VM: support for shared call mask ACLs

The VM server now manages its call masks such that all user processes
share the same call mask. As a result, an update for the call mask of
any user process will apply to all user processes. This is similar to
the privilege infrastructure employed by the kernel, and may serve as
a template for similar fine-grained restrictions in other servers.

Concretely, this patch fixes the problem of "service edit init" not
applying the given VM call mask to user processes started from RC
scripts during system startup.

In addition, this patch makes RS set a proper VM call mask for each
recovery script it spawns.

Change-Id: I520a30d85a0d3f3502d2b158293a2258825358cf

include/minix/com.h

@@ -1037,6 +1037,7 @@
 #define VM_RS_SET_PRIV		(VM_RQ_BASE+37)
 #	define VM_RS_NR			m2_i1
 #	define VM_RS_BUF		m2_l1
+#	define VM_RS_SYS		m2_i2
 
 #define VM_QUERY_EXIT		(VM_RQ_BASE+38)
 #	define VM_QUERY_RET_PT	m2_i1

include/minix/rs.h

@@ -119,6 +119,11 @@ struct rprocpub {
   int devman_id;
 };
 
+/* Return whether the given boot process is a user process, as opposed to a
+ * system process. Only usable by core services during SEF initialization.
+ */
+#define IS_RPUB_BOOT_USR(rpub) ((rpub)->endpoint == INIT_PROC_NR)
+
 int minix_rs_lookup(const char *name, endpoint_t *value);
 
 #endif

include/minix/vm.h

@@ -17,7 +17,7 @@ void *vm_map_phys(endpoint_t who, void *physaddr, size_t len);
 int vm_unmap_phys(endpoint_t who, void *vaddr, size_t len);
 
 int vm_notify_sig(endpoint_t ep, endpoint_t ipc_ep);
-int vm_set_priv(int procnr, void *buf);
+int vm_set_priv(endpoint_t ep, void *buf, int sys_proc);
 int vm_update(endpoint_t src_e, endpoint_t dst_e);
 int vm_memctl(endpoint_t ep, int req);
 int vm_query_exit(endpoint_t *endpt);