp_path, argv[0], sizeof(tmp_path));
+                       bn = basename(tmp_path); /* prog for auto labels is kp.kp_kproc.p_comm */
+               }
+               snprintf(auto_label, sizeof(auto_label), "%s.%s.%s", sizeof(void *) == 8 ? "0xdeadbeeffeedface" : "0xbabecafe", anon_or_legacy, bn);
                label = auto_label;
                /* This is so we can do gross things later. See NOTE_EXEC for anonymous jobs */
                minlabel_len = strlen(label) + MAXCOMLEN;
        } else {
                label = auto_label;
                /* This is so we can do gross things later. See NOTE_EXEC for anonymous jobs */
                minlabel_len = strlen(label) + MAXCOMLEN;
        } else {
-               minlabel_len = strlen(label);
+               if (label == AUTO_PICK_XPC_LABEL) {
+                       minlabel_len = snprintf(auto_label, sizeof(auto_label), "com.apple.xpc.domain-owner.%s", jm->owner);
+               } else {
+                       minlabel_len = strlen(label);
+               }
        }
 
        j = calloc(1, sizeof(struct job_s) + minlabel_len + 1);
        }
 
        j = calloc(1, sizeof(struct job_s) + minlabel_len + 1);
@@ -1154,10 +1931,10 @@ job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *arg
                return NULL;
        }
 
                return NULL;
        }
 
-       if (label == auto_label) {
-               snprintf((char *)j->label, strlen(label) + 1, "%p.%s", j, bn);
+       if (unlikely(label == auto_label)) {
+               snprintf((char *)j->label, strlen(label) + 1, "%p.%s.%s", j, anon_or_legacy, bn);
        } else {
        } else {
-               strcpy((char *)j->label, label);
+               strcpy((char *)j->label, (label == AUTO_PICK_XPC_LABEL) ? auto_label : label);
        }
        j->kqjob_callback = job_callback;
        j->mgr = jm;
        }
        j->kqjob_callback = job_callback;
        j->mgr = jm;
@@ -1167,7 +1944,11 @@ job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *arg
        j->currently_ignored = true;
        j->ondemand = true;
        j->checkedin = true;
        j->currently_ignored = true;
        j->ondemand = true;
        j->checkedin = true;
-
+       j->jetsam_priority = -1;
+       j->jetsam_memlimit = -1;
+       j->jetsam_seq = -1;
+       uuid_clear(j->expected_audit_uuid);
+       
        if (prog) {
                j->prog = strdup(prog);
                if (!job_assumes(j, j->prog != NULL)) {
        if (prog) {
                j->prog = strdup(prog);
                if (!job_assumes(j, j->prog != NULL)) {
@@ -1175,9 +1956,10 @@ job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *arg
                }
        }
 
                }
        }
 
-       if (argv) {
-               while (*argv_tmp++)
+       if (likely(argv)) {
+               while (*argv_tmp++) {
                        j->argc++;
                        j->argc++;
+               }
 
                for (i = 0; i < j->argc; i++) {
                        cc += strlen(argv[i]) + 1;
 
                for (i = 0; i < j->argc; i++) {
                        cc += strlen(argv[i]) + 1;
@@ -1199,8 +1981,18 @@ job_new(jobmgr_t jm, const char *label, const char *prog, const char *const *arg
                j->argv[i] = NULL;
        }
 
                j->argv[i] = NULL;
        }
 
+       if (strcmp(j->label, "com.apple.WindowServer") == 0) {
+               j->has_console = true;
+       }
+
        LIST_INSERT_HEAD(&jm->jobs, j, sle);
        LIST_INSERT_HEAD(&jm->jobs, j, sle);
-       LIST_INSERT_HEAD(&label_hash[hash_label(j->label)], j, label_hash_sle);
+       
+       jobmgr_t where2put_label = root_jobmgr;
+       if (j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN) {
+               where2put_label = j->mgr;
+       }
+       LIST_INSERT_HEAD(&where2put_label->label_hash[hash_label(j->label)], j, label_hash_sle);
+       uuid_clear(j->expected_audit_uuid);
 
        job_log(j, LOG_DEBUG, "Conceived");
 
 
        job_log(j, LOG_DEBUG, "Conceived");
 
@@ -1215,15 +2007,61 @@ out_bad:
        return NULL;
 }
 
        return NULL;
 }
 
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+job_t
+job_new_alias(jobmgr_t jm, job_t src)
+{
+       job_t j = NULL;
+       if (job_find(jm, src->label)) {
+               errno = EEXIST;
+       } else {
+               j = calloc(1, sizeof(struct job_s) + strlen(src->label) + 1);
+               if (jobmgr_assumes(jm, j != NULL)) {
+                       strcpy((char *)j->label, src->label);
+                       LIST_INSERT_HEAD(&jm->jobs, j, sle);
+                       LIST_INSERT_HEAD(&jm->label_hash[hash_label(j->label)], j, label_hash_sle);
+                       /* Bad jump address. The kqueue callback for aliases should never be
+                        * invoked.
+                        */
+                       j->kqjob_callback = (kq_callback)0xfa1afe1;
+                       j->alias = src;
+                       j->mgr = jm;
+
+                       struct machservice *msi = NULL;
+                       SLIST_FOREACH(msi, &src->machservices, sle) {
+                               if (!machservice_new_alias(j, msi)) {
+                                       jobmgr_log(jm, LOG_ERR, "Failed to alias job: %s", src->label);
+                                       errno = EINVAL;
+                                       job_remove(j);
+                                       j = NULL;
+                                       break;
+                               }
+                       }
+               }
+
+               if (j) {
+                       job_log(j, LOG_DEBUG, "Aliased service into domain: %s", jm->name);
+               }
+       }
+
+       return j;
+}
+#endif
+
 job_t 
 job_import(launch_data_t pload)
 {
        job_t j = jobmgr_import2(root_jobmgr, pload);
 
 job_t 
 job_import(launch_data_t pload)
 {
        job_t j = jobmgr_import2(root_jobmgr, pload);
 
-       if (j == NULL) {
+       if (unlikely(j == NULL)) {
                return NULL;
        }
 
                return NULL;
        }
 
+       /* Since jobs are effectively stalled until they get security sessions assigned
+        * to them, we may wish to reconsider this behavior of calling the job "enabled"
+        * as far as other jobs with the OtherJobEnabled KeepAlive criterion set.
+        */
+       job_dispatch_curious_jobs(j);
        return job_dispatch(j, false);
 }
 
        return job_dispatch(j, false);
 }
 
@@ -1234,20 +2072,20 @@ job_import_bulk(launch_data_t pload)
        job_t *ja;
        size_t i, c = launch_data_array_get_count(pload);
 
        job_t *ja;
        size_t i, c = launch_data_array_get_count(pload);
 
-       ja = alloca(c * sizeof(job_t ));
+       ja = alloca(c * sizeof(job_t));
 
        for (i = 0; i < c; i++) {
 
        for (i = 0; i < c; i++) {
-               if ((ja[i] = jobmgr_import2(root_jobmgr, launch_data_array_get_index(pload, i)))) {
+               if ((likely(ja[i] = jobmgr_import2(root_jobmgr, launch_data_array_get_index(pload, i)))) && errno != ENEEDAUTH) {
                        errno = 0;
                }
                launch_data_array_set_index(resp, launch_data_new_errno(errno), i);
        }
 
        for (i = 0; i < c; i++) {
                        errno = 0;
                }
                launch_data_array_set_index(resp, launch_data_new_errno(errno), i);
        }
 
        for (i = 0; i < c; i++) {
-               if (ja[i] == NULL) {
-                       continue;
+               if (likely(ja[i])) {
+                       job_dispatch_curious_jobs(ja[i]);
+                       job_dispatch(ja[i], false);
                }
                }
-               job_dispatch(ja[i], false);
        }
 
        return resp;
        }
 
        return resp;
@@ -1266,6 +2104,13 @@ job_import_bool(job_t j, const char *key, bool value)
                        found_key = true;
                }
                break;
                        found_key = true;
                }
                break;
+       case 'b':
+       case 'B':
+               if (strcasecmp(key, LAUNCH_JOBKEY_BEGINTRANSACTIONATSHUTDOWN) == 0) {
+                       j->dirty_at_shutdown = value;
+                       found_key = true;
+               }
+               break;
        case 'k':
        case 'K':
                if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE) == 0) {
        case 'k':
        case 'K':
                if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE) == 0) {
@@ -1286,17 +2131,18 @@ job_import_bool(job_t j, const char *key, bool value)
                        j->debug = value;
                        found_key = true;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_DISABLED) == 0) {
                        j->debug = value;
                        found_key = true;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_DISABLED) == 0) {
-                       job_assumes(j, !value);
+                       (void)job_assumes(j, !value);
+                       found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_DISABLEASLR) == 0) {
+                       j->disable_aslr = value;
                        found_key = true;
                }
                break;
        case 'h':
        case 'H':
                if (strcasecmp(key, LAUNCH_JOBKEY_HOPEFULLYEXITSLAST) == 0) {
                        found_key = true;
                }
                break;
        case 'h':
        case 'H':
                if (strcasecmp(key, LAUNCH_JOBKEY_HOPEFULLYEXITSLAST) == 0) {
-                       j->hopefully_exits_last = value;
-                       found_key = true;
-               } else if (strcasecmp(key, LAUNCH_JOBKEY_HOPEFULLYEXITSFIRST) == 0) {
-                       j->hopefully_exits_first = value;
+                       job_log(j, LOG_INFO, "%s has been deprecated. Please use the new %s key instead and add EnableTransactions to your launchd.plist.", LAUNCH_JOBKEY_HOPEFULLYEXITSLAST, LAUNCH_JOBKEY_BEGINTRANSACTIONATSHUTDOWN);
+                       j->dirty_at_shutdown = value;
                        found_key = true;
                }
                break;
                        found_key = true;
                }
                break;
@@ -1311,6 +2157,14 @@ job_import_bool(job_t j, const char *key, bool value)
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SERVICEIPC) == 0) {
                        /* this only does something on Mac OS X 10.4 "Tiger" */
                        found_key = true;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SERVICEIPC) == 0) {
                        /* this only does something on Mac OS X 10.4 "Tiger" */
                        found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_SHUTDOWNMONITOR) == 0) {
+                       if (_s_shutdown_monitor) {
+                               job_log(j, LOG_ERR, "Only one job may monitor shutdown.");
+                       } else {
+                               j->shutdown_monitor = true;
+                               _s_shutdown_monitor = j;
+                       }
+                       found_key = true;
                }
                break;
        case 'l':
                }
                break;
        case 'l':
@@ -1323,6 +2177,16 @@ job_import_bool(job_t j, const char *key, bool value)
                        found_key = true;
                }
                break;
                        found_key = true;
                }
                break;
+       case 'm':
+       case 'M':
+               if (strcasecmp(key, LAUNCH_JOBKEY_MACHEXCEPTIONHANDLER) == 0) {
+                       j->internal_exc_handler = value;
+                       found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_MULTIPLEINSTANCES) == 0) {
+                       j->multiple_instances = value;
+                       found_key = true;
+               }
+               break;
        case 'i':
        case 'I':
                if (strcasecmp(key, LAUNCH_JOBKEY_INITGROUPS) == 0) {
        case 'i':
        case 'I':
                if (strcasecmp(key, LAUNCH_JOBKEY_INITGROUPS) == 0) {
@@ -1332,6 +2196,9 @@ job_import_bool(job_t j, const char *key, bool value)
                        }
                        j->no_init_groups = !value;
                        found_key = true;
                        }
                        j->no_init_groups = !value;
                        found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_IGNOREPROCESSGROUPATSHUTDOWN) == 0) {
+                       j->ignore_pg_at_shutdown = value;
+                       found_key = true;
                }
                break;
        case 'r':
                }
                break;
        case 'r':
@@ -1349,9 +2216,30 @@ job_import_bool(job_t j, const char *key, bool value)
                if (strcasecmp(key, LAUNCH_JOBKEY_ENABLEGLOBBING) == 0) {
                        j->globargv = value;
                        found_key = true;
                if (strcasecmp(key, LAUNCH_JOBKEY_ENABLEGLOBBING) == 0) {
                        j->globargv = value;
                        found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_ENABLETRANSACTIONS) == 0) {
+                       j->kill_via_shmem = value;
+                       found_key = true;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_ENTERKERNELDEBUGGERBEFOREKILL) == 0) {
                        j->debug_before_kill = value;
                        found_key = true;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_ENTERKERNELDEBUGGERBEFOREKILL) == 0) {
                        j->debug_before_kill = value;
                        found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_EMBEDDEDPRIVILEGEDISPENSATION) == 0) {
+                       if (!s_embedded_privileged_job) {
+                               j->embedded_special_privileges = value;
+                               s_embedded_privileged_job = j;
+                       } else {
+                               job_log(j, LOG_ERR, "Job tried to claim %s after it has already been claimed.", key);
+                       }
+                       found_key = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_EVENTMONITOR) == 0) {
+                       if (job_assumes(j, _s_event_monitor == NULL)) {
+                               j->event_monitor = value;
+                               if (value) {
+                                       _s_event_monitor = j;
+                               }
+                       } else {
+                               job_log(j, LOG_NOTICE, "Job tried to steal event monitoring responsibility!");
+                       }
+                       found_key = true;
                }
                break;
        case 'w':
                }
                break;
        case 'w':
@@ -1365,7 +2253,7 @@ job_import_bool(job_t j, const char *key, bool value)
                break;
        }
 
                break;
        }
 
-       if (!found_key) {
+       if (unlikely(!found_key)) {
                job_log(j, LOG_WARNING, "Unknown key for boolean: %s", key);
        }
 }
                job_log(j, LOG_WARNING, "Unknown key for boolean: %s", key);
        }
 }
@@ -1376,10 +2264,31 @@ job_import_string(job_t j, const char *key, const char *value)
        char **where2put = NULL;
 
        switch (key[0]) {
        char **where2put = NULL;
 
        switch (key[0]) {
+       case 'm':
+       case 'M':
+               if (strcasecmp(key, LAUNCH_JOBKEY_MACHEXCEPTIONHANDLER) == 0) {
+                       where2put = &j->alt_exc_handler;
+               }
+               break;
        case 'p':
        case 'P':
                if (strcasecmp(key, LAUNCH_JOBKEY_PROGRAM) == 0) {
                        return;
        case 'p':
        case 'P':
                if (strcasecmp(key, LAUNCH_JOBKEY_PROGRAM) == 0) {
                        return;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_POSIXSPAWNTYPE) == 0) {
+                       if (strcasecmp(value, LAUNCH_KEY_POSIXSPAWNTYPE_TALAPP) == 0) {
+                               j->pstype = POSIX_SPAWN_OSX_TALAPP_START;
+                       } else if (strcasecmp(value, LAUNCH_KEY_POSIXSPAWNTYPE_WIDGET) == 0) {
+                               j->pstype = POSIX_SPAWN_OSX_WIDGET_START;
+                       }
+#if TARGET_OS_EMBEDDED
+                       else if (strcasecmp(value, LAUNCH_KEY_POSIXSPAWNTYPE_IOSAPP) == 0) {
+                               j->pstype = POSIX_SPAWN_IOS_APP_START;
+                       }
+#endif
+                       else {
+                               job_log(j, LOG_ERR, "Unknown value for key %s: %s", key, value);
+                       }
+                       return;
                }
                break;
        case 'l':
                }
                break;
        case 'l':
@@ -1391,7 +2300,6 @@ job_import_string(job_t j, const char *key, const char *value)
                } else if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADFROMHOSTS) == 0) {
                        return;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADTOSESSIONTYPE) == 0) {
                } else if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADFROMHOSTS) == 0) {
                        return;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADTOSESSIONTYPE) == 0) {
-                       job_reparent_hack(j, value);
                        return;
                }
                break;
                        return;
                }
                break;
@@ -1441,8 +2349,27 @@ job_import_string(job_t j, const char *key, const char *value)
                        where2put = &j->stdoutpath;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_STANDARDERRORPATH) == 0) {
                        where2put = &j->stderrpath;
                        where2put = &j->stdoutpath;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_STANDARDERRORPATH) == 0) {
                        where2put = &j->stderrpath;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_STANDARDINPATH) == 0) {
+                       where2put = &j->stdinpath;
+                       j->stdin_fd = _fd(open(value, O_RDONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, DEFFILEMODE));
+                       if (job_assumes(j, j->stdin_fd != -1)) {
+                               /* open() should not block, but regular IO by the job should */
+                               (void)job_assumes(j, fcntl(j->stdin_fd, F_SETFL, 0) != -1);
+                               /* XXX -- EV_CLEAR should make named pipes happy? */
+                               (void)job_assumes(j, kevent_mod(j->stdin_fd, EVFILT_READ, EV_ADD|EV_CLEAR, 0, 0, j) != -1);
+                       } else {
+                               j->stdin_fd = 0;
+                       }
+#if HAVE_SANDBOX
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXPROFILE) == 0) {
                        where2put = &j->seatbelt_profile;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXPROFILE) == 0) {
                        where2put = &j->seatbelt_profile;
+#endif
+               }
+               break;
+       case 'X':
+       case 'x':
+               if (strcasecmp(key, LAUNCH_JOBKEY_XPCDOMAIN) == 0) {
+                       return;
                }
                break;
        default:
                }
                break;
        default:
@@ -1450,10 +2377,13 @@ job_import_string(job_t j, const char *key, const char *value)
                break;
        }
 
                break;
        }
 
-       if (where2put) {
-               job_assumes(j, (*where2put = strdup(value)) != NULL);
+       if (likely(where2put)) {
+               (void)job_assumes(j, (*where2put = strdup(value)) != NULL);
        } else {
        } else {
-               job_log(j, LOG_WARNING, "Unknown key: %s", key);
+               /* See rdar://problem/5496612. These two are okay. */
+               if (strncmp(key, "SHAuthorizationRight", sizeof("SHAuthorizationRight")) != 0 && strncmp(key, "ServiceDescription", sizeof("ServiceDescription")) != 0) {
+                       job_log(j, LOG_WARNING, "Unknown key: %s", key);
+               }
        }
 }
 
        }
 }
 
@@ -1464,31 +2394,50 @@ job_import_integer(job_t j, const char *key, long long value)
        case 'e':
        case 'E':
                if (strcasecmp(key, LAUNCH_JOBKEY_EXITTIMEOUT) == 0) {
        case 'e':
        case 'E':
                if (strcasecmp(key, LAUNCH_JOBKEY_EXITTIMEOUT) == 0) {
-                       if (value < 0) {
+                       if (unlikely(value < 0)) {
                                job_log(j, LOG_WARNING, "%s less than zero. Ignoring.", LAUNCH_JOBKEY_EXITTIMEOUT);
                                job_log(j, LOG_WARNING, "%s less than zero. Ignoring.", LAUNCH_JOBKEY_EXITTIMEOUT);
-                       } else if (value > UINT32_MAX) {
+                       } else if (unlikely(value > UINT32_MAX)) {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_EXITTIMEOUT);
                        } else {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_EXITTIMEOUT);
                        } else {
-                               j->exit_timeout = value;
+                               j->exit_timeout = (typeof(j->exit_timeout)) value;
                        }
                        }
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_EMBEDDEDMAINTHREADPRIORITY) == 0) {
+                       j->main_thread_priority = value;
                }
                break;
                }
                break;
+       case 'j':
+       case 'J':
+               if (strcasecmp(key, LAUNCH_JOBKEY_JETSAMPRIORITY) == 0) {
+                       job_log(j, LOG_WARNING | LOG_CONSOLE, "Please change the JetsamPriority key to be in a dictionary named JetsamProperties.");
+                       
+                       launch_data_t pri = launch_data_new_integer(value);
+                       if (job_assumes(j, pri != NULL)) {
+                               jetsam_property_setup(pri, LAUNCH_JOBKEY_JETSAMPRIORITY, j);
+                               launch_data_free(pri);
+                       }
+               }
        case 'n':
        case 'N':
                if (strcasecmp(key, LAUNCH_JOBKEY_NICE) == 0) {
        case 'n':
        case 'N':
                if (strcasecmp(key, LAUNCH_JOBKEY_NICE) == 0) {
-                       j->nice = value;
-                       j->setnice = true;
+                       if (unlikely(value < PRIO_MIN)) {
+                               job_log(j, LOG_WARNING, "%s less than %d. Ignoring.", LAUNCH_JOBKEY_NICE, PRIO_MIN);
+                       } else if (unlikely(value > PRIO_MAX)) {
+                               job_log(j, LOG_WARNING, "%s is greater than %d. Ignoring.", LAUNCH_JOBKEY_NICE, PRIO_MAX);
+                       } else {
+                               j->nice = (typeof(j->nice)) value;
+                               j->setnice = true;
+                       }
                }
                break;
        case 't':
        case 'T':
                if (strcasecmp(key, LAUNCH_JOBKEY_TIMEOUT) == 0) {
                }
                break;
        case 't':
        case 'T':
                if (strcasecmp(key, LAUNCH_JOBKEY_TIMEOUT) == 0) {
-                       if (value < 0) {
+                       if (unlikely(value < 0)) {
                                job_log(j, LOG_WARNING, "%s less than zero. Ignoring.", LAUNCH_JOBKEY_TIMEOUT);
                                job_log(j, LOG_WARNING, "%s less than zero. Ignoring.", LAUNCH_JOBKEY_TIMEOUT);
-                       } else if (value > UINT32_MAX) {
+                       } else if (unlikely(value > UINT32_MAX)) {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_TIMEOUT);
                        } else {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_TIMEOUT);
                        } else {
-                               j->timeout = value;
+                               j->timeout = (typeof(j->timeout)) value;
                        }
                } else if (strcasecmp(key, LAUNCH_JOBKEY_THROTTLEINTERVAL) == 0) {
                        if (value < 0) {
                        }
                } else if (strcasecmp(key, LAUNCH_JOBKEY_THROTTLEINTERVAL) == 0) {
                        if (value < 0) {
@@ -1496,7 +2445,7 @@ job_import_integer(job_t j, const char *key, long long value)
                        } else if (value > UINT32_MAX) {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_THROTTLEINTERVAL);
                        } else {
                        } else if (value > UINT32_MAX) {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_THROTTLEINTERVAL);
                        } else {
-                               j->min_run_time = value;
+                               j->min_run_time = (typeof(j->min_run_time)) value;
                        }
                }
                break;
                        }
                }
                break;
@@ -1510,18 +2459,20 @@ job_import_integer(job_t j, const char *key, long long value)
        case 's':
        case 'S':
                if (strcasecmp(key, LAUNCH_JOBKEY_STARTINTERVAL) == 0) {
        case 's':
        case 'S':
                if (strcasecmp(key, LAUNCH_JOBKEY_STARTINTERVAL) == 0) {
-                       if (value <= 0) {
+                       if (unlikely(value <= 0)) {
                                job_log(j, LOG_WARNING, "%s is not greater than zero. Ignoring.", LAUNCH_JOBKEY_STARTINTERVAL);
                                job_log(j, LOG_WARNING, "%s is not greater than zero. Ignoring.", LAUNCH_JOBKEY_STARTINTERVAL);
-                       } else if (value > UINT32_MAX) {
+                       } else if (unlikely(value > UINT32_MAX)) {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_STARTINTERVAL);
                        } else {
                                job_log(j, LOG_WARNING, "%s is too large. Ignoring.", LAUNCH_JOBKEY_STARTINTERVAL);
                        } else {
-                               runtime_add_ref();
-                               j->start_interval = value;
+                               runtime_add_weak_ref();
+                               j->start_interval = (typeof(j->start_interval)) value;
 
 
-                               job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, value, j) != -1);
+                               (void)job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, j->start_interval, j) != -1);
                        }
                        }
+#if HAVE_SANDBOX
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXFLAGS) == 0) {
                        j->seatbelt_flags = value;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXFLAGS) == 0) {
                        j->seatbelt_flags = value;
+#endif
                }
 
                break;
                }
 
                break;
@@ -1532,11 +2483,13 @@ job_import_integer(job_t j, const char *key, long long value)
 }
 
 void
 }
 
 void
-job_import_opaque(job_t j, const char *key, launch_data_t value)
+job_import_opaque(job_t j __attribute__((unused)),
+       const char *key, launch_data_t value __attribute__((unused)))
 {
        switch (key[0]) {
        case 'q':
        case 'Q':
 {
        switch (key[0]) {
        case 'q':
        case 'Q':
+#if HAVE_QUARANTINE
                if (strcasecmp(key, LAUNCH_JOBKEY_QUARANTINEDATA) == 0) {
                        size_t tmpsz = launch_data_get_opaque_size(value);
 
                if (strcasecmp(key, LAUNCH_JOBKEY_QUARANTINEDATA) == 0) {
                        size_t tmpsz = launch_data_get_opaque_size(value);
 
@@ -1545,10 +2498,42 @@ job_import_opaque(job_t j, const char *key, launch_data_t value)
                                j->quarantine_data_sz = tmpsz;
                        }
                }
                                j->quarantine_data_sz = tmpsz;
                        }
                }
+#endif
+       case 's':
+       case 'S':
+               if (strcasecmp(key, LAUNCH_JOBKEY_SECURITYSESSIONUUID) == 0) {
+                       size_t tmpsz = launch_data_get_opaque_size(value);
+                       if (job_assumes(j, tmpsz == sizeof(uuid_t))) {
+                               memcpy(j->expected_audit_uuid, launch_data_get_opaque(value), sizeof(uuid_t));
+                       }
+               }
+               break;
+       default:
+               break;
+       }
+}
+
+static void
+policy_setup(launch_data_t obj, const char *key, void *context)
+{
+       job_t j = context;
+       bool found_key = false;
+
+       switch (key[0]) {
+       case 'd':
+       case 'D':
+               if (strcasecmp(key, LAUNCH_JOBPOLICY_DENYCREATINGOTHERJOBS) == 0) {
+                       j->deny_job_creation = launch_data_get_bool(obj);
+                       found_key = true;
+               }
                break;
        default:
                break;
        }
                break;
        default:
                break;
        }
+
+       if (unlikely(!found_key)) {
+               job_log(j, LOG_WARNING, "Unknown policy: %s", key);
+       }
 }
 
 void
 }
 
 void
@@ -1557,6 +2542,12 @@ job_import_dictionary(job_t j, const char *key, launch_data_t value)
        launch_data_t tmp;
 
        switch (key[0]) {
        launch_data_t tmp;
 
        switch (key[0]) {
+       case 'p':
+       case 'P':
+               if (strcasecmp(key, LAUNCH_JOBKEY_POLICIES) == 0) {
+                       launch_data_dict_iterate(value, policy_setup, j);
+               }
+               break;
        case 'k':
        case 'K':
                if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE) == 0) {
        case 'k':
        case 'K':
                if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE) == 0) {
@@ -1573,11 +2564,16 @@ job_import_dictionary(job_t j, const char *key, launch_data_t value)
                        }
                }
                break;
                        }
                }
                break;
+       case 'j':
+       case 'J':
+               if (strcasecmp(key, LAUNCH_JOBKEY_JETSAMPROPERTIES) == 0) {
+                       launch_data_dict_iterate(value, (void (*)(launch_data_t, const char *, void *))jetsam_property_setup, j);
+               }
        case 'e':
        case 'E':
                if (strcasecmp(key, LAUNCH_JOBKEY_ENVIRONMENTVARIABLES) == 0) {
                        launch_data_dict_iterate(value, envitem_setup, j);
        case 'e':
        case 'E':
                if (strcasecmp(key, LAUNCH_JOBKEY_ENVIRONMENTVARIABLES) == 0) {
                        launch_data_dict_iterate(value, envitem_setup, j);
-               }
+               }               
                break;
        case 'u':
        case 'U':
                break;
        case 'u':
        case 'U':
@@ -1595,8 +2591,10 @@ job_import_dictionary(job_t j, const char *key, launch_data_t value)
                        calendarinterval_new_from_obj(j, value);
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SOFTRESOURCELIMITS) == 0) {
                        launch_data_dict_iterate(value, limititem_setup, j);
                        calendarinterval_new_from_obj(j, value);
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SOFTRESOURCELIMITS) == 0) {
                        launch_data_dict_iterate(value, limititem_setup, j);
+#if HAVE_SANDBOX
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXFLAGS) == 0) {
                        launch_data_dict_iterate(value, seatbelt_setup_flags, j);
                } else if (strcasecmp(key, LAUNCH_JOBKEY_SANDBOXFLAGS) == 0) {
                        launch_data_dict_iterate(value, seatbelt_setup_flags, j);
+#endif
                }
                break;
        case 'h':
                }
                break;
        case 'h':
@@ -1611,8 +2609,19 @@ job_import_dictionary(job_t j, const char *key, launch_data_t value)
        case 'M':
                if (strcasecmp(key, LAUNCH_JOBKEY_MACHSERVICES) == 0) {
                        launch_data_dict_iterate(value, machservice_setup, j);
        case 'M':
                if (strcasecmp(key, LAUNCH_JOBKEY_MACHSERVICES) == 0) {
                        launch_data_dict_iterate(value, machservice_setup, j);
-               } else if (strcasecmp(key, LAUNCH_JOBKEY_MACHSERVICELOOKUPPOLICIES) == 0) {
-                       launch_data_dict_iterate(value, mspolicy_setup, j);
+               }
+               break;
+       case 'l':
+       case 'L':
+               if (strcasecmp(key, LAUNCH_JOBKEY_LAUNCHEVENTS) == 0) {
+                       launch_data_dict_iterate(value, eventsystem_setup, j);
+               } else {
+                       if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADTOHARDWARE) == 0) {
+                               return;
+                       }
+                       if (strcasecmp(key, LAUNCH_JOBKEY_LIMITLOADFROMHARDWARE) == 0) {
+                               return;
+                       }
                }
                break;
        default:
                }
                break;
        default:
@@ -1676,7 +2685,7 @@ job_import_array(job_t j, const char *key, launch_data_t value)
                        if (job_assumes(j, j->j_binpref = malloc(value_cnt * sizeof(*j->j_binpref)))) {
                                j->j_binpref_cnt = value_cnt;
                                for (i = 0; i < value_cnt; i++) {
                        if (job_assumes(j, j->j_binpref = malloc(value_cnt * sizeof(*j->j_binpref)))) {
                                j->j_binpref_cnt = value_cnt;
                                for (i = 0; i < value_cnt; i++) {
-                                       j->j_binpref[i] = launch_data_get_integer(launch_data_array_get_index(value, i));
+                                       j->j_binpref[i] = (cpu_type_t) launch_data_get_integer(launch_data_array_get_index(value, i));
                                }
                        }
                }
                                }
                        }
                }
@@ -1701,7 +2710,7 @@ job_import_keys(launch_data_t obj, const char *key, void *context)
        job_t j = context;
        launch_data_type_t kind;
 
        job_t j = context;
        launch_data_type_t kind;
 
-       if (obj == NULL) {
+       if (!launchd_assumes(obj != NULL)) {
                return;
        }
 
                return;
        }
 
@@ -1732,7 +2741,7 @@ job_import_keys(launch_data_t obj, const char *key, void *context)
        }
 }
 
        }
 }
 
-job_t 
+job_t
 jobmgr_import2(jobmgr_t jm, launch_data_t pload)
 {
        launch_data_t tmp, ldpa;
 jobmgr_import2(jobmgr_t jm, launch_data_t pload)
 {
        launch_data_t tmp, ldpa;
@@ -1740,36 +2749,67 @@ jobmgr_import2(jobmgr_t jm, launch_data_t pload)
        const char **argv = NULL;
        job_t j;
 
        const char **argv = NULL;
        job_t j;
 
-       if (pload == NULL) {
+       if (!jobmgr_assumes(jm, pload != NULL)) {
+               errno = EINVAL;
+               return NULL;
+       }
+
+       if (unlikely(launch_data_get_type(pload) != LAUNCH_DATA_DICTIONARY)) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (launch_data_get_type(pload) != LAUNCH_DATA_DICTIONARY) {
+       if (unlikely(!(tmp = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_LABEL)))) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (!(tmp = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_LABEL))) {
+       if (unlikely(launch_data_get_type(tmp) != LAUNCH_DATA_STRING)) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (launch_data_get_type(tmp) != LAUNCH_DATA_STRING) {
+       if (unlikely(!(label = launch_data_get_string(tmp)))) {
                errno = EINVAL;
                return NULL;
        }
 
                errno = EINVAL;
                return NULL;
        }
 
-       if (!(label = launch_data_get_string(tmp))) {
+#if TARGET_OS_EMBEDDED
+       if (unlikely(g_embedded_privileged_action && s_embedded_privileged_job)) {
+               if (unlikely(!(tmp = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_USERNAME)))) {
+                       errno = EPERM;
+                       return NULL;
+               }
+               
+               const char *username = NULL;
+               if (likely(tmp && launch_data_get_type(tmp) == LAUNCH_DATA_STRING)) {
+                       username = launch_data_get_string(tmp);
+               } else {
+                       errno = EPERM;
+                       return NULL;
+               }
+               
+               if (!jobmgr_assumes(jm, s_embedded_privileged_job->username != NULL && username != NULL)) {
+                       errno = EPERM;
+                       return NULL;
+               }
+               
+               if (unlikely(strcmp(s_embedded_privileged_job->username, username) != 0)) {
+                       errno = EPERM;
+                       return NULL;
+               }
+       } else if (g_embedded_privileged_action) {
                errno = EINVAL;
                return NULL;
        }
                errno = EINVAL;
                return NULL;
        }
+#endif
 
        if ((tmp = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_PROGRAM)) &&
                        (launch_data_get_type(tmp) == LAUNCH_DATA_STRING)) {
                prog = launch_data_get_string(tmp);
        }
 
 
        if ((tmp = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_PROGRAM)) &&
                        (launch_data_get_type(tmp) == LAUNCH_DATA_STRING)) {
                prog = launch_data_get_string(tmp);
        }
 
+       int argc = 0;
        if ((ldpa = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_PROGRAMARGUMENTS))) {
                size_t i, c;
 
        if ((ldpa = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_PROGRAMARGUMENTS))) {
                size_t i, c;
 
@@ -1794,36 +2834,151 @@ jobmgr_import2(jobmgr_t jm, launch_data_t pload)
                }
 
                argv[i] = NULL;
                }
 
                argv[i] = NULL;
+               argc = i;
        }
 
        }
 
-       if ((j = job_find(label)) != NULL) {
-               errno = EEXIST;
+       if (!prog && argc == 0) {
+               jobmgr_log(jm, LOG_ERR, "Job specifies neither Program nor ProgramArguments: %s", label);
+               errno = EINVAL;
                return NULL;
                return NULL;
-       } else if (label[0] == '\0' || (strncasecmp(label, "", strlen("com.apple.launchd")) == 0) ||
-                       (strtol(label, NULL, 10) != 0)) {
-               jobmgr_log(jm, LOG_ERR, "Somebody attempted to use a reserved prefix for a label: %s", label);
-               /* the empty string, com.apple.launchd and number prefixes for labels are reserved */
+       }
+
+       /* Find the requested session. You cannot load services into XPC domains in
+        * this manner.
+        */
+       launch_data_t session = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_LIMITLOADTOSESSIONTYPE);
+       if (session) {
+               jobmgr_t jmt = NULL;
+               if (launch_data_get_type(session) == LAUNCH_DATA_STRING) {
+                       jmt = jobmgr_find_by_name(jm, launch_data_get_string(session));
+                       if (!jmt) {
+                               jobmgr_log(jm, LOG_ERR, "Could not find requested session: %s", launch_data_get_string(session));
+                       } else {
+                               jm = jmt;
+                       }
+               } else {
+                       jobmgr_log(jm, LOG_ERR, "Session type is not a string.");
+               }
+
+               if (!jmt) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+       }
+
+       /* For legacy reasons, we have a global hash of all labels in all job
+        * managers. So rather than make it a global, we store it in the root job
+        * manager. But for an XPC domain, we store a local hash of all services in
+        * the domain.
+        */
+       jobmgr_t where2look = (jm->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN) ? jm : root_jobmgr;
+       if (unlikely((j = job_find(where2look, label)) != NULL)) {
+               if (jm->xpc_singleton) {
+                       /* There can (and probably will be) multiple attemtps to import the
+                        * same XPC service from the same framework. This is okay. It's
+                        * treated as a singleton, so just return the existing one so that
+                        * it may be aliased into the requesting process' XPC domain.
+                        */
+                       return j;
+               } else {
+                       /* If we're not a global XPC domain, then it's an error to try
+                        * importing the same job/service multiple times.
+                        */
+                       errno = EEXIST;
+                       return NULL;
+               }
+       } else if (unlikely(!jobmgr_label_test(where2look, label))) {
                errno = EINVAL;
                return NULL;
        }
                errno = EINVAL;
                return NULL;
        }
+       jobmgr_log(jm, LOG_DEBUG, "Importing %s.", label);
 
 
-       if ((j = job_new(jm, label, prog, argv))) {
+       if (likely(j = job_new(jm, label, prog, argv))) {
                launch_data_dict_iterate(pload, job_import_keys, j);
                launch_data_dict_iterate(pload, job_import_keys, j);
+               if (!uuid_is_null(j->expected_audit_uuid)) {
+                       uuid_string_t uuid_str;
+                       uuid_unparse(j->expected_audit_uuid, uuid_str);
+                       job_log(j, LOG_DEBUG, "Imported job. Waiting for session for UUID %s.", uuid_str);
+                       LIST_INSERT_HEAD(&s_needing_sessions, j, needing_session_sle);
+                       errno = ENEEDAUTH;
+               } else {
+                       job_log(j, LOG_DEBUG, "No security session specified.");
+                       j->asport = MACH_PORT_NULL;
+               }
+
+               if (j->event_monitor) {
+                       if (job_assumes(j, LIST_FIRST(&j->events) == NULL)) {
+                               struct machservice *msi = NULL;
+                               SLIST_FOREACH(msi, &j->machservices, sle) {
+                                       if (msi->event_update_port) {
+                                               break;
+                                       }
+                               }
+
+                               if (job_assumes(j, msi != NULL)) {
+                                       /* Create our send-once right so we can kick things off. */
+                                       (void)job_assumes(j, launchd_mport_make_send_once(msi->port, &_s_event_update_port) == KERN_SUCCESS);
+                                       if (!LIST_EMPTY(&_s_event_systems)) {
+                                               eventsystem_ping();
+                                       }
+                               }
+                       } else {
+                               job_log(j, LOG_ERR, "The event monitor job may not have a LaunchEvents dictionary.");
+                               job_remove(j);
+                               j = NULL;
+                       }
+               }
        }
 
        return j;
 }
 
        }
 
        return j;
 }
 
+bool
+jobmgr_label_test(jobmgr_t jm, const char *str)
+{
+       char *endstr = NULL;
+       const char *ptr;
+
+       if (str[0] == '\0') {
+               jobmgr_log(jm, LOG_ERR, "Empty job labels are not allowed");
+               return false;
+       }
+
+       for (ptr = str; *ptr; ptr++) {
+               if (iscntrl(*ptr)) {
+                       jobmgr_log(jm, LOG_ERR, "ASCII control characters are not allowed in job labels. Index: %td Value: 0x%hhx", ptr - str, *ptr);
+                       return false;
+               }
+       }
+
+       strtoll(str, &endstr, 0);
+
+       if (str != endstr) {
+               jobmgr_log(jm, LOG_ERR, "Job labels are not allowed to begin with numbers: %s", str);
+               return false;
+       }
+
+       if ((strncasecmp(str, "com.apple.launchd", strlen("com.apple.launchd")) == 0) ||
+                       (strncasecmp(str, "com.apple.launchctl", strlen("com.apple.launchctl")) == 0)) {
+               jobmgr_log(jm, LOG_ERR, "Job labels are not allowed to use a reserved prefix: %s", str);
+               return false;
+       }
+
+       return true;
+}
+
 job_t 
 job_t 
-job_find(const char *label)
+job_find(jobmgr_t jm, const char *label)
 {
        job_t ji;
 {
        job_t ji;
-
-       LIST_FOREACH(ji, &label_hash[hash_label(label)], label_hash_sle) {
-               if (ji->removal_pending) {
-                       continue; /* 5351245 */
-               } else if (ji->mgr->shutting_down) {
-                       continue; /* 5488633 */
+       
+       if (!jm) {
+               jm = root_jobmgr;
+       }
+       
+       LIST_FOREACH(ji, &jm->label_hash[hash_label(label)], label_hash_sle) {
+               if (unlikely(ji->removal_pending || ji->mgr->shutting_down)) {
+                       continue; /* 5351245 and 5488633 respectively */
                }
 
                if (strcmp(ji->label, label) == 0) {
                }
 
                if (strcmp(ji->label, label) == 0) {
@@ -1835,24 +2990,39 @@ job_find(const char *label)
        return NULL;
 }
 
        return NULL;
 }
 
+/* Should try and consolidate with job_mig_intran2() and jobmgr_find_by_pid(). */
 job_t
 job_t
-jobmgr_find_by_pid(jobmgr_t jm, pid_t p, bool create_anon)
+jobmgr_find_by_pid_deep(jobmgr_t jm, pid_t p, bool anon_okay)
 {
        job_t ji = NULL;
 {
        job_t ji = NULL;
-
        LIST_FOREACH(ji, &jm->active_jobs[ACTIVE_JOB_HASH(p)], pid_hash_sle) {
        LIST_FOREACH(ji, &jm->active_jobs[ACTIVE_JOB_HASH(p)], pid_hash_sle) {
-               if (ji->p == p) {
+               if (ji->p == p && (!ji->anonymous || (ji->anonymous && anon_okay)) ) {
+                       return ji;
+               }
+       }
+
+       jobmgr_t jmi = NULL;
+       SLIST_FOREACH(jmi, &jm->submgrs, sle) {
+               if ((ji = jobmgr_find_by_pid_deep(jmi, p, anon_okay))) {
                        break;
                }
        }
 
                        break;
                }
        }
 
-       if (ji) {
-               return ji;
-       } else if (create_anon) {
-               return job_new_anonymous(jm, p);
-       } else {
-               return NULL;
+       return ji;
+}
+
+job_t
+jobmgr_find_by_pid(jobmgr_t jm, pid_t p, bool create_anon)
+{
+       job_t ji;
+
+       LIST_FOREACH(ji, &jm->active_jobs[ACTIVE_JOB_HASH(p)], pid_hash_sle) {
+               if (ji->p == p) {
+                       return ji;
+               }
        }
        }
+
+       return create_anon ? job_new_anonymous(jm, p) : NULL;
 }
 
 job_t 
 }
 
 job_t 
@@ -1862,8 +3032,7 @@ job_mig_intran2(jobmgr_t jm, mach_port_t mport, pid_t upid)
        job_t ji;
 
        if (jm->jm_port == mport) {
        job_t ji;
 
        if (jm->jm_port == mport) {
-               jobmgr_assumes(jm, (ji = jobmgr_find_by_pid(jm, upid, true)) != NULL);
-               return ji;
+               return jobmgr_find_by_pid(jm, upid, true);
        }
 
        SLIST_FOREACH(jmi, &jm->submgrs, sle) {
        }
 
        SLIST_FOREACH(jmi, &jm->submgrs, sle) {
@@ -1886,22 +3055,19 @@ job_mig_intran2(jobmgr_t jm, mach_port_t mport, pid_t upid)
 job_t 
 job_mig_intran(mach_port_t p)
 {
 job_t 
 job_mig_intran(mach_port_t p)
 {
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        job_t jr;
 
        job_t jr;
 
-       runtime_get_caller_creds(&ldc);
-
-       jr = job_mig_intran2(root_jobmgr, p, ldc.pid);
+       jr = job_mig_intran2(root_jobmgr, p, ldc->pid);
 
        if (!jobmgr_assumes(root_jobmgr, jr != NULL)) {
 
        if (!jobmgr_assumes(root_jobmgr, jr != NULL)) {
-               int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, 0 };
-               struct kinfo_proc kp;
-               size_t len = sizeof(kp);
-
-               mib[3] = ldc.pid;
-
-               if (jobmgr_assumes(root_jobmgr, sysctl(mib, 4, &kp, &len, NULL, 0) != -1) && jobmgr_assumes(root_jobmgr, len == sizeof(kp))) {
-                       jobmgr_log(root_jobmgr, LOG_ERR, "%s() was confused by PID %u UID %u EUID %u Mach Port 0x%x: %s", __func__, ldc.pid, ldc.uid, ldc.euid, p, kp.kp_proc.p_comm);
+               struct proc_bsdshortinfo proc;
+               if (proc_pidinfo(ldc->pid, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               (void)jobmgr_assumes(root_jobmgr, errno == 0);
+                       } else {
+                               jobmgr_log(root_jobmgr, LOG_ERR, "%s() was confused by PID %u UID %u EUID %u Mach Port 0x%x: %s", __func__, ldc->pid, ldc->uid, ldc->euid, p, proc.pbsi_comm);
+                       }
                }
        }
 
                }
        }
 
@@ -1931,7 +3097,7 @@ job_mig_destructor(job_t j)
         * 'j' can be invalid at this point. We should fix this up after Leopard ships.
         */
 
         * 'j' can be invalid at this point. We should fix this up after Leopard ships.
         */
 
-       if (j && j != workaround_5477111 && j->unload_at_mig_return) {
+       if (unlikely(j && (j != workaround_5477111) && j->unload_at_mig_return)) {
                job_log(j, LOG_NOTICE, "Unloading PID %u at MIG return.", j->p);
                job_remove(j);
        }
                job_log(j, LOG_NOTICE, "Unloading PID %u at MIG return.", j->p);
                job_remove(j);
        }
@@ -1975,36 +3141,48 @@ job_export_all(void)
 void
 job_log_stray_pg(job_t j)
 {
 void
 job_log_stray_pg(job_t j)
 {
-       int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PGRP, j->p };
-       size_t i, kp_cnt, len = 10*1024*1024;
-       struct kinfo_proc *kp;
+       pid_t *pids = NULL;
+       size_t len = sizeof(pid_t) * get_kern_max_proc();
+       int i = 0, kp_cnt = 0;
+       
+       if (!do_apple_internal_logging) {
+               return;
+       }
 
 
-       if (!job_assumes(j, (kp = malloc(len)) != NULL)) {
+       runtime_ktrace(RTKT_LAUNCHD_FINDING_STRAY_PG, j->p, 0, 0);
+
+       if (!job_assumes(j, (pids = malloc(len)) != NULL)) {
                return;
        }
                return;
        }
-       if (!job_assumes(j, sysctl(mib, 4, kp, &len, NULL, 0) != -1)) {
+       if (!job_assumes(j, (kp_cnt = proc_listpgrppids(j->p, pids, len)) != -1)) {
                goto out;
        }
                goto out;
        }
-
-       kp_cnt = len / sizeof(struct kinfo_proc);
-
+       
        for (i = 0; i < kp_cnt; i++) {
        for (i = 0; i < kp_cnt; i++) {
-               pid_t p_i = kp[i].kp_proc.p_pid;
-               pid_t pp_i = kp[i].kp_eproc.e_ppid;
-               const char *z = (kp[i].kp_proc.p_stat == SZOMB) ? "zombie " : "";
-               const char *n = kp[i].kp_proc.p_comm;
-
+               pid_t p_i = pids[i];
                if (p_i == j->p) {
                        continue;
                } else if (!job_assumes(j, p_i != 0 && p_i != 1)) {
                        continue;
                }
                if (p_i == j->p) {
                        continue;
                } else if (!job_assumes(j, p_i != 0 && p_i != 1)) {
                        continue;
                }
+               
+               struct proc_bsdshortinfo proc;
+               if (proc_pidinfo(p_i, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               job_assumes(j, errno == 0);
+                       }
+                       continue;
+               }
+               
+               pid_t pp_i = proc.pbsi_ppid;
+               const char *z = (proc.pbsi_status == SZOMB) ? "zombie " : "";
+               const char *n = proc.pbsi_comm;
 
 
-               job_log(j, LOG_WARNING, "Stray %sprocess with PGID equal to this dead job: PID %u PPID %u %s", z, p_i, pp_i, n);
+               job_log(j, LOG_WARNING, "Stray %sprocess with PGID equal to this dead job: PID %u PPID %u PGID %u %s", z, p_i, pp_i, proc.pbsi_pgid, n);
        }
 
 out:
        }
 
 out:
-       free(kp);
+       free(pids);
 }
 
 void
 }
 
 void
@@ -2013,27 +3191,32 @@ job_reap(job_t j)
        struct rusage ru;
        int status;
 
        struct rusage ru;
        int status;
 
+       bool is_system_bootstrapper = j->is_bootstrapper && pid1_magic && !j->mgr->parentmgr;
+       
        job_log(j, LOG_DEBUG, "Reaping");
 
        job_log(j, LOG_DEBUG, "Reaping");
 
-       if (j->weird_bootstrap) {
-               mach_msg_size_t mxmsgsz = sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
-
-               if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
-                       mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
-               }
+       if (j->shmem) {
+               (void)job_assumes(j, vm_deallocate(mach_task_self(), (vm_address_t)j->shmem, getpagesize()) == 0);
+               j->shmem = NULL;
+       }
 
 
-               job_assumes(j, runtime_add_mport(j->mgr->jm_port, protocol_vproc_server, mxmsgsz) == KERN_SUCCESS);
-               j->weird_bootstrap = false;
+       if (unlikely(j->weird_bootstrap)) {
+               int64_t junk = 0;
+               job_mig_swap_integer(j, VPROC_GSK_WEIRD_BOOTSTRAP, 0, 0, &junk);
        }
 
        }
 
-       if (j->log_redirect_fd && !j->wait4pipe_eof) {
-               job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
-               j->log_redirect_fd = 0;
+       if (j->log_redirect_fd && !j->legacy_LS_job) {
+               job_log_stdouterr(j); /* one last chance */
+
+               if (j->log_redirect_fd) {
+                       (void)job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
+                       j->log_redirect_fd = 0;
+               }
        }
 
        }
 
-       if (j->forkfd) {
-               job_assumes(j, runtime_close(j->forkfd) != -1);
-               j->forkfd = 0;
+       if (j->fork_fd) {
+               (void)job_assumes(j, runtime_close(j->fork_fd) != -1);
+               j->fork_fd = 0;
        }
 
        if (j->anonymous) {
        }
 
        if (j->anonymous) {
@@ -2046,26 +3229,44 @@ job_reap(job_t j)
                 */
                job_log_stray_pg(j);
                if (!j->abandon_pg) {
                 */
                job_log_stray_pg(j);
                if (!j->abandon_pg) {
-                       job_assumes(j, runtime_killpg(j->p, SIGTERM) != -1 || errno == ESRCH);
+                       if (unlikely(runtime_killpg(j->p, SIGTERM) == -1 && errno != ESRCH)) {
+#ifdef __LP64__
+                               job_log(j, LOG_APPLEONLY, "Bug: 5487498");
+#else
+                               (void)job_assumes(j, false);
+#endif
+                       }
                }
 
                }
 
-               /*
-                * 5020256
+               /* We have to work around one of two kernel bugs here. ptrace(3) may
+                * have abducted the child away from us and reparented it to the tracing
+                * process. If the process then exits, we still get NOTE_EXIT, but we
+                * cannot reap it because the kernel may not have restored the true
+                * parent/child relationship in time.
+                *
+                * See <rdar://problem/5020256>.
                 *
                 *
-                * The current implementation of ptrace() causes the traced process to
-                * be abducted away from the true parent and adopted by the tracer.
+                * The other bug is if the shutdown monitor has suspended a task and not
+                * resumed it before exiting. In this case, the kernel will not clean up
+                * after the shutdown monitor. It will, instead, leave the task
+                * task suspended and not process any pending signals on the event loop
+                * for the task.
                 *
                 *
-                * Once the tracing process relinquishes control, the kernel then
-                * restores the true parent/child relationship.
+                * There are a variety of other kernel bugs that could prevent a process
+                * from exiting, usually having to do with faulty hardware or talking to
+                * misbehaving drivers that mark a thread as uninterruptible and
+                * deadlock/hang before unmarking it as such. So we have to work around
+                * that too.
                 *
                 *
-                * Unfortunately, the wait*() family of APIs is unaware of the temporarily
-                * data structures changes, and they return an error if reality hasn't
-                * been restored by the time they are called.
+                * See <rdar://problem/9284889&9359725>.
                 */
                 */
-               if (!job_assumes(j, wait4(j->p, &status, 0, &ru) != -1)) {
-                       job_log(j, LOG_NOTICE, "Working around 5020256. Assuming the job crashed.");
-
-                       status = W_EXITCODE(0, SIGSEGV);
+               if (j->workaround9359725) {
+                       job_log(j, LOG_NOTICE, "Simulated exit: <rdar://problem/9359725>");
+                       status = W_EXITCODE(-1, SIGSEGV);
+                       memset(&ru, 0, sizeof(ru));
+               } else if (wait4(j->p, &status, 0, &ru) == -1) {
+                       job_log(j, LOG_NOTICE, "Assuming job exited: <rdar://problem/5020256>: %d: %s", errno, strerror(errno));
+                       status = W_EXITCODE(-1, SIGSEGV);
                        memset(&ru, 0, sizeof(ru));
                }
        }
                        memset(&ru, 0, sizeof(ru));
                }
        }
@@ -2073,32 +3274,18 @@ job_reap(job_t j)
        if (j->exit_timeout) {
                kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER, EV_DELETE, 0, 0, NULL);
        }
        if (j->exit_timeout) {
                kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER, EV_DELETE, 0, 0, NULL);
        }
-
-       if (j->anonymous) {
-               total_anon_children--;
-       } else {
-               runtime_del_ref();
-               total_children--;
-       }
+       
        LIST_REMOVE(j, pid_hash_sle);
 
        LIST_REMOVE(j, pid_hash_sle);
 
-       if (j->wait_reply_port) {
-               job_log(j, LOG_DEBUG, "MPM wait reply being sent");
-               job_assumes(j, job_mig_wait_reply(j->wait_reply_port, 0, status) == 0);
-               j->wait_reply_port = MACH_PORT_NULL;
-       }
-
-       if (j->sent_sigterm_time) {
-               uint64_t td_sec, td_usec, td = (mach_absolute_time() - j->sent_sigterm_time) * tbi.numer / tbi.denom;
+       if (j->sent_signal_time) {
+               uint64_t td_sec, td_usec, td = runtime_get_nanoseconds_since(j->sent_signal_time);
 
                td_sec = td / NSEC_PER_SEC;
                td_usec = (td % NSEC_PER_SEC) / NSEC_PER_USEC;
 
 
                td_sec = td / NSEC_PER_SEC;
                td_usec = (td % NSEC_PER_SEC) / NSEC_PER_USEC;
 
-               job_log(j, LOG_INFO, "Exited %lld.%06lld seconds after %s was sent",
-                               td_sec, td_usec, signal_to_C_name(j->sent_sigkill ? SIGKILL : SIGTERM));
+               job_log(j, LOG_DEBUG, "Exited %llu.%06llu seconds after the first signal was sent", td_sec, td_usec);
        }
 
        }
 
-#if DO_RUSAGE_SUMMATION
        timeradd(&ru.ru_utime, &j->ru.ru_utime, &j->ru.ru_utime);
        timeradd(&ru.ru_stime, &j->ru.ru_stime, &j->ru.ru_stime);
        j->ru.ru_maxrss += ru.ru_maxrss;
        timeradd(&ru.ru_utime, &j->ru.ru_utime, &j->ru.ru_utime);
        timeradd(&ru.ru_stime, &j->ru.ru_stime, &j->ru.ru_stime);
        j->ru.ru_maxrss += ru.ru_maxrss;
@@ -2115,35 +3302,170 @@ job_reap(job_t j)
        j->ru.ru_nsignals += ru.ru_nsignals;
        j->ru.ru_nvcsw += ru.ru_nvcsw;
        j->ru.ru_nivcsw += ru.ru_nivcsw;
        j->ru.ru_nsignals += ru.ru_nsignals;
        j->ru.ru_nvcsw += ru.ru_nvcsw;
        j->ru.ru_nivcsw += ru.ru_nivcsw;
-#endif
 
        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
 
        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
-               job_log(j, LOG_WARNING, "Exited with exit code: %d", WEXITSTATUS(status));
+               int level = LOG_WARNING;
+               if (!j->did_exec && (j->fail_cnt++ % LAUNCHD_LOG_FAILED_EXEC_FREQ) != 0) {
+                       level = LOG_DEBUG;
+               }
+
+               job_log(j, level, "Exited with code: %d", WEXITSTATUS(status));
+       } else {
+               j->fail_cnt = 0;
        }
 
        if (WIFSIGNALED(status)) {
                int s = WTERMSIG(status);
        }
 
        if (WIFSIGNALED(status)) {
                int s = WTERMSIG(status);
-               if (SIGKILL == s || SIGTERM == s) {
+               if ((SIGKILL == s || SIGTERM == s) && !j->stopped) {
                        job_log(j, LOG_NOTICE, "Exited: %s", strsignal(s));
                        job_log(j, LOG_NOTICE, "Exited: %s", strsignal(s));
-               } else {
-                       job_log(j, LOG_WARNING, "Exited abnormally: %s", strsignal(s));
+               } else if (!j->stopped && !j->clean_kill) {                     
+                       switch (s) {
+                       /* Signals which indicate a crash. */
+                       case SIGILL:
+                       case SIGABRT:
+                       case SIGFPE:
+                       case SIGBUS:
+                       case SIGSEGV:
+                       case SIGSYS:
+                       /* If the kernel has posted NOTE_EXIT and the signal sent to the process was
+                        * SIGTRAP, assume that it's a crash.
+                        */
+                       case SIGTRAP:
+                               j->crashed = true;
+                               job_log(j, LOG_WARNING, "Job appears to have crashed: %s", strsignal(s));
+                               break;
+                       default:
+                               job_log(j, LOG_WARNING, "Exited abnormally: %s", strsignal(s));
+                               break;
+                       }
+                       
+                       if (is_system_bootstrapper && j->crashed) {
+                               job_log(j, LOG_ERR | LOG_CONSOLE, "The %s bootstrapper has crashed: %s", j->mgr->name, strsignal(s));
+                       }
                }
        }
 
                }
        }
 
-       if (j->hopefully_exits_first) {
-               j->mgr->hopefully_first_cnt--;
-       } else if (!j->anonymous && !j->hopefully_exits_last) {
-               j->mgr->normal_active_cnt--;
+       j->reaped = true;
+       
+       struct machservice *msi = NULL;
+       if (j->crashed || !(j->did_exec || j->anonymous)) {
+               SLIST_FOREACH(msi, &j->machservices, sle) {
+                       if (j->crashed && !msi->isActive && (msi->drain_one_on_crash || msi->drain_all_on_crash)) {
+                               machservice_drain_port(msi);
+                       }
+                       
+                       if (!j->did_exec && msi->reset && job_assumes(j, !msi->isActive)) {
+                               machservice_resetport(j, msi);
+                       }
+               }
+       }
+
+       /* HACK: Essentially duplicating the logic directly above. But this has
+        * gotten really hairy, and I don't want to try consolidating it right now.
+        */
+       if (j->xpc_service && !j->xpcproxy_did_exec) {
+               job_log(j, LOG_ERR, "XPC Service could not exec(3). Resetting port.");
+               SLIST_FOREACH(msi, &j->machservices, sle) {
+                       /* Drain the messages but do not reset the port. If xpcproxy could
+                        * not exec(3), then we don't want to continue trying, since there
+                        * is very likely a serious configuration error with the service.
+                        *
+                        * <rdar://problem/8986802>
+                        */
+                       machservice_resetport(j, msi);
+               }
        }
        }
+
+       struct suspended_peruser *spi = NULL;
+       while ((spi = LIST_FIRST(&j->suspended_perusers))) {
+               job_log(j, LOG_ERR, "Job exited before resuming per-user launchd for UID %u. Will forcibly resume.", spi->j->mach_uid);
+               spi->j->peruser_suspend_count--;
+               if (spi->j->peruser_suspend_count == 0) {
+                       job_dispatch(spi->j, false);
+               }
+               LIST_REMOVE(spi, sle);
+               free(spi);
+       }
+
        j->last_exit_status = status;
        j->last_exit_status = status;
+
+       if (j->exit_status_dest) {
+               errno = helper_downcall_wait(j->exit_status_dest, j->last_exit_status);
+               if (errno && errno != MACH_SEND_INVALID_DEST) {
+                       (void)job_assumes(j, errno == 0);
+               }
+
+               j->exit_status_dest = MACH_PORT_NULL;
+       }
+
+       if (j->spawn_reply_port) {
+               /* If the child never called exec(3), we must send a spawn() reply so
+                * that the requestor can get exit status from it. If we fail to send
+                * the reply for some reason, we have to deallocate the exit status port
+                * ourselves.
+                */
+               kern_return_t kr = job_mig_spawn2_reply(j->spawn_reply_port, BOOTSTRAP_SUCCESS, j->p, j->exit_status_port);
+               if (kr) {
+                       if (kr != MACH_SEND_INVALID_DEST) {
+                               errno = kr;
+                               (void)job_assumes(j, errno == KERN_SUCCESS);
+                       }
+
+                       (void)job_assumes(j, launchd_mport_close_recv(j->exit_status_port) == KERN_SUCCESS);
+               }
+
+               j->exit_status_port = MACH_PORT_NULL;
+               j->spawn_reply_port = MACH_PORT_NULL;
+       }
+
+       if (j->anonymous) {
+               total_anon_children--;
+               if (j->holds_ref) {
+                       runtime_del_ref();
+               }
+       } else {
+               runtime_del_ref();
+               total_children--;
+       }
+       
+       if (j->has_console) {
+               g_wsp = 0;
+       }
+
+       if (j->shutdown_monitor) {
+               job_log(j, LOG_NOTICE | LOG_CONSOLE, "Shutdown monitor has exited.");
+               _s_shutdown_monitor = NULL;
+               j->shutdown_monitor = false;
+       }
+
+       if (j->event_monitor && !j->mgr->shutting_down) {
+               msi = NULL;
+               SLIST_FOREACH(msi, &j->machservices, sle) {
+                       if (msi->event_update_port) {
+                               break;
+                       }
+               }
+               /* Only do this if we've gotten the port-destroyed notification already.
+                * If we haven't yet, the port destruction handler will do this.
+                */
+               if (job_assumes(j, msi != NULL) && !msi->isActive) {
+                       if (_s_event_update_port == MACH_PORT_NULL) {
+                               (void)job_assumes(j, launchd_mport_make_send_once(msi->port, &_s_event_update_port) == KERN_SUCCESS);
+                       }
+                       eventsystem_ping();
+               }
+       }
+       
+       if (!j->anonymous) {
+               j->mgr->normal_active_cnt--;
+       }
+       j->sent_signal_time = 0;
        j->sent_sigkill = false;
        j->sent_sigkill = false;
+       j->clean_kill = false;
+       j->sent_kill_via_shmem = false;
+       j->lastlookup = NULL;
+       j->lastlookup_gennum = 0;
        j->p = 0;
        j->p = 0;
-
-       /*
-        * We need to someday evaluate other jobs and find those who wish to track the
-        * active/inactive state of this job. The current job_dispatch() logic makes
-        * this messy, given that jobs can be deleted at dispatch.
-        */
 }
 
 void
 }
 
 void
@@ -2169,9 +3491,63 @@ jobmgr_dispatch_all(jobmgr_t jm, bool newmounthack)
        }
 }
 
        }
 }
 
+void
+job_dispatch_curious_jobs(job_t j)
+{      
+       job_t ji = NULL, jt = NULL;
+       SLIST_FOREACH_SAFE(ji, &s_curious_jobs, curious_jobs_sle, jt) {
+               struct semaphoreitem *si = NULL;
+               SLIST_FOREACH(si, &ji->semaphores, sle) {                       
+                       if (!(si->why == OTHER_JOB_ENABLED || si->why == OTHER_JOB_DISABLED)) {
+                               continue;
+                       }
+                       
+                       if (strcmp(si->what, j->label) == 0) {
+                               job_log(ji, LOG_DEBUG, "Dispatching out of interest in \"%s\".", j->label);
+                               
+                               if (!ji->removing) {
+                                       job_dispatch(ji, false);
+                               } else {
+                                       job_log(ji, LOG_NOTICE, "The following job is circularly dependent upon this one: %s", j->label);
+                               }
+                               
+                               /* ji could be removed here, so don't do anything with it or its semaphores
+                                * after this point.
+                                */
+                               break;
+                       }
+               }
+       }
+}
+
 job_t
 job_dispatch(job_t j, bool kickstart)
 {
 job_t
 job_dispatch(job_t j, bool kickstart)
 {
+       /* Don't dispatch a job if it has no audit session set. */
+       if (!uuid_is_null(j->expected_audit_uuid)) {
+               return NULL;
+       }
+       if (j->alias) {
+               j = j->alias;
+       }
+
+#if TARGET_OS_EMBEDDED
+       if (g_embedded_privileged_action && s_embedded_privileged_job) {
+               if (!job_assumes(j, s_embedded_privileged_job->username != NULL && j->username != NULL)) {
+                       errno = EPERM;
+                       return NULL;
+               }
+       
+               if (strcmp(j->username, s_embedded_privileged_job->username) != 0) {
+                       errno = EPERM;
+                       return NULL;
+               }
+       } else if (g_embedded_privileged_action) {
+               errno = EINVAL;
+               return NULL;
+       }
+#endif
+
        /*
         * The whole job removal logic needs to be consolidated. The fact that
         * a job can be removed from just about anywhere makes it easy to have
        /*
         * The whole job removal logic needs to be consolidated. The fact that
         * a job can be removed from just about anywhere makes it easy to have
@@ -2179,14 +3555,21 @@ job_dispatch(job_t j, bool kickstart)
         * used after the deallocation. In particular, during job iteration.
         *
         * This is a classic example. The act of dispatching a job may delete it.
         * used after the deallocation. In particular, during job iteration.
         *
         * This is a classic example. The act of dispatching a job may delete it.
-        */
+        */     
        if (!job_active(j)) {
                if (job_useless(j)) {
                        job_remove(j);
                        return NULL;
        if (!job_active(j)) {
                if (job_useless(j)) {
                        job_remove(j);
                        return NULL;
-               } else if (kickstart || job_keepalive(j)) {
+               }
+               if (unlikely(j->per_user && j->peruser_suspend_count > 0)) {
+                       return NULL;
+               }
+               
+               if (kickstart || job_keepalive(j)) {
+                       job_log(j, LOG_DEBUG, "Starting job (kickstart = %s)", kickstart ? "true" : "false");
                        job_start(j);
                } else {
                        job_start(j);
                } else {
+                       job_log(j, LOG_DEBUG, "Watching job (kickstart = %s)", kickstart ? "true" : "false");
                        job_watch(j);
 
                        /*
                        job_watch(j);
 
                        /*
@@ -2200,7 +3583,7 @@ job_dispatch(job_t j, bool kickstart)
                        }
                }
        } else {
                        }
                }
        } else {
-               job_log(j, LOG_DEBUG, "Tried to dispatch an already active job.");
+               job_log(j, LOG_DEBUG, "Tried to dispatch an already active job (%s).", job_active(j));
        }
 
        return j;
        }
 
        return j;
@@ -2232,11 +3615,13 @@ job_log_stdouterr(job_t j)
 
        rsz = read(j->log_redirect_fd, buf, BIG_PIPE_SIZE);
 
 
        rsz = read(j->log_redirect_fd, buf, BIG_PIPE_SIZE);
 
-       if (rsz == 0) {
+       if (unlikely(rsz == 0)) {
                job_log(j, LOG_DEBUG, "Standard out/error pipe closed");
                close_log_redir = true;
                job_log(j, LOG_DEBUG, "Standard out/error pipe closed");
                close_log_redir = true;
-       } else if (!job_assumes(j, rsz != -1)) {
-               close_log_redir = true;
+       } else if (rsz == -1) {
+               if (!job_assumes(j, errno == EAGAIN)) {
+                       close_log_redir = true;
+               }
        } else {
                buf[rsz] = '\0';
 
        } else {
                buf[rsz] = '\0';
 
@@ -2249,8 +3634,8 @@ job_log_stdouterr(job_t j)
 
        free(buf);
 
 
        free(buf);
 
-       if (close_log_redir) {
-               job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
+       if (unlikely(close_log_redir)) {
+               (void)job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
                j->log_redirect_fd = 0;
                job_dispatch(j, false);
        }
                j->log_redirect_fd = 0;
                job_dispatch(j, false);
        }
@@ -2259,43 +3644,214 @@ job_log_stdouterr(job_t j)
 void
 job_kill(job_t j)
 {
 void
 job_kill(job_t j)
 {
-       if (!j->p || j->anonymous) {
+       if (unlikely(!j->p || j->anonymous)) {
                return;
        }
 
                return;
        }
 
-       job_assumes(j, runtime_kill(j->p, SIGKILL) != -1);
+       (void)job_assumes(j, runtime_kill(j->p, SIGKILL) != -1);
 
        j->sent_sigkill = true;
 
        j->sent_sigkill = true;
+       (void)job_assumes(j, kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, LAUNCHD_SIGKILL_TIMER, j) != -1);
+
+       job_log(j, LOG_DEBUG, "Sent SIGKILL signal");
+}
+
+void
+job_open_shutdown_transaction(job_t j)
+{
+       if (j->kill_via_shmem) {
+               if (j->shmem) {
+                       job_log(j, LOG_DEBUG, "Opening shutdown transaction for job.");
+                       (void)__sync_add_and_fetch(&j->shmem->vp_shmem_transaction_cnt, 1);
+               } else {
+                       job_log(j, LOG_DEBUG, "Job wants to be dirty at shutdown, but it has not set up shared memory. Treating normally.");
+                       j->dirty_at_shutdown = false;
+               }
+       } else {
+               job_log(j, LOG_DEBUG, "Job wants to be dirty at shutdown, but it is not Instant Off-compliant. Treating normally.");
+               j->dirty_at_shutdown = false;
+       }
+}
+
+void
+job_close_shutdown_transaction(job_t j)
+{
+       if (j->dirty_at_shutdown) {
+               job_log(j, LOG_DEBUG, "Closing shutdown transaction for job.");
+               if (__sync_sub_and_fetch(&j->shmem->vp_shmem_transaction_cnt, 1) == -1) {
+                       job_log(j, LOG_DEBUG, "Job is now clean. Killing.");
+                       job_kill(j);
+               }
+               j->dirty_at_shutdown = false;
+       }
+}
+
+void
+job_log_children_without_exec(job_t j)
+{
+       pid_t *pids = NULL;
+       size_t len = sizeof(pid_t) * get_kern_max_proc();
+       int i = 0, kp_cnt = 0;
+       
+       if (!do_apple_internal_logging || j->anonymous || j->per_user) {
+               return;
+       }
+
+       if (!job_assumes(j, (pids = malloc(len)) != NULL)) {
+               return;
+       }
+       if (!job_assumes(j, (kp_cnt = proc_listchildpids(j->p, pids, len)) != -1)) {
+               goto out;
+       }
+
+       for (i = 0; i < kp_cnt; i++) {
+               struct proc_bsdshortinfo proc;
+               if (proc_pidinfo(pids[i], PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               job_assumes(j, errno == 0);
+                       }
+                       continue;
+               }
+               if (proc.pbsi_flags & P_EXEC) {
+                       continue;
+               }
+
+               job_log(j, LOG_DEBUG, "Called *fork(). Please switch to posix_spawn*(), pthreads or launchd. Child PID %u", pids[i]);
+       }
+
+out:
+       free(pids);
+}
+
+void
+job_cleanup_after_tracer(job_t j)
+{
+       j->tracing_pid = 0;
+       if (j->reap_after_trace) {
+               job_log(j, LOG_DEBUG | LOG_CONSOLE, "Reaping job now that attached tracer is gone.");
+               struct kevent kev;
+               EV_SET(&kev, j->p, 0, 0, NOTE_EXIT, 0, 0);
 
 
-       job_assumes(j, kevent_mod((uintptr_t)&j->exit_timeout, EVFILT_TIMER,
-                               EV_ADD, NOTE_SECONDS, LAUNCHD_SIGKILL_TIMER, j) != -1);
+               /* Fake a kevent to keep our logic consistent. */
+               job_callback_proc(j, &kev);
 
 
-       job_log(j, LOG_DEBUG, "Sent SIGKILL signal.");
+               /* Normally, after getting a EVFILT_PROC event, we do garbage collection
+                * on the root job manager. To make our fakery complete, we will do garbage
+                * collection at the beginning of the next run loop cycle (after we're done
+                * draining the current queue of kevents).
+                */
+               (void)job_assumes(j, kevent_mod((uintptr_t)&root_jobmgr->reboot_flags, EVFILT_TIMER, EV_ADD | EV_ONESHOT, NOTE_NSECONDS, 1, root_jobmgr) != -1);
+       }
 }
 
 void
 }
 
 void
-job_callback_proc(job_t j, int flags, int fflags)
+job_callback_proc(job_t j, struct kevent *kev)
 {
 {
-       if ((fflags & NOTE_EXEC) && j->anonymous) {
-               int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, j->p };
-               struct kinfo_proc kp;
-               size_t len = sizeof(kp);
+       bool program_changed = false;
+       int fflags = kev->fflags;
+       
+       job_log(j, LOG_DEBUG, "EVFILT_PROC event for job.");
+       log_kevent_struct(LOG_DEBUG, kev, 0);
+       
+       if (fflags & NOTE_EXIT) {
+               if (j->p == (pid_t)kev->ident && !j->anonymous) {
+                       /* Note that the third argument to proc_pidinfo() is a magic argument for
+                        * PROC_PIDT_SHORTBSDINFO. Specifically, passing 1 means "don't fail on a zombie
+                        * PID".
+                        */
+                       struct proc_bsdshortinfo proc;
+                       if (job_assumes(j, proc_pidinfo(j->p, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) > 0)) {
+                               if (!job_assumes(j, (pid_t)proc.pbsi_ppid == getpid())) {
+                                       /* Someone has attached to the process with ptrace(). There's a race here. 
+                                        * If we determine that we are not the parent process and then fail to attach 
+                                        * a kevent to the parent PID (who is probably using ptrace()), we can take that as an
+                                        * indication that the parent exited between sysctl(3) and kevent_mod(). The
+                                        * reparenting of the PID should be atomic to us, so in that case, we reap the
+                                        * job as normal.
+                                        *
+                                        * Otherwise, we wait for the death of the parent tracer and then reap, just as we
+                                        * would if a job died while we were sampling it at shutdown.
+                                        *
+                                        * Note that we foolishly assume that in the process *tree* a node cannot be its
+                                        * own parent. Apparently, that is not correct. If this is the case, we forsake
+                                        * the process to its own devices. Let it reap itself.
+                                        */
+                                       if (!job_assumes(j, proc.pbsi_ppid != kev->ident)) {
+                                               job_log(j, LOG_WARNING, "Job is its own parent and has (somehow) exited. Leaving it to waste away.");
+                                               return;
+                                       }
+                                       if (job_assumes(j, kevent_mod(proc.pbsi_ppid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, j) != -1)) {
+                                               j->tracing_pid = proc.pbsi_ppid;
+                                               j->reap_after_trace = true;
+                                               return;
+                                       }
+                               }
+                       }
+               } else if (!j->anonymous) {
+                       if (j->tracing_pid == (pid_t)kev->ident) {
+                               job_cleanup_after_tracer(j);
+                               
+                               return;
+                       } else if (j->tracing_pid && !j->reap_after_trace) {
+                               /* The job exited before our sample completed. */
+                               job_log(j, LOG_DEBUG | LOG_CONSOLE, "Job has exited. Will reap after tracing PID %i exits.", j->tracing_pid);
+                               j->reap_after_trace = true;
+                               return;
+                       }
+               }
+       }
+               
+       if (fflags & NOTE_EXEC) {
+               program_changed = true;
 
 
-               if (job_assumes(j, sysctl(mib, 4, &kp, &len, NULL, 0) != -1)) {
-                       char newlabel[1000];
+               if (j->anonymous) {
+                       struct proc_bsdshortinfo proc;
+                       if (proc_pidinfo(j->p, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) > 0) {
+                               char newlabel[1000];
+
+                               snprintf(newlabel, sizeof(newlabel), "%p.anonymous.%s", j, proc.pbsi_comm);
+
+                               job_log(j, LOG_INFO, "Program changed. Updating the label to: %s", newlabel);
+                               j->lastlookup = NULL;
+                               j->lastlookup_gennum = 0;
+
+                               LIST_REMOVE(j, label_hash_sle);
+                               strcpy((char *)j->label, newlabel);
+                               
+                               jobmgr_t where2put = root_jobmgr;
+                               if (j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN) {
+                                       where2put = j->mgr;
+                               }
+                               LIST_INSERT_HEAD(&where2put->label_hash[hash_label(j->label)], j, label_hash_sle);
+                       } else if (errno != ESRCH) {
+                               job_assumes(j, errno == 0);
+                       }
+               } else {
+                       if (j->spawn_reply_port) {
+                               errno = job_mig_spawn2_reply(j->spawn_reply_port, BOOTSTRAP_SUCCESS, j->p, j->exit_status_port);
+                               if (errno) {
+                                       if (errno != MACH_SEND_INVALID_DEST) {
+                                               (void)job_assumes(j, errno == KERN_SUCCESS);
+                                       }
+                                       (void)job_assumes(j, launchd_mport_close_recv(j->exit_status_port) == KERN_SUCCESS);
+                               }
 
 
-                       snprintf(newlabel, sizeof(newlabel), "%p.%s", j, kp.kp_proc.p_comm);
+                               j->spawn_reply_port = MACH_PORT_NULL;
+                               j->exit_status_port = MACH_PORT_NULL;
+                       }
 
 
-                       job_log(j, LOG_DEBUG, "Program changed. Updating the label to: %s", newlabel);
+                       if (j->xpc_service && j->did_exec) {
+                               j->xpcproxy_did_exec = true;
+                       }
 
 
-                       LIST_REMOVE(j, label_hash_sle);
-                       strcpy((char *)j->label, newlabel);
-                       LIST_INSERT_HEAD(&label_hash[hash_label(j->label)], j, label_hash_sle);
+                       j->did_exec = true;
+                       job_log(j, LOG_DEBUG, "Program changed");
                }
        }
 
        if (fflags & NOTE_FORK) {
                }
        }
 
        if (fflags & NOTE_FORK) {
-               job_log(j, LOG_DEBUG, "Called fork()");
+               job_log(j, LOG_DEBUG, "fork()ed%s", program_changed ? ". For this message only: We don't know whether this event happened before or after execve()." : "");
+               job_log_children_without_exec(j);
        }
 
        if (fflags & NOTE_EXIT) {
        }
 
        if (fflags & NOTE_EXIT) {
@@ -2308,47 +3864,54 @@ job_callback_proc(job_t j, int flags, int fflags)
                        j = job_dispatch(j, false);
                }
        }
                        j = job_dispatch(j, false);
                }
        }
-
-       /* NOTE_REAP sanity checking is disabled for now while we try and diagnose 5289559 */
-#if 0
-       if (j && (fflags & NOTE_REAP)) {
-               job_assumes(j, flags & EV_ONESHOT);
-               job_assumes(j, flags & EV_EOF);
-
-               job_assumes(j, j->p == 0);
-       }
-#endif
 }
 
 void
 job_callback_timer(job_t j, void *ident)
 {
        if (j == ident) {
 }
 
 void
 job_callback_timer(job_t j, void *ident)
 {
        if (j == ident) {
+               job_log(j, LOG_DEBUG, "j == ident (%p)", ident);
                job_dispatch(j, true);
        } else if (&j->semaphores == ident) {
                job_dispatch(j, true);
        } else if (&j->semaphores == ident) {
+               job_log(j, LOG_DEBUG, "&j->semaphores == ident (%p)", ident);
                job_dispatch(j, false);
        } else if (&j->start_interval == ident) {
                job_dispatch(j, false);
        } else if (&j->start_interval == ident) {
+               job_log(j, LOG_DEBUG, "&j->start_interval == ident (%p)", ident);
                j->start_pending = true;
                job_dispatch(j, false);
        } else if (&j->exit_timeout == ident) {
                j->start_pending = true;
                job_dispatch(j, false);
        } else if (&j->exit_timeout == ident) {
+               if (!job_assumes(j, j->p != 0)) {
+                       return;
+               }
+
                if (j->sent_sigkill) {
                if (j->sent_sigkill) {
-                       uint64_t td = (mach_absolute_time() - j->sent_sigterm_time) * tbi.numer / tbi.denom;
+                       uint64_t td = runtime_get_nanoseconds_since(j->sent_signal_time);
 
                        td /= NSEC_PER_SEC;
 
                        td /= NSEC_PER_SEC;
-                       td -= j->exit_timeout;
+                       td -= j->clean_kill ? 0 : j->exit_timeout;
 
 
-                       job_log(j, LOG_ERR, "Did not die after sending SIGKILL %llu seconds ago...", td);
+                       job_log(j, LOG_WARNING | LOG_CONSOLE, "Job has not died after being %skilled %llu seconds ago. Simulating exit.", j->clean_kill ? "cleanly " : "", td);
+                       j->workaround9359725 = true;
+
+                       if (g_trap_sigkill_bugs) {
+                               job_log(j, LOG_NOTICE | LOG_CONSOLE, "Trapping into kernel debugger. You can continue the machine after it has been debugged, and shutdown will proceed normally.");
+                               (void)job_assumes(j, host_reboot(mach_host_self(), HOST_REBOOT_DEBUGGER) == KERN_SUCCESS);
+                       }
+
+                       struct kevent bogus_exit;
+                       EV_SET(&bogus_exit, j->p, EVFILT_PROC, 0, NOTE_EXIT, 0, 0);
+                       jobmgr_callback(j->mgr, &bogus_exit);
                } else {
                } else {
-                       job_force_sampletool(j);
-                       if (j->debug_before_kill) {
-                               job_log(j, LOG_NOTICE, "Exit timeout elapsed. Entering the kernel debugger.");
-                               job_assumes(j, host_reboot(mach_host_self(), HOST_REBOOT_DEBUGGER) == KERN_SUCCESS);
+                       if (unlikely(j->debug_before_kill)) {
+                               job_log(j, LOG_NOTICE, "Exit timeout elapsed. Entering the kernel debugger");
+                               (void)job_assumes(j, host_reboot(mach_host_self(), HOST_REBOOT_DEBUGGER) == KERN_SUCCESS);
                        }
                        }
-                       job_log(j, LOG_WARNING, "Exit timeout elapsed (%u seconds). Killing.", j->exit_timeout);
+
+                       job_log(j, LOG_WARNING | LOG_CONSOLE, "Exit timeout elapsed (%u seconds). Killing", j->exit_timeout);
                        job_kill(j);
                }
        } else {
                        job_kill(j);
                }
        } else {
-               job_assumes(j, false);
+               (void)job_assumes(j, false);
        }
 }
 
        }
 }
 
@@ -2357,6 +3920,8 @@ job_callback_read(job_t j, int ident)
 {
        if (ident == j->log_redirect_fd) {
                job_log_stdouterr(j);
 {
        if (ident == j->log_redirect_fd) {
                job_log_stdouterr(j);
+       } else if (ident == j->stdin_fd) {
+               job_dispatch(j, true);
        } else {
                socketgroup_callback(j);
        }
        } else {
                socketgroup_callback(j);
        }
@@ -2372,7 +3937,7 @@ jobmgr_reap_bulk(jobmgr_t jm, struct kevent *kev)
                jobmgr_reap_bulk(jmi, kev);
        }
 
                jobmgr_reap_bulk(jmi, kev);
        }
 
-       if ((j = jobmgr_find_by_pid(jm, kev->ident, false))) {
+       if ((j = jobmgr_find_by_pid(jm, (pid_t)kev->ident, false))) {
                kev->udata = j;
                job_callback(j, kev);
        }
                kev->udata = j;
                job_callback(j, kev);
        }
@@ -2382,33 +3947,83 @@ void
 jobmgr_callback(void *obj, struct kevent *kev)
 {
        jobmgr_t jm = obj;
 jobmgr_callback(void *obj, struct kevent *kev)
 {
        jobmgr_t jm = obj;
+       job_t ji;
 
        switch (kev->filter) {
        case EVFILT_PROC:
                jobmgr_reap_bulk(jm, kev);
 
        switch (kev->filter) {
        case EVFILT_PROC:
                jobmgr_reap_bulk(jm, kev);
-               if (launchd_assumes(root_jobmgr != NULL)) {
-                       root_jobmgr = jobmgr_do_garbage_collection(root_jobmgr);
-               }
+               root_jobmgr = jobmgr_do_garbage_collection(root_jobmgr);
                break;
        case EVFILT_SIGNAL:
                switch (kev->ident) {
                break;
        case EVFILT_SIGNAL:
                switch (kev->ident) {
-               case SIGTERM:
+               case SIGTERM:                   
+                       jobmgr_log(jm, LOG_DEBUG, "Got SIGTERM. Shutting down.");
                        return launchd_shutdown();
                case SIGUSR1:
                        return calendarinterval_callback();
                        return launchd_shutdown();
                case SIGUSR1:
                        return calendarinterval_callback();
-               default:
-                       return (void)jobmgr_assumes(jm, false);
-               }
-               break;
-       case EVFILT_FS:
-               if (kev->fflags & VQ_MOUNT) {
-                       jobmgr_dispatch_all(jm, true);
-               }
-               jobmgr_dispatch_all_semaphores(jm);
+               case SIGUSR2:
+                       fake_shutdown_in_progress = true;
+                       runtime_setlogmask(LOG_UPTO(LOG_DEBUG));
+
+                       runtime_closelog(); /* HACK -- force 'start' time to be set */
+
+                       if (pid1_magic) {
+                               int64_t now = runtime_get_wall_time();
+
+                               jobmgr_log(jm, LOG_NOTICE, "Anticipatory shutdown began at: %lld.%06llu", now / USEC_PER_SEC, now % USEC_PER_SEC);
+
+                               LIST_FOREACH(ji, &root_jobmgr->jobs, sle) {
+                                       if (ji->per_user && ji->p) {
+                                               (void)job_assumes(ji, runtime_kill(ji->p, SIGUSR2) != -1);
+                                       }
+                               }
+                       } else {
+                               jobmgr_log(jm, LOG_NOTICE, "Anticipatory per-user launchd shutdown");
+                       }
+
+                       return;
+               default:
+                       return (void)jobmgr_assumes(jm, false);
+               }
+               break;
+       case EVFILT_FS:
+               if (kev->fflags & VQ_MOUNT) {
+                       jobmgr_dispatch_all(jm, true);
+               }
+               jobmgr_dispatch_all_semaphores(jm);
                break;
        case EVFILT_TIMER:
                break;
        case EVFILT_TIMER:
-               if (jobmgr_assumes(jm, kev->ident == (uintptr_t)&sorted_calendar_events)) {
+               if (kev->ident == (uintptr_t)&sorted_calendar_events) {
                        calendarinterval_callback();
                        calendarinterval_callback();
+               } else if (kev->ident == (uintptr_t)jm) {
+                       jobmgr_log(jm, LOG_DEBUG, "Shutdown timer firing.");
+                       jobmgr_still_alive_with_check(jm);
+               } else if (kev->ident == (uintptr_t)&jm->reboot_flags) {
+                       jobmgr_do_garbage_collection(jm);
+               } else if (kev->ident == (uintptr_t)&g_runtime_busy_time) {
+                       jobmgr_log(jm, LOG_DEBUG, "Idle exit timer fired. Shutting down.");
+                       if (jobmgr_assumes(jm, runtime_busy_cnt == 0)) {
+                               return launchd_shutdown();
+                       }
+               }
+               break;
+       case EVFILT_VNODE:
+               if (kev->ident == (uintptr_t)s_no_hang_fd) {
+                       int _no_hang_fd = open("/dev/autofs_nowait", O_EVTONLY | O_NONBLOCK);
+                       if (unlikely(_no_hang_fd != -1)) {
+                               jobmgr_log(root_jobmgr, LOG_DEBUG, "/dev/autofs_nowait has appeared!");
+                               (void)jobmgr_assumes(root_jobmgr, kevent_mod((uintptr_t)s_no_hang_fd, EVFILT_VNODE, EV_DELETE, 0, 0, NULL) != -1);
+                               (void)jobmgr_assumes(root_jobmgr, runtime_close(s_no_hang_fd) != -1);
+                               s_no_hang_fd = _fd(_no_hang_fd);
+                       }
+               } else if (pid1_magic && g_console && kev->ident == (uintptr_t)fileno(g_console)) {
+                       int cfd = -1;
+                       if (launchd_assumes((cfd = open(_PATH_CONSOLE, O_WRONLY | O_NOCTTY)) != -1)) {
+                               _fd(cfd);
+                               if (!launchd_assumes((g_console = fdopen(cfd, "w")) != NULL)) {
+                                       close(cfd);
+                               }
+                       }
                }
                break;
        default:
                }
                break;
        default:
@@ -2425,13 +4040,13 @@ job_callback(void *obj, struct kevent *kev)
 
        switch (kev->filter) {
        case EVFILT_PROC:
 
        switch (kev->filter) {
        case EVFILT_PROC:
-               return job_callback_proc(j, kev->flags, kev->fflags);
+               return job_callback_proc(j, kev);
        case EVFILT_TIMER:
        case EVFILT_TIMER:
-               return job_callback_timer(j, (void *)kev->ident);
+               return job_callback_timer(j, (void *) kev->ident);
        case EVFILT_VNODE:
                return semaphoreitem_callback(j, kev);
        case EVFILT_READ:
        case EVFILT_VNODE:
                return semaphoreitem_callback(j, kev);
        case EVFILT_READ:
-               return job_callback_read(j, kev->ident);
+               return job_callback_read(j, (int) kev->ident);
        case EVFILT_MACHPORT:
                return (void)job_dispatch(j, true);
        default:
        case EVFILT_MACHPORT:
                return (void)job_dispatch(j, true);
        default:
@@ -2442,34 +4057,32 @@ job_callback(void *obj, struct kevent *kev)
 void
 job_start(job_t j)
 {
 void
 job_start(job_t j)
 {
-       uint64_t td, tnow = mach_absolute_time();
+       uint64_t td;
        int spair[2];
        int execspair[2];
        int oepair[2];
        char nbuf[64];
        pid_t c;
        bool sipc = false;
        int spair[2];
        int execspair[2];
        int oepair[2];
        char nbuf[64];
        pid_t c;
        bool sipc = false;
-       u_int proc_fflags = /* NOTE_EXEC|NOTE_FORK| */ NOTE_EXIT /* |NOTE_REAP */;
-
+       u_int proc_fflags = NOTE_EXIT|NOTE_FORK|NOTE_EXEC;
+       
        if (!job_assumes(j, j->mgr != NULL)) {
                return;
        }
        if (!job_assumes(j, j->mgr != NULL)) {
                return;
        }
-
-       if (job_active(j)) {
+       
+       if (unlikely(job_active(j))) {
                job_log(j, LOG_DEBUG, "Already started");
                return;
        }
                job_log(j, LOG_DEBUG, "Already started");
                return;
        }
-
-       job_assumes(j, tnow > j->start_time);
-
+       
        /*
         * Some users adjust the wall-clock and then expect software to not notice.
        /*
         * Some users adjust the wall-clock and then expect software to not notice.
-        * Therefore, launchd must use an absolute clock instead of gettimeofday()
-        * or time() wherever possible.
+        * Therefore, launchd must use an absolute clock instead of the wall clock
+        * wherever possible.
         */
         */
-       td = (tnow - j->start_time) * tbi.numer / tbi.denom;
+       td = runtime_get_nanoseconds_since(j->start_time);
        td /= NSEC_PER_SEC;
        td /= NSEC_PER_SEC;
-
+       
        if (j->start_time && (td < j->min_run_time) && !j->legacy_mach_job && !j->inetcompat) {
                time_t respawn_delta = j->min_run_time - (uint32_t)td;
 
        if (j->start_time && (td < j->min_run_time) && !j->legacy_mach_job && !j->inetcompat) {
                time_t respawn_delta = j->min_run_time - (uint32_t)td;
 
@@ -2477,91 +4090,109 @@ job_start(job_t j)
                 * We technically should ref-count throttled jobs to prevent idle exit,
                 * but we're not directly tracking the 'throttled' state at the moment.
                 */
                 * We technically should ref-count throttled jobs to prevent idle exit,
                 * but we're not directly tracking the 'throttled' state at the moment.
                 */
+               int level = LOG_WARNING;
+               if (!j->did_exec && ((j->fail_cnt - 1) % LAUNCHD_LOG_FAILED_EXEC_FREQ) != 0) {
+                       level = LOG_DEBUG;
+               }
 
 
-               job_log(j, LOG_WARNING, "Throttling respawn: Will start in %ld seconds", respawn_delta);
-               job_assumes(j, kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, respawn_delta, j) != -1);
+               job_log(j, level, "Throttling respawn: Will start in %ld seconds", respawn_delta);
+               (void)job_assumes(j, kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, respawn_delta, j) != -1);
                job_ignore(j);
                return;
        }
                job_ignore(j);
                return;
        }
-
-       j->sent_sigterm_time = 0;
-
-       if (!j->legacy_mach_job) {
-               sipc = (!SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices));
+       
+       if (likely(!j->legacy_mach_job)) {
+               sipc = ((!SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices)) && !j->deny_job_creation) || j->embedded_special_privileges;
        }
 
        }
 
-       j->checkedin = false;
-
        if (sipc) {
        if (sipc) {
-               job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, spair) != -1);
+               (void)job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, spair) != -1);
        }
        }
-
-       job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, execspair) != -1);
-
-       if (!j->legacy_mach_job && job_assumes(j, pipe(oepair) != -1)) {
+       
+       (void)job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, execspair) != -1);
+       
+       if (likely(!j->legacy_mach_job) && job_assumes(j, pipe(oepair) != -1)) {
                j->log_redirect_fd = _fd(oepair[0]);
                j->log_redirect_fd = _fd(oepair[0]);
-               job_assumes(j, fcntl(j->log_redirect_fd, F_SETFL, O_NONBLOCK) != -1);
-               job_assumes(j, kevent_mod(j->log_redirect_fd, EVFILT_READ, EV_ADD, 0, 0, j) != -1);
+               (void)job_assumes(j, fcntl(j->log_redirect_fd, F_SETFL, O_NONBLOCK) != -1);
+               (void)job_assumes(j, kevent_mod(j->log_redirect_fd, EVFILT_READ, EV_ADD, 0, 0, j) != -1);
        }
        }
-
-       j->start_time = tnow;
-
+       
        switch (c = runtime_fork(j->weird_bootstrap ? j->j_port : j->mgr->jm_port)) {
        case -1:
                job_log_error(j, LOG_ERR, "fork() failed, will try again in one second");
        switch (c = runtime_fork(j->weird_bootstrap ? j->j_port : j->mgr->jm_port)) {
        case -1:
                job_log_error(j, LOG_ERR, "fork() failed, will try again in one second");
-               job_assumes(j, runtime_close(execspair[0]) == 0);
-               job_assumes(j, runtime_close(execspair[1]) == 0);
+               (void)job_assumes(j, kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, 1, j) != -1);
+               job_ignore(j);
+               
+               (void)job_assumes(j, runtime_close(execspair[0]) == 0);
+               (void)job_assumes(j, runtime_close(execspair[1]) == 0);
                if (sipc) {
                if (sipc) {
-                       job_assumes(j, runtime_close(spair[0]) == 0);
-                       job_assumes(j, runtime_close(spair[1]) == 0);
+                       (void)job_assumes(j, runtime_close(spair[0]) == 0);
+                       (void)job_assumes(j, runtime_close(spair[1]) == 0);
+               }
+               if (likely(!j->legacy_mach_job)) {
+                       (void)job_assumes(j, runtime_close(oepair[0]) != -1);
+                       (void)job_assumes(j, runtime_close(oepair[1]) != -1);
+                       j->log_redirect_fd = 0;
                }
                break;
        case 0:
                }
                break;
        case 0:
-               if (_vproc_post_fork_ping()) {
+               if (unlikely(_vproc_post_fork_ping())) {
                        _exit(EXIT_FAILURE);
                }
                if (!j->legacy_mach_job) {
                        _exit(EXIT_FAILURE);
                }
                if (!j->legacy_mach_job) {
-                       job_assumes(j, dup2(oepair[1], STDOUT_FILENO) != -1);
-                       job_assumes(j, dup2(oepair[1], STDERR_FILENO) != -1);
-                       job_assumes(j, runtime_close(oepair[1]) != -1);
+                       (void)job_assumes(j, dup2(oepair[1], STDOUT_FILENO) != -1);
+                       (void)job_assumes(j, dup2(oepair[1], STDERR_FILENO) != -1);
+                       (void)job_assumes(j, runtime_close(oepair[1]) != -1);
                }
                }
-               job_assumes(j, runtime_close(execspair[0]) == 0);
+               (void)job_assumes(j, runtime_close(execspair[0]) == 0);
                /* wait for our parent to say they've attached a kevent to us */
                read(_fd(execspair[1]), &c, sizeof(c));
                /* wait for our parent to say they've attached a kevent to us */
                read(_fd(execspair[1]), &c, sizeof(c));
-
+               
                if (sipc) {
                if (sipc) {
-                       job_assumes(j, runtime_close(spair[0]) == 0);
+                       (void)job_assumes(j, runtime_close(spair[0]) == 0);
                        snprintf(nbuf, sizeof(nbuf), "%d", spair[1]);
                        setenv(LAUNCHD_TRUSTED_FD_ENV, nbuf, 1);
                }
                job_start_child(j);
                break;
        default:
                        snprintf(nbuf, sizeof(nbuf), "%d", spair[1]);
                        setenv(LAUNCHD_TRUSTED_FD_ENV, nbuf, 1);
                }
                job_start_child(j);
                break;
        default:
+               j->start_time = runtime_get_opaque_time();
+               
                job_log(j, LOG_DEBUG, "Started as PID: %u", c);
                job_log(j, LOG_DEBUG, "Started as PID: %u", c);
-
+               
+               j->did_exec = false;
+               j->xpcproxy_did_exec = false;
+               j->checkedin = false;
                j->start_pending = false;
                j->start_pending = false;
-
+               j->reaped = false;
+               j->crashed = false;
+               j->stopped = false;
+               if (j->needs_kickoff) {
+                       j->needs_kickoff = false;
+                       
+                       if (SLIST_EMPTY(&j->semaphores)) {
+                               j->ondemand = false;
+                       }
+               }
+               
+               if (j->has_console) {
+                       g_wsp = c;
+               }
+               
                runtime_add_ref();
                total_children++;
                LIST_INSERT_HEAD(&j->mgr->active_jobs[ACTIVE_JOB_HASH(c)], j, pid_hash_sle);
                runtime_add_ref();
                total_children++;
                LIST_INSERT_HEAD(&j->mgr->active_jobs[ACTIVE_JOB_HASH(c)], j, pid_hash_sle);
-
-               if (JOB_BOOTCACHE_HACK_CHECK(j)) {
-                       did_first_per_user_launchd_BootCache_hack = true;
-               }
-
-               if (!j->legacy_mach_job) {
-                       job_assumes(j, runtime_close(oepair[1]) != -1);
+               
+               if (likely(!j->legacy_mach_job)) {
+                       (void)job_assumes(j, runtime_close(oepair[1]) != -1);
                }
                j->p = c;
                }
                j->p = c;
-               if (j->hopefully_exits_first) {
-                       j->mgr->hopefully_first_cnt++;
-               } else if (!j->hopefully_exits_last) {
-                       j->mgr->normal_active_cnt++;
-               }
-               j->forkfd = _fd(execspair[0]);
-               job_assumes(j, runtime_close(execspair[1]) == 0);
+
+               j->mgr->normal_active_cnt++;
+               j->fork_fd = _fd(execspair[0]);
+               (void)job_assumes(j, runtime_close(execspair[1]) == 0);
                if (sipc) {
                if (sipc) {
-                       job_assumes(j, runtime_close(spair[1]) == 0);
+                       (void)job_assumes(j, runtime_close(spair[1]) == 0);
                        ipc_open(_fd(spair[0]), j);
                }
                if (job_assumes(j, kevent_mod(c, EVFILT_PROC, EV_ADD, proc_fflags, 0, root_jobmgr ? root_jobmgr : j->mgr) != -1)) {
                        ipc_open(_fd(spair[0]), j);
                }
                if (job_assumes(j, kevent_mod(c, EVFILT_PROC, EV_ADD, proc_fflags, 0, root_jobmgr ? root_jobmgr : j->mgr) != -1)) {
@@ -2569,53 +4200,41 @@ job_start(job_t j)
                } else {
                        job_reap(j);
                }
                } else {
                        job_reap(j);
                }
+               
+               j->wait4debugger_oneshot = false;
 
 
-               if (!j->stall_before_exec) {
+               struct envitem *ei = NULL, *et = NULL;
+               SLIST_FOREACH_SAFE(ei, &j->env, sle, et) {
+                       if (ei->one_shot) {
+                               SLIST_REMOVE(&j->env, ei, envitem, sle);
+                       }
+               }
+                       
+               if (likely(!j->stall_before_exec)) {
                        job_uncork_fork(j);
                }
                break;
        }
 }
 
                        job_uncork_fork(j);
                }
                break;
        }
 }
 
-void
-do_first_per_user_launchd_hack(void)
-{
-       char *bcct_tool[] = { "/usr/sbin/BootCacheControl", "tag", NULL };
-       int dummystatus;
-       pid_t bcp;
-
-       if (launchd_assumes((bcp = vfork()) != -1)) {
-               if (bcp == 0) {
-                       execve(bcct_tool[0], bcct_tool, environ);
-                       _exit(EXIT_FAILURE);
-               } else {
-                       launchd_assumes(waitpid(bcp, &dummystatus, 0) != -1);
-               }
-       }
-}
-
 void
 job_start_child(job_t j)
 {
 void
 job_start_child(job_t j)
 {
+       typeof(posix_spawn) *psf;
        const char *file2exec = "/usr/libexec/launchproxy";
        const char **argv;
        posix_spawnattr_t spattr;
        int gflags = GLOB_NOSORT|GLOB_NOCHECK|GLOB_TILDE|GLOB_DOOFFS;
        const char *file2exec = "/usr/libexec/launchproxy";
        const char **argv;
        posix_spawnattr_t spattr;
        int gflags = GLOB_NOSORT|GLOB_NOCHECK|GLOB_TILDE|GLOB_DOOFFS;
-       pid_t junk_pid;
        glob_t g;
        short spflags = POSIX_SPAWN_SETEXEC;
        size_t binpref_out_cnt = 0;
        glob_t g;
        short spflags = POSIX_SPAWN_SETEXEC;
        size_t binpref_out_cnt = 0;
-       int i;
-
-       if (JOB_BOOTCACHE_HACK_CHECK(j)) {
-               do_first_per_user_launchd_hack();
-       }
+       size_t i;
 
 
-       job_assumes(j, posix_spawnattr_init(&spattr) == 0);
+       (void)job_assumes(j, posix_spawnattr_init(&spattr) == 0);
 
        job_setup_attributes(j);
 
 
        job_setup_attributes(j);
 
-       if (j->argv && j->globargv) {
+       if (unlikely(j->argv && j->globargv)) {
                g.gl_offs = 1;
                for (i = 0; i < j->argc; i++) {
                        if (i > 0) {
                g.gl_offs = 1;
                for (i = 0; i < j->argc; i++) {
                        if (i > 0) {
@@ -2628,7 +4247,7 @@ job_start_child(job_t j)
                }
                g.gl_pathv[0] = (char *)file2exec;
                argv = (const char **)g.gl_pathv;
                }
                g.gl_pathv[0] = (char *)file2exec;
                argv = (const char **)g.gl_pathv;
-       } else if (j->argv) {
+       } else if (likely(j->argv)) {
                argv = alloca((j->argc + 2) * sizeof(char *));
                argv[0] = file2exec;
                for (i = 0; i < j->argc; i++) {
                argv = alloca((j->argc + 2) * sizeof(char *));
                argv[0] = file2exec;
                for (i = 0; i < j->argc; i++) {
@@ -2642,32 +4261,42 @@ job_start_child(job_t j)
                argv[2] = NULL;
        }
 
                argv[2] = NULL;
        }
 
-       if (!j->inetcompat) {
+       if (likely(!j->inetcompat)) {
                argv++;
        }
 
                argv++;
        }
 
-       if (j->wait4debugger) {
-               job_log(j, LOG_WARNING, "Spawned and waiting for the debugger to attach before continuing...");
+       if (unlikely(j->wait4debugger || j->wait4debugger_oneshot)) {
+               if (!j->legacy_LS_job) {
+                       job_log(j, LOG_WARNING, "Spawned and waiting for the debugger to attach before continuing...");
+               }
                spflags |= POSIX_SPAWN_START_SUSPENDED;
        }
 
                spflags |= POSIX_SPAWN_START_SUSPENDED;
        }
 
-       job_assumes(j, posix_spawnattr_setflags(&spattr, spflags) == 0);
+       if (unlikely(j->disable_aslr)) {
+               spflags |= _POSIX_SPAWN_DISABLE_ASLR;
+       }
+       spflags |= j->pstype;
+
+       (void)job_assumes(j, posix_spawnattr_setflags(&spattr, spflags) == 0);
 
 
-       if (j->j_binpref_cnt) {
-               job_assumes(j, posix_spawnattr_setbinpref_np(&spattr, j->j_binpref_cnt, j->j_binpref, &binpref_out_cnt) == 0);
-               job_assumes(j, binpref_out_cnt == j->j_binpref_cnt);
+       if (unlikely(j->j_binpref_cnt)) {
+               (void)job_assumes(j, posix_spawnattr_setbinpref_np(&spattr, j->j_binpref_cnt, j->j_binpref, &binpref_out_cnt) == 0);
+               (void)job_assumes(j, binpref_out_cnt == j->j_binpref_cnt);
        }
 
        }
 
+#if HAVE_QUARANTINE
        if (j->quarantine_data) {
                qtn_proc_t qp;
 
                if (job_assumes(j, qp = qtn_proc_alloc())) {
                        if (job_assumes(j, qtn_proc_init_with_data(qp, j->quarantine_data, j->quarantine_data_sz) == 0)) {
        if (j->quarantine_data) {
                qtn_proc_t qp;
 
                if (job_assumes(j, qp = qtn_proc_alloc())) {
                        if (job_assumes(j, qtn_proc_init_with_data(qp, j->quarantine_data, j->quarantine_data_sz) == 0)) {
-                               job_assumes(j, qtn_proc_apply_to_self(qp) == 0);
+                               (void)job_assumes(j, qtn_proc_apply_to_self(qp) == 0);
                        }
                }
        }
                        }
                }
        }
+#endif
 
 
+#if HAVE_SANDBOX
        if (j->seatbelt_profile) {
                char *seatbelt_err_buf = NULL;
 
        if (j->seatbelt_profile) {
                char *seatbelt_err_buf = NULL;
 
@@ -2678,17 +4307,28 @@ job_start_child(job_t j)
                        goto out_bad;
                }
        }
                        goto out_bad;
                }
        }
+#endif
+
+       psf = j->prog ? posix_spawn : posix_spawnp;
+
+       if (likely(!j->inetcompat)) {
+               file2exec = j->prog ? j->prog : argv[0];
+       }
 
 
-       if (j->prog) {
-               errno = posix_spawn(&junk_pid, j->inetcompat ? file2exec : j->prog, NULL, &spattr, (char *const*)argv, environ);
-               job_log_error(j, LOG_ERR, "posix_spawn(\"%s\", ...)", j->prog);
-       } else {
-               errno = posix_spawnp(&junk_pid, j->inetcompat ? file2exec : argv[0], NULL, &spattr, (char *const*)argv, environ);
-               job_log_error(j, LOG_ERR, "posix_spawnp(\"%s\", ...)", argv[0]);
+       errno = psf(NULL, file2exec, NULL, &spattr, (char *const *)argv, environ);
+       if (errno != EBADARCH) {
+               int level = LOG_ERR;
+               if ((j->fail_cnt++ % LAUNCHD_LOG_FAILED_EXEC_FREQ) != 0) {
+                       level = LOG_DEBUG;
+               }
+               job_log_error(j, level, "posix_spawn(\"%s\", ...)", file2exec);
+               errno = EXIT_FAILURE;
        }
 
        }
 
+#if HAVE_SANDBOX
 out_bad:
 out_bad:
-       _exit(EXIT_FAILURE);
+#endif
+       _exit(errno);
 }
 
 void
 }
 
 void
@@ -2731,7 +4371,7 @@ jobmgr_setup_env_from_other_jobs(jobmgr_t jm)
                jobmgr_setup_env_from_other_jobs(jm->parentmgr);
        }
 
                jobmgr_setup_env_from_other_jobs(jm->parentmgr);
        }
 
-       LIST_FOREACH(ji, &jm->jobs, sle) {
+       LIST_FOREACH(ji, &jm->global_env_jobs, global_env_sle) {
                SLIST_FOREACH(ei, &ji->global_env, sle) {
                        setenv(ei->key, ei->value, 1);
                }
                SLIST_FOREACH(ei, &ji->global_env, sle) {
                        setenv(ei->key, ei->value, 1);
                }
@@ -2739,44 +4379,143 @@ jobmgr_setup_env_from_other_jobs(jobmgr_t jm)
 }
 
 void
 }
 
 void
-job_find_and_blame_pids_with_weird_uids(job_t j)
+job_log_pids_with_weird_uids(job_t j)
 {
 {
-       int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_ALL };
-       size_t i, kp_cnt, len = 10*1024*1024;
-       struct kinfo_proc *kp = malloc(len);
+       size_t len = sizeof(pid_t) * get_kern_max_proc();
+       pid_t *pids = NULL;
        uid_t u = j->mach_uid;
        uid_t u = j->mach_uid;
+       int i = 0, kp_cnt = 0;
+       
+       if (!do_apple_internal_logging) {
+               return;
+       }
 
 
-       if (!job_assumes(j, kp != NULL)) {
+       pids = malloc(len);
+       if (!job_assumes(j, pids != NULL)) {
                return;
        }
                return;
        }
-       if (!job_assumes(j, sysctl(mib, 3, kp, &len, NULL, 0) != -1)) {
+
+       runtime_ktrace(RTKT_LAUNCHD_FINDING_WEIRD_UIDS, j->p, u, 0);
+
+       /* libproc actually has some serious performance drawbacks when used over sysctl(3) in
+        * scenarios like this. Whereas sysctl(3) can give us back all the kinfo_proc's in
+        * one kernel call, libproc requires that we get a list of PIDs we're interested in
+        * (in this case, all PIDs on the system) and then get a single proc_bsdshortinfo
+        * struct back in a single call for each one.
+        *
+        * This kind of thing is also more inherently racy than sysctl(3). While sysctl(3)
+        * returns a snapshot, it returns the whole shebang at once. Any PIDs given to us by
+        * libproc could go stale before we call proc_pidinfo().
+        *
+        * Note that proc_list*() APIs return the number of PIDs given back, not the number
+        * of bytes written to the buffer.
+        */
+       if (!job_assumes(j, (kp_cnt = proc_listallpids(pids, len)) != -1)) {
                goto out;
        }
 
                goto out;
        }
 
-       kp_cnt = len / sizeof(struct kinfo_proc);
-
        for (i = 0; i < kp_cnt; i++) {
        for (i = 0; i < kp_cnt; i++) {
-               uid_t i_euid = kp[i].kp_eproc.e_ucred.cr_uid;
-               uid_t i_uid = kp[i].kp_eproc.e_pcred.p_ruid;
-               uid_t i_svuid = kp[i].kp_eproc.e_pcred.p_svuid;
-               pid_t i_pid = kp[i].kp_proc.p_pid;
+               struct proc_bsdshortinfo proc;
+               /* We perhaps should not log a bug here if we get ESRCH back, due to the race
+                * detailed above.
+                */
+               if (proc_pidinfo(pids[i], PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               job_assumes(j, errno == 0);
+                       }
+                       continue;
+               }
+               
+               uid_t i_euid = proc.pbsi_uid;
+               uid_t i_uid = proc.pbsi_ruid;
+               uid_t i_svuid = proc.pbsi_svuid;
+               pid_t i_pid = pids[i];
 
                if (i_euid != u && i_uid != u && i_svuid != u) {
                        continue;
                }
 
 
                if (i_euid != u && i_uid != u && i_svuid != u) {
                        continue;
                }
 
-               job_log(j, LOG_ERR, "PID %u \"%s\" has no account to back it! Real/effective/saved UIDs: %u/%u/%u",
-                               i_pid, kp[i].kp_proc.p_comm, i_uid, i_euid, i_svuid);
+               job_log(j, LOG_ERR, "PID %u \"%s\" has no account to back it! Real/effective/saved UIDs: %u/%u/%u", i_pid, proc.pbsi_comm, i_uid, i_euid, i_svuid);
 
 /* Temporarily disabled due to 5423935 and 4946119. */
 #if 0
                /* Ask the accountless process to exit. */
 
 /* Temporarily disabled due to 5423935 and 4946119. */
 #if 0
                /* Ask the accountless process to exit. */
-               job_assumes(j, runtime_kill(i_pid, SIGTERM) != -1);
+               (void)job_assumes(j, runtime_kill(i_pid, SIGTERM) != -1);
 #endif
        }
 
 out:
 #endif
        }
 
 out:
-       free(kp);
+       free(pids);
+}
+
+void
+job_postfork_test_user(job_t j)
+{
+       /* This function is all about 5201578 */
+
+       const char *home_env_var = getenv("HOME");
+       const char *user_env_var = getenv("USER");
+       const char *logname_env_var = getenv("LOGNAME");
+       uid_t tmp_uid, local_uid = getuid();
+       gid_t tmp_gid, local_gid = getgid();
+       char shellpath[PATH_MAX];
+       char homedir[PATH_MAX];
+       char loginname[2000];
+       struct passwd *pwe;
+
+
+       if (!job_assumes(j, home_env_var && user_env_var && logname_env_var
+                               && strcmp(user_env_var, logname_env_var) == 0)) {
+               goto out_bad;
+       }
+
+       if ((pwe = getpwnam(user_env_var)) == NULL) {
+               job_log(j, LOG_ERR, "The account \"%s\" has been deleted out from under us!", user_env_var);
+               goto out_bad;
+       }
+
+       /*
+        * We must copy the results of getpw*().
+        *
+        * Why? Because subsequent API calls may call getpw*() as a part of
+        * their implementation. Since getpw*() returns a [now thread scoped]
+        * global, we must therefore cache the results before continuing.
+        */
+
+       tmp_uid = pwe->pw_uid;
+       tmp_gid = pwe->pw_gid;
+
+       strlcpy(shellpath, pwe->pw_shell, sizeof(shellpath));
+       strlcpy(loginname, pwe->pw_name, sizeof(loginname));
+       strlcpy(homedir, pwe->pw_dir, sizeof(homedir));
+
+       if (strcmp(loginname, logname_env_var) != 0) {
+               job_log(j, LOG_ERR, "The %s environmental variable changed out from under us!", "USER");
+               goto out_bad;
+       }
+       if (strcmp(homedir, home_env_var) != 0) {
+               job_log(j, LOG_ERR, "The %s environmental variable changed out from under us!", "HOME");
+               goto out_bad;
+       }
+       if (local_uid != tmp_uid) {
+               job_log(j, LOG_ERR, "The %cID of the account (%u) changed out from under us (%u)!",
+                               'U', tmp_uid, local_uid);
+               goto out_bad;
+       }
+       if (local_gid != tmp_gid) {
+               job_log(j, LOG_ERR, "The %cID of the account (%u) changed out from under us (%u)!",
+                               'G', tmp_gid, local_gid);
+               goto out_bad;
+       }
+
+       return;
+out_bad:
+#if 0
+       (void)job_assumes(j, runtime_kill(getppid(), SIGTERM) != -1);
+       _exit(EXIT_FAILURE);
+#else
+       job_log(j, LOG_WARNING, "In a future build of the OS, this error will be fatal.");
+#endif
 }
 
 void
 }
 
 void
@@ -2792,7 +4531,7 @@ job_postfork_become_user(job_t j)
        uid_t desired_uid = -1;
 
        if (getuid() != 0) {
        uid_t desired_uid = -1;
 
        if (getuid() != 0) {
-               return;
+               return job_postfork_test_user(j);
        }
 
        /*
        }
 
        /*
@@ -2811,7 +4550,7 @@ job_postfork_become_user(job_t j)
        } else if (j->mach_uid) {
                if ((pwe = getpwuid(j->mach_uid)) == NULL) {
                        job_log(j, LOG_ERR, "getpwuid(\"%u\") failed", j->mach_uid);
        } else if (j->mach_uid) {
                if ((pwe = getpwuid(j->mach_uid)) == NULL) {
                        job_log(j, LOG_ERR, "getpwuid(\"%u\") failed", j->mach_uid);
-                       job_find_and_blame_pids_with_weird_uids(j);
+                       job_log_pids_with_weird_uids(j);
                        _exit(EXIT_FAILURE);
                }
        } else {
                        _exit(EXIT_FAILURE);
                }
        } else {
@@ -2833,22 +4572,22 @@ job_postfork_become_user(job_t j)
        strlcpy(loginname, pwe->pw_name, sizeof(loginname));
        strlcpy(homedir, pwe->pw_dir, sizeof(homedir));
 
        strlcpy(loginname, pwe->pw_name, sizeof(loginname));
        strlcpy(homedir, pwe->pw_dir, sizeof(homedir));
 
-       if (pwe->pw_expire && time(NULL) >= pwe->pw_expire) {
+       if (unlikely(pwe->pw_expire && time(NULL) >= pwe->pw_expire)) {
                job_log(j, LOG_ERR, "Expired account");
                _exit(EXIT_FAILURE);
        }
 
 
                job_log(j, LOG_ERR, "Expired account");
                _exit(EXIT_FAILURE);
        }
 
 
-       if (j->username && strcmp(j->username, loginname) != 0) {
+       if (unlikely(j->username && strcmp(j->username, loginname) != 0)) {
                job_log(j, LOG_WARNING, "Suspicious setup: User \"%s\" maps to user: %s", j->username, loginname);
                job_log(j, LOG_WARNING, "Suspicious setup: User \"%s\" maps to user: %s", j->username, loginname);
-       } else if (j->mach_uid && (j->mach_uid != desired_uid)) {
+       } else if (unlikely(j->mach_uid && (j->mach_uid != desired_uid))) {
                job_log(j, LOG_WARNING, "Suspicious setup: UID %u maps to UID %u", j->mach_uid, desired_uid);
        }
 
        if (j->groupname) {
                struct group *gre;
 
                job_log(j, LOG_WARNING, "Suspicious setup: UID %u maps to UID %u", j->mach_uid, desired_uid);
        }
 
        if (j->groupname) {
                struct group *gre;
 
-               if ((gre = getgrnam(j->groupname)) == NULL) {
+               if (unlikely((gre = getgrnam(j->groupname)) == NULL)) {
                        job_log(j, LOG_ERR, "getgrnam(\"%s\") failed", j->groupname);
                        _exit(EXIT_FAILURE);
                }
                        job_log(j, LOG_ERR, "getgrnam(\"%s\") failed", j->groupname);
                        _exit(EXIT_FAILURE);
                }
@@ -2869,10 +4608,25 @@ job_postfork_become_user(job_t j)
         * called after setgid(). See 4616864 for more information.
         */
 
         * called after setgid(). See 4616864 for more information.
         */
 
-       if (!j->no_init_groups) {
+       if (likely(!j->no_init_groups)) {
+       #if 1
                if (!job_assumes(j, initgroups(loginname, desired_gid) != -1)) {
                        _exit(EXIT_FAILURE);
                }
                if (!job_assumes(j, initgroups(loginname, desired_gid) != -1)) {
                        _exit(EXIT_FAILURE);
                }
+       #else
+               /* Do our own little initgroups(). We do this to guarantee that we're
+                * always opted into dynamic group resolution in the kernel. initgroups(3)
+                * does not make this guarantee.
+                */
+               int groups[NGROUPS], ngroups;
+               
+               /* A failure here isn't fatal, and we'll still get data we can use. */
+               (void)job_assumes(j, getgrouplist(j->username, desired_gid, groups, &ngroups) != -1);
+               
+               if (!job_assumes(j, syscall(SYS_initgroups, ngroups, groups, desired_uid) != -1)) {
+                       _exit(EXIT_FAILURE);
+               }
+       #endif
        }
 
        if (!job_assumes(j, setuid(desired_uid) != -1)) {
        }
 
        if (!job_assumes(j, setuid(desired_uid) != -1)) {
@@ -2881,7 +4635,7 @@ job_postfork_become_user(job_t j)
 
        r = confstr(_CS_DARWIN_USER_TEMP_DIR, tmpdirpath, sizeof(tmpdirpath));
 
 
        r = confstr(_CS_DARWIN_USER_TEMP_DIR, tmpdirpath, sizeof(tmpdirpath));
 
-       if (r > 0 && r < sizeof(tmpdirpath)) {
+       if (likely(r > 0 && r < sizeof(tmpdirpath))) {
                setenv("TMPDIR", tmpdirpath, 0);
        }
 
                setenv("TMPDIR", tmpdirpath, 0);
        }
 
@@ -2897,8 +4651,8 @@ job_setup_attributes(job_t j)
        struct limititem *li;
        struct envitem *ei;
 
        struct limititem *li;
        struct envitem *ei;
 
-       if (j->setnice) {
-               job_assumes(j, setpriority(PRIO_PROCESS, 0, j->nice) != -1);
+       if (unlikely(j->setnice)) {
+               (void)job_assumes(j, setpriority(PRIO_PROCESS, 0, j->nice) != -1);
        }
 
        SLIST_FOREACH(li, &j->limits, sle) {
        }
 
        SLIST_FOREACH(li, &j->limits, sle) {
@@ -2920,30 +4674,35 @@ job_setup_attributes(job_t j)
                }
        }
 
                }
        }
 
-       if (!j->inetcompat && j->session_create) {
+       if (unlikely(!j->inetcompat && j->session_create)) {
                launchd_SessionCreate();
        }
 
                launchd_SessionCreate();
        }
 
-       if (j->low_pri_io) {
-               job_assumes(j, setiopolicy_np(IOPOL_TYPE_DISK, IOPOL_SCOPE_PROCESS, IOPOL_THROTTLE) != -1);
+       if (unlikely(j->low_pri_io)) {
+               (void)job_assumes(j, setiopolicy_np(IOPOL_TYPE_DISK, IOPOL_SCOPE_PROCESS, IOPOL_THROTTLE) != -1);
        }
        }
-       if (j->rootdir) {
-               job_assumes(j, chroot(j->rootdir) != -1);
-               job_assumes(j, chdir(".") != -1);
+       if (unlikely(j->rootdir)) {
+               (void)job_assumes(j, chroot(j->rootdir) != -1);
+               (void)job_assumes(j, chdir(".") != -1);
        }
 
        job_postfork_become_user(j);
 
        }
 
        job_postfork_become_user(j);
 
-       if (j->workingdir) {
-               job_assumes(j, chdir(j->workingdir) != -1);
+       if (unlikely(j->workingdir)) {
+               (void)job_assumes(j, chdir(j->workingdir) != -1);
        }
 
        }
 
-       if (j->setmask) {
+       if (unlikely(j->setmask)) {
                umask(j->mask);
        }
 
                umask(j->mask);
        }
 
-       job_setup_fd(j, STDOUT_FILENO, j->stdoutpath, O_WRONLY|O_APPEND|O_CREAT);
-       job_setup_fd(j, STDERR_FILENO, j->stderrpath, O_WRONLY|O_APPEND|O_CREAT);
+       if (j->stdin_fd) {
+               (void)job_assumes(j, dup2(j->stdin_fd, STDIN_FILENO) != -1);
+       } else {
+               job_setup_fd(j, STDIN_FILENO, j->stdinpath, O_RDONLY|O_CREAT);
+       }
+       job_setup_fd(j, STDOUT_FILENO, j->stdoutpath, O_WRONLY|O_CREAT|O_APPEND);
+       job_setup_fd(j, STDERR_FILENO, j->stderrpath, O_WRONLY|O_CREAT|O_APPEND);
 
        jobmgr_setup_env_from_other_jobs(j->mgr);
 
 
        jobmgr_setup_env_from_other_jobs(j->mgr);
 
@@ -2951,15 +4710,34 @@ job_setup_attributes(job_t j)
                setenv(ei->key, ei->value, 1);
        }
 
                setenv(ei->key, ei->value, 1);
        }
 
+       if (do_apple_internal_logging) {
+               setenv(LAUNCHD_DO_APPLE_INTERNAL_LOGGING, "true", 1);
+       }
+
+#if !TARGET_OS_EMBEDDED        
+       if (j->jetsam_properties) {
+               (void)job_assumes(j, proc_setpcontrol(PROC_SETPC_TERMINATE) == 0);
+       }
+#endif
+
+#if TARGET_OS_EMBEDDED
+       if (j->main_thread_priority != 0) {
+               struct sched_param params;
+               bzero(&params, sizeof(params));
+               params.sched_priority = j->main_thread_priority;
+               (void)job_assumes(j, pthread_setschedparam(pthread_self(), SCHED_OTHER, &params) != -1);
+       }
+#endif
+
        /*
         * We'd like to call setsid() unconditionally, but we have reason to
         * believe that prevents launchd from being able to send signals to
         * setuid children. We'll settle for process-groups.
         */
        if (getppid() != 1) {
        /*
         * We'd like to call setsid() unconditionally, but we have reason to
         * believe that prevents launchd from being able to send signals to
         * setuid children. We'll settle for process-groups.
         */
        if (getppid() != 1) {
-               job_assumes(j, setpgid(0, 0) != -1);
+               (void)job_assumes(j, setpgid(0, 0) != -1);
        } else {
        } else {
-               job_assumes(j, setsid() != -1);
+               (void)job_assumes(j, setsid() != -1);
        }
 }
 
        }
 }
 
@@ -2977,8 +4755,8 @@ job_setup_fd(job_t j, int target_fd, const char *path, int flags)
                return;
        }
 
                return;
        }
 
-       job_assumes(j, dup2(fd, target_fd) != -1);
-       job_assumes(j, runtime_close(fd) == 0);
+       (void)job_assumes(j, dup2(fd, target_fd) != -1);
+       (void)job_assumes(j, runtime_close(fd) == 0);
 }
 
 int
 }
 
 int
@@ -2988,7 +4766,7 @@ dir_has_files(job_t j, const char *path)
        struct dirent *de;
        bool r = 0;
 
        struct dirent *de;
        bool r = 0;
 
-       if (!dd) {
+       if (unlikely(!dd)) {
                return -1;
        }
 
                return -1;
        }
 
@@ -2999,7 +4777,7 @@ dir_has_files(job_t j, const char *path)
                }
        }
 
                }
        }
 
-       job_assumes(j, closedir(dd) == 0);
+       (void)job_assumes(j, closedir(dd) == 0);
        return r;
 }
 
        return r;
 }
 
@@ -3044,9 +4822,6 @@ calendarinterval_setalarm(job_t j, struct calendarinterval *ci)
 
        head_later = LIST_FIRST(&sorted_calendar_events)->when_next;
 
 
        head_later = LIST_FIRST(&sorted_calendar_events)->when_next;
 
-       /* Workaround 5225889 */
-       kevent_mod((uintptr_t)&sorted_calendar_events, EVFILT_TIMER, EV_DELETE, 0, 0, root_jobmgr);
-
        if (job_assumes(j, kevent_mod((uintptr_t)&sorted_calendar_events, EVFILT_TIMER, EV_ADD, NOTE_ABSOLUTE|NOTE_SECONDS, head_later, root_jobmgr) != -1)) {
                char time_string[100];
                size_t time_string_len;
        if (job_assumes(j, kevent_mod((uintptr_t)&sorted_calendar_events, EVFILT_TIMER, EV_ADD, NOTE_ABSOLUTE|NOTE_SECONDS, head_later, root_jobmgr) != -1)) {
                char time_string[100];
                size_t time_string_len;
@@ -3054,7 +4829,7 @@ calendarinterval_setalarm(job_t j, struct calendarinterval *ci)
                ctime_r(&later, time_string);
                time_string_len = strlen(time_string);
 
                ctime_r(&later, time_string);
                time_string_len = strlen(time_string);
 
-               if (time_string_len && time_string[time_string_len - 1] == '\n') {
+               if (likely(time_string_len && time_string[time_string_len - 1] == '\n')) {
                        time_string[time_string_len - 1] = '\0';
                }
 
                        time_string[time_string_len - 1] = '\0';
                }
 
@@ -3079,45 +4854,66 @@ extract_rcsid_substr(const char *i, char *o, size_t osz)
 }
 
 void
 }
 
 void
-jobmgr_log_bug(jobmgr_t jm, const char *rcs_rev, const char *path, unsigned int line, const char *test)
+jobmgr_log_bug(jobmgr_t jm, unsigned int line)
 {
 {
+       static const char *file;
        int saved_errno = errno;
        int saved_errno = errno;
-       const char *file = strrchr(path, '/');
        char buf[100];
 
        char buf[100];
 
-       extract_rcsid_substr(rcs_rev, buf, sizeof(buf));
+       runtime_ktrace1(RTKT_LAUNCHD_BUG);
+
+       extract_rcsid_substr(__rcs_file_version__, buf, sizeof(buf));
 
        if (!file) {
 
        if (!file) {
-               file = path;
-       } else {
-               file += 1;
+               file = strrchr(__FILE__, '/');
+               if (!file) {
+                       file = __FILE__;
+               } else {
+                       file += 1;
+               }
        }
 
        }
 
-       jobmgr_log(jm, LOG_NOTICE, "Bug: %s:%u (%s):%u: %s", file, line, buf, saved_errno, test);
+       /* the only time 'jm' should not be set is if setting up the first bootstrap fails for some reason */
+       if (likely(jm)) {
+               jobmgr_log(jm, LOG_NOTICE, "Bug: %s:%u (%s):%u", file, line, buf, saved_errno);
+       } else {
+               runtime_syslog(LOG_NOTICE, "Bug: %s:%u (%s):%u", file, line, buf, saved_errno);
+       }
 }
 
 void
 }
 
 void
-job_log_bug(job_t j, const char *rcs_rev, const char *path, unsigned int line, const char *test)
+job_log_bug(job_t j, unsigned int line)
 {
 {
+       static const char *file;
        int saved_errno = errno;
        int saved_errno = errno;
-       const char *file = strrchr(path, '/');
        char buf[100];
 
        char buf[100];
 
-       extract_rcsid_substr(rcs_rev, buf, sizeof(buf));
+       runtime_ktrace1(RTKT_LAUNCHD_BUG);
+
+       extract_rcsid_substr(__rcs_file_version__, buf, sizeof(buf));
 
        if (!file) {
 
        if (!file) {
-               file = path;
-       } else {
-               file += 1;
+               file = strrchr(__FILE__, '/');
+               if (!file) {
+                       file = __FILE__;
+               } else {
+                       file += 1;
+               }
        }
 
        }
 
-       job_log(j, LOG_NOTICE, "Bug: %s:%u (%s):%u: %s", file, line, buf, saved_errno, test);
+       if (likely(j)) {
+               job_log(j, LOG_NOTICE, "Bug: %s:%u (%s):%u", file, line, buf, saved_errno);
+       } else {
+               runtime_syslog(LOG_NOTICE, "Bug: %s:%u (%s):%u", file, line, buf, saved_errno);
+       }
 }
 
 void
 job_logv(job_t j, int pri, int err, const char *msg, va_list ap)
 {
 }
 
 void
 job_logv(job_t j, int pri, int err, const char *msg, va_list ap)
 {
-       struct runtime_syslog_attr attr = { "com.apple.launchd", j->label, j->mgr->name, pri, getuid(), getpid(), j->p };
+       const char *label2use = j ? j->label : "com.apple.launchd.NULL";
+       const char *mgr2use = j ? j->mgr->name : "NULL";
+       struct runtime_syslog_attr attr = { g_my_label, label2use, mgr2use, pri, getuid(), getpid(), j ? j->p : 0 };
        char *newmsg;
        int oldmask = 0;
        size_t newmsgsz;
        char *newmsg;
        int oldmask = 0;
        size_t newmsgsz;
@@ -3135,18 +4931,26 @@ job_logv(job_t j, int pri, int err, const char *msg, va_list ap)
        newmsg = alloca(newmsgsz);
 
        if (err) {
        newmsg = alloca(newmsgsz);
 
        if (err) {
+#if !TARGET_OS_EMBEDDED
                snprintf(newmsg, newmsgsz, "%s: %s", msg, strerror(err));
                snprintf(newmsg, newmsgsz, "%s: %s", msg, strerror(err));
+#else
+               snprintf(newmsg, newmsgsz, "(%s) %s: %s", label2use, msg, strerror(err));
+#endif
        } else {
        } else {
+#if !TARGET_OS_EMBEDDED
                snprintf(newmsg, newmsgsz, "%s", msg);
                snprintf(newmsg, newmsgsz, "%s", msg);
+#else
+               snprintf(newmsg, newmsgsz, "(%s) %s", label2use, msg);
+#endif
        }
 
        }
 
-       if (j->debug) {
+       if (j && unlikely(j->debug)) {
                oldmask = setlogmask(LOG_UPTO(LOG_DEBUG));
        }
 
        runtime_vsyslog(&attr, newmsg, ap);
 
                oldmask = setlogmask(LOG_UPTO(LOG_DEBUG));
        }
 
        runtime_vsyslog(&attr, newmsg, ap);
 
-       if (j->debug) {
+       if (j && unlikely(j->debug)) {
                setlogmask(oldmask);
        }
 }
                setlogmask(oldmask);
        }
 }
@@ -3222,7 +5026,7 @@ jobmgr_logv(jobmgr_t jm, int pri, int err, const char *msg, va_list ap)
        if (jm->parentmgr) {
                jobmgr_logv(jm->parentmgr, pri, 0, newmsg, ap);
        } else {
        if (jm->parentmgr) {
                jobmgr_logv(jm->parentmgr, pri, 0, newmsg, ap);
        } else {
-               struct runtime_syslog_attr attr = { "com.apple.launchd", "com.apple.launchd", jm->name, pri, getuid(), getpid(), getpid() };
+               struct runtime_syslog_attr attr = { g_my_label, g_my_label, jm->name, pri, getuid(), getpid(), getpid() };
 
                runtime_vsyslog(&attr, newmsg, ap);
        }
 
                runtime_vsyslog(&attr, newmsg, ap);
        }
@@ -3233,48 +5037,72 @@ semaphoreitem_ignore(job_t j, struct semaphoreitem *si)
 {
        if (si->fd != -1) {
                job_log(j, LOG_DEBUG, "Ignoring Vnode: %d", si->fd);
 {
        if (si->fd != -1) {
                job_log(j, LOG_DEBUG, "Ignoring Vnode: %d", si->fd);
-               job_assumes(j, kevent_mod(si->fd, EVFILT_VNODE, EV_DELETE, 0, 0, NULL) != -1);
+               (void)job_assumes(j, kevent_mod(si->fd, EVFILT_VNODE, EV_DELETE, 0, 0, NULL) != -1);
        }
 }
 
 void
 semaphoreitem_watch(job_t j, struct semaphoreitem *si)
 {
        }
 }
 
 void
 semaphoreitem_watch(job_t j, struct semaphoreitem *si)
 {
-       char parentdir_path[PATH_MAX], *which_path = si->what;
+       char *parentdir, tmp_path[PATH_MAX];
        int saved_errno = 0;
        int saved_errno = 0;
-       int fflags = 0;
-       
-       strlcpy(parentdir_path, dirname(si->what), sizeof(parentdir_path));
+       int fflags = NOTE_DELETE|NOTE_RENAME;
 
        switch (si->why) {
 
        switch (si->why) {
-       case PATH_EXISTS:
-               fflags = NOTE_DELETE|NOTE_RENAME|NOTE_REVOKE|NOTE_EXTEND|NOTE_WRITE;
-               break;
-       case PATH_MISSING:
-               fflags = NOTE_DELETE|NOTE_RENAME;
-               break;
        case DIR_NOT_EMPTY:
        case PATH_CHANGES:
        case DIR_NOT_EMPTY:
        case PATH_CHANGES:
-               fflags = NOTE_DELETE|NOTE_RENAME|NOTE_REVOKE|NOTE_EXTEND|NOTE_WRITE|NOTE_ATTRIB|NOTE_LINK;
+               fflags |= NOTE_ATTRIB|NOTE_LINK;
+               /* fall through */
+       case PATH_EXISTS:
+               fflags |= NOTE_REVOKE|NOTE_EXTEND|NOTE_WRITE;
+               /* fall through */
+       case PATH_MISSING:
                break;
        default:
                return;
        }
 
                break;
        default:
                return;
        }
 
+       /* dirname() may modify tmp_path */
+       strlcpy(tmp_path, si->what, sizeof(tmp_path));
+
+       if (!job_assumes(j, (parentdir = dirname(tmp_path)))) {
+               return;
+       }
+
        /* See 5321044 for why we do the do-while loop and 5415523 for why ENOENT is checked */
        do {
                if (si->fd == -1) {
        /* See 5321044 for why we do the do-while loop and 5415523 for why ENOENT is checked */
        do {
                if (si->fd == -1) {
-                       if ((si->fd = _fd(open(which_path, O_EVTONLY|O_NOCTTY))) == -1) {
-                               which_path = parentdir_path;
-                               si->fd = _fd(open(which_path, O_EVTONLY|O_NOCTTY));
+                       struct stat sb;
+                       if (stat(si->what, &sb) == 0) {
+                               /* If we're watching a character or block device, only watch the parent directory. 
+                                * See rdar://problem/6489900 for the gory details. Basically, holding an open file
+                                * descriptor to a devnode could end up (a) blocking us on open(2) until someone else
+                                * open(2)s the file (like a character device that waits for a carrier signal) or 
+                                * (b) preventing other processes from obtaining an exclusive lock on the file, even
+                                * though we're opening it with O_EVTONLY.
+                                *
+                                * The main point of contention is that O_EVTONLY doesn't actually mean "event only".
+                                * It means "Don't prevent unmounts of this descriptor's volume". We work around this
+                                * for dev nodes by only watching the parent directory and stat(2)ing our desired file
+                                * each time the parent changes to see if it appeared or disappeared.
+                                */
+                               if (S_ISREG(sb.st_mode) || S_ISDIR(sb.st_mode)) {
+                                       si->fd = _fd(open(si->what, O_EVTONLY | O_NOCTTY | O_NONBLOCK));
+                               }
+                       }
+                       
+                       if (si->fd == -1) {
+                               si->watching_parent = job_assumes(j, (si->fd = _fd(open(parentdir, O_EVTONLY | O_NOCTTY | O_NONBLOCK))) != -1);
+                       } else {
+                               si->watching_parent = false;
                        }
                }
 
                if (si->fd == -1) {
                        }
                }
 
                if (si->fd == -1) {
-                       return job_log_error(j, LOG_ERR, "Path monitoring failed on \"%s\"", which_path);
+                       return job_log_error(j, LOG_ERR, "Path monitoring failed on \"%s\"", si->what);
                }
 
                }
 
-               job_log(j, LOG_DEBUG, "Watching Vnode: %d", si->fd);
+               job_log(j, LOG_DEBUG, "Watching %svnode (%s): %d", si->watching_parent ? "parent ": "", si->what, si->fd);
 
                if (kevent_mod(si->fd, EVFILT_VNODE, EV_ADD, fflags, 0, j) == -1) {
                        saved_errno = errno;
 
                if (kevent_mod(si->fd, EVFILT_VNODE, EV_ADD, fflags, 0, j) == -1) {
                        saved_errno = errno;
@@ -3284,10 +5112,10 @@ semaphoreitem_watch(job_t j, struct semaphoreitem *si)
                         * attached to short lived zombie processes after fork()
                         * but before kevent().
                         */
                         * attached to short lived zombie processes after fork()
                         * but before kevent().
                         */
-                       job_assumes(j, runtime_close(si->fd) == 0);
+                       (void)job_assumes(j, runtime_close(si->fd) == 0);
                        si->fd = -1;
                }
                        si->fd = -1;
                }
-       } while ((si->fd == -1) && (saved_errno == ENOENT));
+       } while (unlikely((si->fd == -1) && (saved_errno == ENOENT)));
 
        if (saved_errno == ENOTSUP) {
                /*
 
        if (saved_errno == ENOTSUP) {
                /*
@@ -3299,7 +5127,7 @@ semaphoreitem_watch(job_t j, struct semaphoreitem *si)
 
                if (!j->poll_for_vfs_changes) {
                        j->poll_for_vfs_changes = true;
 
                if (!j->poll_for_vfs_changes) {
                        j->poll_for_vfs_changes = true;
-                       job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, 3, j) != -1);
+                       (void)job_assumes(j, kevent_mod((uintptr_t)&j->semaphores, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, 3, j) != -1);
                }
        }
 }
                }
        }
 }
@@ -3316,6 +5144,7 @@ semaphoreitem_callback(job_t j, struct kevent *kev)
                case PATH_EXISTS:
                case PATH_MISSING:
                case DIR_NOT_EMPTY:
                case PATH_EXISTS:
                case PATH_MISSING:
                case DIR_NOT_EMPTY:
+                       job_log(j, LOG_DEBUG, "P%s changed (%u): %s", si->watching_parent ? "arent path" : "ath", si->why, si->what);
                        break;
                default:
                        continue;
                        break;
                default:
                        continue;
@@ -3352,26 +5181,42 @@ semaphoreitem_callback(job_t j, struct kevent *kev)
 
        if (invalidation_reason[0]) {
                job_log(j, LOG_DEBUG, "Path %s: %s", invalidation_reason, si->what);
 
        if (invalidation_reason[0]) {
                job_log(j, LOG_DEBUG, "Path %s: %s", invalidation_reason, si->what);
-               job_assumes(j, runtime_close(si->fd) == 0);
+               (void)job_assumes(j, runtime_close(si->fd) == 0);
                si->fd = -1; /* this will get fixed in semaphoreitem_watch() */
        }
 
                si->fd = -1; /* this will get fixed in semaphoreitem_watch() */
        }
 
-       job_log(j, LOG_DEBUG, "Watch path modified: %s", si->what);
-
-       if (si->why == PATH_CHANGES) {
-               j->start_pending = true;
+       if (!si->watching_parent) {
+               if (si->why == PATH_CHANGES) {
+                       j->start_pending = true;
+               } else {
+                       semaphoreitem_watch(j, si);
+               }
+       } else { /* Something happened to the parent directory. See if our target file appeared. */
+               if (!invalidation_reason[0]) {
+                       (void)job_assumes(j, runtime_close(si->fd) == 0);
+                       si->fd = -1; /* this will get fixed in semaphoreitem_watch() */
+                       semaphoreitem_watch(j, si);
+               }
+               /* Need to think about what should happen if the parent directory goes invalid. */
        }
        }
-
+       
        job_dispatch(j, false);
 }
 
        job_dispatch(j, false);
 }
 
+struct cal_dict_walk {
+       job_t j;
+       struct tm tmptm;
+};
+
 void
 calendarinterval_new_from_obj_dict_walk(launch_data_t obj, const char *key, void *context)
 {
 void
 calendarinterval_new_from_obj_dict_walk(launch_data_t obj, const char *key, void *context)
 {
-       struct tm *tmptm = context;
+       struct cal_dict_walk *cdw = context;
+       struct tm *tmptm = &cdw->tmptm;
+       job_t j = cdw->j;
        int64_t val;
 
        int64_t val;
 
-       if (LAUNCH_DATA_INTEGER != launch_data_get_type(obj)) {
+       if (unlikely(LAUNCH_DATA_INTEGER != launch_data_get_type(obj))) {
                /* hack to let caller know something went wrong */
                tmptm->tm_sec = -1;
                return;
                /* hack to let caller know something went wrong */
                tmptm->tm_sec = -1;
                return;
@@ -3379,48 +5224,76 @@ calendarinterval_new_from_obj_dict_walk(launch_data_t obj, const char *key, void
 
        val = launch_data_get_integer(obj);
 
 
        val = launch_data_get_integer(obj);
 
-       if (strcasecmp(key, LAUNCH_JOBKEY_CAL_MINUTE) == 0) {
-               tmptm->tm_min = val;
+       if (val < 0) {
+               job_log(j, LOG_WARNING, "The interval for key \"%s\" is less than zero.", key);
+       } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_MINUTE) == 0) {
+               if (val > 59) {
+                       job_log(j, LOG_WARNING, "The interval for key \"%s\" is not between 0 and 59 (inclusive).", key);
+                       tmptm->tm_sec = -1;
+               } else {
+                       tmptm->tm_min = (typeof(tmptm->tm_min)) val;
+               }
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_HOUR) == 0) {
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_HOUR) == 0) {
-               tmptm->tm_hour = val;
+               if (val > 23) {
+                       job_log(j, LOG_WARNING, "The interval for key \"%s\" is not between 0 and 23 (inclusive).", key);
+                       tmptm->tm_sec = -1;
+               } else {
+                       tmptm->tm_hour = (typeof(tmptm->tm_hour)) val;
+               }
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_DAY) == 0) {
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_DAY) == 0) {
-               tmptm->tm_mday = val;
+               if (val < 1 || val > 31) {
+                       job_log(j, LOG_WARNING, "The interval for key \"%s\" is not between 1 and 31 (inclusive).", key);
+                       tmptm->tm_sec = -1;
+               } else {
+                       tmptm->tm_mday = (typeof(tmptm->tm_mday)) val;
+               }
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_WEEKDAY) == 0) {
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_WEEKDAY) == 0) {
-               tmptm->tm_wday = val;
+               if (val > 7) {
+                       job_log(j, LOG_WARNING, "The interval for key \"%s\" is not between 0 and 7 (inclusive).", key);
+                       tmptm->tm_sec = -1;
+               } else {
+                       tmptm->tm_wday = (typeof(tmptm->tm_wday)) val;
+               }
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_MONTH) == 0) {
        } else if (strcasecmp(key, LAUNCH_JOBKEY_CAL_MONTH) == 0) {
-               tmptm->tm_mon = val;
-               tmptm->tm_mon -= 1; /* 4798263 cron compatibility */
+               if (val > 12) {
+                       job_log(j, LOG_WARNING, "The interval for key \"%s\" is not between 0 and 12 (inclusive).", key);
+                       tmptm->tm_sec = -1;
+               } else {
+                       tmptm->tm_mon = (typeof(tmptm->tm_mon)) val;
+                       tmptm->tm_mon -= 1; /* 4798263 cron compatibility */
+               }
        }
 }
 
 bool
 calendarinterval_new_from_obj(job_t j, launch_data_t obj)
 {
        }
 }
 
 bool
 calendarinterval_new_from_obj(job_t j, launch_data_t obj)
 {
-       struct tm tmptm;
+       struct cal_dict_walk cdw;
 
 
-       memset(&tmptm, 0, sizeof(0));
+       cdw.j = j;
+       memset(&cdw.tmptm, 0, sizeof(0));
 
 
-       tmptm.tm_min = -1;
-       tmptm.tm_hour = -1;
-       tmptm.tm_mday = -1;
-       tmptm.tm_wday = -1;
-       tmptm.tm_mon = -1;
+       cdw.tmptm.tm_min = -1;
+       cdw.tmptm.tm_hour = -1;
+       cdw.tmptm.tm_mday = -1;
+       cdw.tmptm.tm_wday = -1;
+       cdw.tmptm.tm_mon = -1;
 
        if (!job_assumes(j, obj != NULL)) {
                return false;
        }
 
 
        if (!job_assumes(j, obj != NULL)) {
                return false;
        }
 
-       if (LAUNCH_DATA_DICTIONARY != launch_data_get_type(obj)) {
+       if (unlikely(LAUNCH_DATA_DICTIONARY != launch_data_get_type(obj))) {
                return false;
        }
 
                return false;
        }
 
-       launch_data_dict_iterate(obj, calendarinterval_new_from_obj_dict_walk, &tmptm);
+       launch_data_dict_iterate(obj, calendarinterval_new_from_obj_dict_walk, &cdw);
 
 
-       if (tmptm.tm_sec == -1) {
+       if (unlikely(cdw.tmptm.tm_sec == -1)) {
                return false;
        }
 
                return false;
        }
 
-       return calendarinterval_new(j, &tmptm);
+       return calendarinterval_new(j, &cdw.tmptm);
 }
 
 bool
 }
 
 bool
@@ -3439,7 +5312,7 @@ calendarinterval_new(job_t j, struct tm *w)
        
        calendarinterval_setalarm(j, ci);
 
        
        calendarinterval_setalarm(j, ci);
 
-       runtime_add_ref();
+       runtime_add_weak_ref();
 
        return true;
 }
 
        return true;
 }
@@ -3452,7 +5325,7 @@ calendarinterval_delete(job_t j, struct calendarinterval *ci)
 
        free(ci);
 
 
        free(ci);
 
-       runtime_del_ref();
+       runtime_del_weak_ref();
 }
 
 void
 }
 
 void
@@ -3461,8 +5334,8 @@ calendarinterval_sanity_check(void)
        struct calendarinterval *ci = LIST_FIRST(&sorted_calendar_events);
        time_t now = time(NULL);
 
        struct calendarinterval *ci = LIST_FIRST(&sorted_calendar_events);
        time_t now = time(NULL);
 
-       if (ci && (ci->when_next < now)) {
-               jobmgr_assumes(root_jobmgr, raise(SIGUSR1) != -1);
+       if (unlikely(ci && (ci->when_next < now))) {
+               (void)jobmgr_assumes(root_jobmgr, raise(SIGUSR1) != -1);
        }
 }
 
        }
 }
 
@@ -3488,7 +5361,7 @@ calendarinterval_callback(void)
 }
 
 bool
 }
 
 bool
-socketgroup_new(job_t j, const char *name, int *fds, unsigned int fd_cnt, bool junkfds)
+socketgroup_new(job_t j, const char *name, int *fds, size_t fd_cnt, bool junkfds)
 {
        struct socketgroup *sg = calloc(1, sizeof(struct socketgroup) + strlen(name) + 1);
 
 {
        struct socketgroup *sg = calloc(1, sizeof(struct socketgroup) + strlen(name) + 1);
 
@@ -3506,11 +5379,11 @@ socketgroup_new(job_t j, const char *name, int *fds, unsigned int fd_cnt, bool j
        }
 
        memcpy(sg->fds, fds, fd_cnt * sizeof(int));
        }
 
        memcpy(sg->fds, fds, fd_cnt * sizeof(int));
-       strcpy(sg->name, name);
+       strcpy(sg->name_init, name);
 
        SLIST_INSERT_HEAD(&j->sockets, sg, sle);
 
 
        SLIST_INSERT_HEAD(&j->sockets, sg, sle);
 
-       runtime_add_ref();
+       runtime_add_weak_ref();
 
        return true;
 }
 
        return true;
 }
@@ -3529,11 +5402,11 @@ socketgroup_delete(job_t j, struct socketgroup *sg)
                /* 5480306 */
                if (job_assumes(j, getsockname(sg->fds[i], (struct sockaddr *)&ss, &ss_len) != -1)
                                && job_assumes(j, ss_len > 0) && (ss.ss_family == AF_UNIX)) {
                /* 5480306 */
                if (job_assumes(j, getsockname(sg->fds[i], (struct sockaddr *)&ss, &ss_len) != -1)
                                && job_assumes(j, ss_len > 0) && (ss.ss_family == AF_UNIX)) {
-                       job_assumes(j, unlink(sun->sun_path) != -1);
+                       (void)job_assumes(j, unlink(sun->sun_path) != -1);
                        /* We might conditionally need to delete a directory here */
                }
 #endif
                        /* We might conditionally need to delete a directory here */
                }
 #endif
-               job_assumes(j, runtime_close(sg->fds[i]) != -1);
+               (void)job_assumes(j, runtime_close(sg->fds[i]) != -1);
        }
 
        SLIST_REMOVE(&j->sockets, sg, socketgroup, sle);
        }
 
        SLIST_REMOVE(&j->sockets, sg, socketgroup, sle);
@@ -3541,7 +5414,7 @@ socketgroup_delete(job_t j, struct socketgroup *sg)
        free(sg->fds);
        free(sg);
 
        free(sg->fds);
        free(sg);
 
-       runtime_del_ref();
+       runtime_del_weak_ref();
 }
 
 void
 }
 
 void
@@ -3551,7 +5424,7 @@ socketgroup_kevent_mod(job_t j, struct socketgroup *sg, bool do_add)
        char buf[10000];
        unsigned int i, buf_off = 0;
 
        char buf[10000];
        unsigned int i, buf_off = 0;
 
-       if (sg->junkfds) {
+       if (unlikely(sg->junkfds)) {
                return;
        }
 
                return;
        }
 
@@ -3562,12 +5435,12 @@ socketgroup_kevent_mod(job_t j, struct socketgroup *sg, bool do_add)
 
        job_log(j, LOG_DEBUG, "%s Sockets:%s", do_add ? "Watching" : "Ignoring", buf);
 
 
        job_log(j, LOG_DEBUG, "%s Sockets:%s", do_add ? "Watching" : "Ignoring", buf);
 
-       job_assumes(j, kevent_bulk_mod(kev, sg->fd_cnt) != -1);
+       (void)job_assumes(j, kevent_bulk_mod(kev, sg->fd_cnt) != -1);
 
        for (i = 0; i < sg->fd_cnt; i++) {
 
        for (i = 0; i < sg->fd_cnt; i++) {
-               job_assumes(j, kev[i].flags & EV_ERROR);
-               errno = kev[i].data;
-               job_assumes(j, kev[i].data == 0);
+               (void)job_assumes(j, kev[i].flags & EV_ERROR);
+               errno = (typeof(errno)) kev[i].data;
+               (void)job_assumes(j, kev[i].data == 0);
        }
 }
 
        }
 }
 
@@ -3590,7 +5463,7 @@ socketgroup_callback(job_t j)
 }
 
 bool
 }
 
 bool
-envitem_new(job_t j, const char *k, const char *v, bool global)
+envitem_new(job_t j, const char *k, const char *v, bool global, bool one_shot)
 {
        struct envitem *ei = calloc(1, sizeof(struct envitem) + strlen(k) + 1 + strlen(v) + 1);
 
 {
        struct envitem *ei = calloc(1, sizeof(struct envitem) + strlen(k) + 1 + strlen(v) + 1);
 
@@ -3598,11 +5471,15 @@ envitem_new(job_t j, const char *k, const char *v, bool global)
                return false;
        }
 
                return false;
        }
 
-       strcpy(ei->key, k);
-       ei->value = ei->key + strlen(k) + 1;
+       strcpy(ei->key_init, k);
+       ei->value = ei->key_init + strlen(k) + 1;
        strcpy(ei->value, v);
        strcpy(ei->value, v);
+       ei->one_shot = one_shot;
 
        if (global) {
 
        if (global) {
+               if (SLIST_EMPTY(&j->global_env)) {
+                       LIST_INSERT_HEAD(&j->mgr->global_env_jobs, j, global_env_sle);
+               }
                SLIST_INSERT_HEAD(&j->global_env, ei, sle);
        } else {
                SLIST_INSERT_HEAD(&j->env, ei, sle);
                SLIST_INSERT_HEAD(&j->global_env, ei, sle);
        } else {
                SLIST_INSERT_HEAD(&j->env, ei, sle);
@@ -3618,6 +5495,9 @@ envitem_delete(job_t j, struct envitem *ei, bool global)
 {
        if (global) {
                SLIST_REMOVE(&j->global_env, ei, envitem, sle);
 {
        if (global) {
                SLIST_REMOVE(&j->global_env, ei, envitem, sle);
+               if (SLIST_EMPTY(&j->global_env)) {
+                       LIST_REMOVE(j, global_env_sle);
+               }
        } else {
                SLIST_REMOVE(&j->env, ei, envitem, sle);
        }
        } else {
                SLIST_REMOVE(&j->env, ei, envitem, sle);
        }
@@ -3634,7 +5514,27 @@ envitem_setup(launch_data_t obj, const char *key, void *context)
                return;
        }
 
                return;
        }
 
-       envitem_new(j, key, launch_data_get_string(obj), j->importing_global_env);
+       if (strncmp(LAUNCHD_TRUSTED_FD_ENV, key, sizeof(LAUNCHD_TRUSTED_FD_ENV) - 1) != 0) {
+               envitem_new(j, key, launch_data_get_string(obj), j->importing_global_env, false);
+       } else {
+               job_log(j, LOG_DEBUG, "Ignoring reserved environmental variable: %s", key);
+       }
+}
+
+void
+envitem_setup_one_shot(launch_data_t obj, const char *key, void *context)
+{
+       job_t j = context;
+       
+       if (launch_data_get_type(obj) != LAUNCH_DATA_STRING) {
+               return;
+       }
+       
+       if (strncmp(LAUNCHD_TRUSTED_FD_ENV, key, sizeof(LAUNCHD_TRUSTED_FD_ENV) - 1) != 0) {
+               envitem_new(j, key, launch_data_get_string(obj), j->importing_global_env, true);
+       } else {
+               job_log(j, LOG_DEBUG, "Ignoring reserved environmental variable: %s", key);
+       }       
 }
 
 bool
 }
 
 bool
@@ -3679,6 +5579,7 @@ limititem_delete(job_t j, struct limititem *li)
        free(li);
 }
 
        free(li);
 }
 
+#if HAVE_SANDBOX
 void
 seatbelt_setup_flags(launch_data_t obj, const char *key, void *context)
 {
 void
 seatbelt_setup_flags(launch_data_t obj, const char *key, void *context)
 {
@@ -3697,12 +5598,13 @@ seatbelt_setup_flags(launch_data_t obj, const char *key, void *context)
                j->seatbelt_flags |= SANDBOX_NAMED;
        }
 }
                j->seatbelt_flags |= SANDBOX_NAMED;
        }
 }
+#endif
 
 void
 limititem_setup(launch_data_t obj, const char *key, void *context)
 {
        job_t j = context;
 
 void
 limititem_setup(launch_data_t obj, const char *key, void *context)
 {
        job_t j = context;
-       int i, limits_cnt = (sizeof(launchd_keys2limits) / sizeof(launchd_keys2limits[0]));
+       size_t i, limits_cnt = (sizeof(launchd_keys2limits) / sizeof(launchd_keys2limits[0]));
        rlim_t rl;
 
        if (launch_data_get_type(obj) != LAUNCH_DATA_INTEGER) {
        rlim_t rl;
 
        if (launch_data_get_type(obj) != LAUNCH_DATA_INTEGER) {
@@ -3727,10 +5629,8 @@ limititem_setup(launch_data_t obj, const char *key, void *context)
 bool
 job_useless(job_t j)
 {
 bool
 job_useless(job_t j)
 {
-       /* Yes, j->unload_at_exit and j->only_once seem the same, but they'll differ someday... */
-
-       if ((j->unload_at_exit || j->only_once) && j->start_time != 0) {
-               if (j->unload_at_exit && j->j_port) {
+       if ((j->legacy_LS_job || j->only_once) && j->start_time != 0) {
+               if (j->legacy_LS_job && j->j_port) {
                        return false;
                }
                job_log(j, LOG_INFO, "Exited. Was only configured to run once.");
                        return false;
                }
                job_log(j, LOG_INFO, "Exited. Was only configured to run once.");
@@ -3738,8 +5638,13 @@ job_useless(job_t j)
        } else if (j->removal_pending) {
                job_log(j, LOG_DEBUG, "Exited while removal was pending.");
                return true;
        } else if (j->removal_pending) {
                job_log(j, LOG_DEBUG, "Exited while removal was pending.");
                return true;
+       } else if (j->shutdown_monitor) {
+               return false;
        } else if (j->mgr->shutting_down) {
                job_log(j, LOG_DEBUG, "Exited while shutdown in progress. Processes remaining: %lu/%lu", total_children, total_anon_children);
        } else if (j->mgr->shutting_down) {
                job_log(j, LOG_DEBUG, "Exited while shutdown in progress. Processes remaining: %lu/%lu", total_children, total_anon_children);
+               if (total_children == 0 && !j->anonymous) {
+                       job_log(j, LOG_DEBUG | LOG_CONSOLE, "Job was last to exit during shutdown of: %s.", j->mgr->name);
+               }
                return true;
        } else if (j->legacy_mach_job) {
                if (SLIST_EMPTY(&j->machservices)) {
                return true;
        } else if (j->legacy_mach_job) {
                if (SLIST_EMPTY(&j->machservices)) {
@@ -3749,6 +5654,18 @@ job_useless(job_t j)
                        job_log(j, LOG_WARNING, "Failed to check-in!");
                        return true;
                }
                        job_log(j, LOG_WARNING, "Failed to check-in!");
                        return true;
                }
+       } else {
+               /* If the job's executable does not have any valid architectures (for
+                * example, if it's a PowerPC-only job), then we don't even bother
+                * trying to relaunch it, as we have no reasonable expectation that
+                * the situation will change.
+                *
+                * <rdar://problem/9106979>
+                */
+               if (!j->did_exec && WEXITSTATUS(j->last_exit_status) == EBADARCH) {
+                       job_log(j, LOG_ERR, "Job executable does not contain supported architectures. Unloading it. Its plist should be removed.");
+                       return true;
+               }
        }
 
        return false;
        }
 
        return false;
@@ -3763,6 +5680,11 @@ job_keepalive(job_t j)
        struct machservice *ms;
        struct stat sb;
        bool good_exit = (WIFEXITED(j->last_exit_status) && WEXITSTATUS(j->last_exit_status) == 0);
        struct machservice *ms;
        struct stat sb;
        bool good_exit = (WIFEXITED(j->last_exit_status) && WEXITSTATUS(j->last_exit_status) == 0);
+       bool is_not_kextd = (do_apple_internal_logging || (strcmp(j->label, "com.apple.kextd") != 0));
+
+       if (unlikely(j->mgr->shutting_down)) {
+               return false;
+       }
 
        /*
         * 5066316
 
        /*
         * 5066316
@@ -3770,7 +5692,12 @@ job_keepalive(job_t j)
         * We definitely need to revisit this after Leopard ships. Please see
         * launchctl.c for the other half of this hack.
         */
         * We definitely need to revisit this after Leopard ships. Please see
         * launchctl.c for the other half of this hack.
         */
-       if (j->mgr->global_on_demand_cnt > 0 && strcmp(j->label, "com.apple.kextd") != 0) {
+       if (unlikely((j->mgr->global_on_demand_cnt > 0) && is_not_kextd)) {
+               return false;
+       }
+
+       if (unlikely(j->needs_kickoff)) {
+               job_log(j, LOG_DEBUG, "KeepAlive check: Job needs to be kicked off on-demand before KeepAlive sets in.");
                return false;
        }
 
                return false;
        }
 
@@ -3791,13 +5718,22 @@ job_keepalive(job_t j)
                        continue;
                }
                if (status.mps_msgcount) {
                        continue;
                }
                if (status.mps_msgcount) {
-                       job_log(j, LOG_DEBUG, "KeepAlive check: job restarted due to %d queued Mach messages on service: %s",
+                       job_log(j, LOG_DEBUG, "KeepAlive check: %d queued Mach messages on service: %s",
                                        status.mps_msgcount, ms->name);
                        return true;
                }
        }
                                        status.mps_msgcount, ms->name);
                        return true;
                }
        }
-
-
+       
+       /* TODO: Coalesce external events and semaphore items, since they're basically
+        * the same thing.
+        */
+       struct externalevent *ei = NULL;
+       LIST_FOREACH(ei, &j->events, job_le) {
+               if (ei->state == ei->wanted_state) {
+                       return true;
+               }
+       }
+       
        SLIST_FOREACH(si, &j->semaphores, sle) {
                bool wanted_state = false;
                int qdir_file_cnt;
        SLIST_FOREACH(si, &j->semaphores, sle) {
                bool wanted_state = false;
                int qdir_file_cnt;
@@ -3820,10 +5756,17 @@ job_keepalive(job_t j)
                                return true;
                        }
                        break;
                                return true;
                        }
                        break;
+               case CRASHED:
+                       wanted_state = true;
+               case DID_NOT_CRASH:
+                       if (j->crashed == wanted_state) {
+                               return true;
+                       }
+                       break;
                case OTHER_JOB_ENABLED:
                        wanted_state = true;
                case OTHER_JOB_DISABLED:
                case OTHER_JOB_ENABLED:
                        wanted_state = true;
                case OTHER_JOB_DISABLED:
-                       if ((bool)job_find(si->what) == wanted_state) {
+                       if ((bool)job_find(NULL, si->what) == wanted_state) {
                                job_log(j, LOG_DEBUG, "KeepAlive: The following job is %s: %s", wanted_state ? "enabled" : "disabled", si->what);
                                return true;
                        }
                                job_log(j, LOG_DEBUG, "KeepAlive: The following job is %s: %s", wanted_state ? "enabled" : "disabled", si->what);
                                return true;
                        }
@@ -3831,7 +5774,7 @@ job_keepalive(job_t j)
                case OTHER_JOB_ACTIVE:
                        wanted_state = true;
                case OTHER_JOB_INACTIVE:
                case OTHER_JOB_ACTIVE:
                        wanted_state = true;
                case OTHER_JOB_INACTIVE:
-                       if ((other_j = job_find(si->what))) {
+                       if ((other_j = job_find(NULL, si->what))) {
                                if ((bool)other_j->p == wanted_state) {
                                        job_log(j, LOG_DEBUG, "KeepAlive: The following job is %s: %s", wanted_state ? "active" : "inactive", si->what);
                                        return true;
                                if ((bool)other_j->p == wanted_state) {
                                        job_log(j, LOG_DEBUG, "KeepAlive: The following job is %s: %s", wanted_state ? "active" : "inactive", si->what);
                                        return true;
@@ -3842,12 +5785,22 @@ job_keepalive(job_t j)
                        wanted_state = true;
                case PATH_MISSING:
                        if ((bool)(stat(si->what, &sb) == 0) == wanted_state) {
                        wanted_state = true;
                case PATH_MISSING:
                        if ((bool)(stat(si->what, &sb) == 0) == wanted_state) {
-                               if (si->fd != -1) {
-                                       job_assumes(j, runtime_close(si->fd) == 0);
-                                       si->fd = -1;
-                               }
                                job_log(j, LOG_DEBUG, "KeepAlive: The following path %s: %s", wanted_state ? "exists" : "is missing", si->what);
                                return true;
                                job_log(j, LOG_DEBUG, "KeepAlive: The following path %s: %s", wanted_state ? "exists" : "is missing", si->what);
                                return true;
+                       } else {
+                               if (wanted_state) { /* File is not there but we wish it was. */
+                                       if (si->fd != -1 && !si->watching_parent) { /* Need to be watching the parent now. */
+                                               (void)job_assumes(j, runtime_close(si->fd) == 0);
+                                               si->fd = -1;
+                                               semaphoreitem_watch(j, si);
+                                       }
+                               } else { /* File is there but we wish it wasn't. */
+                                       if (si->fd != -1 && si->watching_parent) { /* Need to watch the file now. */
+                                               (void)job_assumes(j, runtime_close(si->fd) == 0);
+                                               si->fd = -1;
+                                               semaphoreitem_watch(j, si);
+                                       }
+                               }
                        }
                        break;
                case PATH_CHANGES:
                        }
                        break;
                case PATH_CHANGES:
@@ -3866,37 +5819,27 @@ job_keepalive(job_t j)
        return false;
 }
 
        return false;
 }
 
-const char *
-job_prog(job_t j)
-{
-       if (j->prog) {
-               return j->prog;
-       } else if (j->argv) {
-               return j->argv[0];
-       } else {
-               return "";
-       }
-}
-
 const char *
 job_active(job_t j)
 {
        struct machservice *ms;
 const char *
 job_active(job_t j)
 {
        struct machservice *ms;
-
+       if (j->p && j->shutdown_monitor) {
+               return "Monitoring shutdown";
+       }
        if (j->p) {
                return "PID is still valid";
        }
 
        if (j->mgr->shutting_down && j->log_redirect_fd) {
        if (j->p) {
                return "PID is still valid";
        }
 
        if (j->mgr->shutting_down && j->log_redirect_fd) {
-               job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
+               (void)job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
                j->log_redirect_fd = 0;
        }
 
        if (j->log_redirect_fd) {
                j->log_redirect_fd = 0;
        }
 
        if (j->log_redirect_fd) {
-               if (job_assumes(j, j->wait4pipe_eof)) {
+               if (job_assumes(j, j->legacy_LS_job)) {
                        return "Standard out/error is still valid";
                } else {
                        return "Standard out/error is still valid";
                } else {
-                       job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
+                       (void)job_assumes(j, runtime_close(j->log_redirect_fd) != -1);
                        j->log_redirect_fd = 0;
                }
        }
                        j->log_redirect_fd = 0;
                }
        }
@@ -3906,7 +5849,7 @@ job_active(job_t j)
        }
 
        SLIST_FOREACH(ms, &j->machservices, sle) {
        }
 
        SLIST_FOREACH(ms, &j->machservices, sle) {
-               if (ms->recv && ms->isActive) {
+               if (ms->recv && machservice_active(ms)) {
                        return "Mach service is still active";
                }
        }
                        return "Mach service is still active";
                }
        }
@@ -3918,42 +5861,43 @@ void
 machservice_watch(job_t j, struct machservice *ms)
 {
        if (ms->recv) {
 machservice_watch(job_t j, struct machservice *ms)
 {
        if (ms->recv) {
-               job_assumes(j, runtime_add_mport(ms->port, NULL, 0) == KERN_SUCCESS);
+               (void)job_assumes(j, runtime_add_mport(ms->port, NULL, 0) == KERN_SUCCESS);
        }
 }
 
 void
 machservice_ignore(job_t j, struct machservice *ms)
 {
        }
 }
 
 void
 machservice_ignore(job_t j, struct machservice *ms)
 {
-       job_assumes(j, runtime_remove_mport(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, runtime_remove_mport(ms->port) == KERN_SUCCESS);
 }
 
 void
 machservice_resetport(job_t j, struct machservice *ms)
 {
        LIST_REMOVE(ms, port_hash_sle);
 }
 
 void
 machservice_resetport(job_t j, struct machservice *ms)
 {
        LIST_REMOVE(ms, port_hash_sle);
-       job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
-       job_assumes(j, launchd_mport_deallocate(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_deallocate(ms->port) == KERN_SUCCESS);
        ms->gen_num++;
        ms->gen_num++;
-       job_assumes(j, launchd_mport_create_recv(&ms->port) == KERN_SUCCESS);
-       job_assumes(j, launchd_mport_make_send(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_create_recv(&ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_make_send(ms->port) == KERN_SUCCESS);
        LIST_INSERT_HEAD(&port_hash[HASH_PORT(ms->port)], ms, port_hash_sle);
 }
 
 struct machservice *
 machservice_new(job_t j, const char *name, mach_port_t *serviceport, bool pid_local)
 {
        LIST_INSERT_HEAD(&port_hash[HASH_PORT(ms->port)], ms, port_hash_sle);
 }
 
 struct machservice *
 machservice_new(job_t j, const char *name, mach_port_t *serviceport, bool pid_local)
 {
-       struct machservice *ms;
+       struct machservice *ms = calloc(1, sizeof(struct machservice) + strlen(name) + 1);
 
 
-       if ((ms = calloc(1, sizeof(struct machservice) + strlen(name) + 1)) == NULL) {
+       if (!job_assumes(j, ms != NULL)) {
                return NULL;
        }
 
        strcpy((char *)ms->name, name);
        ms->job = j;
                return NULL;
        }
 
        strcpy((char *)ms->name, name);
        ms->job = j;
+       ms->gen_num = 1;
        ms->per_pid = pid_local;
 
        ms->per_pid = pid_local;
 
-       if (*serviceport == MACH_PORT_NULL) {
+       if (likely(*serviceport == MACH_PORT_NULL)) {
                if (!job_assumes(j, launchd_mport_create_recv(&ms->port) == KERN_SUCCESS)) {
                        goto out_bad;
                }
                if (!job_assumes(j, launchd_mport_create_recv(&ms->port) == KERN_SUCCESS)) {
                        goto out_bad;
                }
@@ -3969,22 +5913,57 @@ machservice_new(job_t j, const char *name, mach_port_t *serviceport, bool pid_lo
        }
 
        SLIST_INSERT_HEAD(&j->machservices, ms, sle);
        }
 
        SLIST_INSERT_HEAD(&j->machservices, ms, sle);
-       LIST_INSERT_HEAD(&j->mgr->ms_hash[hash_ms(ms->name)], ms, name_hash_sle);
+
+       jobmgr_t where2put = j->mgr;
+       /* XPC domains are separate from Mach bootstraps. */
+       if (!(j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+               if (g_flat_mach_namespace && !(j->mgr->properties & BOOTSTRAP_PROPERTY_EXPLICITSUBSET)) {
+                       where2put = root_jobmgr;
+               }
+       }
+       
+       /* Don't allow MachServices added by multiple-instance jobs to be looked up by others.
+        * We could just do this with a simple bit, but then we'd have to uniquify the
+        * names ourselves to avoid collisions. This is just easier.
+        */
+       if (!j->dedicated_instance) {
+               LIST_INSERT_HEAD(&where2put->ms_hash[hash_ms(ms->name)], ms, name_hash_sle);    
+       }
        LIST_INSERT_HEAD(&port_hash[HASH_PORT(ms->port)], ms, port_hash_sle);
 
        LIST_INSERT_HEAD(&port_hash[HASH_PORT(ms->port)], ms, port_hash_sle);
 
-       job_log(j, LOG_INFO, "Mach service added: %s", name);
+       job_log(j, LOG_DEBUG, "Mach service added%s: %s", (j->mgr->properties & BOOTSTRAP_PROPERTY_EXPLICITSUBSET) ? " to private namespace" : "", name);
 
        return ms;
 out_bad2:
 
        return ms;
 out_bad2:
-       job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
 out_bad:
        free(ms);
        return NULL;
 }
 
 out_bad:
        free(ms);
        return NULL;
 }
 
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+struct machservice *
+machservice_new_alias(job_t j, struct machservice *orig)
+{
+       struct machservice *ms = calloc(1, sizeof(struct machservice) + strlen(orig->name) + 1);
+       if (job_assumes(j, ms != NULL)) {
+               strcpy((char *)ms->name, orig->name);
+               ms->alias = orig;
+               ms->job = j;
+
+               LIST_INSERT_HEAD(&j->mgr->ms_hash[hash_ms(ms->name)], ms, name_hash_sle);
+               SLIST_INSERT_HEAD(&j->machservices, ms, sle);
+               jobmgr_log(j->mgr, LOG_DEBUG, "Service aliased into job manager: %s", orig->name);
+       }
+
+       return ms;
+}
+#endif
+
 bootstrap_status_t
 machservice_status(struct machservice *ms)
 {
 bootstrap_status_t
 machservice_status(struct machservice *ms)
 {
+       ms = ms->alias ? ms->alias : ms;
        if (ms->isActive) {
                return BOOTSTRAP_STATUS_ACTIVE;
        } else if (ms->job->ondemand) {
        if (ms->isActive) {
                return BOOTSTRAP_STATUS_ACTIVE;
        } else if (ms->job->ondemand) {
@@ -3997,34 +5976,46 @@ machservice_status(struct machservice *ms)
 void
 job_setup_exception_port(job_t j, task_t target_task)
 {
 void
 job_setup_exception_port(job_t j, task_t target_task)
 {
+       struct machservice *ms;
        thread_state_flavor_t f = 0;
        thread_state_flavor_t f = 0;
+       mach_port_t exc_port = the_exception_server;
 
 
-       if (!the_exception_server) {
+       if (unlikely(j->alt_exc_handler)) {
+               ms = jobmgr_lookup_service(j->mgr, j->alt_exc_handler, true, 0);
+               if (likely(ms)) {
+                       exc_port = machservice_port(ms);
+               } else {
+                       job_log(j, LOG_WARNING, "Falling back to default Mach exception handler. Could not find: %s", j->alt_exc_handler);
+               }
+       } else if (unlikely(j->internal_exc_handler)) {
+               exc_port = runtime_get_kernel_port();
+       } else if (unlikely(!exc_port)) {
                return;
        }
 
                return;
        }
 
-#if defined (__ppc__)
+#if defined (__ppc__) || defined(__ppc64__)
        f = PPC_THREAD_STATE64;
        f = PPC_THREAD_STATE64;
-#elif defined(__i386__)
+#elif defined(__i386__) || defined(__x86_64__)
        f = x86_THREAD_STATE;
        f = x86_THREAD_STATE;
+#elif defined(__arm__)
+       f = ARM_THREAD_STATE;
+#else
+#error "unknown architecture"
 #endif
 
 #endif
 
-       if (target_task) {
-               job_assumes(j, task_set_exception_ports(target_task, EXC_MASK_CRASH, the_exception_server,
-                                       EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES, f) == KERN_SUCCESS);
-       } else if (getpid() == 1) {
+       if (likely(target_task)) {
+               (void)job_assumes(j, task_set_exception_ports(target_task, EXC_MASK_CRASH, exc_port, EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES, f) == KERN_SUCCESS);
+       } else if (pid1_magic && the_exception_server) {
                mach_port_t mhp = mach_host_self();
                mach_port_t mhp = mach_host_self();
-               job_assumes(j, host_set_exception_ports(mhp, EXC_MASK_CRASH, the_exception_server,
-                                       EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES, f) == KERN_SUCCESS);
+               (void)job_assumes(j, host_set_exception_ports(mhp, EXC_MASK_CRASH, the_exception_server, EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES, f) == KERN_SUCCESS);
                job_assumes(j, launchd_mport_deallocate(mhp) == KERN_SUCCESS);
        }
                job_assumes(j, launchd_mport_deallocate(mhp) == KERN_SUCCESS);
        }
-
 }
 
 void
 }
 
 void
-job_set_exeception_port(job_t j, mach_port_t port)
+job_set_exception_port(job_t j, mach_port_t port)
 {
 {
-       if (!the_exception_server) {
+       if (unlikely(!the_exception_server)) {
                the_exception_server = port;
                job_setup_exception_port(j, 0);
        } else {
                the_exception_server = port;
                job_setup_exception_port(j, 0);
        } else {
@@ -4046,14 +6037,15 @@ machservice_setup_options(launch_data_t obj, const char *key, void *context)
 
        switch (launch_data_get_type(obj)) {
        case LAUNCH_DATA_INTEGER:
 
        switch (launch_data_get_type(obj)) {
        case LAUNCH_DATA_INTEGER:
-               which_port = launch_data_get_integer(obj);
+               which_port = (int)launch_data_get_integer(obj); /* XXX we should bound check this... */
                if (strcasecmp(key, LAUNCH_JOBKEY_MACH_TASKSPECIALPORT) == 0) {
                        switch (which_port) {
                        case TASK_KERNEL_PORT:
                        case TASK_HOST_PORT:
                        case TASK_NAME_PORT:
                        case TASK_BOOTSTRAP_PORT:
                if (strcasecmp(key, LAUNCH_JOBKEY_MACH_TASKSPECIALPORT) == 0) {
                        switch (which_port) {
                        case TASK_KERNEL_PORT:
                        case TASK_HOST_PORT:
                        case TASK_NAME_PORT:
                        case TASK_BOOTSTRAP_PORT:
-                       /* I find it a little odd that zero isn't reserved in the header */
+                       /* I find it a little odd that zero isn't reserved in the header.
+                        * Normally Mach is fairly good about this convention... */
                        case 0:
                                job_log(ms->job, LOG_WARNING, "Tried to set a reserved task special port: %d", which_port);
                                break;
                        case 0:
                                job_log(ms->job, LOG_WARNING, "Tried to set a reserved task special port: %d", which_port);
                                break;
@@ -4062,9 +6054,9 @@ machservice_setup_options(launch_data_t obj, const char *key, void *context)
                                SLIST_INSERT_HEAD(&special_ports, ms, special_port_sle);
                                break;
                        }
                                SLIST_INSERT_HEAD(&special_ports, ms, special_port_sle);
                                break;
                        }
-               } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_HOSTSPECIALPORT) == 0 && getpid() == 1) {
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_HOSTSPECIALPORT) == 0 && pid1_magic) {
                        if (which_port > HOST_MAX_SPECIAL_KERNEL_PORT) {
                        if (which_port > HOST_MAX_SPECIAL_KERNEL_PORT) {
-                               job_assumes(ms->job, (errno = host_set_special_port(mhp, which_port, ms->port)) == KERN_SUCCESS);
+                               (void)job_assumes(ms->job, (errno = host_set_special_port(mhp, which_port, ms->port)) == KERN_SUCCESS);
                        } else {
                                job_log(ms->job, LOG_WARNING, "Tried to set a reserved host special port: %d", which_port);
                        }
                        } else {
                                job_log(ms->job, LOG_WARNING, "Tried to set a reserved host special port: %d", which_port);
                        }
@@ -4078,14 +6070,26 @@ machservice_setup_options(launch_data_t obj, const char *key, void *context)
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_HIDEUNTILCHECKIN) == 0) {
                        ms->hide = b;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_EXCEPTIONSERVER) == 0) {
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_HIDEUNTILCHECKIN) == 0) {
                        ms->hide = b;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_EXCEPTIONSERVER) == 0) {
-                       job_set_exeception_port(ms->job, ms->port);
+                       job_set_exception_port(ms->job, ms->port);
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_KUNCSERVER) == 0) {
                        ms->kUNCServer = b;
                } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_KUNCSERVER) == 0) {
                        ms->kUNCServer = b;
-                       job_assumes(ms->job, host_set_UNDServer(mhp, ms->port) == KERN_SUCCESS);
+                       (void)job_assumes(ms->job, host_set_UNDServer(mhp, ms->port) == KERN_SUCCESS);
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_MACH_PINGEVENTUPDATES) == 0) {
+                       ms->event_update_port = b;
+               }
+               break;
+       case LAUNCH_DATA_STRING:
+               if (strcasecmp(key, LAUNCH_JOBKEY_MACH_DRAINMESSAGESONCRASH) == 0) {
+                       const char *option = launch_data_get_string(obj);
+                       if (strcasecmp(option, "One") == 0) {
+                               ms->drain_one_on_crash = true;
+                       } else if (strcasecmp(option, "All") == 0) {
+                               ms->drain_all_on_crash = true;
+                       }
                }
                break;
        case LAUNCH_DATA_DICTIONARY:
                }
                break;
        case LAUNCH_DATA_DICTIONARY:
-               job_set_exeception_port(ms->job, ms->port);
+               job_set_exception_port(ms->job, ms->port);
                break;
        default:
                break;
                break;
        default:
                break;
@@ -4101,18 +6105,18 @@ machservice_setup(launch_data_t obj, const char *key, void *context)
        struct machservice *ms;
        mach_port_t p = MACH_PORT_NULL;
 
        struct machservice *ms;
        mach_port_t p = MACH_PORT_NULL;
 
-       if ((ms = jobmgr_lookup_service(j->mgr, key, false, 0))) {
+       if (unlikely(ms = jobmgr_lookup_service(j->mgr, key, false, 0))) {
                job_log(j, LOG_WARNING, "Conflict with job: %s over Mach service: %s", ms->job->label, key);
                return;
        }
 
                job_log(j, LOG_WARNING, "Conflict with job: %s over Mach service: %s", ms->job->label, key);
                return;
        }
 
-       if ((ms = machservice_new(j, key, &p, false)) == NULL) {
-               job_log_error(j, LOG_WARNING, "Cannot add service: %s", key);
+       if (!job_assumes(j, (ms = machservice_new(j, key, &p, false)) != NULL)) {
                return;
        }
 
        ms->isActive = false;
                return;
        }
 
        ms->isActive = false;
-
+       ms->upfront = true;
+       
        if (launch_data_get_type(obj) == LAUNCH_DATA_DICTIONARY) {
                launch_data_dict_iterate(obj, machservice_setup_options, ms);
        }
        if (launch_data_get_type(obj) == LAUNCH_DATA_DICTIONARY) {
                launch_data_dict_iterate(obj, machservice_setup_options, ms);
        }
@@ -4121,9 +6125,7 @@ machservice_setup(launch_data_t obj, const char *key, void *context)
 jobmgr_t
 jobmgr_do_garbage_collection(jobmgr_t jm)
 {
 jobmgr_t
 jobmgr_do_garbage_collection(jobmgr_t jm)
 {
-       jobmgr_t jmi, jmn;
-       job_t ji, jn;
-
+       jobmgr_t jmi = NULL, jmn = NULL;
        SLIST_FOREACH_SAFE(jmi, &jm->submgrs, sle, jmn) {
                jobmgr_do_garbage_collection(jmi);
        }
        SLIST_FOREACH_SAFE(jmi, &jm->submgrs, sle, jmn) {
                jobmgr_do_garbage_collection(jmi);
        }
@@ -4131,118 +6133,202 @@ jobmgr_do_garbage_collection(jobmgr_t jm)
        if (!jm->shutting_down) {
                return jm;
        }
        if (!jm->shutting_down) {
                return jm;
        }
-
-       jobmgr_log(jm, LOG_DEBUG, "Garbage collecting.");
-
-       /*
-        * Normally, we wait for all resources of a job (Unix PIDs/FDs and Mach ports)
-        * to reset before we conider the job truly dead and ready to be spawned again.
-        *
-        * In order to work around 5487724 and 3456090, we're going to call reboot()
-        * when the last PID dies and not wait for the associated resources to reset.
-        */
-       if (getpid() == 1 && jm->parentmgr == NULL && total_children == 0) {
-               jobmgr_log(jm, LOG_DEBUG, "About to force a call to: reboot(%s)", reboot_flags_to_C_names(jm->reboot_flags));
-               runtime_closelog();
-               jobmgr_assumes(jm, reboot(jm->reboot_flags) != -1);
+       
+       if (SLIST_EMPTY(&jm->submgrs)) {
+               jobmgr_log(jm, LOG_DEBUG, "No submanagers left.");
+       } else {
+               jobmgr_log(jm, LOG_DEBUG, "Still have submanagers.");
        }
 
        }
 
-       if (jm->hopefully_first_cnt) {
-               return jm;
-       }
+       size_t actives = 0;
+       job_t ji = NULL, jn = NULL;
+       LIST_FOREACH_SAFE(ji, &jm->jobs, sle, jn) {
+               if (ji->anonymous) {
+                       continue;
+               }
+               
+               /* Let the shutdown monitor be up until the very end. */
+               if (ji->shutdown_monitor) {
+                       continue;
+               }
 
 
-       if (jm->parentmgr && jm->parentmgr->shutting_down && jm->parentmgr->hopefully_first_cnt) {
-               return jm;
-       }
+               /* On our first pass through, open a transaction for all the jobs that
+                * need to be dirty at shutdown. We'll close these transactions once the
+                * jobs that do not need to be dirty at shutdown have all exited.
+                */
+               if (ji->dirty_at_shutdown && !jm->shutdown_jobs_dirtied) {
+                       job_open_shutdown_transaction(ji);
+               }
 
 
-       if (!jm->sent_stop_to_normal_jobs) {
-               jobmgr_log(jm, LOG_DEBUG, "Asking \"normal\" jobs to exit.");
+               const char *active = job_active(ji);
+               if (!active) {
+                       job_remove(ji);
+               } else {
+                       job_log(ji, LOG_DEBUG, "Job is active: %s", active);
+                       job_stop(ji);
+
+                       if (ji->p && !ji->dirty_at_shutdown) {
+                               /* We really only care if the job has not yet been reaped.
+                                * There's no reason to delay shutdown if a Mach port has not
+                                * yet been sent back to us, for example. While we're shutting
+                                * all the "normal" jobs down, do not count the
+                                * dirty-at-shutdown jobs toward the total of actives.
+                                *
+                                * Note that there's a potential race here where we may not get
+                                * a port back in time, so that when we hit jobmgr_remove(), we
+                                * end up removing the job and then our attempt to close the
+                                * Mach port will fail. But at that point, the failure won't
+                                * even make it to the syslog, so not a big deal.
+                                */
+                               actives++;
+                       }
 
 
-               LIST_FOREACH_SAFE(ji, &jm->jobs, sle, jn) {
-                       if (!job_active(ji)) {
-                               job_remove(ji);
-                       } else if (!ji->hopefully_exits_last) {
-                               job_stop(ji);
+                       if (ji->clean_kill) {
+                               job_log(ji, LOG_DEBUG, "Job was killed cleanly.");
+                       } else {
+                               job_log(ji, LOG_DEBUG, "Job was sent SIGTERM%s.", ji->sent_sigkill ? " and SIGKILL" : "");
                        }
                }
                        }
                }
-
-               jm->sent_stop_to_normal_jobs = true;
        }
 
        }
 
-       if (jm->normal_active_cnt) {
-               return jm;
-       }
+       jm->shutdown_jobs_dirtied = true;
+       if (actives == 0) {
+               if (!jm->shutdown_jobs_cleaned) {
+                       LIST_FOREACH(ji, &jm->jobs, sle) {
+                               if (!ji->anonymous) {
+                                       job_close_shutdown_transaction(ji);
+                                       actives++;
+                               }
+                       }
 
 
-       if (!jm->sent_stop_to_hopefully_last_jobs) {
-               jobmgr_log(jm, LOG_DEBUG, "Asking \"hopefully last\" jobs to exit.");
+                       jm->shutdown_jobs_cleaned = true;
+               } else if (jm->monitor_shutdown && _s_shutdown_monitor) {
+                       /* The rest of shutdown has completed, so we can kill the shutdown
+                        * monitor now like it was any other job.
+                        */
+                       _s_shutdown_monitor->shutdown_monitor = false;
+                       actives = 1;
 
 
-               LIST_FOREACH(ji, &jm->jobs, sle) {
-                       if (ji->p && ji->anonymous) {
-                               continue;
-                       } else if (ji->p && job_assumes(ji, ji->hopefully_exits_last)) {
-                               job_stop(ji);
-                       }
+                       job_log(_s_shutdown_monitor, LOG_NOTICE | LOG_CONSOLE, "Stopping shutdown monitor.");
+                       job_stop(_s_shutdown_monitor);
+                       _s_shutdown_monitor = NULL;
                }
                }
-
-               jm->sent_stop_to_hopefully_last_jobs = true;
        }
 
        }
 
-       if (!SLIST_EMPTY(&jm->submgrs)) {
-               return jm;
+       jobmgr_t r = jm;
+       if (SLIST_EMPTY(&jm->submgrs) && actives == 0) {
+               jobmgr_log(jm, LOG_DEBUG, "Removing.");
+               jobmgr_remove(jm);
+               r = NULL;
        }
        }
+       
+       return r;
+}
 
 
-       LIST_FOREACH(ji, &jm->jobs, sle) {
-               if (!ji->anonymous) {
-                       return jm;
+void
+jobmgr_kill_stray_children(jobmgr_t jm, pid_t *p, size_t np)
+{
+       /* I maintain that stray processes should be at the mercy of launchd during shutdown,
+        * but nevertheless, things like diskimages-helper can stick around, and SIGKILLing 
+        * them can result in data loss. So we send SIGTERM to all the strays and don't wait
+        * for them to exit before moving on.
+        * 
+        * See rdar://problem/6562592
+        */
+       size_t i = 0;
+       for (i = 0; i < np; i++) {
+               if (p[i] != 0) {
+                       jobmgr_log(jm, LOG_DEBUG | LOG_CONSOLE, "Sending SIGTERM to PID %u and continuing...", p[i]);
+                       (void)jobmgr_assumes(jm, runtime_kill(p[i], SIGTERM) != -1);
                }
        }
                }
        }
-
-       jobmgr_log_stray_children(jm);
-       jobmgr_remove(jm);
-       return NULL;
 }
 
 void
 }
 
 void
-jobmgr_log_stray_children(jobmgr_t jm)
+jobmgr_log_stray_children(jobmgr_t jm, bool kill_strays)
 {
 {
-       int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_ALL };
-       size_t i, kp_cnt, len = 10*1024*1024;
-       struct kinfo_proc *kp;
-
-       if (jm->parentmgr || getpid() != 1) {
+       size_t kp_skipped = 0, len = sizeof(pid_t) * get_kern_max_proc();
+       pid_t *pids = NULL;
+       int i = 0, kp_cnt = 0;
+       
+       if (likely(jm->parentmgr || !pid1_magic)) {
                return;
        }
 
                return;
        }
 
-       if (!jobmgr_assumes(jm, (kp = malloc(len)) != NULL)) {
+       if (!jobmgr_assumes(jm, (pids = malloc(len)) != NULL)) {
                return;
        }
                return;
        }
-       if (!jobmgr_assumes(jm, sysctl(mib, 3, kp, &len, NULL, 0) != -1)) {
+
+       runtime_ktrace0(RTKT_LAUNCHD_FINDING_ALL_STRAYS);
+
+       if (!jobmgr_assumes(jm, (kp_cnt = proc_listallpids(pids, len)) != -1)) {
                goto out;
        }
 
                goto out;
        }
 
-       kp_cnt = len / sizeof(struct kinfo_proc);
-
+       pid_t *ps = (pid_t *)calloc(sizeof(pid_t), kp_cnt);
        for (i = 0; i < kp_cnt; i++) {
        for (i = 0; i < kp_cnt; i++) {
-               pid_t p_i = kp[i].kp_proc.p_pid;
-               pid_t pp_i = kp[i].kp_eproc.e_ppid;
-               pid_t pg_i = kp[i].kp_eproc.e_pgid;
-               const char *z = (kp[i].kp_proc.p_stat == SZOMB) ? "zombie " : "";
-               const char *n = kp[i].kp_proc.p_comm;
+               struct proc_bsdshortinfo proc;
+               if (proc_pidinfo(pids[i], PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               jobmgr_assumes(jm, errno == 0);
+                       }
 
 
-               if (p_i == 0 || p_i == 1) {
+                       kp_skipped++;
+                       continue;
+               }
+               
+               pid_t p_i = pids[i];
+               pid_t pp_i = proc.pbsi_ppid;
+               pid_t pg_i = proc.pbsi_pgid;
+               const char *z = (proc.pbsi_status == SZOMB) ? "zombie " : "";
+               const char *n = proc.pbsi_comm;
+
+               if (unlikely(p_i == 0 || p_i == 1)) {
+                       kp_skipped++;
                        continue;
                }
 
                        continue;
                }
 
-               jobmgr_log(jm, LOG_WARNING, "Stray %sprocess at shutdown: PID %u PPID %u PGID %u %s", z, p_i, pp_i, pg_i, n);
+               if (_s_shutdown_monitor && pp_i == _s_shutdown_monitor->p) {
+                       kp_skipped++;
+                       continue;
+               }
+               
+               /* We might have some jobs hanging around that we've decided to shut down in spite of. */
+               job_t j = jobmgr_find_by_pid(jm, p_i, false);
+               if (!j || (j && j->anonymous)) {
+                       jobmgr_log(jm, LOG_INFO | LOG_CONSOLE, "Stray %s%s at shutdown: PID %u PPID %u PGID %u %s", z, j ? "anonymous job" : "process", p_i, pp_i, pg_i, n);
+                       
+                       int status = 0;
+                       if (pp_i == getpid() && !jobmgr_assumes(jm, proc.pbsi_status != SZOMB)) {
+                               if (jobmgr_assumes(jm, waitpid(p_i, &status, WNOHANG) == 0)) {
+                                       jobmgr_log(jm, LOG_INFO | LOG_CONSOLE, "Unreaped zombie stray exited with status %i.", WEXITSTATUS(status));
+                               }
+                               kp_skipped++;
+                       } else {
+                               job_t leader = jobmgr_find_by_pid(jm, pg_i, false);
+                               /* See rdar://problem/6745714. Some jobs have child processes that back kernel state,
+                                * so we don't want to terminate them. Long-term, I'd really like to provide shutdown
+                                * hints to the kernel along the way, so that it could shutdown certain subsystems when
+                                * their userspace emissaries go away, before the call to reboot(2).
+                                */
+                               if (leader && leader->ignore_pg_at_shutdown) {
+                                       kp_skipped++;
+                               } else {
+                                       ps[i] = p_i;
+                               }
+                       }
+               } else {
+                       kp_skipped++;
+               }
+       }
 
 
-               /*
-                * The kernel team requested that launchd not do this for Leopard.
-                * jobmgr_assumes(jm, runtime_kill(p_i, SIGKILL) != -1);
-                */
+       if ((kp_cnt - kp_skipped > 0) && kill_strays) {
+               jobmgr_kill_stray_children(jm, ps, kp_cnt - kp_skipped);
        }
 
        }
 
+       free(ps);
 out:
 out:
-       free(kp);
+       free(pids);
 }
 
 jobmgr_t 
 }
 
 jobmgr_t 
@@ -4259,13 +6345,13 @@ job_uncork_fork(job_t j)
        job_log(j, LOG_DEBUG, "Uncorking the fork().");
        /* this unblocks the child and avoids a race
         * between the above fork() and the kevent_mod() */
        job_log(j, LOG_DEBUG, "Uncorking the fork().");
        /* this unblocks the child and avoids a race
         * between the above fork() and the kevent_mod() */
-       job_assumes(j, write(j->forkfd, &c, sizeof(c)) == sizeof(c));
-       job_assumes(j, runtime_close(j->forkfd) != -1);
-       j->forkfd = 0;
+       (void)job_assumes(j, write(j->fork_fd, &c, sizeof(c)) == sizeof(c));
+       (void)job_assumes(j, runtime_close(j->fork_fd) != -1);
+       j->fork_fd = 0;
 }
 
 jobmgr_t 
 }
 
 jobmgr_t 
-jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bool sflag, const char *name)
+jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bool sflag, const char *name, bool skip_init, mach_port_t asport)
 {
        mach_msg_size_t mxmsgsz;
        job_t bootstrapper = NULL;
 {
        mach_msg_size_t mxmsgsz;
        job_t bootstrapper = NULL;
@@ -4273,19 +6359,23 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
 
        launchd_assert(offsetof(struct jobmgr_s, kqjobmgr_callback) == 0);
 
 
        launchd_assert(offsetof(struct jobmgr_s, kqjobmgr_callback) == 0);
 
-       if (jm && requestorport == MACH_PORT_NULL) {
+       if (unlikely(jm && requestorport == MACH_PORT_NULL)) {
                jobmgr_log(jm, LOG_ERR, "Mach sub-bootstrap create request requires a requester port");
                return NULL;
        }
 
                jobmgr_log(jm, LOG_ERR, "Mach sub-bootstrap create request requires a requester port");
                return NULL;
        }
 
-       jmr = calloc(1, sizeof(struct jobmgr_s) + (name ? (strlen(name) + 1) : 128));
-       
-       if (jmr == NULL) {
+       jmr = calloc(1, sizeof(struct jobmgr_s) + (name ? (strlen(name) + 1) : NAME_MAX + 1));
+
+       if (!jobmgr_assumes(jm, jmr != NULL)) {
                return NULL;
        }
 
                return NULL;
        }
 
+       if (jm == NULL) {
+               root_jobmgr = jmr;
+       }
+
        jmr->kqjobmgr_callback = jobmgr_callback;
        jmr->kqjobmgr_callback = jobmgr_callback;
-       strcpy(jmr->name, name ? name : "Under construction");
+       strcpy(jmr->name_init, name ? name : "Under construction");
 
        jmr->req_port = requestorport;
 
 
        jmr->req_port = requestorport;
 
@@ -4298,9 +6388,9 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
        }
 
        if (transfer_port != MACH_PORT_NULL) {
        }
 
        if (transfer_port != MACH_PORT_NULL) {
-               jobmgr_assumes(jmr, jm != NULL);
+               (void)jobmgr_assumes(jmr, jm != NULL);
                jmr->jm_port = transfer_port;
                jmr->jm_port = transfer_port;
-       } else if (!jm && getpid() != 1) {
+       } else if (!jm && !pid1_magic) {
                char *trusted_fd = getenv(LAUNCHD_TRUSTED_FD_ENV);
                name_t service_buf;
 
                char *trusted_fd = getenv(LAUNCHD_TRUSTED_FD_ENV);
                name_t service_buf;
 
@@ -4311,11 +6401,11 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
                }
 
                if (trusted_fd) {
                }
 
                if (trusted_fd) {
-                       int dfd, lfd = strtol(trusted_fd, NULL, 10);
+                       int dfd, lfd = (int) strtol(trusted_fd, NULL, 10);
 
                        if ((dfd = dup(lfd)) >= 0) {
 
                        if ((dfd = dup(lfd)) >= 0) {
-                               jobmgr_assumes(jmr, runtime_close(dfd) != -1);
-                               jobmgr_assumes(jmr, runtime_close(lfd) != -1);
+                               (void)jobmgr_assumes(jmr, runtime_close(dfd) != -1);
+                               (void)jobmgr_assumes(jmr, runtime_close(lfd) != -1);
                        }
 
                        unsetenv(LAUNCHD_TRUSTED_FD_ENV);
                        }
 
                        unsetenv(LAUNCHD_TRUSTED_FD_ENV);
@@ -4333,22 +6423,34 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
        }
 
        if (!name) {
        }
 
        if (!name) {
-               sprintf(jmr->name, "%u", MACH_PORT_INDEX(jmr->jm_port));
+               sprintf(jmr->name_init, "%u", MACH_PORT_INDEX(jmr->jm_port));
        }
 
        /* Sigh... at the moment, MIG has maxsize == sizeof(reply union) */
        }
 
        /* Sigh... at the moment, MIG has maxsize == sizeof(reply union) */
-       mxmsgsz = sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
+       mxmsgsz = (typeof(mxmsgsz)) sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
        if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
                mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
        }
 
        if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
                mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
        }
 
+       /* Total hacks. But the MIG server loop is too generic, and the more dynamic
+        * parts of it haven't been tested, or if they have, it was a very long time
+        * ago.
+        */
+       if (xpc_events_xpc_events_subsystem.maxsize > mxmsgsz) {
+               mxmsgsz = xpc_events_xpc_events_subsystem.maxsize;
+       }
+       if (xpc_domain_xpc_domain_subsystem.maxsize > mxmsgsz) {
+               mxmsgsz = xpc_domain_xpc_domain_subsystem.maxsize;
+       }
+
        if (!jm) {
        if (!jm) {
-               jobmgr_assumes(jmr, kevent_mod(SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, jmr) != -1);
-               jobmgr_assumes(jmr, kevent_mod(SIGUSR1, EVFILT_SIGNAL, EV_ADD, 0, 0, jmr) != -1);
-               jobmgr_assumes(jmr, kevent_mod(0, EVFILT_FS, EV_ADD, VQ_MOUNT|VQ_UNMOUNT|VQ_UPDATE, 0, jmr) != -1);
+               (void)jobmgr_assumes(jmr, kevent_mod(SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, jmr) != -1);
+               (void)jobmgr_assumes(jmr, kevent_mod(SIGUSR1, EVFILT_SIGNAL, EV_ADD, 0, 0, jmr) != -1);
+               (void)jobmgr_assumes(jmr, kevent_mod(SIGUSR2, EVFILT_SIGNAL, EV_ADD, 0, 0, jmr) != -1);
+               (void)jobmgr_assumes(jmr, kevent_mod(0, EVFILT_FS, EV_ADD, VQ_MOUNT|VQ_UNMOUNT|VQ_UPDATE, 0, jmr) != -1);
        }
 
        }
 
-       if (name) {
+       if (name && !skip_init) {
                bootstrapper = jobmgr_init_session(jmr, name, sflag);
        }
 
                bootstrapper = jobmgr_init_session(jmr, name, sflag);
        }
 
@@ -4361,11 +6463,20 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
        jobmgr_log(jmr, LOG_DEBUG, "Created job manager%s%s", jm ? " with parent: " : ".", jm ? jm->name : "");
 
        if (bootstrapper) {
        jobmgr_log(jmr, LOG_DEBUG, "Created job manager%s%s", jm ? " with parent: " : ".", jm ? jm->name : "");
 
        if (bootstrapper) {
-               jobmgr_assumes(jmr, job_dispatch(bootstrapper, true) != NULL);
+               bootstrapper->asport = asport;
+               
+               jobmgr_log(jmr, LOG_DEBUG, "Bootstrapping new job manager with audit session %u", asport);
+               (void)jobmgr_assumes(jmr, job_dispatch(bootstrapper, true) != NULL);
+       } else {
+               jmr->req_asport = asport;
+       }
+
+       if (asport != MACH_PORT_NULL) {
+               (void)jobmgr_assumes(jmr, launchd_mport_copy_send(asport) == KERN_SUCCESS);
        }
 
        if (jmr->parentmgr) {
        }
 
        if (jmr->parentmgr) {
-               runtime_add_ref();
+               runtime_add_weak_ref();
        }
 
        return jmr;
        }
 
        return jmr;
@@ -4373,10 +6484,102 @@ jobmgr_new(jobmgr_t jm, mach_port_t requestorport, mach_port_t transfer_port, bo
 out_bad:
        if (jmr) {
                jobmgr_remove(jmr);
 out_bad:
        if (jmr) {
                jobmgr_remove(jmr);
+               if (jm == NULL) {
+                       root_jobmgr = NULL;
+               }
        }
        return NULL;
 }
 
        }
        return NULL;
 }
 
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+jobmgr_t
+jobmgr_new_xpc_singleton_domain(jobmgr_t jm, name_t name)
+{
+       jobmgr_t new = NULL;
+
+       /* These job managers are basically singletons, so we use the root Mach
+        * bootstrap port as their requestor ports so they'll never go away.
+        */
+       mach_port_t req_port = root_jobmgr->jm_port;
+       if (jobmgr_assumes(jm, launchd_mport_make_send(req_port) == KERN_SUCCESS)) {
+               new = jobmgr_new(root_jobmgr, req_port, MACH_PORT_NULL, false, name, true, MACH_PORT_NULL);
+               if (new) {
+                       new->properties |= BOOTSTRAP_PROPERTY_XPC_SINGLETON;
+                       new->properties |= BOOTSTRAP_PROPERTY_XPC_DOMAIN;
+                       new->xpc_singleton = true;
+               }
+       }
+
+       return new;
+}
+
+jobmgr_t
+jobmgr_find_xpc_per_user_domain(jobmgr_t jm, uid_t uid)
+{
+       jobmgr_t jmi = NULL;
+       LIST_FOREACH(jmi, &_s_xpc_user_domains, xpc_le) {
+               if (jmi->req_euid == uid) {
+                       return jmi;
+               }
+       }
+
+       name_t name;
+       (void)snprintf(name, sizeof(name), "com.apple.xpc.domain.peruser.%u", uid);
+       jmi = jobmgr_new_xpc_singleton_domain(jm, name);
+       if (jobmgr_assumes(jm, jmi != NULL)) {
+               /* We need to create a per-user launchd for this UID if there isn't one
+                * already so we can grab the bootstrap port.
+                */
+               job_t puj = jobmgr_lookup_per_user_context_internal(NULL, uid, &jmi->req_bsport);
+               if (jobmgr_assumes(jmi, puj != NULL)) {
+                       (void)jobmgr_assumes(jmi, launchd_mport_copy_send(puj->asport) == KERN_SUCCESS);
+                       (void)jobmgr_assumes(jmi, launchd_mport_copy_send(jmi->req_bsport) == KERN_SUCCESS);
+                       jmi->shortdesc = "per-user";
+                       jmi->req_asport = puj->asport;
+                       jmi->req_asid = puj->asid;
+                       jmi->req_euid = uid;
+                       jmi->req_egid = -1;
+
+                       LIST_INSERT_HEAD(&_s_xpc_user_domains, jmi, xpc_le);
+               } else {
+                       jobmgr_remove(jmi);
+               }
+       }
+
+       return jmi;
+}
+
+jobmgr_t
+jobmgr_find_xpc_per_session_domain(jobmgr_t jm, au_asid_t asid)
+{
+       jobmgr_t jmi = NULL;
+       LIST_FOREACH(jmi, &_s_xpc_session_domains, xpc_le) {
+               if (jmi->req_asid == asid) {
+                       return jmi;
+               }
+       }
+
+       name_t name;
+       (void)snprintf(name, sizeof(name), "com.apple.xpc.domain.persession.%i", asid);
+       jmi = jobmgr_new_xpc_singleton_domain(jm, name);
+       if (jobmgr_assumes(jm, jmi != NULL)) {
+               (void)jobmgr_assumes(jmi, launchd_mport_make_send(root_jobmgr->jm_port) == KERN_SUCCESS);
+               jmi->shortdesc = "per-session";
+               jmi->req_bsport = root_jobmgr->jm_port;
+               (void)jobmgr_assumes(jmi, audit_session_port(asid, &jmi->req_asport) == 0);
+               jmi->req_asid = asid;
+               jmi->req_euid = -1;
+               jmi->req_egid = -1;
+
+               LIST_INSERT_HEAD(&_s_xpc_session_domains, jmi, xpc_le);
+       } else {
+               jobmgr_remove(jmi);
+       }
+
+       return jmi;
+}
+#endif
+
 job_t
 jobmgr_init_session(jobmgr_t jm, const char *session_type, bool sflag)
 {
 job_t
 jobmgr_init_session(jobmgr_t jm, const char *session_type, bool sflag)
 {
@@ -4386,18 +6589,30 @@ jobmgr_init_session(jobmgr_t jm, const char *session_type, bool sflag)
 
        snprintf(thelabel, sizeof(thelabel), "com.apple.launchctl.%s", session_type);
        bootstrapper = job_new(jm, thelabel, NULL, bootstrap_tool);
 
        snprintf(thelabel, sizeof(thelabel), "com.apple.launchctl.%s", session_type);
        bootstrapper = job_new(jm, thelabel, NULL, bootstrap_tool);
-       if (jobmgr_assumes(jm, bootstrapper != NULL) && (jm->parentmgr || getuid())) {
+       
+       if (jobmgr_assumes(jm, bootstrapper != NULL) && (jm->parentmgr || !pid1_magic)) {
+               bootstrapper->is_bootstrapper = true;
                char buf[100];
 
                /* <rdar://problem/5042202> launchd-201: can't ssh in with AFP OD account (hangs) */
                snprintf(buf, sizeof(buf), "0x%X:0:0", getuid());
                char buf[100];
 
                /* <rdar://problem/5042202> launchd-201: can't ssh in with AFP OD account (hangs) */
                snprintf(buf, sizeof(buf), "0x%X:0:0", getuid());
-               envitem_new(bootstrapper, "__CF_USER_TEXT_ENCODING", buf, false);
+               envitem_new(bootstrapper, "__CF_USER_TEXT_ENCODING", buf, false, false);
                bootstrapper->weird_bootstrap = true;
                bootstrapper->weird_bootstrap = true;
-               jobmgr_assumes(jm, job_setup_machport(bootstrapper));
+               (void)jobmgr_assumes(jm, job_setup_machport(bootstrapper));
+       } else if (bootstrapper && strncmp(session_type, VPROCMGR_SESSION_SYSTEM, sizeof(VPROCMGR_SESSION_SYSTEM)) == 0) {
+               bootstrapper->is_bootstrapper = true;
+               if (jobmgr_assumes(jm, pid1_magic)) {
+                       /* Have our system bootstrapper print out to the console. */
+                       bootstrapper->stdoutpath = strdup(_PATH_CONSOLE);
+                       bootstrapper->stderrpath = strdup(_PATH_CONSOLE);
+
+                       if (g_console) {
+                               (void)jobmgr_assumes(jm, kevent_mod((uintptr_t)fileno(g_console), EVFILT_VNODE, EV_ADD | EV_ONESHOT, NOTE_REVOKE, 0, jm) != -1);
+                       }
+               }
        }
 
        jm->session_initialized = true;
        }
 
        jm->session_initialized = true;
-
        return bootstrapper;
 }
 
        return bootstrapper;
 }
 
@@ -4419,14 +6634,14 @@ jobmgr_delete_anything_with_port(jobmgr_t jm, mach_port_t port)
 
        if (jm == root_jobmgr) {
                if (port == inherited_bootstrap_port) {
 
        if (jm == root_jobmgr) {
                if (port == inherited_bootstrap_port) {
-                       launchd_assumes(launchd_mport_deallocate(port) == KERN_SUCCESS);
+                       (void)jobmgr_assumes(jm, launchd_mport_deallocate(port) == KERN_SUCCESS);
                        inherited_bootstrap_port = MACH_PORT_NULL;
 
                        return jobmgr_shutdown(jm);
                }
 
                LIST_FOREACH_SAFE(ms, &port_hash[HASH_PORT(port)], port_hash_sle, next_ms) {
                        inherited_bootstrap_port = MACH_PORT_NULL;
 
                        return jobmgr_shutdown(jm);
                }
 
                LIST_FOREACH_SAFE(ms, &port_hash[HASH_PORT(port)], port_hash_sle, next_ms) {
-                       if (ms->port == port) {
+                       if (ms->port == port && !ms->recv) {
                                machservice_delete(ms->job, ms, true);
                        }
                }
                                machservice_delete(ms->job, ms, true);
                        }
                }
@@ -4437,7 +6652,7 @@ jobmgr_delete_anything_with_port(jobmgr_t jm, mach_port_t port)
        }
 
        if (jm->req_port == port) {
        }
 
        if (jm->req_port == port) {
-               jobmgr_log(jm, LOG_DEBUG, "Request port died: 0x%x", port);
+               jobmgr_log(jm, LOG_DEBUG, "Request port died: %i", MACH_PORT_INDEX(port));
                return jobmgr_shutdown(jm);
        }
 
                return jobmgr_shutdown(jm);
        }
 
@@ -4448,24 +6663,49 @@ struct machservice *
 jobmgr_lookup_service(jobmgr_t jm, const char *name, bool check_parent, pid_t target_pid)
 {
        struct machservice *ms;
 jobmgr_lookup_service(jobmgr_t jm, const char *name, bool check_parent, pid_t target_pid)
 {
        struct machservice *ms;
+       job_t target_j;
 
 
-       if (target_pid) {
-               jobmgr_assumes(jm, !check_parent);
-       }
+       jobmgr_log(jm, LOG_DEBUG, "Looking up %sservice %s", target_pid ? "per-PID " : "", name);
 
 
-       LIST_FOREACH(ms, &jm->ms_hash[hash_ms(name)], name_hash_sle) {
-               if ((target_pid && ms->per_pid && ms->job->p == target_pid) || (!target_pid && !ms->per_pid)) {
-                       if (strcmp(name, ms->name) == 0) {
+       if (target_pid) {
+               /* This is a hack to let FileSyncAgent look up per-PID Mach services from the Background
+                * bootstrap in other bootstraps.
+                */
+               
+               /* Start in the given bootstrap. */
+               if (unlikely((target_j = jobmgr_find_by_pid(jm, target_pid, false)) == NULL)) {
+                       /* If we fail, do a deep traversal. */
+                       if (unlikely((target_j = jobmgr_find_by_pid_deep(root_jobmgr, target_pid, true)) == NULL)) {
+                               jobmgr_log(jm, LOG_DEBUG, "Didn't find PID %i", target_pid);
+                               return NULL;
+                       }
+               }
+               
+               SLIST_FOREACH(ms, &target_j->machservices, sle) {
+                       if (ms->per_pid && strcmp(name, ms->name) == 0) {
                                return ms;
                        }
                }
                                return ms;
                        }
                }
-       }
 
 
-       if (jm->parentmgr == NULL) {
+               job_log(target_j, LOG_DEBUG, "Didn't find per-PID Mach service: %s", name);
                return NULL;
        }
                return NULL;
        }
+       
+       jobmgr_t where2look = jm;
+       /* XPC domains are separate from Mach bootstraps. */
+       if (!(jm->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+               if (g_flat_mach_namespace && !(jm->properties & BOOTSTRAP_PROPERTY_EXPLICITSUBSET)) {
+                       where2look = root_jobmgr;
+               }
+       }
+       
+       LIST_FOREACH(ms, &where2look->ms_hash[hash_ms(name)], name_hash_sle) {
+               if (!ms->per_pid && strcmp(name, ms->name) == 0) {
+                       return ms;
+               }
+       }
 
 
-       if (!check_parent) {
+       if (jm->parentmgr == NULL || !check_parent) {
                return NULL;
        }
 
                return NULL;
        }
 
@@ -4502,32 +6742,93 @@ machservice_name(struct machservice *ms)
        return ms->name;
 }
 
        return ms->name;
 }
 
+void
+machservice_drain_port(struct machservice *ms)
+{
+       bool drain_one = ms->drain_one_on_crash;
+       bool drain_all = ms->drain_all_on_crash;
+       
+       if (!job_assumes(ms->job, (drain_one || drain_all) == true)) {
+               return;
+       }
+
+       job_log(ms->job, LOG_INFO, "Draining %s...", ms->name);
+       
+       char req_buff[sizeof(union __RequestUnion__catch_mach_exc_subsystem) * 2];
+       char rep_buff[sizeof(union __ReplyUnion__catch_mach_exc_subsystem)];
+       mig_reply_error_t *req_hdr = (mig_reply_error_t *)&req_buff;
+       mig_reply_error_t *rep_hdr = (mig_reply_error_t *)&rep_buff;
+
+       mach_msg_return_t mr = ~MACH_MSG_SUCCESS;
+       
+       do {
+               /* This should be a direct check on the Mach service to see if it's an exception-handling
+                * port, and it will break things if ReportCrash or SafetyNet start advertising other
+                * Mach services. But for now, it should be okay.
+                */
+               if (ms->job->alt_exc_handler || ms->job->internal_exc_handler) {
+                       mr = launchd_exc_runtime_once(ms->port, sizeof(req_buff), sizeof(rep_buff), req_hdr, rep_hdr, 0);
+               } else {
+                       mach_msg_options_t options =    MACH_RCV_MSG            |
+                                                                                       MACH_RCV_TIMEOUT        ;
+
+                       mr = mach_msg((mach_msg_header_t *)req_hdr, options, 0, sizeof(req_buff), ms->port, 0, MACH_PORT_NULL);
+                       switch (mr) {
+                       case MACH_MSG_SUCCESS:
+                               mach_msg_destroy((mach_msg_header_t *)req_hdr);
+                               break;
+                       case MACH_RCV_TIMED_OUT:
+                               break;
+                       case MACH_RCV_TOO_LARGE:
+                               runtime_syslog(LOG_WARNING, "Tried to receive message that was larger than %lu bytes", sizeof(req_buff));
+                               break;
+                       default:
+                               break;
+                       }
+               }
+       } while (drain_all && mr != MACH_RCV_TIMED_OUT);
+}
+
 void
 machservice_delete(job_t j, struct machservice *ms, bool port_died)
 {
 void
 machservice_delete(job_t j, struct machservice *ms, bool port_died)
 {
-       if (ms->debug_on_close) {
+       if (ms->alias) {
+               /* HACK: Egregious code duplication. But dealing with aliases is a
+                * pretty simple affair since they can't and shouldn't have any complex
+                * behaviors associated with them.
+                */
+               LIST_REMOVE(ms, name_hash_sle);
+               SLIST_REMOVE(&j->machservices, ms, machservice, sle);
+               free(ms);
+               return;
+       }
+
+       if (unlikely(ms->debug_on_close)) {
                job_log(j, LOG_NOTICE, "About to enter kernel debugger because of Mach port: 0x%x", ms->port);
                job_log(j, LOG_NOTICE, "About to enter kernel debugger because of Mach port: 0x%x", ms->port);
-               job_assumes(j, host_reboot(mach_host_self(), HOST_REBOOT_DEBUGGER) == KERN_SUCCESS);
+               (void)job_assumes(j, host_reboot(mach_host_self(), HOST_REBOOT_DEBUGGER) == KERN_SUCCESS);
        }
 
        }
 
-       if (ms->recv && job_assumes(j, !ms->isActive)) {
-               job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
+       if (ms->recv && job_assumes(j, !machservice_active(ms))) {
+               job_log(j, LOG_DEBUG, "Closing receive right for %s", ms->name);
+               (void)job_assumes(j, launchd_mport_close_recv(ms->port) == KERN_SUCCESS);
        }
 
        }
 
-       job_assumes(j, launchd_mport_deallocate(ms->port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_deallocate(ms->port) == KERN_SUCCESS);
 
 
-       if (ms->port == the_exception_server) {
+       if (unlikely(ms->port == the_exception_server)) {
                the_exception_server = 0;
        }
 
                the_exception_server = 0;
        }
 
-       job_log(j, LOG_INFO, "Mach service deleted%s: %s", port_died ? " (port died)" : "", ms->name);
+       job_log(j, LOG_DEBUG, "Mach service deleted%s: %s", port_died ? " (port died)" : "", ms->name);
 
        if (ms->special_port_num) {
                SLIST_REMOVE(&special_ports, ms, machservice, special_port_sle);
        }
 
        if (ms->special_port_num) {
                SLIST_REMOVE(&special_ports, ms, machservice, special_port_sle);
        }
-
        SLIST_REMOVE(&j->machservices, ms, machservice, sle);
        SLIST_REMOVE(&j->machservices, ms, machservice, sle);
-       LIST_REMOVE(ms, name_hash_sle);
+
+       if (!(j->dedicated_instance || ms->event_channel)) {
+               LIST_REMOVE(ms, name_hash_sle);
+       }
        LIST_REMOVE(ms, port_hash_sle);
 
        free(ms);
        LIST_REMOVE(ms, port_hash_sle);
 
        free(ms);
@@ -4545,7 +6846,7 @@ machservice_request_notifications(struct machservice *ms)
                job_checkin(ms->job);
        }
 
                job_checkin(ms->job);
        }
 
-       job_assumes(ms->job, launchd_mport_notify_req(ms->port, which) == KERN_SUCCESS);
+       (void)job_assumes(ms->job, launchd_mport_notify_req(ms->port, which) == KERN_SUCCESS);
 }
 
 #define NELEM(x)       (sizeof(x)/sizeof(x[0]))
 }
 
 #define NELEM(x)       (sizeof(x)/sizeof(x[0]))
@@ -4607,10 +6908,16 @@ job_checkin(job_t j)
        j->checkedin = true;
 }
 
        j->checkedin = true;
 }
 
+bool job_is_god(job_t j)
+{
+       return j->embedded_special_privileges;
+}
+
 bool
 job_ack_port_destruction(mach_port_t p)
 {
        struct machservice *ms;
 bool
 job_ack_port_destruction(mach_port_t p)
 {
        struct machservice *ms;
+       job_t j;
 
        LIST_FOREACH(ms, &port_hash[HASH_PORT(p)], port_hash_sle) {
                if (ms->recv && (ms->port == p)) {
 
        LIST_FOREACH(ms, &port_hash[HASH_PORT(p)], port_hash_sle) {
                if (ms->recv && (ms->port == p)) {
@@ -4618,18 +6925,61 @@ job_ack_port_destruction(mach_port_t p)
                }
        }
 
                }
        }
 
-       if (!ms) {
+       if (!jobmgr_assumes(root_jobmgr, ms != NULL)) {
                return false;
        }
 
                return false;
        }
 
-       ms->isActive = false;
+       j = ms->job;
 
 
-       if (ms->reset) {
-               machservice_resetport(ms->job, ms);
+       jobmgr_log(root_jobmgr, LOG_DEBUG, "Receive right returned to us: %s", ms->name);
+       
+       /* Without being the exception handler, NOTE_EXIT is our only way to tell if the job 
+        * crashed, and we can't rely on NOTE_EXIT always being processed after all the job's
+        * receive rights have been returned.
+        *
+        * So when we get receive rights back, check to see if the job has been reaped yet. If
+        * not, then we add this service to a list of services to be drained on crash if it's 
+        * requested that behavior. So, for a job with N receive rights all requesting that they
+        * be drained on crash, we can safely handle the following sequence of events.
+        * 
+        * ReceiveRight0Returned
+        * ReceiveRight1Returned
+        * ReceiveRight2Returned
+        * NOTE_EXIT (reap, get exit status)
+        * ReceiveRight3Returned
+        * .
+        * .
+        * .
+        * ReceiveRight(N - 1)Returned
+        */
+       
+       if (ms->drain_one_on_crash || ms->drain_all_on_crash) {
+               if (j->crashed && j->reaped) {
+                       job_log(j, LOG_DEBUG, "Job has crashed. Draining port...");
+                       machservice_drain_port(ms);
+               } else if (!(j->crashed || j->reaped)) {
+                       job_log(j, LOG_DEBUG, "Job's exit status is still unknown. Deferring drain.");
+               }
        }
        }
-
-       job_log(ms->job, LOG_DEBUG, "Receive right returned to us: %s", ms->name);
-       job_dispatch(ms->job, false);
+       
+       /* If we get this notification after the job has been reaped, then we want to ping
+        * the event port to keep things going.
+        */
+       if (ms->event_update_port && !j->p && job_assumes(j, j->event_monitor)) {
+               if (_s_event_update_port == MACH_PORT_NULL) {
+                       (void)job_assumes(j, launchd_mport_make_send_once(ms->port, &_s_event_update_port) == KERN_SUCCESS);
+               }
+               eventsystem_ping();
+       }
+       
+       ms->isActive = false;
+       if (ms->delete_on_destruction) {
+               machservice_delete(j, ms, false);
+       } else if (ms->reset) {
+               machservice_resetport(j, ms);
+       }
+       
+       job_dispatch(j, false);
 
        root_jobmgr = jobmgr_do_garbage_collection(root_jobmgr);
 
 
        root_jobmgr = jobmgr_do_garbage_collection(root_jobmgr);
 
@@ -4641,7 +6991,7 @@ job_ack_no_senders(job_t j)
 {
        j->priv_port_has_senders = false;
 
 {
        j->priv_port_has_senders = false;
 
-       job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
+       (void)job_assumes(j, launchd_mport_close_recv(j->j_port) == KERN_SUCCESS);
        j->j_port = 0;
 
        job_log(j, LOG_DEBUG, "No more senders on privileged Mach bootstrap port");
        j->j_port = 0;
 
        job_log(j, LOG_DEBUG, "No more senders on privileged Mach bootstrap port");
@@ -4649,134 +6999,34 @@ job_ack_no_senders(job_t j)
        job_dispatch(j, false);
 }
 
        job_dispatch(j, false);
 }
 
-jobmgr_t 
-job_get_bs(job_t j)
+bool
+semaphoreitem_new(job_t j, semaphore_reason_t why, const char *what)
 {
 {
-       if (job_assumes(j, j->mgr != NULL)) {
-               return j->mgr;
+       struct semaphoreitem *si;
+       size_t alloc_sz = sizeof(struct semaphoreitem);
+
+       if (what) {
+               alloc_sz += strlen(what) + 1;
        }
 
        }
 
-       return NULL;
-}
-
-bool
-job_is_anonymous(job_t j)
-{
-       return j->anonymous;
-}
-
-void
-job_force_sampletool(job_t j)
-{
-       struct stat sb;
-       char logfile[PATH_MAX];
-       char pidstr[100];
-       char *sample_args[] = { "sample", pidstr, "1", "-mayDie", "-file", logfile, NULL };
-       char *contents = NULL;
-       int logfile_fd = -1;
-       int console_fd = -1;
-       int wstatus;
-       pid_t sp;
-
-       if (!debug_shutdown_hangs) {
-               return;
-       }
-       
-       snprintf(pidstr, sizeof(pidstr), "%u", j->p);
-       snprintf(logfile, sizeof(logfile), SHUTDOWN_LOG_DIR "/%s-%u.sample.txt", j->label, j->p);
-
-       if (!job_assumes(j, unlink(logfile) != -1 || errno == ENOENT)) {
-               goto out;
-       }
-
-       /*
-        * This will stall launchd for as long as the 'sample' tool runs.
-        *
-        * We didn't give the 'sample' tool a bootstrap port, so it therefore
-        * can't deadlock against launchd.
-        */
-       if (!job_assumes(j, (errno = posix_spawnp(&sp, sample_args[0], NULL, NULL, sample_args, environ)) == 0)) {
-               goto out;
-       }
-
-       job_log(j, LOG_DEBUG, "Waiting for 'sample' to finish.");
-
-       if (!job_assumes(j, waitpid(sp, &wstatus, 0) != -1)) {
-               goto out;
-       }
-
-       /*
-        * This won't work if the VFS or filesystems are sick:
-        * sync();
-        */
-
-       if (!job_assumes(j, WIFEXITED(wstatus) && WEXITSTATUS(wstatus) == 0)) {
-               goto out;
-       }
-
-       if (!job_assumes(j, (logfile_fd = open(logfile, O_RDONLY|O_NOCTTY)) != -1)) {
-               goto out;
-       }
-
-       if (!job_assumes(j, (console_fd = open(_PATH_CONSOLE, O_WRONLY|O_APPEND|O_NOCTTY)) != -1)) {
-               goto out;
-       }
-
-       if (!job_assumes(j, fstat(logfile_fd, &sb) != -1)) {
-               goto out;
-       }
-
-       contents = malloc(sb.st_size);
-
-       if (!job_assumes(j, contents != NULL)) {
-               goto out;
-       }
-
-       if (!job_assumes(j, read(logfile_fd, contents, sb.st_size) == sb.st_size)) {
-               goto out;
-       }
-
-       job_assumes(j, write(console_fd, contents, sb.st_size) == sb.st_size);
-
-out:
-       if (contents) {
-               free(contents);
-       }
-
-       if (logfile_fd != -1) {
-               job_assumes(j, runtime_fsync(logfile_fd) != -1);
-               job_assumes(j, runtime_close(logfile_fd) != -1);
-       }
-
-       if (console_fd != -1) {
-               job_assumes(j, runtime_close(console_fd) != -1);
-       }
-
-       job_log(j, LOG_DEBUG, "Finished sampling.");
-}
-
-bool
-semaphoreitem_new(job_t j, semaphore_reason_t why, const char *what)
-{
-       struct semaphoreitem *si;
-       size_t alloc_sz = sizeof(struct semaphoreitem);
-
-       if (what) {
-               alloc_sz += strlen(what) + 1;
-       }
-
-       if (!job_assumes(j, si = calloc(1, alloc_sz))) {
-               return false;
-       }
+       if (!job_assumes(j, si = calloc(1, alloc_sz))) {
+               return false;
+       }
 
        si->fd = -1;
        si->why = why;
 
        if (what) {
 
        si->fd = -1;
        si->why = why;
 
        if (what) {
-               strcpy(si->what, what);
+               strcpy(si->what_init, what);
        }
 
        SLIST_INSERT_HEAD(&j->semaphores, si, sle);
        }
 
        SLIST_INSERT_HEAD(&j->semaphores, si, sle);
+       
+       if ((why == OTHER_JOB_ENABLED || why == OTHER_JOB_DISABLED) && !j->nosy) {
+               job_log(j, LOG_DEBUG, "Job is interested in \"%s\".", what);
+               SLIST_INSERT_HEAD(&s_curious_jobs, j, curious_jobs_sle);
+               j->nosy = true;
+       }
 
        semaphoreitem_runtime_mod_ref(si, true);
 
 
        semaphoreitem_runtime_mod_ref(si, true);
 
@@ -4804,9 +7054,9 @@ semaphoreitem_runtime_mod_ref(struct semaphoreitem *si, bool add)
        }
 
        if (add) {
        }
 
        if (add) {
-               runtime_add_ref();
+               runtime_add_weak_ref();
        } else {
        } else {
-               runtime_del_ref();
+               runtime_del_weak_ref();
        }
 }
 
        }
 }
 
@@ -4818,9 +7068,15 @@ semaphoreitem_delete(job_t j, struct semaphoreitem *si)
        SLIST_REMOVE(&j->semaphores, si, semaphoreitem, sle);
 
        if (si->fd != -1) {
        SLIST_REMOVE(&j->semaphores, si, semaphoreitem, sle);
 
        if (si->fd != -1) {
-               job_assumes(j, runtime_close(si->fd) != -1);
+               (void)job_assumes(j, runtime_close(si->fd) != -1);
        }
        }
-
+       
+       /* We'll need to rethink this if it ever becomes possible to dynamically add or remove semaphores. */
+       if ((si->why == OTHER_JOB_ENABLED || si->why == OTHER_JOB_DISABLED) && j->nosy) {
+               j->nosy = false;
+               SLIST_REMOVE(&s_curious_jobs, j, job_s, curious_jobs_sle);
+       }
+       
        free(si);
 }
 
        free(si);
 }
 
@@ -4851,8 +7107,14 @@ semaphoreitem_setup(launch_data_t obj, const char *key, void *context)
                        why = launch_data_get_bool(obj) ? SUCCESSFUL_EXIT : FAILED_EXIT;
                        semaphoreitem_new(j, why, NULL);
                        j->start_pending = true;
                        why = launch_data_get_bool(obj) ? SUCCESSFUL_EXIT : FAILED_EXIT;
                        semaphoreitem_new(j, why, NULL);
                        j->start_pending = true;
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE_AFTERINITIALDEMAND) == 0) {
+                       j->needs_kickoff = launch_data_get_bool(obj);
+               } else if (strcasecmp(key, LAUNCH_JOBKEY_KEEPALIVE_CRASHED) == 0) {
+                       why = launch_data_get_bool(obj) ? CRASHED : DID_NOT_CRASH;
+                       semaphoreitem_new(j, why, NULL);
+                       j->start_pending = true;
                } else {
                } else {
-                       job_assumes(j, false);
+                       (void)job_assumes(j, false);
                }
                break;
        case LAUNCH_DATA_DICTIONARY:
                }
                break;
        case LAUNCH_DATA_DICTIONARY:
@@ -4866,18 +7128,163 @@ semaphoreitem_setup(launch_data_t obj, const char *key, void *context)
                        sdic.why_true = OTHER_JOB_ENABLED;
                        sdic.why_false = OTHER_JOB_DISABLED;
                } else {
                        sdic.why_true = OTHER_JOB_ENABLED;
                        sdic.why_false = OTHER_JOB_DISABLED;
                } else {
-                       job_assumes(j, false);
+                       (void)job_assumes(j, false);
                        break;
                }
 
                launch_data_dict_iterate(obj, semaphoreitem_setup_dict_iter, &sdic);
                break;
        default:
                        break;
                }
 
                launch_data_dict_iterate(obj, semaphoreitem_setup_dict_iter, &sdic);
                break;
        default:
-               job_assumes(j, false);
+               (void)job_assumes(j, false);
                break;
        }
 }
 
                break;
        }
 }
 
+bool
+externalevent_new(job_t j, struct eventsystem *sys, char *evname, launch_data_t event)
+{
+       struct externalevent *ee = (struct externalevent *)calloc(1, sizeof(struct externalevent) + strlen(evname) + 1);
+       if (job_assumes(j, ee != NULL)) {
+               ee->event = launch_data_copy(event);
+               if (job_assumes(j, ee->event != NULL)) {
+                       strcpy(ee->name, evname);
+                       ee->job = j;
+                       ee->id = sys->curid;
+                       ee->sys = sys;
+                       ee->state = false;
+                       ee->wanted_state = true;
+                       sys->curid++;
+                       
+                       LIST_INSERT_HEAD(&j->events, ee, job_le);
+                       LIST_INSERT_HEAD(&sys->events, ee, sys_le);
+                       
+                       job_log(j, LOG_DEBUG, "New event: %s:%s", sys->name, evname);
+               } else {
+                       free(ee);
+                       ee = NULL;
+               }
+       }
+
+       eventsystem_ping();
+       return ee;
+}
+
+void
+externalevent_delete(struct externalevent *ee)
+{
+       launch_data_free(ee->event);
+       LIST_REMOVE(ee, job_le);
+       LIST_REMOVE(ee, sys_le);
+       
+       free(ee);
+
+       eventsystem_ping();
+}
+
+void
+externalevent_setup(launch_data_t obj, const char *key, void *context)
+{
+       struct externalevent_iter_ctx *ctx = (struct externalevent_iter_ctx *)context;
+       (void)job_assumes(ctx->j, externalevent_new(ctx->j, ctx->sys, (char *)key, obj));
+}
+
+struct externalevent *
+externalevent_find(const char *sysname, uint64_t id)
+{
+       struct externalevent *ei = NULL;
+       
+       struct eventsystem *es = eventsystem_find(sysname);
+       if (launchd_assumes(es != NULL)) {
+               LIST_FOREACH(ei, &es->events, sys_le) {
+                       if (ei->id == id) {
+                               break;
+                       }
+               }
+       }
+       
+       return ei;
+}
+
+struct eventsystem *
+eventsystem_new(const char *name)
+{
+       struct eventsystem *es = (struct eventsystem *)calloc(1, sizeof(struct eventsystem) + strlen(name) + 1);
+       if (launchd_assumes(es != NULL)) {
+               strcpy(es->name, name);
+               LIST_INSERT_HEAD(&_s_event_systems, es, global_le);
+       }
+
+       return es;
+}
+
+void
+eventsystem_delete(struct eventsystem *es)
+{
+       struct externalevent *ei = NULL;
+       while ((ei = LIST_FIRST(&es->events))) {
+               externalevent_delete(ei);
+       }
+       
+       LIST_REMOVE(es, global_le);
+       
+       free(es);
+}
+
+void
+eventsystem_setup(launch_data_t obj, const char *key, void *context)
+{
+       job_t j = (job_t)context;
+       if (!job_assumes(j, launch_data_get_type(obj) == LAUNCH_DATA_DICTIONARY)) {
+               return;
+       }
+       
+       struct eventsystem *sys = eventsystem_find(key);
+       if (unlikely(sys == NULL)) {
+               sys = eventsystem_new(key);
+               job_log(j, LOG_DEBUG, "New event system: %s", key);
+       }
+       
+       if (job_assumes(j, sys != NULL)) {
+               struct externalevent_iter_ctx ctx = {
+                       .j = j,
+                       .sys = sys,
+               };
+               launch_data_dict_iterate(obj, externalevent_setup, &ctx);
+               sys->has_updates = true;
+       }
+}
+
+struct eventsystem *
+eventsystem_find(const char *name)
+{
+       struct eventsystem *esi = NULL;
+       LIST_FOREACH(esi, &_s_event_systems, global_le) {
+               if (strcmp(name, esi->name) == 0) {
+                       break;
+               }
+       }
+       
+       return esi;
+}
+
+void
+eventsystem_ping(void)
+{
+       /* We don't wrap this in an assumes() macro because we could potentially
+        * call this function many times before the helper job gets back to us
+        * and gives us another send-once right. So if it's MACH_PORT_NULL, that
+        * means that we've sent a ping, but the helper hasn't yet checked in to
+        * get the new set of notifications.
+        */
+       if (_s_event_update_port != MACH_PORT_NULL) {
+               kern_return_t kr = helper_downcall_ping(_s_event_update_port);
+               if (kr != KERN_SUCCESS) {
+                       runtime_syslog(LOG_NOTICE, "helper_downcall_ping(): kr = 0x%x", kr);
+               }
+               _s_event_update_port = MACH_PORT_NULL;
+       }
+}
+
 void
 jobmgr_dispatch_all_semaphores(jobmgr_t jm)
 {
 void
 jobmgr_dispatch_all_semaphores(jobmgr_t jm)
 {
@@ -5068,33 +7475,86 @@ cronemu_min(struct tm *wtm, int min)
        return true;
 }
 
        return true;
 }
 
+kern_return_t
+job_mig_setup_shmem(job_t j, mach_port_t *shmem_port)
+{
+       memory_object_size_t size_of_page, size_of_page_orig;
+       vm_address_t vm_addr;
+       kern_return_t kr;
+
+       if (!launchd_assumes(j != NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+
+       if (unlikely(j->anonymous)) {
+               job_log(j, LOG_DEBUG, "Anonymous job tried to setup shared memory");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+       if (unlikely(j->shmem)) {
+               job_log(j, LOG_ERR, "Tried to setup shared memory more than once");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+       size_of_page_orig = size_of_page = getpagesize();
+
+       kr = vm_allocate(mach_task_self(), &vm_addr, size_of_page, true);
+
+       if (!job_assumes(j, kr == 0)) {
+               return kr;
+       }
+
+       j->shmem = (typeof(j->shmem))vm_addr;
+       j->shmem->vp_shmem_standby_timeout = j->timeout;
+
+       kr = mach_make_memory_entry_64(mach_task_self(), &size_of_page,
+                       (memory_object_offset_t)vm_addr, VM_PROT_READ|VM_PROT_WRITE, shmem_port, 0);
+
+       if (job_assumes(j, kr == 0)) {
+               (void)job_assumes(j, size_of_page == size_of_page_orig);
+       }
+
+       /* no need to inherit this in child processes */
+       (void)job_assumes(j, vm_inherit(mach_task_self(), (vm_address_t)j->shmem, size_of_page_orig, VM_INHERIT_NONE) == 0);
+
+       return kr;
+}
+
 kern_return_t
 job_mig_create_server(job_t j, cmd_t server_cmd, uid_t server_uid, boolean_t on_demand, mach_port_t *server_portp)
 {
 kern_return_t
 job_mig_create_server(job_t j, cmd_t server_cmd, uid_t server_uid, boolean_t on_demand, mach_port_t *server_portp)
 {
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        job_t js;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        job_t js;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
+       if (unlikely(j->deny_job_creation)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+#if HAVE_SANDBOX
+       const char **argv = (const char **)mach_cmd2argv(server_cmd);
+       if (unlikely(argv == NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_PATH, argv[0]) > 0)) {
+               free(argv);
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       free(argv);
+#endif
 
        job_log(j, LOG_DEBUG, "Server create attempt: %s", server_cmd);
 
 
        job_log(j, LOG_DEBUG, "Server create attempt: %s", server_cmd);
 
-#define LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
-       /* XXX - This code should go away once the per session launchd is integrated with the rest of the system */
-#ifdef LET_MERE_MORTALS_ADD_SERVERS_TO_PID1
-       if (getpid() == 1) {
-               if (ldc.euid && server_uid && (ldc.euid != server_uid)) {
-                       job_log(j, LOG_WARNING, "Server create: \"%s\": Will run as UID %d, not UID %d as they told us to",
-                                       server_cmd, ldc.euid, server_uid);
-                       server_uid = ldc.euid;
+       if (pid1_magic) {
+               if (ldc->euid || ldc->uid) {
+                       job_log(j, LOG_WARNING, "Server create attempt moved to per-user launchd: %s", server_cmd);
+                       return VPROC_ERR_TRY_PER_USER;
                }
                }
-       } else
-#endif
-       if (getuid()) {
-               if (server_uid != getuid()) {
+       } else {
+               if (unlikely(server_uid != getuid())) {
                        job_log(j, LOG_WARNING, "Server create: \"%s\": As UID %d, we will not be able to switch to UID %d",
                                        server_cmd, getuid(), server_uid);
                }
                        job_log(j, LOG_WARNING, "Server create: \"%s\": As UID %d, we will not be able to switch to UID %d",
                                        server_cmd, getuid(), server_uid);
                }
@@ -5103,7 +7563,7 @@ job_mig_create_server(job_t j, cmd_t server_cmd, uid_t server_uid, boolean_t on_
 
        js = job_new_via_mach_init(j, server_cmd, server_uid, on_demand);
 
 
        js = job_new_via_mach_init(j, server_cmd, server_uid, on_demand);
 
-       if (js == NULL) {
+       if (unlikely(js == NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
                return BOOTSTRAP_NO_MEMORY;
        }
 
@@ -5114,23 +7574,39 @@ job_mig_create_server(job_t j, cmd_t server_cmd, uid_t server_uid, boolean_t on_
 kern_return_t
 job_mig_send_signal(job_t j, mach_port_t srp, name_t targetlabel, int sig)
 {
 kern_return_t
 job_mig_send_signal(job_t j, mach_port_t srp, name_t targetlabel, int sig)
 {
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        job_t otherj;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        job_t otherj;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-       if (ldc.euid != 0 && ldc.euid != getuid()) {
+       if (unlikely(ldc->euid != 0 && ldc->euid != getuid()) || j->deny_job_creation) {
+       #if TARGET_OS_EMBEDDED  
+               if (!j->embedded_special_privileges) {
+                       return BOOTSTRAP_NOT_PRIVILEGED;
+               }
+       #else
                return BOOTSTRAP_NOT_PRIVILEGED;
                return BOOTSTRAP_NOT_PRIVILEGED;
+       #endif
        }
 
        }
 
-       if (!(otherj = job_find(targetlabel))) {
+#if HAVE_SANDBOX
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif
+       
+       if (unlikely(!(otherj = job_find(NULL, targetlabel)))) {
                return BOOTSTRAP_UNKNOWN_SERVICE;
        }
 
                return BOOTSTRAP_UNKNOWN_SERVICE;
        }
 
+#if TARGET_OS_EMBEDDED
+       if (j->embedded_special_privileges && strcmp(j->username, otherj->username) != 0) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif 
+
        if (sig == VPROC_MAGIC_UNLOAD_SIGNAL) {
                bool do_block = otherj->p;
 
        if (sig == VPROC_MAGIC_UNLOAD_SIGNAL) {
                bool do_block = otherj->p;
 
@@ -5143,13 +7619,33 @@ job_mig_send_signal(job_t j, mach_port_t srp, name_t targetlabel, int sig)
                if (do_block) {
                        job_log(j, LOG_DEBUG, "Blocking MIG return of job_remove(): %s", otherj->label);
                        /* this is messy. We shouldn't access 'otherj' after job_remove(), but we check otherj->p first... */
                if (do_block) {
                        job_log(j, LOG_DEBUG, "Blocking MIG return of job_remove(): %s", otherj->label);
                        /* this is messy. We shouldn't access 'otherj' after job_remove(), but we check otherj->p first... */
-                       job_assumes(otherj, waiting4removal_new(otherj, srp));
+                       (void)job_assumes(otherj, waiting4removal_new(otherj, srp));
                        return MIG_NO_REPLY;
                } else {
                        return 0;
                }
                        return MIG_NO_REPLY;
                } else {
                        return 0;
                }
+       } else if (sig == VPROC_MAGIC_TRYKILL_SIGNAL) {
+               if (!j->kill_via_shmem) {
+                       return BOOTSTRAP_NOT_PRIVILEGED;
+               }
+
+               if (!j->shmem) {
+                       j->sent_kill_via_shmem = true;
+                       (void)job_assumes(j, runtime_kill(otherj->p, SIGKILL) != -1);
+                       return 0;
+               }
+
+#if !TARGET_OS_EMBEDDED
+               if (__sync_bool_compare_and_swap(&j->shmem->vp_shmem_transaction_cnt, 0, -1)) {
+                       j->shmem->vp_shmem_flags |= VPROC_SHMEM_EXITING;
+                       j->sent_kill_via_shmem = true;
+                       (void)job_assumes(j, runtime_kill(otherj->p, SIGKILL) != -1);
+                       return 0;
+               }
+#endif
+               return BOOTSTRAP_NOT_PRIVILEGED;
        } else if (otherj->p) {
        } else if (otherj->p) {
-               job_assumes(j, runtime_kill(otherj->p, sig) != -1);
+               (void)job_assumes(j, runtime_kill(otherj->p, sig) != -1);
        }
 
        return 0;
        }
 
        return 0;
@@ -5158,7 +7654,7 @@ job_mig_send_signal(job_t j, mach_port_t srp, name_t targetlabel, int sig)
 kern_return_t
 job_mig_log_forward(job_t j, vm_offset_t inval, mach_msg_type_number_t invalCnt)
 {
 kern_return_t
 job_mig_log_forward(job_t j, vm_offset_t inval, mach_msg_type_number_t invalCnt)
 {
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
@@ -5168,23 +7664,19 @@ job_mig_log_forward(job_t j, vm_offset_t inval, mach_msg_type_number_t invalCnt)
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-       return runtime_log_forward(ldc.euid, ldc.egid, inval, invalCnt);
+       return runtime_log_forward(ldc->euid, ldc->egid, inval, invalCnt);
 }
 
 kern_return_t
 job_mig_log_drain(job_t j, mach_port_t srp, vm_offset_t *outval, mach_msg_type_number_t *outvalCnt)
 {
 }
 
 kern_return_t
 job_mig_log_drain(job_t j, mach_port_t srp, vm_offset_t *outval, mach_msg_type_number_t *outvalCnt)
 {
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-       if (ldc.euid) {
+       if (unlikely(ldc->euid)) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
@@ -5192,27 +7684,21 @@ job_mig_log_drain(job_t j, mach_port_t srp, vm_offset_t *outval, mach_msg_type_n
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey,
-               vm_offset_t inval, mach_msg_type_number_t invalCnt,
-               vm_offset_t *outval, mach_msg_type_number_t *outvalCnt) 
+job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, vm_offset_t inval, mach_msg_type_number_t invalCnt, vm_offset_t *outval, mach_msg_type_number_t *outvalCnt)
 {
        const char *action;
 {
        const char *action;
-       launch_data_t input_obj, output_obj;
+       launch_data_t input_obj = NULL, output_obj = NULL;
        size_t data_offset = 0;
        size_t packed_size;
        size_t data_offset = 0;
        size_t packed_size;
-       struct ldcred ldc;
-
-       runtime_get_caller_creds(&ldc);
+       struct ldcred *ldc = runtime_get_caller_creds();
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
-
-       if (inkey && ldc.euid && ldc.euid != getuid()) {
+       if (unlikely(inkey && ldc->euid && ldc->euid != getuid())) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
-
-       if (inkey && outkey && !job_assumes(j, inkey == outkey)) {
+       if (unlikely(inkey && outkey && !job_assumes(j, inkey == outkey))) {
                return 1;
        }
 
                return 1;
        }
 
@@ -5232,7 +7718,11 @@ job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey,
                return 1;
        }
 
                return 1;
        }
 
-       if (invalCnt && !job_assumes(j, (input_obj = launch_data_unpack((void *)inval, invalCnt, NULL, 0, &data_offset, NULL)) != NULL)) {
+       /* Note to future maintainers: launch_data_unpack() does NOT return a heap object. The data
+        * is decoded in-place. So do not call launch_data_free() on input_obj.
+        */
+       runtime_ktrace0(RTKT_LAUNCHD_DATA_UNPACK);
+       if (unlikely(invalCnt && !job_assumes(j, (input_obj = launch_data_unpack((void *)inval, invalCnt, NULL, 0, &data_offset, NULL)) != NULL))) {
                goto out_bad;
        }
 
                goto out_bad;
        }
 
@@ -5242,6 +7732,7 @@ job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey,
                        goto out_bad;
                }
                jobmgr_export_env_from_other_jobs(j->mgr, output_obj);
                        goto out_bad;
                }
                jobmgr_export_env_from_other_jobs(j->mgr, output_obj);
+               runtime_ktrace0(RTKT_LAUNCHD_DATA_PACK);
                if (!job_assumes(j, launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL) != 0)) {
                        goto out_bad;
                }
                if (!job_assumes(j, launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL) != 0)) {
                        goto out_bad;
                }
@@ -5252,10 +7743,46 @@ job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey,
                        goto out_bad;
                }
                ipc_revoke_fds(output_obj);
                        goto out_bad;
                }
                ipc_revoke_fds(output_obj);
+               runtime_ktrace0(RTKT_LAUNCHD_DATA_PACK);
+               packed_size = launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL);
+               if (!job_assumes(j, packed_size != 0)) {
+                       goto out_bad;
+               }
+               launch_data_free(output_obj);
+               break;
+       case VPROC_GSK_MGR_NAME:
+               if (!job_assumes(j, (output_obj = launch_data_new_string(j->mgr->name)) != NULL)) {
+                       goto out_bad;
+               }
+               packed_size = launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL);
+               if (!job_assumes(j, packed_size != 0)) {
+                       goto out_bad;
+               }
+               
+               launch_data_free(output_obj);
+               break;
+       case VPROC_GSK_JOB_OVERRIDES_DB:
+               if (!job_assumes(j, (output_obj = launch_data_new_string(launchd_data_base_path(LAUNCHD_DB_TYPE_OVERRIDES))) != NULL)) {
+                       goto out_bad;
+               }
+               packed_size = launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL);
+               if (!job_assumes(j, packed_size != 0)) {
+                       goto out_bad;
+               }
+               
+               launch_data_free(output_obj);
+               break;
+       case VPROC_GSK_JOB_CACHE_DB:
+               if (!job_assumes(j, (output_obj = launch_data_new_string(launchd_data_base_path(LAUNCHD_DB_TYPE_JOBCACHE))) != NULL)) {
+                       goto out_bad;
+               }
                packed_size = launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL);
                if (!job_assumes(j, packed_size != 0)) {
                        goto out_bad;
                }
                packed_size = launch_data_pack(output_obj, (void *)*outval, *outvalCnt, NULL, NULL);
                if (!job_assumes(j, packed_size != 0)) {
                        goto out_bad;
                }
+               
+               job_log(j, LOG_DEBUG, "Location of job cache database: %s", launch_data_get_string(output_obj));
+               
                launch_data_free(output_obj);
                break;
        case 0:
                launch_data_free(output_obj);
                break;
        case 0:
@@ -5268,23 +7795,32 @@ job_mig_swap_complex(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey,
        }
 
        if (invalCnt) switch (inkey) {
        }
 
        if (invalCnt) switch (inkey) {
-       case VPROC_GSK_ENVIRONMENT:
-               job_assumes(j, false);
-               break;
-       case 0:
-               break;
-       default:
-               goto out_bad;
+               case VPROC_GSK_ENVIRONMENT:     
+                       if (launch_data_get_type(input_obj) == LAUNCH_DATA_DICTIONARY) {
+                               if (j->p) {
+                                       job_log(j, LOG_INFO, "Setting environment for a currently active job. This environment will take effect on the next invocation of the job.");
+                               }
+                               launch_data_dict_iterate(input_obj, envitem_setup_one_shot, j);
+                       }
+                       break;
+               case 0:
+                       break;
+               default:
+                       goto out_bad;
        }
        }
-
+       
        mig_deallocate(inval, invalCnt);
        mig_deallocate(inval, invalCnt);
-
        return 0;
        return 0;
-
+       
 out_bad:
 out_bad:
+       mig_deallocate(inval, invalCnt);
        if (*outval) {
                mig_deallocate(*outval, *outvalCnt);
        }
        if (*outval) {
                mig_deallocate(*outval, *outvalCnt);
        }
+       if (output_obj) {
+               launch_data_free(output_obj);
+       }
+       
        return 1;
 }
 
        return 1;
 }
 
@@ -5293,20 +7829,18 @@ job_mig_swap_integer(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, int64_t inv
 {
        const char *action;
        kern_return_t kr = 0;
 {
        const char *action;
        kern_return_t kr = 0;
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        int oldmask;
 
        int oldmask;
 
-       runtime_get_caller_creds(&ldc);
-
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       if (inkey && ldc.euid && ldc.euid != getuid()) {
+       if (unlikely(inkey && ldc->euid && ldc->euid != getuid())) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       if (inkey && outkey && !job_assumes(j, inkey == outkey)) {
+       if (unlikely(inkey && outkey && !job_assumes(j, inkey == outkey))) {
                return 1;
        }
 
                return 1;
        }
 
@@ -5321,6 +7855,9 @@ job_mig_swap_integer(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, int64_t inv
        job_log(j, LOG_DEBUG, "%s key: %u", action, inkey ? inkey : outkey);
 
        switch (outkey) {
        job_log(j, LOG_DEBUG, "%s key: %u", action, inkey ? inkey : outkey);
 
        switch (outkey) {
+       case VPROC_GSK_ABANDON_PROCESS_GROUP:
+               *outval = j->abandon_pg;
+               break;
        case VPROC_GSK_LAST_EXIT_STATUS:
                *outval = j->last_exit_status;
                break;
        case VPROC_GSK_LAST_EXIT_STATUS:
                *outval = j->last_exit_status;
                break;
@@ -5355,6 +7892,16 @@ job_mig_swap_integer(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, int64_t inv
                *outval = oldmask;
                umask(oldmask);
                break;
                *outval = oldmask;
                umask(oldmask);
                break;
+       case VPROC_GSK_TRANSACTIONS_ENABLED:
+               job_log(j, LOG_DEBUG, "Reading transaction model status.");
+               *outval = j->kill_via_shmem;
+               break;
+       case VPROC_GSK_WAITFORDEBUGGER:
+               *outval = j->wait4debugger;
+               break;
+       case VPROC_GSK_EMBEDDEDROOTEQUIVALENT:
+               *outval = j->embedded_special_privileges;
+               break;
        case 0:
                *outval = 0;
                break;
        case 0:
                *outval = 0;
                break;
@@ -5364,47 +7911,155 @@ job_mig_swap_integer(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, int64_t inv
        }
 
        switch (inkey) {
        }
 
        switch (inkey) {
+       case VPROC_GSK_ABANDON_PROCESS_GROUP:
+               j->abandon_pg = (bool)inval;
+               break;
        case VPROC_GSK_GLOBAL_ON_DEMAND:
        case VPROC_GSK_GLOBAL_ON_DEMAND:
+               job_log(j, LOG_DEBUG, "Job is setting global on-demand mode to %s (j->forced_peers_to_demand_mode = %s)", (bool)inval ? "true" : "false", j->forced_peers_to_demand_mode ? "true" : "false");
                kr = job_set_global_on_demand(j, (bool)inval) ? 0 : 1;
                break;
        case VPROC_GSK_BASIC_KEEPALIVE:
                j->ondemand = !inval;
                break;
        case VPROC_GSK_START_INTERVAL:
                kr = job_set_global_on_demand(j, (bool)inval) ? 0 : 1;
                break;
        case VPROC_GSK_BASIC_KEEPALIVE:
                j->ondemand = !inval;
                break;
        case VPROC_GSK_START_INTERVAL:
-               if ((uint64_t)inval > UINT32_MAX) {
+               if (inval > UINT32_MAX || inval < 0) {
                        kr = 1;
                } else if (inval) {
                        if (j->start_interval == 0) {
                        kr = 1;
                } else if (inval) {
                        if (j->start_interval == 0) {
-                               runtime_add_ref();
-                       } else {
-                               /* Workaround 5225889 */
-                               job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_DELETE, 0, 0, j) != -1);
+                               runtime_add_weak_ref();
                        }
                        }
-                       j->start_interval = inval;
-                       job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, j->start_interval, j) != -1);
+                       j->start_interval = (typeof(j->start_interval)) inval;
+                       (void)job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_ADD, NOTE_SECONDS, j->start_interval, j) != -1);
                } else if (j->start_interval) {
                } else if (j->start_interval) {
-                       job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_DELETE, 0, 0, NULL) != -1);
+                       (void)job_assumes(j, kevent_mod((uintptr_t)&j->start_interval, EVFILT_TIMER, EV_DELETE, 0, 0, NULL) != -1);
                        if (j->start_interval != 0) {
                        if (j->start_interval != 0) {
-                               runtime_del_ref();
+                               runtime_del_weak_ref();
                        }
                        j->start_interval = 0;
                }
                break;
        case VPROC_GSK_IDLE_TIMEOUT:
                        }
                        j->start_interval = 0;
                }
                break;
        case VPROC_GSK_IDLE_TIMEOUT:
-               if ((unsigned int)inval > 0) {
-                       j->timeout = inval;
+               if (inval < 0 || inval > UINT32_MAX) {
+                       kr = 1;
+               } else {
+                       j->timeout = (typeof(j->timeout)) inval;
                }
                break;
        case VPROC_GSK_EXIT_TIMEOUT:
                }
                break;
        case VPROC_GSK_EXIT_TIMEOUT:
-               if ((unsigned int)inval > 0) {
-                       j->exit_timeout = inval;
+               if (inval < 0 || inval > UINT32_MAX) {
+                       kr = 1;
+               } else {
+                       j->exit_timeout = (typeof(j->exit_timeout)) inval;
                }
                break;
        case VPROC_GSK_GLOBAL_LOG_MASK:
                }
                break;
        case VPROC_GSK_GLOBAL_LOG_MASK:
-               runtime_setlogmask(inval);
+               if (inval < 0 || inval > UINT32_MAX) {
+                       kr = 1;
+               } else {
+                       runtime_setlogmask((int) inval);
+               }
                break;
        case VPROC_GSK_GLOBAL_UMASK:
                break;
        case VPROC_GSK_GLOBAL_UMASK:
-               umask(inval);
+               launchd_assert(sizeof (mode_t) == 2);
+               if (inval < 0 || inval > UINT16_MAX) {
+                       kr = 1;
+               } else {
+#if HAVE_SANDBOX
+                       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+                               kr = 1;
+                       } else {
+                               umask((mode_t) inval);
+                       }
+#endif
+               }
+               break;
+       case VPROC_GSK_TRANSACTIONS_ENABLED:
+               if (!job_assumes(j, inval != 0)) {
+                       job_log(j, LOG_WARNING, "Attempt to unregister from transaction model. This is not supported.");
+                       kr = 1;
+               } else {
+                       j->kill_via_shmem = (bool)inval;
+               }
+               break;
+       case VPROC_GSK_WEIRD_BOOTSTRAP:
+               if (job_assumes(j, j->weird_bootstrap)) {
+                       job_log(j, LOG_DEBUG, "Unsetting weird bootstrap.");
+                       
+                       mach_msg_size_t mxmsgsz = (typeof(mxmsgsz)) sizeof(union __RequestUnion__job_mig_protocol_vproc_subsystem);
+                       
+                       if (job_mig_protocol_vproc_subsystem.maxsize > mxmsgsz) {
+                               mxmsgsz = job_mig_protocol_vproc_subsystem.maxsize;
+                       }
+                       
+                       (void)job_assumes(j, runtime_add_mport(j->mgr->jm_port, protocol_vproc_server, mxmsgsz) == KERN_SUCCESS);
+                       j->weird_bootstrap = false;
+               }
+               break;
+       case VPROC_GSK_WAITFORDEBUGGER:
+               j->wait4debugger_oneshot = inval;
+               break;
+       case VPROC_GSK_PERUSER_SUSPEND:
+               if (job_assumes(j, pid1_magic && ldc->euid == 0)) {
+                       mach_port_t junk = MACH_PORT_NULL;
+                       job_t jpu = jobmgr_lookup_per_user_context_internal(j, (uid_t)inval, &junk);
+                       if (job_assumes(j, jpu != NULL)) {
+                               struct suspended_peruser *spi = NULL;
+                               LIST_FOREACH(spi, &j->suspended_perusers, sle) {
+                                       if ((int64_t)(spi->j->mach_uid) == inval) {
+                                               job_log(j, LOG_WARNING, "Job tried to suspend per-user launchd for UID %lli twice.", inval);
+                                               break;
+                                       }
+                               }
+
+                               if (spi == NULL) {
+                                       job_log(j, LOG_INFO, "Job is suspending the per-user launchd for UID %lli.", inval);
+                                       spi = (struct suspended_peruser *)calloc(sizeof(struct suspended_peruser), 1);
+                                       if (job_assumes(j, spi != NULL)) {
+                                               /* Stop listening for events.
+                                                *
+                                                * See <rdar://problem/9014146>.
+                                                */
+                                               if (jpu->peruser_suspend_count == 0) {
+                                                       job_ignore(jpu);
+                                               }
+
+                                               spi->j = jpu;
+                                               spi->j->peruser_suspend_count++;
+                                               LIST_INSERT_HEAD(&j->suspended_perusers, spi, sle);
+                                               job_stop(spi->j);
+                                               *outval = jpu->p;
+                                       } else {
+                                               kr = BOOTSTRAP_NO_MEMORY;
+                                       }
+                               }
+                       }
+               } else {
+                       kr = 1;
+               }
+               break;
+       case VPROC_GSK_PERUSER_RESUME:
+               if (job_assumes(j, pid1_magic == true)) {
+                       struct suspended_peruser *spi = NULL, *spt = NULL;
+                       LIST_FOREACH_SAFE(spi, &j->suspended_perusers, sle, spt) {
+                               if ((int64_t)(spi->j->mach_uid) == inval) {
+                                       spi->j->peruser_suspend_count--;
+                                       LIST_REMOVE(spi, sle);
+                                       job_log(j, LOG_INFO, "Job is resuming the per-user launchd for UID %lli.", inval);
+                                       break;
+                               }
+                       }
+                       
+                       if (!job_assumes(j, spi != NULL)) {
+                               job_log(j, LOG_WARNING, "Job tried to resume per-user launchd for UID %lli that it did not suspend.", inval);
+                               kr = BOOTSTRAP_NOT_PRIVILEGED;
+                       } else if (spi->j->peruser_suspend_count == 0) {
+                               job_watch(spi->j);
+                               job_dispatch(spi->j, false);
+                               free(spi);
+                       }
+               } else {
+                       kr = 1;
+               }
                break;
        case 0:
                break;
                break;
        case 0:
                break;
@@ -5417,7 +8072,7 @@ job_mig_swap_integer(job_t j, vproc_gsk_t inkey, vproc_gsk_t outkey, int64_t inv
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_post_fork_ping(job_t j, task_t child_task)
+job_mig_post_fork_ping(job_t j, task_t child_task, mach_port_t *asport)
 {
        struct machservice *ms;
 
 {
        struct machservice *ms;
 
@@ -5437,7 +8092,7 @@ job_mig_post_fork_ping(job_t j, task_t child_task)
 
                errno = task_set_special_port(child_task, ms->special_port_num, ms->port);
 
 
                errno = task_set_special_port(child_task, ms->special_port_num, ms->port);
 
-               if (errno) {
+               if (unlikely(errno)) {
                        int desired_log_level = LOG_ERR;
 
                        if (j->anonymous) {
                        int desired_log_level = LOG_ERR;
 
                        if (j->anonymous) {
@@ -5454,7 +8109,22 @@ job_mig_post_fork_ping(job_t j, task_t child_task)
                }
        }
 
                }
        }
 
-       job_assumes(j, launchd_mport_deallocate(child_task) == KERN_SUCCESS);
+       /* MIG will not zero-initialize this pointer, so we must always do so. See
+        * <rdar://problem/8562593>.
+        */
+       *asport = MACH_PORT_NULL;
+#if !TARGET_OS_EMBEDDED
+       if (!j->anonymous) {
+               /* XPC services will spawn into the root security session by default.
+                * xpcproxy will switch them away if needed.
+                */
+               if (!(j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+                       job_log(j, LOG_DEBUG, "Returning j->asport: %u", j->asport);
+                       *asport = j->asport;
+               }
+       }
+#endif
+       (void)job_assumes(j, launchd_mport_deallocate(child_task) == KERN_SUCCESS);
 
        return 0;
 }
 
        return 0;
 }
@@ -5463,42 +8133,49 @@ kern_return_t
 job_mig_reboot2(job_t j, uint64_t flags)
 {
        char who_started_the_reboot[2048] = "";
 job_mig_reboot2(job_t j, uint64_t flags)
 {
        char who_started_the_reboot[2048] = "";
-       struct kinfo_proc kp;
-       struct ldcred ldc;
+       struct proc_bsdshortinfo proc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        pid_t pid_to_log;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        pid_t pid_to_log;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       if (getpid() != 1) {
+       if (unlikely(!pid1_magic)) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-       if (ldc.euid) {
+#if !TARGET_OS_EMBEDDED
+       if (unlikely(ldc->euid)) {
+#else
+       if (unlikely(ldc->euid) && !j->embedded_special_privileges) {
+#endif
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       for (pid_to_log = ldc.pid; pid_to_log; pid_to_log = kp.kp_eproc.e_ppid) {
-               int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, pid_to_log };
-               size_t who_offset, len = sizeof(kp);
-
-               if (!job_assumes(j, sysctl(mib, 4, &kp, &len, NULL, 0) != -1)) {
+       for (pid_to_log = ldc->pid; pid_to_log; pid_to_log = proc.pbsi_ppid) {
+               size_t who_offset;
+               if (proc_pidinfo(pid_to_log, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+                       if (errno != ESRCH) {
+                               job_assumes(j, errno == 0);
+                       }
                        return 1;
                }
 
                        return 1;
                }
 
+               if (!job_assumes(j, pid_to_log != (pid_t)proc.pbsi_ppid)) {
+                       job_log(j, LOG_WARNING, "Job which is its own parent started reboot.");
+                       snprintf(who_started_the_reboot, sizeof(who_started_the_reboot), "%s[%u]->%s[%u]->%s[%u]->...", proc.pbsi_comm, pid_to_log, proc.pbsi_comm, pid_to_log, proc.pbsi_comm, pid_to_log);
+                       break;
+               }
+
                who_offset = strlen(who_started_the_reboot);
                snprintf(who_started_the_reboot + who_offset, sizeof(who_started_the_reboot) - who_offset,
                who_offset = strlen(who_started_the_reboot);
                snprintf(who_started_the_reboot + who_offset, sizeof(who_started_the_reboot) - who_offset,
-                               " %s[%u]%s", kp.kp_proc.p_comm, pid_to_log, kp.kp_eproc.e_ppid ? " ->" : "");
+                               " %s[%u]%s", proc.pbsi_comm, pid_to_log, proc.pbsi_ppid ? " ->" : "");
        }
 
        root_jobmgr->reboot_flags = (int)flags;
        }
 
        root_jobmgr->reboot_flags = (int)flags;
-
-       launchd_shutdown();
-
        job_log(j, LOG_DEBUG, "reboot2() initiated by:%s", who_started_the_reboot);
        job_log(j, LOG_DEBUG, "reboot2() initiated by:%s", who_started_the_reboot);
+       launchd_shutdown();
 
        return 0;
 }
 
        return 0;
 }
@@ -5510,9 +8187,20 @@ job_mig_getsocket(job_t j, name_t spr)
                return BOOTSTRAP_NO_MEMORY;
        }
 
                return BOOTSTRAP_NO_MEMORY;
        }
 
+       if (j->deny_job_creation) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+#if HAVE_SANDBOX
+       struct ldcred *ldc = runtime_get_caller_creds(); 
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif
+
        ipc_server_init();
 
        ipc_server_init();
 
-       if (!sockpath) {
+       if (unlikely(!sockpath)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
                return BOOTSTRAP_NO_MEMORY;
        }
 
@@ -5537,54 +8225,10 @@ job_mig_log(job_t j, int pri, int err, logmsg_t msg)
        return 0;
 }
 
        return 0;
 }
 
-void
-ensure_root_bkgd_setup(void)
-{
-       if (background_jobmgr || getpid() != 1) {
-               return;
-       }
-
-       if (!jobmgr_assumes(root_jobmgr, (background_jobmgr = jobmgr_new(root_jobmgr, mach_task_self(), MACH_PORT_NULL, false, VPROCMGR_SESSION_BACKGROUND)) != NULL)) {
-               return;
-       }
-
-       background_jobmgr->req_port = 0;
-       jobmgr_assumes(root_jobmgr, launchd_mport_make_send(background_jobmgr->jm_port) == KERN_SUCCESS);
-}
-
-kern_return_t
-job_mig_lookup_per_user_context(job_t j, uid_t which_user, mach_port_t *up_cont)
+job_t
+jobmgr_lookup_per_user_context_internal(job_t j, uid_t which_user, mach_port_t *mp)
 {
 {
-       struct ldcred ldc;
-       job_t ji;
-
-       if (!launchd_assumes(j != NULL)) {
-               return BOOTSTRAP_NO_MEMORY;
-       }
-
-       job_log(j, LOG_DEBUG, "Looking up per user launchd for UID: %u", which_user);
-
-       runtime_get_caller_creds(&ldc);
-
-       if (getpid() != 1) {
-               job_log(j, LOG_ERR, "Only PID 1 supports per user launchd lookups.");
-               return BOOTSTRAP_NOT_PRIVILEGED;
-       }
-
-       if (ldc.euid || ldc.uid) {
-               which_user = ldc.euid ? ldc.euid : ldc.uid;
-       }
-
-       *up_cont = MACH_PORT_NULL;
-
-       if (which_user == 0) {
-               ensure_root_bkgd_setup();
-
-               *up_cont = background_jobmgr->jm_port;
-
-               return 0;
-       }
-
+       job_t ji = NULL;
        LIST_FOREACH(ji, &root_jobmgr->jobs, sle) {
                if (!ji->per_user) {
                        continue;
        LIST_FOREACH(ji, &root_jobmgr->jobs, sle) {
                if (!ji->per_user) {
                        continue;
@@ -5600,76 +8244,206 @@ job_mig_lookup_per_user_context(job_t j, uid_t which_user, mach_port_t *up_cont)
                }
                break;
        }
                }
                break;
        }
-
-       if (ji == NULL) {
+       
+       if (unlikely(ji == NULL)) {
                struct machservice *ms;
                char lbuf[1024];
                struct machservice *ms;
                char lbuf[1024];
-
+               
                job_log(j, LOG_DEBUG, "Creating per user launchd job for UID: %u", which_user);
                job_log(j, LOG_DEBUG, "Creating per user launchd job for UID: %u", which_user);
-
+               
                sprintf(lbuf, "com.apple.launchd.peruser.%u", which_user);
                sprintf(lbuf, "com.apple.launchd.peruser.%u", which_user);
-
+               
                ji = job_new(root_jobmgr, lbuf, "/sbin/launchd", NULL);
                ji = job_new(root_jobmgr, lbuf, "/sbin/launchd", NULL);
+               
+               if (ji != NULL) {
+                       auditinfo_addr_t auinfo = {
+                               .ai_termid = { .at_type = AU_IPv4 },
+                               .ai_auid = which_user,
+                               .ai_asid = AU_ASSIGN_ASID,
+                       };
+
+                       if (setaudit_addr(&auinfo, sizeof(auinfo)) == 0) {
+                               job_log(ji, LOG_DEBUG, "Created new security session for per-user launchd: %u", auinfo.ai_asid);
+                               (void)job_assumes(ji, (ji->asport = audit_session_self()) != MACH_PORT_NULL);
+
+                               /* Kinda lame that we have to do this, but we can't create an
+                                * audit session without joining it.
+                                */
+                               (void)job_assumes(ji, audit_session_join(g_audit_session_port));
+                               ji->asid = auinfo.ai_asid;
+                       } else {
+                               job_log(ji, LOG_WARNING, "Could not set audit session!");
+                               job_remove(ji);
+                               return NULL;
+                       }
 
 
-               if (ji == NULL) {
-                       return BOOTSTRAP_NO_MEMORY;
-               }
+                       ji->mach_uid = which_user;
+                       ji->per_user = true;
+                       ji->kill_via_shmem = true;
+
+                       struct stat sb;
+                       char pu_db[PATH_MAX];
+                       snprintf(pu_db, sizeof(pu_db), LAUNCHD_DB_PREFIX "/%s", lbuf);
+                       
+                       bool created = false;
+                       int err = stat(pu_db, &sb);
+                       if ((err == -1 && errno == ENOENT) || (err == 0 && !S_ISDIR(sb.st_mode))) {
+                               if (err == 0) {
+                                       char move_aside[PATH_MAX];
+                                       snprintf(move_aside, sizeof(move_aside), LAUNCHD_DB_PREFIX "/%s.movedaside", lbuf);
+                                       
+                                       (void)job_assumes(ji, rename(pu_db, move_aside) != -1);
+                               }
 
 
-               ji->mach_uid = which_user;
-               ji->per_user = true;
+                               (void)job_assumes(ji, mkdir(pu_db, S_IRWXU) != -1);
+                               (void)job_assumes(ji, chown(pu_db, which_user, 0) != -1);
+                               created = true;
+                       }
+                       
+                       if (!created) {
+                               if (!job_assumes(ji, sb.st_uid == which_user)) {
+                                       (void)job_assumes(ji, chown(pu_db, which_user, 0) != -1);
+                               }
+                               if (!job_assumes(ji, sb.st_gid == 0)) {
+                                       (void)job_assumes(ji, chown(pu_db, which_user, 0) != -1);
+                               }
+                               if (!job_assumes(ji, sb.st_mode == (S_IRWXU | S_IFDIR))) {
+                                       (void)job_assumes(ji, chmod(pu_db, S_IRWXU) != -1);
+                               }
+                       }
+                       
+                       if ((ms = machservice_new(ji, lbuf, mp, false)) == NULL) {
+                               job_remove(ji);
+                               ji = NULL;
+                       } else {
+                               ms->per_user_hack = true;
+                               ms->hide = true;
 
 
-               if ((ms = machservice_new(ji, lbuf, up_cont, false)) == NULL) {
-                       job_remove(ji);
-                       return BOOTSTRAP_NO_MEMORY;
+                               ji = job_dispatch(ji, false);
+                       }
                }
                }
-
-               ms->per_user_hack = true;
-               ms->hide = true;
-
-               ji = job_dispatch(ji, false);
        } else {
        } else {
+               *mp = machservice_port(SLIST_FIRST(&ji->machservices));
                job_log(j, LOG_DEBUG, "Per user launchd job found for UID: %u", which_user);
        }
                job_log(j, LOG_DEBUG, "Per user launchd job found for UID: %u", which_user);
        }
+       
+       return ji;
+}
 
 
-       if (job_assumes(j, ji != NULL)) {
-               *up_cont = machservice_port(SLIST_FIRST(&ji->machservices));
+kern_return_t
+job_mig_lookup_per_user_context(job_t j, uid_t which_user, mach_port_t *up_cont)
+{
+       struct ldcred *ldc = runtime_get_caller_creds();
+       job_t jpu;
+       
+#if TARGET_OS_EMBEDDED
+       /* There is no need for per-user launchd's on embedded. */
+       job_log(j, LOG_ERR, "Per-user launchds are not supported on this platform.");
+       return BOOTSTRAP_NOT_PRIVILEGED;
+#endif
+       
+#if HAVE_SANDBOX
+       if (unlikely(sandbox_check(ldc->pid, "mach-per-user-lookup", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
        }
        }
-
+#endif
+       
+       if (!launchd_assumes(j != NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+       
+       job_log(j, LOG_INFO, "Looking up per user launchd for UID: %u", which_user);
+       
+       if (unlikely(!pid1_magic)) {
+               job_log(j, LOG_ERR, "Only PID 1 supports per user launchd lookups.");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       if (ldc->euid || ldc->uid) {
+               which_user = ldc->euid ?: ldc->uid;
+       }
+       
+       *up_cont = MACH_PORT_NULL;
+       
+       jpu = jobmgr_lookup_per_user_context_internal(j, which_user, up_cont);
+       
        return 0;
 }
 
 kern_return_t
        return 0;
 }
 
 kern_return_t
-job_mig_check_in(job_t j, name_t servicename, mach_port_t *serviceportp)
+job_mig_check_in2(job_t j, name_t servicename, mach_port_t *serviceportp, uuid_t instance_id, uint64_t flags)
 {
 {
-       static pid_t last_warned_pid = 0;
-       struct machservice *ms;
-       struct ldcred ldc;
+       bool per_pid_service = flags & BOOTSTRAP_PER_PID_SERVICE;
+       bool strict = flags & BOOTSTRAP_STRICT_CHECKIN;
+       struct ldcred *ldc = runtime_get_caller_creds();
+       struct machservice *ms = NULL;
+       job_t jo;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
+       if (j->dedicated_instance) {
+               struct machservice *msi = NULL;
+               SLIST_FOREACH(msi, &j->machservices, sle) {
+                       if (strncmp(servicename, msi->name, sizeof(name_t) - 1) == 0) {
+                               uuid_copy(instance_id, j->instance_id);
+                               ms = msi;
+                               break;
+                       }
+               }
+       } else {
+               ms = jobmgr_lookup_service(j->mgr, servicename, false, per_pid_service ? ldc->pid : 0);
+       }
 
 
-       ms = jobmgr_lookup_service(j->mgr, servicename, true, 0);
+       if (strict) {
+               if (likely(ms != NULL)) {
+                       if (ms->job != j) {
+                               return BOOTSTRAP_NOT_PRIVILEGED;
+                       } else if (ms->isActive) {
+                               return BOOTSTRAP_SERVICE_ACTIVE;
+                       }
+               } else {
+                       return BOOTSTRAP_UNKNOWN_SERVICE;
+               }
+       } else if (ms == NULL) {
+               if (job_assumes(j, !j->dedicated_instance)) {
+                       *serviceportp = MACH_PORT_NULL;
+                       
+                       if (unlikely((ms = machservice_new(j, servicename, serviceportp, per_pid_service)) == NULL)) {
+                               return BOOTSTRAP_NO_MEMORY;
+                       }
+                       
+                       /* Treat this like a legacy job. */
+                       if (!j->legacy_mach_job) {
+                               ms->isActive = true;
+                               ms->recv = false;
+                       }
+                       
+                       if (!(j->anonymous || j->legacy_LS_job || j->legacy_mach_job)) {
+                               job_log(j, LOG_SCOLDING, "Please add the following service to the configuration file for this job: %s", servicename);
+                       }
+               } else {
+                       return BOOTSTRAP_UNKNOWN_SERVICE;
+               }
+       } else {
+               if (unlikely((jo = machservice_job(ms)) != j)) {
+                       static pid_t last_warned_pid;
 
 
-       if (ms == NULL) {
-               job_log(j, LOG_DEBUG, "Check-in of Mach service failed. Unknown: %s", servicename);
-               return BOOTSTRAP_UNKNOWN_SERVICE;
-       }
-       if (machservice_job(ms) != j) {
-               if (last_warned_pid != ldc.pid) {
-                       job_log(j, LOG_NOTICE, "Check-in of Mach service failed. PID %d is not privileged: %s",
-                                       ldc.pid, servicename);
-                       last_warned_pid = ldc.pid;
+                       if (last_warned_pid != ldc->pid) {
+                               job_log(jo, LOG_WARNING, "The following job tried to hijack the service \"%s\" from this job: %s", servicename, j->label);
+                               last_warned_pid = ldc->pid;
+                       }
+
+                       return BOOTSTRAP_NOT_PRIVILEGED;
+               }
+               if (unlikely(machservice_active(ms))) {
+                       job_log(j, LOG_WARNING, "Check-in of Mach service failed. Already active: %s", servicename);
+                       return BOOTSTRAP_SERVICE_ACTIVE;
                }
                }
-                return BOOTSTRAP_NOT_PRIVILEGED;
-       }
-       if (machservice_active(ms)) {
-               job_log(j, LOG_WARNING, "Check-in of Mach service failed. Already active: %s", servicename);
-               return BOOTSTRAP_SERVICE_ACTIVE;
        }
 
        }
 
+       job_checkin(j);
        machservice_request_notifications(ms);
 
        job_log(j, LOG_INFO, "Check-in of service: %s", servicename);
        machservice_request_notifications(ms);
 
        job_log(j, LOG_INFO, "Check-in of service: %s", servicename);
@@ -5682,36 +8456,37 @@ kern_return_t
 job_mig_register2(job_t j, name_t servicename, mach_port_t serviceport, uint64_t flags)
 {
        struct machservice *ms;
 job_mig_register2(job_t j, name_t servicename, mach_port_t serviceport, uint64_t flags)
 {
        struct machservice *ms;
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-#if 0
-       job_log(j, LOG_APPLEONLY, "bootstrap_register() is deprecated. Service: %s", servicename);
-#endif
+       if (!(flags & BOOTSTRAP_PER_PID_SERVICE) && !j->legacy_LS_job) {
+               job_log(j, LOG_SCOLDING, "Performance: bootstrap_register() is deprecated. Service: %s", servicename);
+       }
 
        job_log(j, LOG_DEBUG, "%sMach service registration attempt: %s", flags & BOOTSTRAP_PER_PID_SERVICE ? "Per PID " : "", servicename);
 
 
        job_log(j, LOG_DEBUG, "%sMach service registration attempt: %s", flags & BOOTSTRAP_PER_PID_SERVICE ? "Per PID " : "", servicename);
 
+       /* 5641783 for the embedded hack */
+#if !TARGET_OS_EMBEDDED
        /*
         * From a per-user/session launchd's perspective, SecurityAgent (UID
         * 92) is a rogue application (not our UID, not root and not a child of
         * us). We'll have to reconcile this design friction at a later date.
         */
        /*
         * From a per-user/session launchd's perspective, SecurityAgent (UID
         * 92) is a rogue application (not our UID, not root and not a child of
         * us). We'll have to reconcile this design friction at a later date.
         */
-       if (j->anonymous && job_get_bs(j)->parentmgr == NULL && ldc.uid != 0 && ldc.uid != getuid() && ldc.uid != 92) {
-               if (getpid() == 1) {
+       if (unlikely(j->anonymous && j->mgr->parentmgr == NULL && ldc->uid != 0 && ldc->uid != getuid() && ldc->uid != 92)) {
+               if (pid1_magic) {
                        return VPROC_ERR_TRY_PER_USER;
                } else {
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
        }
                        return VPROC_ERR_TRY_PER_USER;
                } else {
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
        }
+#endif
        
        
-       ms = jobmgr_lookup_service(j->mgr, servicename, false, flags & BOOTSTRAP_PER_PID_SERVICE ? ldc.pid : 0);
+       ms = jobmgr_lookup_service(j->mgr, servicename, false, flags & BOOTSTRAP_PER_PID_SERVICE ? ldc->pid : 0);
 
 
-       if (ms) {
+       if (unlikely(ms)) {
                if (machservice_job(ms) != j) {
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
                if (machservice_job(ms) != j) {
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
@@ -5719,76 +8494,165 @@ job_mig_register2(job_t j, name_t servicename, mach_port_t serviceport, uint64_t
                        job_log(j, LOG_DEBUG, "Mach service registration failed. Already active: %s", servicename);
                        return BOOTSTRAP_SERVICE_ACTIVE;
                }
                        job_log(j, LOG_DEBUG, "Mach service registration failed. Already active: %s", servicename);
                        return BOOTSTRAP_SERVICE_ACTIVE;
                }
+               if (ms->recv && (serviceport != MACH_PORT_NULL)) {
+                       job_log(j, LOG_ERR, "bootstrap_register() erroneously called instead of bootstrap_check_in(). Mach service: %s", servicename);
+                       return BOOTSTRAP_NOT_PRIVILEGED;
+               }
                job_checkin(j);
                machservice_delete(j, ms, false);
        }
 
                job_checkin(j);
                machservice_delete(j, ms, false);
        }
 
-       if (serviceport != MACH_PORT_NULL) {
-               if ((ms = machservice_new(j, servicename, &serviceport, flags & BOOTSTRAP_PER_PID_SERVICE ? true : false))) {
+       if (likely(serviceport != MACH_PORT_NULL)) {
+               if (likely(ms = machservice_new(j, servicename, &serviceport, flags & BOOTSTRAP_PER_PID_SERVICE ? true : false))) {
                        machservice_request_notifications(ms);
                } else {
                        return BOOTSTRAP_NO_MEMORY;
                }
        }
 
                        machservice_request_notifications(ms);
                } else {
                        return BOOTSTRAP_NO_MEMORY;
                }
        }
 
+       
        return BOOTSTRAP_SUCCESS;
 }
 
 kern_return_t
        return BOOTSTRAP_SUCCESS;
 }
 
 kern_return_t
-job_mig_look_up2(job_t j, name_t servicename, mach_port_t *serviceportp, mach_msg_type_name_t *ptype, pid_t target_pid, uint64_t flags)
+job_mig_look_up2(job_t j, mach_port_t srp, name_t servicename, mach_port_t *serviceportp, pid_t target_pid, uuid_t instance_id, uint64_t flags)
 {
 {
-       struct machservice *ms;
-       struct ldcred ldc;
+       struct machservice *ms = NULL;
+       struct ldcred *ldc = runtime_get_caller_creds();
        kern_return_t kr;
        kern_return_t kr;
+       bool per_pid_lookup = flags & BOOTSTRAP_PER_PID_SERVICE;
+       bool specific_instance = flags & BOOTSTRAP_SPECIFIC_INSTANCE;
+       bool strict_lookup = flags & BOOTSTRAP_STRICT_LOOKUP;
+       bool privileged = flags & BOOTSTRAP_PRIVILEGED_SERVER;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
+       bool xpc_req = j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN;
 
 
-       if (getpid() == 1 && j->anonymous && job_get_bs(j)->parentmgr == NULL && ldc.uid != 0 && ldc.euid != 0) {
+       /* 5641783 for the embedded hack */
+#if !TARGET_OS_EMBEDDED
+       if (unlikely(pid1_magic && j->anonymous && j->mgr->parentmgr == NULL && ldc->uid != 0 && ldc->euid != 0)) {
                return VPROC_ERR_TRY_PER_USER;
        }
                return VPROC_ERR_TRY_PER_USER;
        }
+#endif
 
 
-       if (!mspolicy_check(j, servicename, flags & BOOTSTRAP_PER_PID_SERVICE)) {
-               job_log(j, LOG_NOTICE, "Policy denied Mach service lookup: %s", servicename);
+#if HAVE_SANDBOX
+       /* We don't do sandbox checking for XPC domains because, by definition, all
+        * the services within your domain should be accessibly to you.
+        */
+       if (!xpc_req && unlikely(sandbox_check(ldc->pid, "mach-lookup", per_pid_lookup ? SANDBOX_FILTER_LOCAL_NAME : SANDBOX_FILTER_GLOBAL_NAME, servicename) > 0)) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
+#endif
 
 
-       if (flags & BOOTSTRAP_PER_PID_SERVICE) {
+       if (per_pid_lookup) {
                ms = jobmgr_lookup_service(j->mgr, servicename, false, target_pid);
        } else {
                ms = jobmgr_lookup_service(j->mgr, servicename, false, target_pid);
        } else {
-               ms = jobmgr_lookup_service(j->mgr, servicename, true, 0);
+               if (xpc_req) {
+                       /* Requests from XPC domains stay local. */
+                       ms = jobmgr_lookup_service(j->mgr, servicename, false, 0);
+               } else {
+                       /* A strict lookup which is privileged won't even bother trying to
+                        * find a service if we're not hosting the root Mach bootstrap.
+                        */
+                       if (strict_lookup && privileged) {
+                               if (inherited_bootstrap_port == MACH_PORT_NULL) {
+                                       ms = jobmgr_lookup_service(j->mgr, servicename, true, 0);
+                               }
+                       } else {
+                               ms = jobmgr_lookup_service(j->mgr, servicename, true, 0);
+                       }
+               }
        }
 
        }
 
-       if (ms && machservice_hidden(ms) && !job_active(machservice_job(ms))) {
-               ms = NULL;
-       } else if (ms && ms->per_user_hack) {
-               ms = NULL;
-       }
+       if (likely(ms)) {
+               ms = ms->alias ? ms->alias : ms;
+               if (unlikely(specific_instance && ms->job->multiple_instances)) {
+                       job_t ji = NULL;
+                       job_t instance = NULL;
+                       LIST_FOREACH(ji, &ms->job->subjobs, subjob_sle) {
+                               if (uuid_compare(instance_id, ji->instance_id) == 0) {
+                                       instance = ji;
+                                       break;
+                               }
+                       }
 
 
-       if (ms) {
-               launchd_assumes(machservice_port(ms) != MACH_PORT_NULL);
-               job_log(j, LOG_DEBUG, "%sMach service lookup: %s", flags & BOOTSTRAP_PER_PID_SERVICE ? "Per PID " : "", servicename);
+                       if (unlikely(instance == NULL)) {
+                               job_log(ms->job, LOG_DEBUG, "Creating new instance of job based on lookup of service %s", ms->name);
+                               instance = job_new_subjob(ms->job, instance_id);
+                               if (job_assumes(j, instance != NULL)) {
+                                       /* Disable this support for now. We only support having 
+                                        * multi-instance jobs within private XPC domains.
+                                        */
 #if 0
 #if 0
-               /* After Leopard ships, we should enable this */
-               if (j->lastlookup == ms && j->lastlookup_gennum == ms->gen_num && !j->per_user) {
-                       ms->bad_perf_cnt++;
-                       job_log(j, LOG_APPLEONLY, "Performance opportunity: Number of bootstrap_lookup(... \"%s\" ...) calls that should have been cached: %llu",
-                                       servicename, ms->bad_perf_cnt);
+                                       /* If the job is multi-instance, in a singleton XPC domain
+                                        * and the request is not coming from within that singleton
+                                        * domain, we need to alias the new job into the requesting
+                                        * domain.
+                                        */
+                                       if (!j->mgr->xpc_singleton && xpc_req) {
+                                               (void)job_assumes(instance, job_new_alias(j->mgr, instance));
+                                       }
+#endif
+                                       job_dispatch(instance, false);
+                               }
+                       }
+                       
+                       ms = NULL;
+                       if (job_assumes(j, instance != NULL)) {
+                               struct machservice *msi = NULL;
+                               SLIST_FOREACH(msi, &instance->machservices, sle) {
+                                       /* sizeof(servicename) will return the size of a pointer, even though it's
+                                        * an array type, because when passing arrays as parameters in C, they
+                                        * implicitly degrade to pointers.
+                                        */
+                                       if (strncmp(servicename, msi->name, sizeof(name_t) - 1) == 0) {
+                                               ms = msi;
+                                               break;
+                                       }
+                               }
+                       }
+               } else {
+                       if (machservice_hidden(ms) && !machservice_active(ms)) {
+                               ms = NULL;
+                       } else if (unlikely(ms->per_user_hack)) {
+                               ms = NULL;
+                       }
+               }
+       }
+
+       if (likely(ms)) {
+               (void)job_assumes(j, machservice_port(ms) != MACH_PORT_NULL);
+               job_log(j, LOG_DEBUG, "%sMach service lookup: %s", per_pid_lookup ? "Per PID " : "", servicename);
+
+               if (unlikely(!per_pid_lookup && j->lastlookup == ms && j->lastlookup_gennum == ms->gen_num && !j->per_user)) {
+                       /* we need to think more about the per_pid_lookup logic before logging about repeated lookups */
+                       job_log(j, LOG_DEBUG, "Performance: Please fix the framework that talks to \"%s\" to cache the Mach port for service: %s", ms->job->label, servicename);
                }
                }
+
                j->lastlookup = ms;
                j->lastlookup_gennum = ms->gen_num;
                j->lastlookup = ms;
                j->lastlookup_gennum = ms->gen_num;
-#endif
+
                *serviceportp = machservice_port(ms);
                *serviceportp = machservice_port(ms);
-               *ptype = MACH_MSG_TYPE_COPY_SEND;
+
                kr = BOOTSTRAP_SUCCESS;
                kr = BOOTSTRAP_SUCCESS;
-       } else if (!(flags & BOOTSTRAP_PER_PID_SERVICE) && (inherited_bootstrap_port != MACH_PORT_NULL)) {
+       } else if (strict_lookup && !privileged) {
+               /* Hack: We need to simulate XPC's desire not to establish a hierarchy. So if
+                * XPC is doing the lookup, and it's not a privileged lookup, we won't forward.
+                * But if it is a privileged lookup (that is, was looked up in XPC_DOMAIN_LOCAL_SYSTEM)
+                * then we must forward.
+                */
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       } else if (inherited_bootstrap_port != MACH_PORT_NULL) {
+               /* Requests from within an XPC domain don't get forwarded. */
                job_log(j, LOG_DEBUG, "Mach service lookup forwarded: %s", servicename);
                job_log(j, LOG_DEBUG, "Mach service lookup forwarded: %s", servicename);
-               *ptype = MACH_MSG_TYPE_MOVE_SEND;
-               kr = bootstrap_look_up(inherited_bootstrap_port, servicename, serviceportp);
-       } else if (getpid() == 1 && j->anonymous && ldc.euid >= 500 && strcasecmp(job_get_bs(j)->name, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
+               /* Clients potentially check the audit token of the reply to verify that the returned send right is trustworthy. */
+               (void)job_assumes(j, vproc_mig_look_up2_forward(inherited_bootstrap_port, srp, servicename, target_pid, instance_id, flags) == 0);
+               /* The previous routine moved the reply port, we're forced to return MIG_NO_REPLY now */
+               return MIG_NO_REPLY;
+       } else if (pid1_magic && j->anonymous && ldc->euid >= 500 && strcasecmp(j->mgr->name, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
                /*
                 * 5240036 Should start background session when a lookup of CCacheServer occurs
                 *
                /*
                 * 5240036 Should start background session when a lookup of CCacheServer occurs
                 *
@@ -5797,7 +8661,7 @@ job_mig_look_up2(job_t j, name_t servicename, mach_port_t *serviceportp, mach_ms
                 */
                return VPROC_ERR_TRY_PER_USER;
        } else {
                 */
                return VPROC_ERR_TRY_PER_USER;
        } else {
-               job_log(j, LOG_DEBUG, "%sMach service lookup failed: %s", flags & BOOTSTRAP_PER_PID_SERVICE ? "Per PID " : "", servicename);
+               job_log(j, LOG_DEBUG, "%sMach service lookup failed: %s", per_pid_lookup ? "Per PID " : "", servicename);
                kr = BOOTSTRAP_UNKNOWN_SERVICE;
        }
 
                kr = BOOTSTRAP_UNKNOWN_SERVICE;
        }
 
@@ -5805,7 +8669,7 @@ job_mig_look_up2(job_t j, name_t servicename, mach_port_t *serviceportp, mach_ms
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_parent(job_t j, mach_port_t *parentport, mach_msg_type_name_t *pptype)
+job_mig_parent(job_t j, mach_port_t srp, mach_port_t *parentport)
 {
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
 {
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
@@ -5814,41 +8678,60 @@ job_mig_parent(job_t j, mach_port_t *parentport, mach_msg_type_name_t *pptype)
        job_log(j, LOG_DEBUG, "Requested parent bootstrap port");
        jobmgr_t jm = j->mgr;
 
        job_log(j, LOG_DEBUG, "Requested parent bootstrap port");
        jobmgr_t jm = j->mgr;
 
-       *pptype = MACH_MSG_TYPE_MAKE_SEND;
-
        if (jobmgr_parent(jm)) {
                *parentport = jobmgr_parent(jm)->jm_port;
        } else if (MACH_PORT_NULL == inherited_bootstrap_port) {
                *parentport = jm->jm_port;
        } else {
        if (jobmgr_parent(jm)) {
                *parentport = jobmgr_parent(jm)->jm_port;
        } else if (MACH_PORT_NULL == inherited_bootstrap_port) {
                *parentport = jm->jm_port;
        } else {
-               *pptype = MACH_MSG_TYPE_COPY_SEND;
-               *parentport = inherited_bootstrap_port;
+               (void)job_assumes(j, vproc_mig_parent_forward(inherited_bootstrap_port, srp) == 0);
+               /* The previous routine moved the reply port, we're forced to return MIG_NO_REPLY now */
+               return MIG_NO_REPLY;
+       }
+       return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+job_mig_get_root_bootstrap(job_t j, mach_port_t *rootbsp)
+{
+       if (inherited_bootstrap_port == MACH_PORT_NULL) {
+               *rootbsp = root_jobmgr->jm_port;
+               (void)job_assumes(j, launchd_mport_make_send(root_jobmgr->jm_port) == KERN_SUCCESS);
+       } else {
+               *rootbsp = inherited_bootstrap_port;
+               (void)job_assumes(j, launchd_mport_copy_send(inherited_bootstrap_port) == KERN_SUCCESS);
        }
        }
+
        return BOOTSTRAP_SUCCESS;
 }
 
 kern_return_t
        return BOOTSTRAP_SUCCESS;
 }
 
 kern_return_t
-job_mig_info(job_t j, name_array_t *servicenamesp, unsigned int *servicenames_cnt,
-               bootstrap_status_array_t *serviceactivesp, unsigned int *serviceactives_cnt)
+job_mig_info(job_t j, name_array_t *servicenamesp, unsigned int *servicenames_cnt, name_array_t *servicejobsp, unsigned int *servicejobs_cnt, bootstrap_status_array_t *serviceactivesp, unsigned int *serviceactives_cnt, uint64_t flags)
 {
        name_array_t service_names = NULL;
 {
        name_array_t service_names = NULL;
+       name_array_t service_jobs = NULL;
        bootstrap_status_array_t service_actives = NULL;
        unsigned int cnt = 0, cnt2 = 0;
        bootstrap_status_array_t service_actives = NULL;
        unsigned int cnt = 0, cnt2 = 0;
-       struct machservice *ms;
        jobmgr_t jm;
        jobmgr_t jm;
-       job_t ji;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       jm = j->mgr;
+       if (g_flat_mach_namespace) {
+               if ((j->mgr->properties & BOOTSTRAP_PROPERTY_EXPLICITSUBSET) || (flags & BOOTSTRAP_FORCE_LOCAL)) {
+                       jm = j->mgr;
+               } else {
+                       jm = root_jobmgr;
+               }
+       } else {
+               jm = j->mgr;
+       }
 
 
-       LIST_FOREACH(ji, &jm->jobs, sle) {
-               SLIST_FOREACH(ms, &ji->machservices, sle) {
-                       if (!ms->per_pid) {
-                               cnt++;
-                       }
+       unsigned int i = 0;
+       struct machservice *msi = NULL;
+       for (i = 0; i < MACHSERVICE_HASH_SIZE; i++) {
+               LIST_FOREACH(msi, &jm->ms_hash[i], name_hash_sle) {
+                       cnt += !msi->per_pid ? 1 : 0;
                }
        }
 
                }
        }
 
@@ -5857,31 +8740,43 @@ job_mig_info(job_t j, name_array_t *servicenamesp, unsigned int *servicenames_cn
        }
 
        mig_allocate((vm_address_t *)&service_names, cnt * sizeof(service_names[0]));
        }
 
        mig_allocate((vm_address_t *)&service_names, cnt * sizeof(service_names[0]));
-       if (!launchd_assumes(service_names != NULL)) {
+       if (!job_assumes(j, service_names != NULL)) {
+               goto out_bad;
+       }
+
+       mig_allocate((vm_address_t *)&service_jobs, cnt * sizeof(service_jobs[0]));
+       if (!job_assumes(j, service_jobs != NULL)) {
                goto out_bad;
        }
 
        mig_allocate((vm_address_t *)&service_actives, cnt * sizeof(service_actives[0]));
                goto out_bad;
        }
 
        mig_allocate((vm_address_t *)&service_actives, cnt * sizeof(service_actives[0]));
-       if (!launchd_assumes(service_actives != NULL)) {
+       if (!job_assumes(j, service_actives != NULL)) {
                goto out_bad;
        }
 
                goto out_bad;
        }
 
-       LIST_FOREACH(ji, &jm->jobs, sle) {
-               SLIST_FOREACH(ms, &ji->machservices, sle) {
-                       if (!ms->per_pid) {
-                               strlcpy(service_names[cnt2], machservice_name(ms), sizeof(service_names[0]));
-                               service_actives[cnt2] = machservice_status(ms);
+       for (i = 0; i < MACHSERVICE_HASH_SIZE; i++) {
+               LIST_FOREACH(msi, &jm->ms_hash[i], name_hash_sle) {
+                       if (!msi->per_pid) {
+                               strlcpy(service_names[cnt2], machservice_name(msi), sizeof(service_names[0]));
+                               msi = msi->alias ? msi->alias : msi;
+                               if (msi->job->mgr->shortdesc) {
+                                       strlcpy(service_jobs[cnt2], msi->job->mgr->shortdesc, sizeof(service_jobs[0]));
+                               } else {
+                                       strlcpy(service_jobs[cnt2], msi->job->label, sizeof(service_jobs[0]));
+                               }
+                               service_actives[cnt2] = machservice_status(msi);
                                cnt2++;
                        }
                }
        }
 
                                cnt2++;
                        }
                }
        }
 
-       launchd_assumes(cnt == cnt2);
+       (void)job_assumes(j, cnt == cnt2);
 
 out:
        *servicenamesp = service_names;
 
 out:
        *servicenamesp = service_names;
+       *servicejobsp = service_jobs;
        *serviceactivesp = service_actives;
        *serviceactivesp = service_actives;
-       *servicenames_cnt = *serviceactives_cnt = cnt;
+       *servicenames_cnt = *servicejobs_cnt = *serviceactives_cnt = cnt;
 
        return BOOTSTRAP_SUCCESS;
 
 
        return BOOTSTRAP_SUCCESS;
 
@@ -5889,6 +8784,9 @@ out_bad:
        if (service_names) {
                mig_deallocate((vm_address_t)service_names, cnt * sizeof(service_names[0]));
        }
        if (service_names) {
                mig_deallocate((vm_address_t)service_names, cnt * sizeof(service_names[0]));
        }
+       if (service_jobs) {
+               mig_deallocate((vm_address_t)service_jobs, cnt * sizeof(service_jobs[0]));
+       }
        if (service_actives) {
                mig_deallocate((vm_address_t)service_actives, cnt * sizeof(service_actives[0]));
        }
        if (service_actives) {
                mig_deallocate((vm_address_t)service_actives, cnt * sizeof(service_actives[0]));
        }
@@ -5896,32 +8794,289 @@ out_bad:
        return BOOTSTRAP_NO_MEMORY;
 }
 
        return BOOTSTRAP_NO_MEMORY;
 }
 
-void
-job_reparent_hack(job_t j, const char *where)
+kern_return_t
+job_mig_lookup_children(job_t j, mach_port_array_t *child_ports, mach_msg_type_number_t *child_ports_cnt, name_array_t *child_names, mach_msg_type_number_t *child_names_cnt, bootstrap_property_array_t *child_properties,mach_msg_type_number_t *child_properties_cnt)
 {
 {
-       jobmgr_t jmi, jmi2;
+       kern_return_t kr = BOOTSTRAP_NO_MEMORY;
+       if (!launchd_assumes(j != NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+       
+       struct ldcred *ldc = runtime_get_caller_creds();
+       
+       /* Only allow root processes to look up children, even if we're in the per-user launchd.
+        * Otherwise, this could be used to cross sessions, which counts as a security vulnerability
+        * in a non-flat namespace.
+        */
+       if (ldc->euid != 0) {
+               job_log(j, LOG_WARNING, "Attempt to look up children of bootstrap by unprivileged job.");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       unsigned int cnt = 0;
+       
+       jobmgr_t jmr = j->mgr;
+       jobmgr_t jmi = NULL;
+       SLIST_FOREACH(jmi, &jmr->submgrs, sle) {
+               cnt++;
+       }
+       
+       /* Find our per-user launchds if we're PID 1. */
+       job_t ji = NULL;
+       if (pid1_magic) {
+               LIST_FOREACH(ji, &jmr->jobs, sle) {
+                       cnt += ji->per_user ? 1 : 0;
+               }
+       }
+       
+       if (cnt == 0) {
+               return BOOTSTRAP_NO_CHILDREN;
+       }
+       
+       mach_port_array_t _child_ports = NULL;
+       mig_allocate((vm_address_t *)&_child_ports, cnt * sizeof(_child_ports[0]));
+       if (!job_assumes(j, _child_ports != NULL)) {
+               kr = BOOTSTRAP_NO_MEMORY;
+               goto out_bad;
+       }
+       
+       name_array_t _child_names = NULL;
+       mig_allocate((vm_address_t *)&_child_names, cnt * sizeof(_child_names[0]));
+       if (!job_assumes(j, _child_names != NULL)) {
+               kr = BOOTSTRAP_NO_MEMORY;
+               goto out_bad;
+       }
+       
+       bootstrap_property_array_t _child_properties = NULL;
+       mig_allocate((vm_address_t *)&_child_properties, cnt * sizeof(_child_properties[0]));
+       if (!job_assumes(j, _child_properties != NULL)) {
+               kr = BOOTSTRAP_NO_MEMORY;
+               goto out_bad;
+       }
+       
+       unsigned int cnt2 = 0;
+       SLIST_FOREACH(jmi, &jmr->submgrs, sle) {
+               if (jobmgr_assumes(jmi, launchd_mport_make_send(jmi->jm_port) == KERN_SUCCESS)) {
+                       _child_ports[cnt2] = jmi->jm_port;
+               } else {
+                       _child_ports[cnt2] = MACH_PORT_NULL;
+               }
+               
+               strlcpy(_child_names[cnt2], jmi->name, sizeof(_child_names[0]));
+               _child_properties[cnt2] = jmi->properties;
+               
+               cnt2++;
+       }
+       
+       if (pid1_magic) LIST_FOREACH( ji, &jmr->jobs, sle) {
+               if (ji->per_user) {
+                       if (job_assumes(ji, SLIST_FIRST(&ji->machservices)->per_user_hack == true)) {
+                               mach_port_t port = machservice_port(SLIST_FIRST(&ji->machservices));
+                               
+                               if (job_assumes(ji, launchd_mport_copy_send(port) == KERN_SUCCESS)) {
+                                       _child_ports[cnt2] = port;
+                               } else {
+                                       _child_ports[cnt2] = MACH_PORT_NULL;
+                               }
+                       } else {
+                               _child_ports[cnt2] = MACH_PORT_NULL;
+                       }
+                       
+                       strlcpy(_child_names[cnt2], ji->label, sizeof(_child_names[0]));
+                       _child_properties[cnt2] |= BOOTSTRAP_PROPERTY_PERUSER;
+                       
+                       cnt2++;
+               }
+       }
+       
+       *child_names_cnt = cnt;
+       *child_ports_cnt = cnt;
+       *child_properties_cnt = cnt;
+       
+       *child_names = _child_names;
+       *child_ports = _child_ports;
+       *child_properties = _child_properties;
+       
+       unsigned int i = 0;
+       for (i = 0; i < cnt; i++) {
+               job_log(j, LOG_DEBUG, "child_names[%u] = %s", i, (char *)_child_names[i]);
+       }
+       
+       return BOOTSTRAP_SUCCESS;
+out_bad:
+       if (_child_ports) {
+               mig_deallocate((vm_address_t)_child_ports, cnt * sizeof(_child_ports[0]));
+       }
+       
+       if (_child_names) {
+               mig_deallocate((vm_address_t)_child_names, cnt * sizeof(_child_ports[0]));
+       }
+       
+       if (_child_properties) {
+               mig_deallocate((vm_address_t)_child_properties, cnt * sizeof(_child_properties[0]));
+       }
+       
+       return kr;
+}
+
+kern_return_t
+job_mig_transaction_count_for_pid(job_t j, pid_t p, int32_t *cnt, boolean_t *condemned)
+{
+       kern_return_t kr = KERN_FAILURE;
+       struct ldcred *ldc = runtime_get_caller_creds();
+       if ((ldc->euid != geteuid()) && (ldc->euid != 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       job_t j_for_pid = jobmgr_find_by_pid_deep(j->mgr, p, false);
+       if (j_for_pid) {
+               if (j_for_pid->kill_via_shmem) {
+                       if (j_for_pid->shmem) {
+                               *cnt = j_for_pid->shmem->vp_shmem_transaction_cnt;
+                               *condemned = j_for_pid->shmem->vp_shmem_flags & VPROC_SHMEM_EXITING;
+                               *cnt += *condemned ? 1 : 0;
+                       } else {
+                               *cnt = 0;
+                               *condemned = false;
+                       }
+                       
+                       kr = BOOTSTRAP_SUCCESS;
+               } else {
+                       kr = BOOTSTRAP_NO_MEMORY;
+               }
+       } else {
+               kr = BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+       
+       return kr;
+}
+
+kern_return_t
+job_mig_pid_is_managed(job_t j __attribute__((unused)), pid_t p, boolean_t *managed)
+{
+       struct ldcred *ldc = runtime_get_caller_creds();
+       if ((ldc->euid != geteuid()) && (ldc->euid != 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       /* This is so loginwindow doesn't try to quit GUI apps that have been launched
+        * directly by launchd as agents.
+        */
+       job_t j_for_pid = jobmgr_find_by_pid_deep(root_jobmgr, p, false);
+       if (j_for_pid && !j_for_pid->anonymous && !j_for_pid->legacy_LS_job) {
+               *managed = true;
+       }
+       
+       return BOOTSTRAP_SUCCESS;
+}
+
+kern_return_t
+job_mig_port_for_label(job_t j __attribute__((unused)), name_t label, mach_port_t *mp)
+{
+       struct ldcred *ldc = runtime_get_caller_creds();
+       kern_return_t kr = BOOTSTRAP_NOT_PRIVILEGED;
+
+#if HAVE_SANDBOX
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif
+
+       mach_port_t _mp = MACH_PORT_NULL;
+       if (!j->deny_job_creation && (ldc->euid == 0 || ldc->euid == geteuid())) {
+               job_t target_j = job_find(NULL, label);
+               if (jobmgr_assumes(root_jobmgr, target_j != NULL)) {
+                       if (target_j->j_port == MACH_PORT_NULL) {
+                               (void)job_assumes(target_j, job_setup_machport(target_j) == true);
+                       }
+                       
+                       _mp = target_j->j_port;
+                       kr = _mp != MACH_PORT_NULL ? BOOTSTRAP_SUCCESS : BOOTSTRAP_NO_MEMORY;
+               } else {
+                       kr = BOOTSTRAP_NO_MEMORY;
+               }
+       }
+
+       *mp = _mp;
+       return kr;
+}
+
+#if !TARGET_OS_EMBEDDED
+kern_return_t
+job_mig_set_security_session(job_t j, uuid_t uuid, mach_port_t asport)
+{
+       uuid_string_t uuid_str;
+       uuid_unparse(uuid, uuid_str);
+       job_log(j, LOG_DEBUG, "Setting session %u for UUID %s...", asport, uuid_str);
+       
+       job_t ji = NULL, jt = NULL;
+       LIST_FOREACH_SAFE(ji, &s_needing_sessions, sle, jt) {
+               uuid_string_t uuid_str2;
+               uuid_unparse(ji->expected_audit_uuid, uuid_str2);
+
+               if (uuid_compare(uuid, ji->expected_audit_uuid) == 0) {
+                       uuid_clear(ji->expected_audit_uuid);
+                       if (asport != MACH_PORT_NULL ) {
+                               job_log(ji, LOG_DEBUG, "Job should join session with port %u", asport);
+                               (void)job_assumes(j, launchd_mport_copy_send(asport) == KERN_SUCCESS);
+                       } else {
+                               job_log(ji, LOG_DEBUG, "No session to set for job. Using our session.");
+                       }
+                       
+                       ji->asport = asport;
+                       LIST_REMOVE(ji, needing_session_sle);
+                       job_dispatch(ji, false);
+               }
+       }
+       
+       /* Each job that the session port was set for holds a reference. At the end of
+        * the loop, there will be one extra reference belonging to this MiG protocol.
+        * We need to release it so that the session goes away when all the jobs
+        * referencing it are unloaded.
+        */
+       (void)job_assumes(j, launchd_mport_deallocate(asport) == KERN_SUCCESS);
+
+       return KERN_SUCCESS;
+}
+#else
+kern_return_t
+job_mig_set_security_session(job_t j __attribute__((unused)), uuid_t uuid __attribute__((unused)), mach_port_t session __attribute__((unused)))
+{
+       return KERN_SUCCESS;
+}
+#endif
 
 
-       ensure_root_bkgd_setup();
+jobmgr_t 
+jobmgr_find_by_name(jobmgr_t jm, const char *where)
+{
+       jobmgr_t jmi, jmi2;
 
        /* NULL is only passed for our custom API for LaunchServices. If that is the case, we do magic. */
        if (where == NULL) {
 
        /* NULL is only passed for our custom API for LaunchServices. If that is the case, we do magic. */
        if (where == NULL) {
-               if (strcasecmp(j->mgr->name, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
+               if (strcasecmp(jm->name, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
                        where = VPROCMGR_SESSION_LOGINWINDOW;
                } else {
                        where = VPROCMGR_SESSION_AQUA;
                }
        }
 
                        where = VPROCMGR_SESSION_LOGINWINDOW;
                } else {
                        where = VPROCMGR_SESSION_AQUA;
                }
        }
 
-       if (strcasecmp(j->mgr->name, where) == 0) {
-               return;
+       if (strcasecmp(jm->name, where) == 0) {
+               return jm;
+       }
+       
+       if (strcasecmp(where, VPROCMGR_SESSION_BACKGROUND) == 0 && !pid1_magic) {
+               jmi = root_jobmgr;
+               goto jm_found;
        }
 
        }
 
-       SLIST_FOREACH(jmi, &root_jobmgr->submgrs, sle) {
-               if (jmi->shutting_down) {
+       SLIST_FOREACH(jmi, &root_jobmgr->submgrs, sle) {        
+               if (unlikely(jmi->shutting_down)) {
+                       continue;
+               } else if (jmi->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN) {
                        continue;
                } else if (strcasecmp(jmi->name, where) == 0) {
                        goto jm_found;
                        continue;
                } else if (strcasecmp(jmi->name, where) == 0) {
                        goto jm_found;
-               } else if (strcasecmp(jmi->name, VPROCMGR_SESSION_BACKGROUND) == 0 && getpid() == 1) {
+               } else if (strcasecmp(jmi->name, VPROCMGR_SESSION_BACKGROUND) == 0 && pid1_magic) {
                        SLIST_FOREACH(jmi2, &jmi->submgrs, sle) {
                                if (strcasecmp(jmi2->name, where) == 0) {
                                        jmi = jmi2;
                        SLIST_FOREACH(jmi2, &jmi->submgrs, sle) {
                                if (strcasecmp(jmi2->name, where) == 0) {
                                        jmi = jmi2;
@@ -5930,127 +9085,27 @@ job_reparent_hack(job_t j, const char *where)
                        }
                }
        }
                        }
                }
        }
-
+       
 jm_found:
 jm_found:
-       if (job_assumes(j, jmi != NULL)) {
-               struct machservice *msi;
-
-               SLIST_FOREACH(msi, &j->machservices, sle) {
-                       LIST_REMOVE(msi, name_hash_sle);
-               }
-
-               LIST_REMOVE(j, sle);
-               LIST_INSERT_HEAD(&jmi->jobs, j, sle);
-               j->mgr = jmi;
-
-               SLIST_FOREACH(msi, &j->machservices, sle) {
-                       LIST_INSERT_HEAD(&j->mgr->ms_hash[hash_ms(msi->name)], msi, name_hash_sle);
-               }
-       }
+       return jmi;
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_move_subset(job_t j, mach_port_t target_subset, name_t session_type)
+job_mig_move_subset(job_t j, mach_port_t target_subset, name_t session_type, mach_port_t asport, uint64_t flags)
 {
        mach_msg_type_number_t l2l_i, l2l_port_cnt = 0;
        mach_port_array_t l2l_ports = NULL;
        mach_port_t reqport, rcvright;
        kern_return_t kr = 1;
        launch_data_t out_obj_array = NULL;
 {
        mach_msg_type_number_t l2l_i, l2l_port_cnt = 0;
        mach_port_array_t l2l_ports = NULL;
        mach_port_t reqport, rcvright;
        kern_return_t kr = 1;
        launch_data_t out_obj_array = NULL;
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        jobmgr_t jmr = NULL;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        jobmgr_t jmr = NULL;
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       runtime_get_caller_creds(&ldc);
-
-       if (target_subset == MACH_PORT_NULL) {
-               job_t j2;
-
-               if (j->mgr->session_initialized) {
-                       if (ldc.uid == 0 && getpid() == 1) {
-                               if (strcmp(j->mgr->name, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
-                                       job_t ji, jn;
-
-                                       LIST_FOREACH_SAFE(ji, &j->mgr->jobs, sle, jn) {
-                                               if (!ji->anonymous) {
-                                                       job_remove(ji);
-                                               }
-                                       }
-
-                                       ensure_root_bkgd_setup();
-
-                                       SLIST_REMOVE(&j->mgr->parentmgr->submgrs, j->mgr, jobmgr_s, sle);
-                                       j->mgr->parentmgr = background_jobmgr;
-                                       SLIST_INSERT_HEAD(&j->mgr->parentmgr->submgrs, j->mgr, sle);
-
-                                       /*
-                                        * We really should wait for all the jobs to die before proceeding. See 5351245 for more info.
-                                        *
-                                        * We have hacked around this in job_find() by ignoring jobs that are pending removal.
-                                        */
-
-                               } else if (strcmp(j->mgr->name, VPROCMGR_SESSION_AQUA) == 0) {
-                                       job_log(j, LOG_DEBUG, "Tried to move the Aqua session.");
-                                       return 0;
-                               } else if (strcmp(j->mgr->name, VPROCMGR_SESSION_BACKGROUND) == 0) {
-                                       job_log(j, LOG_DEBUG, "Tried to move the background session.");
-                                       return 0;
-                               } else {
-                                       job_log(j, LOG_ERR, "Tried to initialize an already setup session!");
-                                       kr = BOOTSTRAP_NOT_PRIVILEGED;
-                                       goto out;
-                               }
-                       } else {
-                               job_log(j, LOG_ERR, "Tried to initialize an already setup session!");
-                               kr = BOOTSTRAP_NOT_PRIVILEGED;
-                               goto out;
-                       }
-               } else if (ldc.uid == 0 && getpid() == 1 && strcmp(session_type, VPROCMGR_SESSION_STANDARDIO) == 0) {
-                       ensure_root_bkgd_setup();
-
-                       SLIST_REMOVE(&j->mgr->parentmgr->submgrs, j->mgr, jobmgr_s, sle);
-                       j->mgr->parentmgr = background_jobmgr;
-                       SLIST_INSERT_HEAD(&j->mgr->parentmgr->submgrs, j->mgr, sle);
-               } else if (strcmp(session_type, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
-                       jobmgr_t jmi;
-
-                       /*
-                        * 5330262
-                        *
-                        * We're working around LoginWindow and the WindowServer.
-                        *
-                        * In practice, there is only one LoginWindow session. Unfortunately, for certain
-                        * scenarios, the WindowServer spawns loginwindow, and in those cases, it frequently
-                        * spawns a replacement loginwindow session before cleaning up the previous one.
-                        *
-                        * We're going to use the creation of a new LoginWindow context as a clue that the
-                        * previous LoginWindow context is on the way out and therefore we should just
-                        * kick-start the shutdown of it.
-                        */
-
-                       SLIST_FOREACH(jmi, &root_jobmgr->submgrs, sle) {
-                               if (jmi->shutting_down) {
-                                       continue;
-                               } else if (strcasecmp(jmi->name, session_type) == 0) {
-                                       jobmgr_shutdown(jmi);
-                                       break;
-                               }
-                       }
-               }
-
-               jobmgr_log(j->mgr, LOG_DEBUG, "Renaming to: %s", session_type);
-               strcpy(j->mgr->name, session_type);
-
-               if (job_assumes(j, (j2 = jobmgr_init_session(j->mgr, session_type, false)))) {
-                       job_assumes(j, job_dispatch(j2, true));
-               }
-
-               kr = 0;
-               goto out;
-       } else if (job_mig_intran2(root_jobmgr, target_subset, ldc.pid)) {
+       if (job_mig_intran2(root_jobmgr, target_subset, ldc->pid)) {
                job_log(j, LOG_ERR, "Moving a session to ourself is bogus.");
 
                kr = BOOTSTRAP_NOT_PRIVILEGED;
                job_log(j, LOG_ERR, "Moving a session to ourself is bogus.");
 
                kr = BOOTSTRAP_NOT_PRIVILEGED;
@@ -6067,11 +9122,36 @@ job_mig_move_subset(job_t j, mach_port_t target_subset, name_t session_type)
 
        launchd_assert(launch_data_array_get_count(out_obj_array) == l2l_port_cnt);
 
 
        launchd_assert(launch_data_array_get_count(out_obj_array) == l2l_port_cnt);
 
-       if (!job_assumes(j, (jmr = jobmgr_new(j->mgr, reqport, rcvright, false, session_type)) != NULL)) {
+       if (!job_assumes(j, (jmr = jobmgr_new(j->mgr, reqport, rcvright, false, session_type, false, asport)) != NULL)) {
                kr = BOOTSTRAP_NO_MEMORY;
                goto out;
        }
 
                kr = BOOTSTRAP_NO_MEMORY;
                goto out;
        }
 
+       jmr->properties |= BOOTSTRAP_PROPERTY_MOVEDSUBSET;
+
+       /* This is a hack. We should be doing this in jobmgr_new(), but since we're in the middle of
+        * processing an IPC request, we'll do this action before the new job manager can get any IPC
+        * requests. This serialization is guaranteed since we are single-threaded in that respect.
+        */
+       if (flags & LAUNCH_GLOBAL_ON_DEMAND) {
+               /* This is so awful. */
+               /* Remove the job from its current job manager. */
+               LIST_REMOVE(j, sle);
+               LIST_REMOVE(j, pid_hash_sle);
+
+               /* Put the job into the target job manager. */
+               LIST_INSERT_HEAD(&jmr->jobs, j, sle);
+               LIST_INSERT_HEAD(&jmr->active_jobs[ACTIVE_JOB_HASH(j->p)], j, pid_hash_sle);
+               
+               j->mgr = jmr;
+               job_set_global_on_demand(j, true);
+               
+               if (!j->holds_ref) {
+                       j->holds_ref = true;
+                       runtime_add_ref();
+               }
+       }
+       
        for (l2l_i = 0; l2l_i < l2l_port_cnt; l2l_i++) {
                launch_data_t tmp, obj_at_idx;
                struct machservice *ms;
        for (l2l_i = 0; l2l_i < l2l_port_cnt; l2l_i++) {
                launch_data_t tmp, obj_at_idx;
                struct machservice *ms;
@@ -6080,23 +9160,24 @@ job_mig_move_subset(job_t j, mach_port_t target_subset, name_t session_type)
                pid_t target_pid;
                bool serv_perpid;
 
                pid_t target_pid;
                bool serv_perpid;
 
-               job_assumes(j, obj_at_idx = launch_data_array_get_index(out_obj_array, l2l_i));
-               job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_PID));
+               (void)job_assumes(j, obj_at_idx = launch_data_array_get_index(out_obj_array, l2l_i));
+               (void)job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_PID));
                target_pid = (pid_t)launch_data_get_integer(tmp);
                target_pid = (pid_t)launch_data_get_integer(tmp);
-               job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_PERPID));
+               (void)job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_PERPID));
                serv_perpid = launch_data_get_bool(tmp);
                serv_perpid = launch_data_get_bool(tmp);
-               job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_NAME));
+               (void)job_assumes(j, tmp = launch_data_dict_lookup(obj_at_idx, TAKE_SUBSET_NAME));
                serv_name = launch_data_get_string(tmp);
 
                j_for_service = jobmgr_find_by_pid(jmr, target_pid, true);
 
                serv_name = launch_data_get_string(tmp);
 
                j_for_service = jobmgr_find_by_pid(jmr, target_pid, true);
 
-               if (!j_for_service) {
+               if (unlikely(!j_for_service)) {
                        /* The PID probably exited */
                        /* The PID probably exited */
-                       job_assumes(j, launchd_mport_deallocate(l2l_ports[l2l_i]) == KERN_SUCCESS);
+                       (void)job_assumes(j, launchd_mport_deallocate(l2l_ports[l2l_i]) == KERN_SUCCESS);
                        continue;
                }
 
                        continue;
                }
 
-               if ((ms = machservice_new(j_for_service, serv_name, &l2l_ports[l2l_i], serv_perpid))) {
+               if (likely(ms = machservice_new(j_for_service, serv_name, &l2l_ports[l2l_i], serv_perpid))) {
+                       job_log(j, LOG_DEBUG, "Importing %s into new bootstrap.", serv_name);
                        machservice_request_notifications(ms);
                }
        }
                        machservice_request_notifications(ms);
                }
        }
@@ -6114,7 +9195,10 @@ out:
 
        if (kr == 0) {
                if (target_subset) {
 
        if (kr == 0) {
                if (target_subset) {
-                       job_assumes(j, launchd_mport_deallocate(target_subset) == KERN_SUCCESS);
+                       (void)job_assumes(j, launchd_mport_deallocate(target_subset) == KERN_SUCCESS);
+               }
+               if (asport) {
+                       (void)job_assumes(j, launchd_mport_deallocate(asport) == KERN_SUCCESS);
                }
        } else if (jmr) {
                jobmgr_shutdown(jmr);
                }
        } else if (jmr) {
                jobmgr_shutdown(jmr);
@@ -6123,6 +9207,142 @@ out:
        return kr;
 }
 
        return kr;
 }
 
+kern_return_t
+job_mig_init_session(job_t j, name_t session_type, mach_port_t asport)
+{
+       job_t j2;
+       
+       kern_return_t kr = BOOTSTRAP_NO_MEMORY;
+       if (j->mgr->session_initialized) {
+               job_log(j, LOG_ERR, "Tried to initialize an already setup session!");
+               kr = BOOTSTRAP_NOT_PRIVILEGED;
+       } else if (strcmp(session_type, VPROCMGR_SESSION_LOGINWINDOW) == 0) {
+               jobmgr_t jmi;
+               
+               /*
+                * 5330262
+                *
+                * We're working around LoginWindow and the WindowServer.
+                *
+                * In practice, there is only one LoginWindow session. Unfortunately, for certain
+                * scenarios, the WindowServer spawns loginwindow, and in those cases, it frequently
+                * spawns a replacement loginwindow session before cleaning up the previous one.
+                *
+                * We're going to use the creation of a new LoginWindow context as a clue that the
+                * previous LoginWindow context is on the way out and therefore we should just
+                * kick-start the shutdown of it.
+                */
+               
+               SLIST_FOREACH(jmi, &root_jobmgr->submgrs, sle) {
+                       if (unlikely(jmi->shutting_down)) {
+                               continue;
+                       } else if (strcasecmp(jmi->name, session_type) == 0) {
+                               jobmgr_shutdown(jmi);
+                               break;
+                       }
+               }
+       }
+       
+       jobmgr_log(j->mgr, LOG_DEBUG, "Initializing as %s", session_type);
+       strcpy(j->mgr->name_init, session_type);
+       
+       if (job_assumes(j, (j2 = jobmgr_init_session(j->mgr, session_type, false)))) {
+               j2->asport = asport;
+               (void)job_assumes(j, job_dispatch(j2, true));
+               kr = BOOTSTRAP_SUCCESS;
+       }
+       
+       return kr;
+}
+
+kern_return_t
+job_mig_switch_to_session(job_t j, mach_port_t requestor_port, name_t session_name, mach_port_t asport, mach_port_t *new_bsport)
+{
+       struct ldcred *ldc = runtime_get_caller_creds();
+       if (!jobmgr_assumes(root_jobmgr, j != NULL)) {
+               jobmgr_log(root_jobmgr, LOG_ERR, "%s() called with NULL job: PID %d", __func__, ldc->pid);
+               return BOOTSTRAP_NO_MEMORY;
+       }
+
+       job_log(j, LOG_DEBUG, "Job wants to move to %s session.", session_name);
+       
+       if (!job_assumes(j, pid1_magic == false)) {
+               job_log(j, LOG_WARNING, "Switching sessions is not allowed in the system Mach bootstrap.");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       if (!j->anonymous) {
+               job_log(j, LOG_NOTICE, "Non-anonymous job tried to switch sessions. Please use LimitLoadToSessionType instead.");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       jobmgr_t target_jm = jobmgr_find_by_name(root_jobmgr, session_name);
+       if (target_jm == j->mgr) {
+               job_log(j, LOG_DEBUG, "Job is already in its desired session (%s).", session_name);
+               *new_bsport = target_jm->jm_port;
+               return BOOTSTRAP_SUCCESS;
+       }
+       
+       if (!target_jm) {
+               target_jm = jobmgr_new(j->mgr, requestor_port, MACH_PORT_NULL, false, session_name, false, asport);
+               if (target_jm) {
+                       target_jm->properties |= BOOTSTRAP_PROPERTY_IMPLICITSUBSET;
+                       (void)job_assumes(j, launchd_mport_deallocate(asport) == KERN_SUCCESS);
+               }
+       }
+       
+       if (!job_assumes(j, target_jm != NULL)) {
+               job_log(j, LOG_WARNING, "Could not find %s session!", session_name);
+               return BOOTSTRAP_NO_MEMORY;
+       }
+       
+       /* Remove the job from it's current job manager. */
+       LIST_REMOVE(j, sle);
+       LIST_REMOVE(j, pid_hash_sle);
+
+       job_t ji = NULL, jit = NULL;
+       LIST_FOREACH_SAFE(ji, &j->mgr->global_env_jobs, global_env_sle, jit) {
+               if (ji == j) {
+                       LIST_REMOVE(ji, global_env_sle);
+                       break;
+               }
+       }
+       
+       /* Put the job into the target job manager. */
+       LIST_INSERT_HEAD(&target_jm->jobs, j, sle);
+       LIST_INSERT_HEAD(&target_jm->active_jobs[ACTIVE_JOB_HASH(j->p)], j, pid_hash_sle);
+       
+       if (ji) {
+               LIST_INSERT_HEAD(&target_jm->global_env_jobs, j, global_env_sle);
+       }
+       
+       /* Move our Mach services over if we're not in a flat namespace. */
+       if (!g_flat_mach_namespace && !SLIST_EMPTY(&j->machservices)) {
+               struct machservice *msi = NULL, *msit = NULL;
+               SLIST_FOREACH_SAFE(msi, &j->machservices, sle, msit) {
+                       LIST_REMOVE(msi, name_hash_sle);
+                       LIST_INSERT_HEAD(&target_jm->ms_hash[hash_ms(msi->name)], msi, name_hash_sle);
+               }
+       }
+       
+       j->mgr = target_jm;
+       
+       if (!j->holds_ref) {
+               /* Anonymous jobs which move around are particularly interesting to us, so we want to
+                * stick around while they're still around.
+                * For example, login calls into the PAM launchd module, which moves the process into
+                * the StandardIO session by default. So we'll hold a reference on that job to prevent
+                * ourselves from going away.
+                */
+               j->holds_ref = true;
+               runtime_add_ref();
+       }
+       
+       *new_bsport = target_jm->jm_port;
+       
+       return KERN_SUCCESS;
+}
+
 kern_return_t
 job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
                vm_offset_t *outdata, mach_msg_type_number_t *outdataCnt,
 kern_return_t
 job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
                vm_offset_t *outdata, mach_msg_type_number_t *outdataCnt,
@@ -6142,16 +9362,19 @@ job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
 
        jm = j->mgr;
 
 
        jm = j->mgr;
 
-       if (getpid() != 1) {
+       if (unlikely(!pid1_magic)) {
                job_log(j, LOG_ERR, "Only the system launchd will transfer Mach sub-bootstraps.");
                return BOOTSTRAP_NOT_PRIVILEGED;
                job_log(j, LOG_ERR, "Only the system launchd will transfer Mach sub-bootstraps.");
                return BOOTSTRAP_NOT_PRIVILEGED;
-       } else if (jobmgr_parent(jm) == NULL) {
+       }
+       if (unlikely(jobmgr_parent(jm) == NULL)) {
                job_log(j, LOG_ERR, "Root Mach bootstrap cannot be transferred.");
                return BOOTSTRAP_NOT_PRIVILEGED;
                job_log(j, LOG_ERR, "Root Mach bootstrap cannot be transferred.");
                return BOOTSTRAP_NOT_PRIVILEGED;
-       } else if (strcasecmp(jm->name, VPROCMGR_SESSION_AQUA) == 0) {
+       }
+       if (unlikely(strcasecmp(jm->name, VPROCMGR_SESSION_AQUA) == 0)) {
                job_log(j, LOG_ERR, "Cannot transfer a setup GUI session.");
                return BOOTSTRAP_NOT_PRIVILEGED;
                job_log(j, LOG_ERR, "Cannot transfer a setup GUI session.");
                return BOOTSTRAP_NOT_PRIVILEGED;
-       } else if (!j->anonymous) {
+       }
+       if (unlikely(!j->anonymous)) {
                job_log(j, LOG_ERR, "Only the anonymous job can transfer Mach sub-bootstraps.");
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
                job_log(j, LOG_ERR, "Only the anonymous job can transfer Mach sub-bootstraps.");
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
@@ -6179,7 +9402,7 @@ job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
        }
 
        mig_allocate((vm_address_t *)&ports, cnt * sizeof(ports[0]));
        }
 
        mig_allocate((vm_address_t *)&ports, cnt * sizeof(ports[0]));
-       if (!launchd_assumes(ports != NULL)) {
+       if (!job_assumes(j, ports != NULL)) {
                goto out_bad;
        }
 
                goto out_bad;
        }
 
@@ -6190,25 +9413,25 @@ job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
 
                SLIST_FOREACH(ms, &ji->machservices, sle) {
                        if (job_assumes(j, (tmp_dict = launch_data_alloc(LAUNCH_DATA_DICTIONARY)))) {
 
                SLIST_FOREACH(ms, &ji->machservices, sle) {
                        if (job_assumes(j, (tmp_dict = launch_data_alloc(LAUNCH_DATA_DICTIONARY)))) {
-                               job_assumes(j, launch_data_array_set_index(outdata_obj_array, tmp_dict, cnt2));
+                               (void)job_assumes(j, launch_data_array_set_index(outdata_obj_array, tmp_dict, cnt2));
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_string(machservice_name(ms))))) {
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_string(machservice_name(ms))))) {
-                               job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_NAME));
+                               (void)job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_NAME));
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_integer((ms->job->p))))) {
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_integer((ms->job->p))))) {
-                               job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_PID));
+                               (void)job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_PID));
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_bool((ms->per_pid))))) {
                        } else {
                                goto out_bad;
                        }
 
                        if (job_assumes(j, (tmp_obj = launch_data_new_bool((ms->per_pid))))) {
-                               job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_PERPID));
+                               (void)job_assumes(j, launch_data_dict_insert(tmp_dict, tmp_obj, TAKE_SUBSET_PERPID));
                        } else {
                                goto out_bad;
                        }
                        } else {
                                goto out_bad;
                        }
@@ -6216,13 +9439,14 @@ job_mig_take_subset(job_t j, mach_port_t *reqport, mach_port_t *rcvright,
                        ports[cnt2] = machservice_port(ms);
 
                        /* Increment the send right by one so we can shutdown the jobmgr cleanly */
                        ports[cnt2] = machservice_port(ms);
 
                        /* Increment the send right by one so we can shutdown the jobmgr cleanly */
-                       jobmgr_assumes(jm, (errno = mach_port_mod_refs(mach_task_self(), ports[cnt2], MACH_PORT_RIGHT_SEND, 1)) == 0);
+                       (void)jobmgr_assumes(jm, (errno = launchd_mport_copy_send(ports[cnt2])) == KERN_SUCCESS);
                        cnt2++;
                }
        }
 
                        cnt2++;
                }
        }
 
-       launchd_assumes(cnt == cnt2);
+       (void)job_assumes(j, cnt == cnt2);
 
 
+       runtime_ktrace0(RTKT_LAUNCHD_DATA_PACK);
        packed_size = launch_data_pack(outdata_obj_array, (void *)*outdata, *outdataCnt, NULL, NULL);
        if (!job_assumes(j, packed_size != 0)) {
                goto out_bad;
        packed_size = launch_data_pack(outdata_obj_array, (void *)*outdata, *outdataCnt, NULL, NULL);
        if (!job_assumes(j, packed_size != 0)) {
                goto out_bad;
@@ -6276,136 +9500,552 @@ job_mig_subset(job_t j, mach_port_t requestorport, mach_port_t *subsetportp)
        }
 
        /* Since we use recursion, we need an artificial depth for subsets */
        }
 
        /* Since we use recursion, we need an artificial depth for subsets */
-       if (bsdepth > 100) {
+       if (unlikely(bsdepth > 100)) {
                job_log(j, LOG_ERR, "Mach sub-bootstrap create request failed. Depth greater than: %d", bsdepth);
                return BOOTSTRAP_NO_MEMORY;
        }
 
                job_log(j, LOG_ERR, "Mach sub-bootstrap create request failed. Depth greater than: %d", bsdepth);
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       if ((jmr = jobmgr_new(j->mgr, requestorport, MACH_PORT_NULL, false, NULL)) == NULL) {
-               if (requestorport == MACH_PORT_NULL) {
+       char name[NAME_MAX];
+       snprintf(name, sizeof(name), "%s[%i].subset.%i", j->anonymous ? j->prog : j->label, j->p, MACH_PORT_INDEX(requestorport));
+
+       if (!job_assumes(j, (jmr = jobmgr_new(j->mgr, requestorport, MACH_PORT_NULL, false, name, true, j->asport)) != NULL)) {
+               if (unlikely(requestorport == MACH_PORT_NULL)) {
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
                return BOOTSTRAP_NO_MEMORY;
        }
 
        *subsetportp = jmr->jm_port;
                        return BOOTSTRAP_NOT_PRIVILEGED;
                }
                return BOOTSTRAP_NO_MEMORY;
        }
 
        *subsetportp = jmr->jm_port;
+       jmr->properties |= BOOTSTRAP_PROPERTY_EXPLICITSUBSET;
+       
+       /* A job could create multiple subsets, so only add a reference the first time
+        * it does so we don't have to keep a count.
+        */
+       if (j->anonymous && !j->holds_ref) {
+               j->holds_ref = true;
+               runtime_add_ref();
+       }
+       
+       job_log(j, LOG_DEBUG, "Job created a subset named \"%s\"", jmr->name);
        return BOOTSTRAP_SUCCESS;
 }
 
        return BOOTSTRAP_SUCCESS;
 }
 
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+job_t
+xpc_domain_import_service(jobmgr_t jm, launch_data_t pload)
+{
+       jobmgr_t where2put = NULL;
+
+       launch_data_t destname = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_XPCDOMAIN);
+       if (destname) {
+               if (launch_data_get_type(destname) == LAUNCH_DATA_STRING) {
+                       const char *str = launch_data_get_string(destname);
+                       if (strcmp(str, XPC_DOMAIN_TYPE_SYSTEM) == 0) {
+                               where2put = _s_xpc_system_domain;
+                       } else if (strcmp(str, XPC_DOMAIN_TYPE_PERUSER) == 0) {
+                               where2put = jobmgr_find_xpc_per_user_domain(jm, jm->req_euid);
+                       } else if (strcmp(str, XPC_DOMAIN_TYPE_PERSESSION) == 0) {
+                               where2put = jobmgr_find_xpc_per_session_domain(jm, jm->req_asid);
+                       } else {
+                               jobmgr_log(jm, LOG_ERR, "Invalid XPC domain type: %s", str);
+                               errno = EINVAL;
+                       }
+               } else {
+                       jobmgr_log(jm, LOG_ERR, "XPC domain type is not a string.");
+                       errno = EINVAL;
+               }
+
+               if (where2put) {
+                       launch_data_t mi = NULL;
+                       if ((mi = launch_data_dict_lookup(pload, LAUNCH_JOBKEY_MULTIPLEINSTANCES))) {
+                               if (launch_data_get_type(mi) == LAUNCH_DATA_BOOL && launch_data_get_bool(mi)) {
+                                       jobmgr_log(where2put, LOG_ERR, "Multiple-instance services are not supported in this domain.");
+                                       where2put = NULL;
+                                       errno = EINVAL;
+                               }
+                       }
+               }
+       } else {
+               where2put = jm;
+       }
+
+       job_t j = NULL;
+       if (where2put) {
+               jobmgr_log(where2put, LOG_DEBUG, "Importing service...");
+               j = jobmgr_import2(where2put, pload);
+               if (j) {
+                       j->xpc_service = true;
+                       if (where2put->xpc_singleton) {
+                               /* If the service was destined for one of the global domains,
+                                * then we have to alias it into our local domain to reserve the
+                                * name.
+                                */
+                               job_t ja = job_new_alias(jm, j);
+                               if (!ja) {
+                                       /* If we failed to alias the job because of a conflict over
+                                        * the label, then we remove it from the global domain. We
+                                        * don't want to risk having imported a malicious job into
+                                        * one of the global domains.
+                                        */
+                                       if (errno != EEXIST) {
+                                               job_assumes(j, errno == 0);
+                                       } else {
+                                               job_log(j, LOG_ERR, "Failed to alias job into: %s", where2put->name);
+                                       }
+
+                                       job_remove(j);
+                               } else {
+                                       ja->xpc_service = true;
+                                       j = ja;
+                               }
+                       }
+               }
+       }
+
+       return j;
+}
+
 kern_return_t
 kern_return_t
-job_mig_create_service(job_t j, name_t servicename, mach_port_t *serviceportp)
+xpc_domain_import2(job_t j, mach_port_t reqport, mach_port_t dport)
 {
 {
-       struct machservice *ms;
+       if (unlikely(!pid1_magic)) {
+               job_log(j, LOG_ERR, "XPC domains may only reside in PID 1.");
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       if (!MACH_PORT_VALID(reqport)) {
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
 
 
-       if (!launchd_assumes(j != NULL)) {
+       kern_return_t kr = BOOTSTRAP_NO_MEMORY;
+       /* All XPC domains are children of the root job manager. What we're creating
+        * here is really just a skeleton. By creating it, we're adding reqp to our
+        * port set. It will have two messages on it. The first specifies the
+        * environment of the originator. This is so we can cache it and hand it to
+        * xpcproxy to bootstrap our services. The second is the set of jobs that is
+        * to be bootstrapped in.
+        */
+       jobmgr_t jm = jobmgr_new(root_jobmgr, reqport, dport, false, NULL, true, MACH_PORT_NULL);
+       if (job_assumes(j, jm != NULL)) {
+               jm->properties |= BOOTSTRAP_PROPERTY_XPC_DOMAIN;
+               jm->shortdesc = "private";
+               kr = BOOTSTRAP_SUCCESS;
+       }
+
+       return kr;
+}
+
+kern_return_t
+xpc_domain_set_environment(job_t j, mach_port_t rp, mach_port_t bsport, mach_port_t excport, vm_offset_t ctx, mach_msg_type_number_t ctx_sz)
+{
+       if (!j) {
+               /* Due to the whacky nature of XPC service bootstrapping, we can end up
+                * getting this message long after the requesting process has gone away.
+                * See <rdar://problem/8593143>.
+                */
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+
+       jobmgr_t jm = j->mgr;
+       if (!(jm->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       if (jm->req_asport != MACH_PORT_NULL) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       struct ldcred *ldc = runtime_get_caller_creds();
+       struct proc_bsdshortinfo proc;
+       if (proc_pidinfo(ldc->pid, PROC_PIDT_SHORTBSDINFO, 1, &proc, PROC_PIDT_SHORTBSDINFO_SIZE) == 0) {
+               if (errno != ESRCH) {
+                       jobmgr_assumes(jm, errno == 0);
+               }
+
+               jm->error = errno;
+               jobmgr_remove(jm);
                return BOOTSTRAP_NO_MEMORY;
        }
 
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       if (job_prog(j)[0] == '\0') {
-               job_log(j, LOG_ERR, "Mach service creation requires a target server: %s", servicename);
+       if (!jobmgr_assumes(jm, audit_session_port(ldc->asid, &jm->req_asport) == 0)) {
+               jm->error = EPERM;
+               jobmgr_remove(jm);
+               job_log(j, LOG_ERR, "Failed to get port for ASID: %u", ldc->asid);
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       if (!j->legacy_mach_job) {
-               job_log(j, LOG_ERR, "bootstrap_create_service() is only allowed against legacy Mach jobs: %s", servicename);
+       (void)snprintf(jm->name_init, NAME_MAX, "com.apple.xpc.domain.%s[%i]", proc.pbsi_comm, ldc->pid);
+       strlcpy(jm->owner, proc.pbsi_comm, sizeof(jm->owner));
+       jm->req_bsport = bsport;
+       jm->req_excport = excport;
+       jm->req_rport = rp;
+       jm->req_ctx = ctx;
+       jm->req_ctx_sz = ctx_sz;
+       jm->req_pid = ldc->pid;
+       jm->req_euid = ldc->euid;
+       jm->req_egid = ldc->egid;
+       jm->req_asid = ldc->asid;
+       
+       return KERN_SUCCESS;
+}
+
+kern_return_t
+xpc_domain_load_services(job_t j, vm_offset_t services_buff, mach_msg_type_number_t services_sz)
+{
+       if (!j) {
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+
+       /* This is just for XPC domains (for now). */
+       if (!(j->mgr->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       if (j->mgr->session_initialized) {
+               jobmgr_log(j->mgr, LOG_ERR, "Attempt to initialize an already-initialized XPC domain.");
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
-       ms = jobmgr_lookup_service(j->mgr, servicename, false, 0);
-       if (ms) {
-               job_log(j, LOG_DEBUG, "Mach service creation attempt for failed. Already exists: %s", servicename);
-               return BOOTSTRAP_NAME_IN_USE;
+       size_t offset = 0;
+       launch_data_t services = launch_data_unpack((void *)services_buff, services_sz, NULL, 0, &offset, NULL);
+       if (!jobmgr_assumes(j->mgr, services != NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
        }
 
        }
 
-       job_checkin(j);
+       size_t i = 0;
+       size_t c = launch_data_array_get_count(services);
+       for (i = 0; i < c; i++) {
+               job_t nj = NULL;
+               launch_data_t ploadi = launch_data_array_get_index(services, i);
+               if (!(nj = xpc_domain_import_service(j->mgr, ploadi))) {
+                       /* If loading one job fails, just fail the whole thing. At this
+                        * point, xpchelper should receive the failure and then just refuse
+                        * to launch the application, since its XPC services could not be
+                        * fully bootstrapped.
+                        *
+                        * Take care to not reference the job or its manager after this
+                        * point.
+                        */
+                       if (errno == EINVAL) {
+                               jobmgr_log(j->mgr, LOG_ERR, "Service at index is not valid: %lu", i);
+                       } else if (errno == EEXIST) {
+                               /* If we get back EEXIST, we know that the payload was a
+                                * dictionary with a label. But, well, I guess it never hurts to
+                                * check.
+                                */
+                               char *label = "(bogus)";
+                               if (launch_data_get_type(ploadi) == LAUNCH_DATA_DICTIONARY) {
+                                       launch_data_t llabel = launch_data_dict_lookup(ploadi, LAUNCH_JOBKEY_LABEL);
+                                       if (launch_data_get_type(llabel) == LAUNCH_DATA_STRING) {
+                                               label = (char *)launch_data_get_string(llabel);
+                                       }
+                               }
+                               jobmgr_log(j->mgr, LOG_ERR, "Service name conflict: %s", label);
+                       }
 
 
-       *serviceportp = MACH_PORT_NULL;
-       ms = machservice_new(j, servicename, serviceportp, false);
+                       j->mgr->error = errno;
+                       jobmgr_log(j->mgr, LOG_ERR, "Obliterating domain.");
+                       jobmgr_remove(j->mgr);
+                       break;
+               } else {
+                       jobmgr_log(j->mgr, LOG_DEBUG, "Imported service %s", nj->label);
+                       job_dispatch(nj, false);
+               }
+       }
 
 
-       if (!launchd_assumes(ms != NULL)) {
-               goto out_bad;
+       kern_return_t result = BOOTSTRAP_NO_MEMORY;
+       if (i == c) {
+               j->mgr->session_initialized = true;
+               (void)jobmgr_assumes(j->mgr, xpc_call_wakeup(j->mgr->req_rport, BOOTSTRAP_SUCCESS) == KERN_SUCCESS);
+               j->mgr->req_rport = MACH_PORT_NULL;
+
+               /* Returning a failure code will destroy the message, whereas returning
+                * success will not, so we need to clean up here.
+                */
+               mig_deallocate(services_buff, services_sz);
+               result = BOOTSTRAP_SUCCESS;
        }
 
        }
 
-       return BOOTSTRAP_SUCCESS;
+       return result;
+}
 
 
-out_bad:
-       launchd_assumes(launchd_mport_close_recv(*serviceportp) == KERN_SUCCESS);
-       return BOOTSTRAP_NO_MEMORY;
+kern_return_t
+xpc_domain_check_in(job_t j, mach_port_t *bsport, mach_port_t *sbsport, mach_port_t *excport, mach_port_t *asport, uint32_t *uid, uint32_t *gid, int32_t *asid, vm_offset_t *ctx, mach_msg_type_number_t *ctx_sz)
+{
+       if (!jobmgr_assumes(root_jobmgr, j != NULL)) {
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+       jobmgr_t jm = j->mgr;
+       if (!(jm->properties & BOOTSTRAP_PROPERTY_XPC_DOMAIN)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       if (jm->req_asport == MACH_PORT_NULL) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       *bsport = jm->req_bsport;
+       *sbsport = root_jobmgr->jm_port;
+       *excport = jm->req_excport;
+       *asport = jm->req_asport;
+       *uid = jm->req_euid;
+       *gid = jm->req_egid;
+       *asid = jm->req_asid;
+       
+       *ctx = jm->req_ctx;
+       *ctx_sz = jm->req_ctx_sz;
+       
+       return KERN_SUCCESS;
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_wait(job_t j, mach_port_t srp, integer_t *waitstatus)
+xpc_domain_get_service_name(job_t j, event_name_t name)
 {
 {
-       if (!launchd_assumes(j != NULL)) {
+       if (!j) {
                return BOOTSTRAP_NO_MEMORY;
        }
                return BOOTSTRAP_NO_MEMORY;
        }
-#if 0
-       struct ldcred ldc;
-       runtime_get_caller_creds(&ldc);
+       if (!j->xpc_service) {
+               jobmgr_log(j->mgr, LOG_ERR, "Attempt to get service name by non-XPC service: %s", j->label);
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+       struct machservice * ms = SLIST_FIRST(&j->machservices);
+       if (!ms) {
+               jobmgr_log(j->mgr, LOG_ERR, "Attempt to get service name of job with no machservices: %s", j->label);
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+
+       (void)strlcpy(name, ms->name, sizeof(event_name_t));
+       return BOOTSTRAP_SUCCESS;
+}
 #endif
 #endif
-       return job_handle_mpm_wait(j, srp, waitstatus);
+
+kern_return_t
+xpc_events_get_channel_name(job_t j __attribute__((unused)), event_name_t stream __attribute__((unused)), uint64_t token __attribute__((unused)), event_name_t name __attribute__((unused)))
+{
+       return KERN_FAILURE;
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_uncork_fork(job_t j)
+xpc_events_get_event_name(job_t j, event_name_t stream, uint64_t token, event_name_t name)
 {
 {
-       if (!launchd_assumes(j != NULL)) {
-               return BOOTSTRAP_NO_MEMORY;
+       struct externalevent *event = externalevent_find(stream, token);
+       if (event && j->event_monitor) {
+               (void)strcpy(name, event->name);
+       } else {
+               event = NULL;
        }
 
        }
 
-       if (!j->stall_before_exec) {
-               job_log(j, LOG_WARNING, "Attempt to uncork a job that isn't in the middle of a fork().");
-               return 1;
+       return event ? BOOTSTRAP_SUCCESS : BOOTSTRAP_UNKNOWN_SERVICE;
+}
+       
+kern_return_t
+xpc_events_set_event(job_t j, event_name_t stream, event_name_t key, vm_offset_t event, mach_msg_type_number_t eventCnt)
+{
+       if (j->anonymous) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
        }
 
-       job_uncork_fork(j);
-       j->stall_before_exec = false;
-       return 0;
+       struct externalevent *eei = NULL;
+       LIST_FOREACH(eei, &j->events, job_le) {
+               if (strcmp(eei->name, key) == 0 && strcmp(eei->sys->name, stream) == 0) {
+                       externalevent_delete(eei);
+                       eventsystem_ping();
+                       break;
+               }
+       }
+
+       bool success = false;
+       struct eventsystem *es = eventsystem_find(stream);
+       if (!es) {
+               es = eventsystem_new(stream);
+               (void)job_assumes(j, es != NULL);
+       }
+
+       if (es) {
+               size_t offset = 0;
+               launch_data_t unpacked = launch_data_unpack((void *)event, eventCnt, NULL, 0, &offset, 0);
+               if (unpacked && launch_data_get_type(unpacked) == LAUNCH_DATA_DICTIONARY) {
+                       success = externalevent_new(j, es, key, unpacked);
+               }
+       }
+
+       if (!success) {
+               mig_deallocate(event, eventCnt);
+       }
+
+       return KERN_SUCCESS;
 }
 
 kern_return_t
 }
 
 kern_return_t
-job_mig_set_service_policy(job_t j, pid_t target_pid, uint64_t flags, name_t target_service)
-{
-       job_t target_j;
+xpc_events_get_event(job_t j, event_name_t stream, event_name_t key, vm_offset_t *event, mach_msg_type_number_t *eventCnt)
+{
+       struct externalevent *eei = NULL;
+       LIST_FOREACH(eei, &j->events, job_le) {
+               if (strcmp(eei->name, key) == 0 && strcmp(eei->sys->name, stream) == 0) {
+                       /* Big enough. */
+                       *eventCnt = 10 * 1024;
+                       mig_allocate(event, *eventCnt);
+
+                       size_t sz = launch_data_pack(eei->event, (void *)*event, *eventCnt, NULL, NULL);
+                       if (!job_assumes(j, sz != 0)) {
+                               mig_deallocate(*event, *eventCnt);
+                               return BOOTSTRAP_NO_MEMORY;
+                       }
 
 
-       if (!launchd_assumes(j != NULL)) {
-               return BOOTSTRAP_NO_MEMORY;
+                       return BOOTSTRAP_SUCCESS;
+               }
        }
 
        }
 
-       if (!job_assumes(j, (target_j = jobmgr_find_by_pid(j->mgr, target_pid, true)) != NULL)) {
-               return BOOTSTRAP_NO_MEMORY;
+       return BOOTSTRAP_UNKNOWN_SERVICE;
+}
+
+struct machservice *
+xpc_events_find_channel(job_t j, event_name_t stream, mach_port_t *p)
+{
+       struct machservice *msi = NULL;
+       SLIST_FOREACH(msi, &j->machservices, sle) {
+               if (strcmp(stream, msi->name) == 0) {
+                       break;
+               }
        }
 
        }
 
-       if (SLIST_EMPTY(&j->mspolicies)) {
-               job_log(j, LOG_DEBUG, "Setting policy on job \"%s\" for Mach service: %s", target_j->label, target_service);
-               if (target_service[0]) {
-                       job_assumes(j, mspolicy_new(target_j, target_service, flags & BOOTSTRAP_ALLOW_LOOKUP, flags & BOOTSTRAP_PER_PID_SERVICE, false));
+       if (!msi) {
+               mach_port_t sp = MACH_PORT_NULL;
+               msi = machservice_new(j, stream, &sp, false);
+               if (job_assumes(j, msi)) {
+                       /* Hack to keep this from being publicly accessible through
+                        * bootstrap_look_up().
+                        */
+                       LIST_REMOVE(msi, name_hash_sle);
+                       msi->event_channel = true;
+                       *p = sp;
+
+                       machservice_watch(j, msi);
                } else {
                } else {
-                       target_j->deny_unknown_mslookups = !(flags & BOOTSTRAP_ALLOW_LOOKUP);
+                       errno = BOOTSTRAP_NO_MEMORY;
                }
        } else {
                }
        } else {
-               job_log(j, LOG_WARNING, "Jobs that have policies assigned to them may not set policies.");
+               if (!msi->event_channel) {
+                       job_log(j, LOG_ERR, "This job registered a MachService name identical to the requested event channel name: %s", stream);
+                       msi = NULL;
+                       errno = BOOTSTRAP_NAME_IN_USE;
+               } else {
+                       *p = msi->port;
+               }
+       }
+
+       return msi;
+}
+
+kern_return_t
+xpc_events_channel_check_in(job_t j, event_name_t stream, uint64_t flags __attribute__((unused)), mach_port_t *p)
+{
+       struct machservice *ms = xpc_events_find_channel(j, stream, p);
+       if (ms) {
+               if (ms->isActive) {
+                       job_log(j, LOG_ERR, "Attempt to check in on event channel multiple times: %s", stream);
+                       *p = MACH_PORT_NULL;
+                       errno = BOOTSTRAP_SERVICE_ACTIVE;
+               } else {
+                       job_checkin(j);
+                       machservice_request_notifications(ms);
+                       errno = BOOTSTRAP_SUCCESS;
+               }
+       }
+
+       return errno;
+}
+
+kern_return_t
+xpc_events_channel_look_up(job_t j, event_name_t stream, event_token_t token, uint64_t flags __attribute__((unused)), mach_port_t *p)
+{
+       if (!j->event_monitor) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+       struct externalevent *ee = externalevent_find(stream, token);
+       if (!ee) {
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+
+       struct machservice *ms = xpc_events_find_channel(ee->job, stream, p);
+       if (ms) {
+               errno = BOOTSTRAP_SUCCESS;
+       }
+
+       return errno;
+}
+
+kern_return_t
+job_mig_kickstart(job_t j, name_t targetlabel, pid_t *out_pid, unsigned int flags)
+{
+       struct ldcred *ldc = runtime_get_caller_creds();
+       job_t otherj;
+
+       if (!launchd_assumes(j != NULL)) {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+
+       if (unlikely(!(otherj = job_find(NULL, targetlabel)))) {
+               return BOOTSTRAP_UNKNOWN_SERVICE;
+       }
+
+#if TARGET_OS_EMBEDDED
+       bool allow_non_root_kickstart = j->username && otherj->username && (strcmp(j->username, otherj->username) == 0);
+#else
+       bool allow_non_root_kickstart = false;
+#endif
+
+       if (ldc->euid != 0 && ldc->euid != geteuid() && !allow_non_root_kickstart) {
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
                return BOOTSTRAP_NOT_PRIVILEGED;
        }
 
+#if HAVE_SANDBOX
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif
+
+       if (otherj->p && (flags & VPROCFLAG_STALL_JOB_EXEC)) {
+               return BOOTSTRAP_SERVICE_ACTIVE;
+       }
+
+       otherj->stall_before_exec = (flags & VPROCFLAG_STALL_JOB_EXEC);
+       otherj = job_dispatch(otherj, true);
+
+       if (!job_assumes(j, otherj && otherj->p)) {
+               /* <rdar://problem/6787083> Clear this flag if we failed to start the job. */
+               otherj->stall_before_exec = false;
+               return BOOTSTRAP_NO_MEMORY;
+       }
+
+       *out_pid = otherj->p;
+
        return 0;
 }
 
 kern_return_t
        return 0;
 }
 
 kern_return_t
-job_mig_spawn(job_t j, vm_offset_t indata, mach_msg_type_number_t indataCnt, pid_t *child_pid, mach_port_t *obsvr_port)
+job_mig_spawn_internal(job_t j, vm_offset_t indata, mach_msg_type_number_t indataCnt, mach_port_t asport, job_t *outj)
 {
 {
-       launch_data_t input_obj = NULL;
+       launch_data_t jobdata = NULL;
        size_t data_offset = 0;
        size_t data_offset = 0;
-       struct ldcred ldc;
+       struct ldcred *ldc = runtime_get_caller_creds();
        job_t jr;
        job_t jr;
-
-       runtime_get_caller_creds(&ldc);
-
+       
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
        if (!launchd_assumes(j != NULL)) {
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       if (getpid() == 1 && ldc.euid && ldc.uid) {
+       if (unlikely(j->deny_job_creation)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+#if HAVE_SANDBOX
+       if (unlikely(sandbox_check(ldc->pid, "job-creation", SANDBOX_FILTER_NONE) > 0)) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+#endif
+       
+       if (unlikely(pid1_magic && ldc->euid && ldc->uid)) {
                job_log(j, LOG_DEBUG, "Punting spawn to per-user-context");
                return VPROC_ERR_TRY_PER_USER;
        }
                job_log(j, LOG_DEBUG, "Punting spawn to per-user-context");
                return VPROC_ERR_TRY_PER_USER;
        }
@@ -6414,62 +10054,237 @@ job_mig_spawn(job_t j, vm_offset_t indata, mach_msg_type_number_t indataCnt, pid
                return 1;
        }
 
                return 1;
        }
 
-       if (!job_assumes(j, (input_obj = launch_data_unpack((void *)indata, indataCnt, NULL, 0, &data_offset, NULL)) != NULL)) {
+       runtime_ktrace0(RTKT_LAUNCHD_DATA_UNPACK);
+       if (!job_assumes(j, (jobdata = launch_data_unpack((void *)indata, indataCnt, NULL, 0, &data_offset, NULL)) != NULL)) {
                return 1;
        }
 
                return 1;
        }
 
-       jr = jobmgr_import2(j->mgr, input_obj);
-       
-       if (!job_assumes(j, jr != NULL)) {
+       jobmgr_t target_jm = jobmgr_find_by_name(j->mgr, NULL);
+       if (!jobmgr_assumes(j->mgr, target_jm != NULL)) {
+               jobmgr_log(j->mgr, LOG_ERR, "This API can only be used by a process running within an Aqua session.");
+               return 1;
+       }
+
+       jr = jobmgr_import2(target_jm ?: j->mgr, jobdata);
+
+       launch_data_t label = NULL;
+       launch_data_t wait4debugger = NULL;
+       if (!jr) {
                switch (errno) {
                case EEXIST:
                switch (errno) {
                case EEXIST:
+                       /* If EEXIST was returned, we know that there is a label string in
+                        * the dictionary. So we don't need to check the types here; that
+                        * has already been done.
+                        */
+                       label = launch_data_dict_lookup(jobdata, LAUNCH_JOBKEY_LABEL);
+                       jr = job_find(NULL, launch_data_get_string(label));
+                       if (job_assumes(j, jr != NULL) && !jr->p) {
+                               wait4debugger = launch_data_dict_lookup(jobdata, LAUNCH_JOBKEY_WAITFORDEBUGGER);
+                               if (wait4debugger && launch_data_get_type(wait4debugger) == LAUNCH_DATA_BOOL) {
+                                       if (launch_data_get_bool(wait4debugger)) {
+                                               /* If the job exists, we're going to kick-start it, but
+                                                * we need to give the caller the opportunity to start
+                                                * it suspended if it so desires. But this will only
+                                                * take effect if the job isn't running.
+                                                */
+                                               jr->wait4debugger_oneshot = true;
+                                       }
+                               }
+                       }
+
+                       *outj = jr;
                        return BOOTSTRAP_NAME_IN_USE;
                default:
                        return BOOTSTRAP_NO_MEMORY;
                }
        }
 
                        return BOOTSTRAP_NAME_IN_USE;
                default:
                        return BOOTSTRAP_NO_MEMORY;
                }
        }
 
-       job_reparent_hack(jr, NULL);
-
-       if (getpid() == 1) {
-               jr->mach_uid = ldc.uid;
+       if (pid1_magic) {
+               jr->mach_uid = ldc->uid;
        }
 
        }
 
-       jr->unload_at_exit = true;
-       jr->wait4pipe_eof = true;
+       jr->legacy_LS_job = true;
        jr->abandon_pg = true;
        jr->abandon_pg = true;
-       jr->stall_before_exec = jr->wait4debugger;
-       jr->wait4debugger = false;
-
+       jr->asport = asport;
+       uuid_clear(jr->expected_audit_uuid);
        jr = job_dispatch(jr, true);
 
        if (!job_assumes(j, jr != NULL)) {
        jr = job_dispatch(jr, true);
 
        if (!job_assumes(j, jr != NULL)) {
+               job_remove(jr);
                return BOOTSTRAP_NO_MEMORY;
        }
 
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       job_assumes(jr, jr->p);
-
-       if (!job_setup_machport(jr)) {
+       if (!job_assumes(jr, jr->p)) {
                job_remove(jr);
                return BOOTSTRAP_NO_MEMORY;
        }
 
                job_remove(jr);
                return BOOTSTRAP_NO_MEMORY;
        }
 
-       job_log(j, LOG_INFO, "Spawned");
+       job_log(jr, LOG_DEBUG, "Spawned by PID %u: %s", j->p, j->label);
+       *outj = jr;
+
+       return BOOTSTRAP_SUCCESS;
+}
 
 
-       *child_pid = jr->p;
-       *obsvr_port = jr->j_port;
+kern_return_t
+job_mig_spawn2(job_t j, mach_port_t rp, vm_offset_t indata, mach_msg_type_number_t indataCnt, mach_port_t asport, pid_t *child_pid, mach_port_t *obsvr_port)
+{
+       job_t nj = NULL;
+       kern_return_t kr = job_mig_spawn_internal(j, indata, indataCnt, asport, &nj);
+       if (likely(kr == KERN_SUCCESS)) {
+               if (job_setup_exit_port(nj) != KERN_SUCCESS) {
+                       job_remove(nj);
+                       kr = BOOTSTRAP_NO_MEMORY;
+               } else {
+                       /* Do not return until the job has called exec(3), thereby making it
+                        * safe for the caller to send it SIGCONT.
+                        *
+                        * <rdar://problem/9042798>
+                        */
+                       nj->spawn_reply_port = rp;
+                       kr = MIG_NO_REPLY;
+               }
+       } else if (kr == BOOTSTRAP_NAME_IN_USE) {
+               bool was_running = nj->p;
+               if (job_dispatch(nj, true)) {
+                       if (!was_running) {
+                               job_log(nj, LOG_DEBUG, "Job exists but is not running. Kick-starting.");
+                               
+                               if (job_setup_exit_port(nj) == KERN_SUCCESS) {
+                                       nj->spawn_reply_port = rp;
+                                       kr = MIG_NO_REPLY;
+                               } else {
+                                       kr = BOOTSTRAP_NO_MEMORY;
+                               }
+                       } else {
+                               *obsvr_port = MACH_PORT_NULL;
+                               *child_pid = nj->p;
+                               kr = KERN_SUCCESS;
+                       }
+               } else {
+                       job_log(nj, LOG_ERR, "Failed to dispatch job, requestor: %s", j->label);
+                       kr = BOOTSTRAP_UNKNOWN_SERVICE;
+               }
+       }
 
        mig_deallocate(indata, indataCnt);
 
        mig_deallocate(indata, indataCnt);
+       return kr;
+}
+
+kern_return_t
+job_mig_event_source_check_in(job_t j, name_t name, mach_port_t ping_port, vm_offset_t *outval,        mach_msg_type_number_t *outvalCnt, uint64_t *tokens)
+{
+       if (!j || !j->event_monitor) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+
+       /* Update our ping-port. One ping will force all the notification systems
+        * to check in, so they'll all give us send-once rights. It doesn't really
+        * matter which one we keep around. It's not the most efficient thing ever,
+        * but keep in mind that, by doing this over one channel, we can do it over
+        * the job's MachService. This means that we'll get it back when the job dies,
+        * and we can create ourselves a send-once right if we didn't have one already,
+        * and we can just keep the helper alive without it needing to bootstrap
+        * communication.
+        *
+        * So we're trading efficiency for robustness. In this case, the checkins 
+        * should happen pretty infrequently, so it's pretty worth it.
+        */
+       if (_s_event_update_port != MACH_PORT_NULL) {
+               (void)job_assumes(j, launchd_mport_deallocate(_s_event_update_port) == KERN_SUCCESS);
+       }
+       _s_event_update_port = ping_port;
+       
+       kern_return_t result = BOOTSTRAP_NO_MEMORY;
+       launch_data_t arr = launch_data_alloc(LAUNCH_DATA_ARRAY);
+       if (job_assumes(j, arr != NULL)) {
+               struct eventsystem *es = eventsystem_find(name);
+               if (unlikely(es == NULL)) {
+                       es = eventsystem_new(name);
+               }
+               
+               if (job_assumes(j, es != NULL)) {
+                       struct externalevent *ei = NULL;
+                       size_t i = 0;
+                       LIST_FOREACH(ei, &es->events, sys_le) {
+                               (void)job_assumes(j, launch_data_array_set_index(arr, ei->event, i));
+                               if (job_assumes(j, i < 1024)) {
+                                       tokens[i] = ei->id;
+                               } else {
+                                       break;
+                               }
+                               i++;
+                       }
+                       
+                       /* Big enough. */
+                       *outvalCnt = 10 * 1024;
+                       mig_allocate(outval, *outvalCnt);
+                       
+                       size_t sz = launch_data_pack(arr, (void *)*outval, *outvalCnt, NULL, NULL);
+                       if (job_assumes(j, sz != 0)) {
+                               result = BOOTSTRAP_SUCCESS;
+                       } else {
+                               mig_deallocate(*outval, *outvalCnt);
+                       }
+               }
 
 
+               /* Total hack, but launch_data doesn't do ref-counting. */
+               struct _launch_data *hack = (struct _launch_data *)arr;
+               free(hack->_array);
+               free(arr);
+       }
+       
+       return result;
+}
+
+kern_return_t
+job_mig_event_set_state(job_t j, name_t name, uint64_t token, boolean_t state)
+{
+       if (!j->event_monitor) {
+               return BOOTSTRAP_NOT_PRIVILEGED;
+       }
+       
+       struct externalevent *ei = externalevent_find(name, token);
+       if (job_assumes(j, ei != NULL)) {
+               ei->state = state;
+               if(job_dispatch(ei->job, false) == NULL) {
+                       if (errno == EPERM) {
+                               return BOOTSTRAP_NOT_PRIVILEGED;
+                       }
+                       return BOOTSTRAP_NO_MEMORY;
+               }
+       } else {
+               return BOOTSTRAP_NO_MEMORY;
+       }
+       
        return BOOTSTRAP_SUCCESS;
 }
 
 void
 jobmgr_init(bool sflag)
 {
        return BOOTSTRAP_SUCCESS;
 }
 
 void
 jobmgr_init(bool sflag)
 {
-       const char *root_session_type = getpid() == 1 ? VPROCMGR_SESSION_SYSTEM : VPROCMGR_SESSION_BACKGROUND;
+       const char *root_session_type = pid1_magic ? VPROCMGR_SESSION_SYSTEM : VPROCMGR_SESSION_BACKGROUND;
+       SLIST_INIT(&s_curious_jobs);
+       LIST_INIT(&s_needing_sessions);
+       
+       launchd_assert((root_jobmgr = jobmgr_new(NULL, MACH_PORT_NULL, MACH_PORT_NULL, sflag, root_session_type, false, MACH_PORT_NULL)) != NULL);
+#ifndef __LAUNCH_DISABLE_XPC_SUPPORT__
+       launchd_assert((_s_xpc_system_domain = jobmgr_new_xpc_singleton_domain(root_jobmgr, "com.apple.xpc.system")) != NULL);
+       _s_xpc_system_domain->req_asid = g_audit_session;
+       _s_xpc_system_domain->req_asport = g_audit_session_port;
+       _s_xpc_system_domain->shortdesc = "system";
+#endif
+       if (pid1_magic) {
+               root_jobmgr->monitor_shutdown = true;
+       }
 
 
-       launchd_assert((root_jobmgr = jobmgr_new(NULL, MACH_PORT_NULL, MACH_PORT_NULL, sflag, root_session_type)) != NULL);
+       uint32_t fflags = NOTE_ATTRIB | NOTE_LINK | NOTE_REVOKE | NOTE_EXTEND | NOTE_WRITE;
+       s_no_hang_fd = open("/dev/autofs_nowait", O_EVTONLY | O_NONBLOCK);
+       if (likely(s_no_hang_fd == -1)) {
+               if (jobmgr_assumes(root_jobmgr, (s_no_hang_fd = open("/dev", O_EVTONLY | O_NONBLOCK)) != -1)) {
+                       (void)jobmgr_assumes(root_jobmgr, kevent_mod((uintptr_t)s_no_hang_fd, EVFILT_VNODE, EV_ADD, fflags, 0, root_jobmgr) != -1);
+               }
+       }
+       s_no_hang_fd = _fd(s_no_hang_fd);
 }
 
 size_t
 }
 
 size_t
@@ -6501,112 +10316,237 @@ hash_ms(const char *msstr)
 }
 
 bool
 }
 
 bool
-mspolicy_copy(job_t j_to, job_t j_from)
-{
-       struct mspolicy *msp;
-
-       SLIST_FOREACH(msp, &j_from->mspolicies, sle) {
-               if (!mspolicy_new(j_to, msp->name, msp->allow, msp->per_pid, true)) {
-                       return false;
-               }
-       }
-
-       return true;
-}
-
-bool
-mspolicy_new(job_t j, const char *name, bool allow, bool pid_local, bool skip_check)
+waiting4removal_new(job_t j, mach_port_t rp)
 {
 {
-       struct mspolicy *msp;
-
-       if (!skip_check) SLIST_FOREACH(msp, &j->mspolicies, sle) {
-               if (msp->per_pid != pid_local) {
-                       continue;
-               } else if (strcmp(msp->name, name) == 0) {
-                       return false;
-               }
-       }
+       struct waiting_for_removal *w4r;
 
 
-       if ((msp = calloc(1, sizeof(struct mspolicy) + strlen(name) + 1)) == NULL) {
+       if (!job_assumes(j, (w4r = malloc(sizeof(struct waiting_for_removal))) != NULL)) {
                return false;
        }
 
                return false;
        }
 
-       strcpy((char *)msp->name, name);
-       msp->per_pid = pid_local;
-       msp->allow = allow;
+       w4r->reply_port = rp;
 
 
-       SLIST_INSERT_HEAD(&j->mspolicies, msp, sle);
+       SLIST_INSERT_HEAD(&j->removal_watchers, w4r, sle);
 
        return true;
 }
 
 void
 
        return true;
 }
 
 void
-mspolicy_setup(launch_data_t obj, const char *key, void *context)
+waiting4removal_delete(job_t j, struct waiting_for_removal *w4r)
 {
 {
-       job_t j = context;
+       (void)job_assumes(j, job_mig_send_signal_reply(w4r->reply_port, 0) == 0);
 
 
-       if (launch_data_get_type(obj) != LAUNCH_DATA_BOOL) {
-               job_log(j, LOG_WARNING, "Invalid object type for Mach service policy key: %s", key);
-               return;
-       }
+       SLIST_REMOVE(&j->removal_watchers, w4r, waiting_for_removal, sle);
 
 
-       job_assumes(j, mspolicy_new(j, key, launch_data_get_bool(obj), false, false));
+       free(w4r);
 }
 
 }
 
-bool
-mspolicy_check(job_t j, const char *name, bool pid_local)
+size_t
+get_kern_max_proc(void)
 {
 {
-       struct mspolicy *mspi;
-
-       SLIST_FOREACH(mspi, &j->mspolicies, sle) {
-               if (mspi->per_pid != pid_local) {
-                       continue;
-               } else if (strcmp(mspi->name, name) != 0) {
-                       continue;
-               }
-               return mspi->allow;
-       }
-
-       return !j->deny_unknown_mslookups;
+       int mib[] = { CTL_KERN, KERN_MAXPROC };
+       int max = 100;
+       size_t max_sz = sizeof(max);
+       
+       (void)launchd_assumes(sysctl(mib, 2, &max, &max_sz, NULL, 0) != -1);
+       
+       return max;
 }
 
 }
 
+/* See rdar://problem/6271234 */
 void
 void
-mspolicy_delete(job_t j, struct mspolicy *msp)
+eliminate_double_reboot(void)
 {
 {
-       SLIST_REMOVE(&j->mspolicies, msp, mspolicy, sle);
-
-       free(msp);
+       if (unlikely(!pid1_magic)) {
+               return;
+       }
+       
+       struct stat sb;
+       const char *argv[] = { _PATH_BSHELL, "/etc/rc.deferred_install", NULL };
+       char *try_again = "Will try again at next boot.";
+       int result = ~0;
+       
+       if (unlikely(stat(argv[1], &sb) != -1)) {
+               jobmgr_log(root_jobmgr, LOG_DEBUG | LOG_CONSOLE, "Going to run deferred install script.");
+               
+               int wstatus;
+               pid_t p;
+               
+               (void)jobmgr_assumes(root_jobmgr, (errno = posix_spawnp(&p, argv[0], NULL, NULL, (char **)argv, environ)) == 0);
+               
+               if (errno) {
+                       jobmgr_log(root_jobmgr, LOG_WARNING | LOG_CONSOLE, "Couldn't run deferred install script! %s", try_again);
+                       goto out;
+               }
+               
+               if (!jobmgr_assumes(root_jobmgr, waitpid(p, &wstatus, 0) != -1)) {
+                       jobmgr_log(root_jobmgr, LOG_WARNING | LOG_CONSOLE, "Couldn't confirm that deferred install script exited successfully! %s", try_again);
+                       goto out;
+               }
+               
+               if (jobmgr_assumes(root_jobmgr, WIFEXITED(wstatus) != 0)) {
+                       if (jobmgr_assumes(root_jobmgr, (result = WEXITSTATUS(wstatus)) == EXIT_SUCCESS)) {
+                               jobmgr_log(root_jobmgr, LOG_DEBUG | LOG_CONSOLE, "Deferred install script completed successfully.");
+                       } else {
+                               jobmgr_log(root_jobmgr, LOG_WARNING | LOG_CONSOLE, "Deferred install script exited with status %d. %s", WEXITSTATUS(wstatus), try_again);
+                       }
+               } else {
+                       jobmgr_log(root_jobmgr, LOG_WARNING | LOG_CONSOLE, "Confirmed that deferred install script exited, but couldn't confirm that it was successful. %s", try_again);
+               }
+       }
+out:
+       if (result == 0) {
+               /* If the unlink(2) was to fail, it would be most likely fail with EBUSY. All the other
+                * failure cases for unlink(2) don't apply when we're running under PID 1 and have verified
+                * that the file exists. Outside of someone deliberately messing with us (like if /etc/rc.deferredinstall
+                * is actually a looping sym-link or a mount point for a filesystem) and I/O errors, we should be good.
+                */
+               if (!jobmgr_assumes(root_jobmgr, unlink(argv[1]) != -1)) {
+                       jobmgr_log(root_jobmgr, LOG_WARNING | LOG_CONSOLE, "Deferred install script couldn't be removed!");
+               }
+       }
 }
 
 }
 
-bool
-waiting4removal_new(job_t j, mach_port_t rp)
-{
-       struct waiting_for_removal *w4r;
-
-       if (!job_assumes(j, (w4r = malloc(sizeof(struct waiting_for_removal))) != NULL)) {
-               return false;
+void
+jetsam_property_setup(launch_data_t obj, const char *key, job_t j)
+{
+       job_log(j, LOG_DEBUG, "Setting Jetsam properties for job...");
+       if (strcasecmp(key, LAUNCH_JOBKEY_JETSAMPRIORITY) == 0 && launch_data_get_type(obj) == LAUNCH_DATA_INTEGER) {
+               j->jetsam_priority = (typeof(j->jetsam_priority))launch_data_get_integer(obj);
+               job_log(j, LOG_DEBUG, "Priority: %d", j->jetsam_priority);
+       } else if (strcasecmp(key, LAUNCH_JOBKEY_JETSAMMEMORYLIMIT) == 0 && launch_data_get_type(obj) == LAUNCH_DATA_INTEGER) {
+               j->jetsam_memlimit = (typeof(j->jetsam_memlimit))launch_data_get_integer(obj);
+               job_log(j, LOG_DEBUG, "Memory limit: %d", j->jetsam_memlimit);
+       } else if (strcasecmp(key, LAUNCH_KEY_JETSAMFRONTMOST) == 0) {
+               /* Ignore. We only recognize this key so we don't complain when we get SpringBoard's request. 
+                * You can't set this in a plist.
+                */
+       } else if (strcasecmp(key, LAUNCH_KEY_JETSAMLABEL) == 0) {
+               /* Ignore. This key is present in SpringBoard's request dictionary, so we don't want to
+                * complain about it.
+                */
+       } else {
+               job_log(j, LOG_ERR, "Unknown Jetsam key: %s", key);
+       }
+       
+       if (unlikely(!j->jetsam_properties)) {
+               j->jetsam_properties = true;
+               LIST_INSERT_HEAD(&j->mgr->jetsam_jobs, j, jetsam_sle);
+               j->mgr->jetsam_jobs_cnt++;
        }
 
        }
 
-       w4r->reply_port = rp;
-
-       SLIST_INSERT_HEAD(&j->removal_watchers, w4r, sle);
-
-       return true;
+       j->jetsam_seq = s_jetsam_sequence_id++;
 }
 
 }
 
-void
-waiting4removal_delete(job_t j, struct waiting_for_removal *w4r)
+int
+launchd_set_jetsam_priorities(launch_data_t priorities)
 {
 {
-       job_assumes(j, job_mig_send_signal_reply(w4r->reply_port, 0) == 0);
+       if (!launchd_assumes(launch_data_get_type(priorities) == LAUNCH_DATA_ARRAY)) {
+               return EINVAL;
+       }
 
 
-       SLIST_REMOVE(&j->removal_watchers, w4r, waiting_for_removal, sle);
+       jobmgr_t jm = NULL;
+#if !TARGET_OS_EMBEDDED
+       /* For testing. */
+       jm = jobmgr_find_by_name(root_jobmgr, VPROCMGR_SESSION_AQUA);
+       if (!launchd_assumes(jm != NULL)) {
+               return EINVAL;
+       }
+#else
+       /* Since this is for embedded, we can assume that the root job manager holds the Jetsam jobs. */
+       jm = root_jobmgr;
+       
+       if (!g_embedded_privileged_action) {
+               return EPERM;
+       }
+#endif
+               
+       size_t npris = launch_data_array_get_count(priorities);
 
 
-       free(w4r);
-}
+       job_t ji = NULL;
+       size_t i = 0;
+       for (i = 0; i < npris; i++) {
+               launch_data_t ldi = launch_data_array_get_index(priorities, i);
+               if (!launchd_assumes(launch_data_get_type(ldi) == LAUNCH_DATA_DICTIONARY)) {
+                       continue;
+               }
+               
+               launch_data_t label = NULL;
+               if (!launchd_assumes(label = launch_data_dict_lookup(ldi, LAUNCH_KEY_JETSAMLABEL))) {
+                       continue;
+               }
+               const char *_label = launch_data_get_string(label);
+               
+               ji = job_find(NULL, _label);
+               if (!launchd_assumes(ji != NULL)) {
+                       continue;
+               }
 
 
-void
-do_file_init(void)
-{
-       launchd_assert(mach_timebase_info(&tbi) == 0);
+               launch_data_dict_iterate(ldi, (void (*)(launch_data_t, const char *, void *))jetsam_property_setup, ji);
 
 
+               launch_data_t frontmost = NULL;
+               if ((frontmost = launch_data_dict_lookup(ldi, LAUNCH_KEY_JETSAMFRONTMOST)) && launch_data_get_type(frontmost) == LAUNCH_DATA_BOOL) {
+                       ji->jetsam_frontmost = launch_data_get_bool(frontmost);
+               }
+       }
+       
+       i = 0;
+       job_t *jobs = (job_t *)calloc(jm->jetsam_jobs_cnt, sizeof(job_t));
+       if (launchd_assumes(jobs != NULL)) {
+               LIST_FOREACH(ji, &jm->jetsam_jobs, jetsam_sle) {
+                       if (ji->p) {
+                               jobs[i] = ji;
+                               i++;
+                       }
+               }
+       }
+       
+       size_t totalpris = i;
+       
+       int result = EINVAL;
+       
+       /* It is conceivable that there could be no Jetsam jobs running. */
+       if (totalpris > 0) {
+               /* Yay blocks! */
+               qsort_b((void *)jobs, totalpris, sizeof(job_t), ^ int (const void *lhs, const void *rhs) {
+                       job_t _lhs = *(job_t *)lhs;
+                       job_t _rhs = *(job_t *)rhs;
+                       /* Sort in descending order. (Priority correlates to the soonishness with which you will be killed.) */
+                       if (_lhs->jetsam_priority > _rhs->jetsam_priority) {
+                               return -1;
+                       } else if (_lhs->jetsam_priority < _rhs->jetsam_priority) {
+                               return 1;
+                       }
+                       /* Priority is equal, so sort by sequence ID to maintain LRU order */
+                       if( (int)(_lhs->jetsam_seq - _rhs->jetsam_seq) > 0 ) {
+                               return 1;
+                       } else if( (int)(_lhs->jetsam_seq - _rhs->jetsam_seq) < 0 ) {
+                               return -1;
+                       }
+                       
+                       return 0;
+               });
+               
+               jetsam_priority_entry_t *jpris = (jetsam_priority_entry_t *)calloc(totalpris, sizeof(jetsam_priority_entry_t));
+               if (!launchd_assumes(jpris != NULL)) {
+                       result = ENOMEM;
+               } else {
+                       for (i = 0; i < totalpris; i++) {
+                               jpris[i].pid = jobs[i]->p; /* Subject to time-of-use vs. time-of-check, obviously. */
+                               jpris[i].flags |= jobs[i]->jetsam_frontmost ? kJetsamFlagsFrontmost : 0;
+                               jpris[i].hiwat_pages = jobs[i]->jetsam_memlimit;
+                       }
+                       
+                       (void)launchd_assumes((result = sysctlbyname("kern.memorystatus_priority_list", NULL, NULL, &jpris[0], totalpris * sizeof(jetsam_priority_entry_t))) != -1);
+                       result = result != 0 ? errno : 0;
+                       
+                       free(jpris);
+               }
+       }
+       
+       if (jobs) {
+               free(jobs);
+       }
+       
+       return result;
 }
 }
mirror of launchd