sys/kern/kern_rctl.c

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
   3  *
   4  * Copyright (c) 2010 The FreeBSD Foundation
   5  * All rights reserved.
   6  *
   7  * This software was developed by Edward Tomasz Napierala under sponsorship
   8  * from the FreeBSD Foundation.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions
  12  * are met:
  13  * 1. Redistributions of source code must retain the above copyright
  14  *    notice, this list of conditions and the following disclaimer.
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in the
  17  *    documentation and/or other materials provided with the distribution.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  29  * SUCH DAMAGE.
  30  *
  31  * $FreeBSD$
  32  */
  33
  34 #include <sys/cdefs.h>
  35 __FBSDID("$FreeBSD$");
  36
  37 #include <sys/param.h>
  38 #include <sys/bus.h>
  39 #include <sys/malloc.h>
  40 #include <sys/queue.h>
  41 #include <sys/refcount.h>
  42 #include <sys/jail.h>
  43 #include <sys/kernel.h>
  44 #include <sys/limits.h>
  45 #include <sys/loginclass.h>
  46 #include <sys/priv.h>
  47 #include <sys/proc.h>
  48 #include <sys/racct.h>
  49 #include <sys/rctl.h>
  50 #include <sys/resourcevar.h>
  51 #include <sys/sx.h>
  52 #include <sys/sysent.h>
  53 #include <sys/sysproto.h>
  54 #include <sys/systm.h>
  55 #include <sys/types.h>
  56 #include <sys/eventhandler.h>
  57 #include <sys/lock.h>
  58 #include <sys/mutex.h>
  59 #include <sys/rwlock.h>
  60 #include <sys/sbuf.h>
  61 #include <sys/taskqueue.h>
  62 #include <sys/tree.h>
  63 #include <vm/uma.h>
  64
  65 #ifdef RCTL
  66 #ifndef RACCT
  67 #error "The RCTL option requires the RACCT option"
  68 #endif
  69
  70 FEATURE(rctl, "Resource Limits");
  71
  72 #define HRF_DEFAULT             0
  73 #define HRF_DONT_INHERIT        1
  74 #define HRF_DONT_ACCUMULATE     2
  75
  76 #define RCTL_MAX_INBUFSIZE      4 * 1024
  77 #define RCTL_MAX_OUTBUFSIZE     16 * 1024 * 1024
  78 #define RCTL_LOG_BUFSIZE        128
  79
  80 #define RCTL_PCPU_SHIFT         (10 * 1000000)
  81
  82 static unsigned int rctl_maxbufsize = RCTL_MAX_OUTBUFSIZE;
  83 static int rctl_log_rate_limit = 10;
  84 static int rctl_devctl_rate_limit = 10;
  85
  86 /*
  87  * Values below are initialized in rctl_init().
  88  */
  89 static int rctl_throttle_min = -1;
  90 static int rctl_throttle_max = -1;
  91 static int rctl_throttle_pct = -1;
  92 static int rctl_throttle_pct2 = -1;
  93
  94 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS);
  95 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS);
  96 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS);
  97 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS);
  98
  99 SYSCTL_NODE(_kern_racct, OID_AUTO, rctl, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
 100     "Resource Limits");
 101 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, maxbufsize, CTLFLAG_RWTUN,
 102     &rctl_maxbufsize, 0, "Maximum output buffer size");
 103 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, log_rate_limit, CTLFLAG_RW,
 104     &rctl_log_rate_limit, 0, "Maximum number of log messages per second");
 105 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, devctl_rate_limit, CTLFLAG_RWTUN,
 106     &rctl_devctl_rate_limit, 0, "Maximum number of devctl messages per second");
 107 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_min,
 108     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
 109     &rctl_throttle_min_sysctl, "IU",
 110     "Shortest throttling duration, in hz");
 111 TUNABLE_INT("kern.racct.rctl.throttle_min", &rctl_throttle_min);
 112 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_max,
 113     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
 114     &rctl_throttle_max_sysctl, "IU",
 115     "Longest throttling duration, in hz");
 116 TUNABLE_INT("kern.racct.rctl.throttle_max", &rctl_throttle_max);
 117 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct,
 118     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
 119     &rctl_throttle_pct_sysctl, "IU",
 120     "Throttling penalty for process consumption, in percent");
 121 TUNABLE_INT("kern.racct.rctl.throttle_pct", &rctl_throttle_pct);
 122 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct2,
 123     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
 124     &rctl_throttle_pct2_sysctl, "IU",
 125     "Throttling penalty for container consumption, in percent");
 126 TUNABLE_INT("kern.racct.rctl.throttle_pct2", &rctl_throttle_pct2);
 127
 128 /*
 129  * 'rctl_rule_link' connects a rule with every racct it's related to.
 130  * For example, rule 'user:X:openfiles:deny=N/process' is linked
 131  * with uidinfo for user X, and to each process of that user.
 132  */
 133 struct rctl_rule_link {
 134         LIST_ENTRY(rctl_rule_link)      rrl_next;
 135         struct rctl_rule                *rrl_rule;
 136         int                             rrl_exceeded;
 137 };
 138
 139 struct dict {
 140         const char      *d_name;
 141         int             d_value;
 142 };
 143
 144 static struct dict subjectnames[] = {
 145         { "process", RCTL_SUBJECT_TYPE_PROCESS },
 146         { "user", RCTL_SUBJECT_TYPE_USER },
 147         { "loginclass", RCTL_SUBJECT_TYPE_LOGINCLASS },
 148         { "jail", RCTL_SUBJECT_TYPE_JAIL },
 149         { NULL, -1 }};
 150
 151 static struct dict resourcenames[] = {
 152         { "cputime", RACCT_CPU },
 153         { "datasize", RACCT_DATA },
 154         { "stacksize", RACCT_STACK },
 155         { "coredumpsize", RACCT_CORE },
 156         { "memoryuse", RACCT_RSS },
 157         { "memorylocked", RACCT_MEMLOCK },
 158         { "maxproc", RACCT_NPROC },
 159         { "openfiles", RACCT_NOFILE },
 160         { "vmemoryuse", RACCT_VMEM },
 161         { "pseudoterminals", RACCT_NPTS },
 162         { "swapuse", RACCT_SWAP },
 163         { "nthr", RACCT_NTHR },
 164         { "msgqqueued", RACCT_MSGQQUEUED },
 165         { "msgqsize", RACCT_MSGQSIZE },
 166         { "nmsgq", RACCT_NMSGQ },
 167         { "nsem", RACCT_NSEM },
 168         { "nsemop", RACCT_NSEMOP },
 169         { "nshm", RACCT_NSHM },
 170         { "shmsize", RACCT_SHMSIZE },
 171         { "wallclock", RACCT_WALLCLOCK },
 172         { "pcpu", RACCT_PCTCPU },
 173         { "readbps", RACCT_READBPS },
 174         { "writebps", RACCT_WRITEBPS },
 175         { "readiops", RACCT_READIOPS },
 176         { "writeiops", RACCT_WRITEIOPS },
 177         { NULL, -1 }};
 178
 179 static struct dict actionnames[] = {
 180         { "sighup", RCTL_ACTION_SIGHUP },
 181         { "sigint", RCTL_ACTION_SIGINT },
 182         { "sigquit", RCTL_ACTION_SIGQUIT },
 183         { "sigill", RCTL_ACTION_SIGILL },
 184         { "sigtrap", RCTL_ACTION_SIGTRAP },
 185         { "sigabrt", RCTL_ACTION_SIGABRT },
 186         { "sigemt", RCTL_ACTION_SIGEMT },
 187         { "sigfpe", RCTL_ACTION_SIGFPE },
 188         { "sigkill", RCTL_ACTION_SIGKILL },
 189         { "sigbus", RCTL_ACTION_SIGBUS },
 190         { "sigsegv", RCTL_ACTION_SIGSEGV },
 191         { "sigsys", RCTL_ACTION_SIGSYS },
 192         { "sigpipe", RCTL_ACTION_SIGPIPE },
 193         { "sigalrm", RCTL_ACTION_SIGALRM },
 194         { "sigterm", RCTL_ACTION_SIGTERM },
 195         { "sigurg", RCTL_ACTION_SIGURG },
 196         { "sigstop", RCTL_ACTION_SIGSTOP },
 197         { "sigtstp", RCTL_ACTION_SIGTSTP },
 198         { "sigchld", RCTL_ACTION_SIGCHLD },
 199         { "sigttin", RCTL_ACTION_SIGTTIN },
 200         { "sigttou", RCTL_ACTION_SIGTTOU },
 201         { "sigio", RCTL_ACTION_SIGIO },
 202         { "sigxcpu", RCTL_ACTION_SIGXCPU },
 203         { "sigxfsz", RCTL_ACTION_SIGXFSZ },
 204         { "sigvtalrm", RCTL_ACTION_SIGVTALRM },
 205         { "sigprof", RCTL_ACTION_SIGPROF },
 206         { "sigwinch", RCTL_ACTION_SIGWINCH },
 207         { "siginfo", RCTL_ACTION_SIGINFO },
 208         { "sigusr1", RCTL_ACTION_SIGUSR1 },
 209         { "sigusr2", RCTL_ACTION_SIGUSR2 },
 210         { "sigthr", RCTL_ACTION_SIGTHR },
 211         { "deny", RCTL_ACTION_DENY },
 212         { "log", RCTL_ACTION_LOG },
 213         { "devctl", RCTL_ACTION_DEVCTL },
 214         { "throttle", RCTL_ACTION_THROTTLE },
 215         { NULL, -1 }};
 216
 217 static void rctl_init(void);
 218 SYSINIT(rctl, SI_SUB_RACCT, SI_ORDER_FIRST, rctl_init, NULL);
 219
 220 static uma_zone_t rctl_rule_zone;
 221 static uma_zone_t rctl_rule_link_zone;
 222
 223 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
 224 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
 225
 226 static MALLOC_DEFINE(M_RCTL, "rctl", "Resource Limits");
 227
 228 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS)
 229 {
 230         int error, val = rctl_throttle_min;
 231
 232         error = sysctl_handle_int(oidp, &val, 0, req);
 233         if (error || !req->newptr)
 234                 return (error);
 235         if (val < 1 || val > rctl_throttle_max)
 236                 return (EINVAL);
 237
 238         RACCT_LOCK();
 239         rctl_throttle_min = val;
 240         RACCT_UNLOCK();
 241
 242         return (0);
 243 }
 244
 245 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS)
 246 {
 247         int error, val = rctl_throttle_max;
 248
 249         error = sysctl_handle_int(oidp, &val, 0, req);
 250         if (error || !req->newptr)
 251                 return (error);
 252         if (val < rctl_throttle_min)
 253                 return (EINVAL);
 254
 255         RACCT_LOCK();
 256         rctl_throttle_max = val;
 257         RACCT_UNLOCK();
 258
 259         return (0);
 260 }
 261
 262 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS)
 263 {
 264         int error, val = rctl_throttle_pct;
 265
 266         error = sysctl_handle_int(oidp, &val, 0, req);
 267         if (error || !req->newptr)
 268                 return (error);
 269         if (val < 0)
 270                 return (EINVAL);
 271
 272         RACCT_LOCK();
 273         rctl_throttle_pct = val;
 274         RACCT_UNLOCK();
 275
 276         return (0);
 277 }
 278
 279 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS)
 280 {
 281         int error, val = rctl_throttle_pct2;
 282
 283         error = sysctl_handle_int(oidp, &val, 0, req);
 284         if (error || !req->newptr)
 285                 return (error);
 286         if (val < 0)
 287                 return (EINVAL);
 288
 289         RACCT_LOCK();
 290         rctl_throttle_pct2 = val;
 291         RACCT_UNLOCK();
 292
 293         return (0);
 294 }
 295
 296 static const char *
 297 rctl_subject_type_name(int subject)
 298 {
 299         int i;
 300
 301         for (i = 0; subjectnames[i].d_name != NULL; i++) {
 302                 if (subjectnames[i].d_value == subject)
 303                         return (subjectnames[i].d_name);
 304         }
 305
 306         panic("rctl_subject_type_name: unknown subject type %d", subject);
 307 }
 308
 309 static const char *
 310 rctl_action_name(int action)
 311 {
 312         int i;
 313
 314         for (i = 0; actionnames[i].d_name != NULL; i++) {
 315                 if (actionnames[i].d_value == action)
 316                         return (actionnames[i].d_name);
 317         }
 318
 319         panic("rctl_action_name: unknown action %d", action);
 320 }
 321
 322 const char *
 323 rctl_resource_name(int resource)
 324 {
 325         int i;
 326
 327         for (i = 0; resourcenames[i].d_name != NULL; i++) {
 328                 if (resourcenames[i].d_value == resource)
 329                         return (resourcenames[i].d_name);
 330         }
 331
 332         panic("rctl_resource_name: unknown resource %d", resource);
 333 }
 334
 335 static struct racct *
 336 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
 337 {
 338         struct ucred *cred = p->p_ucred;
 339
 340         ASSERT_RACCT_ENABLED();
 341         RACCT_LOCK_ASSERT();
 342
 343         switch (rule->rr_per) {
 344         case RCTL_SUBJECT_TYPE_PROCESS:
 345                 return (p->p_racct);
 346         case RCTL_SUBJECT_TYPE_USER:
 347                 return (cred->cr_ruidinfo->ui_racct);
 348         case RCTL_SUBJECT_TYPE_LOGINCLASS:
 349                 return (cred->cr_loginclass->lc_racct);
 350         case RCTL_SUBJECT_TYPE_JAIL:
 351                 return (cred->cr_prison->pr_prison_racct->prr_racct);
 352         default:
 353                 panic("%s: unknown per %d", __func__, rule->rr_per);
 354         }
 355 }
 356
 357 /*
 358  * Return the amount of resource that can be allocated by 'p' before
 359  * hitting 'rule'.
 360  */
 361 static int64_t
 362 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
 363 {
 364         const struct racct *racct;
 365         int64_t available;
 366
 367         ASSERT_RACCT_ENABLED();
 368         RACCT_LOCK_ASSERT();
 369
 370         racct = rctl_proc_rule_to_racct(p, rule);
 371         available = rule->rr_amount - racct->r_resources[rule->rr_resource];
 372
 373         return (available);
 374 }
 375
 376 /*
 377  * Called every second for proc, uidinfo, loginclass, and jail containers.
 378  * If the limit isn't exceeded, it decreases the usage amount to zero.
 379  * Otherwise, it decreases it by the value of the limit.  This way
 380  * resource consumption exceeding the limit "carries over" to the next
 381  * period.
 382  */
 383 void
 384 rctl_throttle_decay(struct racct *racct, int resource)
 385 {
 386         struct rctl_rule *rule;
 387         struct rctl_rule_link *link;
 388         int64_t minavailable;
 389
 390         ASSERT_RACCT_ENABLED();
 391         RACCT_LOCK_ASSERT();
 392
 393         minavailable = INT64_MAX;
 394
 395         LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
 396                 rule = link->rrl_rule;
 397
 398                 if (rule->rr_resource != resource)
 399                         continue;
 400                 if (rule->rr_action != RCTL_ACTION_THROTTLE)
 401                         continue;
 402
 403                 if (rule->rr_amount < minavailable)
 404                         minavailable = rule->rr_amount;
 405         }
 406
 407         if (racct->r_resources[resource] < minavailable) {
 408                 racct->r_resources[resource] = 0;
 409         } else {
 410                 /*
 411                  * Cap utilization counter at ten times the limit.  Otherwise,
 412                  * if we changed the rule lowering the allowed amount, it could
 413                  * take unreasonably long time for the accumulated resource
 414                  * usage to drop.
 415                  */
 416                 if (racct->r_resources[resource] > minavailable * 10)
 417                         racct->r_resources[resource] = minavailable * 10;
 418
 419                 racct->r_resources[resource] -= minavailable;
 420         }
 421 }
 422
 423 /*
 424  * Special version of rctl_get_available() for the %CPU resource.
 425  * We slightly cheat here and return less than we normally would.
 426  */
 427 int64_t
 428 rctl_pcpu_available(const struct proc *p) {
 429         struct rctl_rule *rule;
 430         struct rctl_rule_link *link;
 431         int64_t available, minavailable, limit;
 432
 433         ASSERT_RACCT_ENABLED();
 434         RACCT_LOCK_ASSERT();
 435
 436         minavailable = INT64_MAX;
 437         limit = 0;
 438
 439         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
 440                 rule = link->rrl_rule;
 441                 if (rule->rr_resource != RACCT_PCTCPU)
 442                         continue;
 443                 if (rule->rr_action != RCTL_ACTION_DENY)
 444                         continue;
 445                 available = rctl_available_resource(p, rule);
 446                 if (available < minavailable) {
 447                         minavailable = available;
 448                         limit = rule->rr_amount;
 449                 }
 450         }
 451
 452         /*
 453          * Return slightly less than actual value of the available
 454          * %cpu resource.  This makes %cpu throttling more aggressive
 455          * and lets us act sooner than the limits are already exceeded.
 456          */
 457         if (limit != 0) {
 458                 if (limit > 2 * RCTL_PCPU_SHIFT)
 459                         minavailable -= RCTL_PCPU_SHIFT;
 460                 else
 461                         minavailable -= (limit / 2);
 462         }
 463
 464         return (minavailable);
 465 }
 466
 467 static uint64_t
 468 xadd(uint64_t a, uint64_t b)
 469 {
 470         uint64_t c;
 471
 472         c = a + b;
 473
 474         /*
 475          * Detect overflow.
 476          */
 477         if (c < a || c < b)
 478                 return (UINT64_MAX);
 479
 480         return (c);
 481 }
 482
 483 static uint64_t
 484 xmul(uint64_t a, uint64_t b)
 485 {
 486
 487         if (b != 0 && a > UINT64_MAX / b)
 488                 return (UINT64_MAX);
 489
 490         return (a * b);
 491 }
 492
 493 /*
 494  * Check whether the proc 'p' can allocate 'amount' of 'resource' in addition
 495  * to what it keeps allocated now.  Returns non-zero if the allocation should
 496  * be denied, 0 otherwise.
 497  */
 498 int
 499 rctl_enforce(struct proc *p, int resource, uint64_t amount)
 500 {
 501         static struct timeval log_lasttime, devctl_lasttime;
 502         static int log_curtime = 0, devctl_curtime = 0;
 503         struct rctl_rule *rule;
 504         struct rctl_rule_link *link;
 505         struct sbuf sb;
 506         char *buf;
 507         int64_t available;
 508         uint64_t sleep_ms, sleep_ratio;
 509         int should_deny = 0;
 510
 511         ASSERT_RACCT_ENABLED();
 512         RACCT_LOCK_ASSERT();
 513
 514         /*
 515          * There may be more than one matching rule; go through all of them.
 516          * Denial should be done last, after logging and sending signals.
 517          */
 518         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
 519                 rule = link->rrl_rule;
 520                 if (rule->rr_resource != resource)
 521                         continue;
 522
 523                 available = rctl_available_resource(p, rule);
 524                 if (available >= (int64_t)amount) {
 525                         link->rrl_exceeded = 0;
 526                         continue;
 527                 }
 528
 529                 switch (rule->rr_action) {
 530                 case RCTL_ACTION_DENY:
 531                         should_deny = 1;
 532                         continue;
 533                 case RCTL_ACTION_LOG:
 534                         /*
 535                          * If rrl_exceeded != 0, it means we've already
 536                          * logged a warning for this process.
 537                          */
 538                         if (link->rrl_exceeded != 0)
 539                                 continue;
 540
 541                         /*
 542                          * If the process state is not fully initialized yet,
 543                          * we can't access most of the required fields, e.g.
 544                          * p->p_comm.  This happens when called from fork1().
 545                          * Ignore this rule for now; it will be processed just
 546                          * after fork, when called from racct_proc_fork_done().
 547                          */
 548                         if (p->p_state != PRS_NORMAL)
 549                                 continue;
 550
 551                         if (!ppsratecheck(&log_lasttime, &log_curtime,
 552                             rctl_log_rate_limit))
 553                                 continue;
 554
 555                         buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
 556                         if (buf == NULL) {
 557                                 printf("rctl_enforce: out of memory\n");
 558                                 continue;
 559                         }
 560                         sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
 561                         rctl_rule_to_sbuf(&sb, rule);
 562                         sbuf_finish(&sb);
 563                         printf("rctl: rule \"%s\" matched by pid %d "
 564                             "(%s), uid %d, jail %s\n", sbuf_data(&sb),
 565                             p->p_pid, p->p_comm, p->p_ucred->cr_uid,
 566                             p->p_ucred->cr_prison->pr_prison_racct->prr_name);
 567                         sbuf_delete(&sb);
 568                         free(buf, M_RCTL);
 569                         link->rrl_exceeded = 1;
 570                         continue;
 571                 case RCTL_ACTION_DEVCTL:
 572                         if (link->rrl_exceeded != 0)
 573                                 continue;
 574
 575                         if (p->p_state != PRS_NORMAL)
 576                                 continue;
 577
 578                         if (!ppsratecheck(&devctl_lasttime, &devctl_curtime,
 579                             rctl_devctl_rate_limit))
 580                                 continue;
 581
 582                         buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
 583                         if (buf == NULL) {
 584                                 printf("rctl_enforce: out of memory\n");
 585                                 continue;
 586                         }
 587                         sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
 588                         sbuf_printf(&sb, "rule=");
 589                         rctl_rule_to_sbuf(&sb, rule);
 590                         sbuf_printf(&sb, " pid=%d ruid=%d jail=%s",
 591                             p->p_pid, p->p_ucred->cr_ruid,
 592                             p->p_ucred->cr_prison->pr_prison_racct->prr_name);
 593                         sbuf_finish(&sb);
 594                         devctl_notify_f("RCTL", "rule", "matched",
 595                             sbuf_data(&sb), M_NOWAIT);
 596                         sbuf_delete(&sb);
 597                         free(buf, M_RCTL);
 598                         link->rrl_exceeded = 1;
 599                         continue;
 600                 case RCTL_ACTION_THROTTLE:
 601                         if (p->p_state != PRS_NORMAL)
 602                                 continue;
 603
 604                         /*
 605                          * Make the process sleep for a fraction of second
 606                          * proportional to the ratio of process' resource
 607                          * utilization compared to the limit.  The point is
 608                          * to penalize resource hogs: processes that consume
 609                          * more of the available resources sleep for longer.
 610                          *
 611                          * We're trying to defer division until the very end,
 612                          * to minimize the rounding effects.  The following
 613                          * calculation could have been written in a clearer
 614                          * way like this:
 615                          *
 616                          * sleep_ms = hz * p->p_racct->r_resources[resource] /
 617                          *     rule->rr_amount;
 618                          * sleep_ms *= rctl_throttle_pct / 100;
 619                          * if (sleep_ms < rctl_throttle_min)
 620                          *         sleep_ms = rctl_throttle_min;
 621                          *
 622                          */
 623                         sleep_ms = xmul(hz, p->p_racct->r_resources[resource]);
 624                         sleep_ms = xmul(sleep_ms,  rctl_throttle_pct) / 100;
 625                         if (sleep_ms < rctl_throttle_min * rule->rr_amount)
 626                                 sleep_ms = rctl_throttle_min * rule->rr_amount;
 627
 628                         /*
 629                          * Multiply that by the ratio of the resource
 630                          * consumption for the container compared to the limit,
 631                          * squared.  In other words, a process in a container
 632                          * that is two times over the limit will be throttled
 633                          * four times as much for hitting the same rule.  The
 634                          * point is to penalize processes more if the container
 635                          * itself (eg certain UID or jail) is above the limit.
 636                          */
 637                         if (available < 0)
 638                                 sleep_ratio = -available / rule->rr_amount;
 639                         else
 640                                 sleep_ratio = 0;
 641                         sleep_ratio = xmul(sleep_ratio, sleep_ratio);
 642                         sleep_ratio = xmul(sleep_ratio, rctl_throttle_pct2) / 100;
 643                         sleep_ms = xadd(sleep_ms, xmul(sleep_ms, sleep_ratio));
 644
 645                         /*
 646                          * Finally the division.
 647                          */
 648                         sleep_ms /= rule->rr_amount;
 649
 650                         if (sleep_ms > rctl_throttle_max)
 651                                 sleep_ms = rctl_throttle_max;
 652 #if 0
 653                         printf("%s: pid %d (%s), %jd of %jd, will sleep for %ju ms (ratio %ju, available %jd)\n",
 654                            __func__, p->p_pid, p->p_comm,
 655                            p->p_racct->r_resources[resource],
 656                            rule->rr_amount, (uintmax_t)sleep_ms,
 657                            (uintmax_t)sleep_ratio, (intmax_t)available);
 658 #endif
 659
 660                         KASSERT(sleep_ms >= rctl_throttle_min, ("%s: %ju < %d\n",
 661                             __func__, (uintmax_t)sleep_ms, rctl_throttle_min));
 662                         racct_proc_throttle(p, sleep_ms);
 663                         continue;
 664                 default:
 665                         if (link->rrl_exceeded != 0)
 666                                 continue;
 667
 668                         if (p->p_state != PRS_NORMAL)
 669                                 continue;
 670
 671                         KASSERT(rule->rr_action > 0 &&
 672                             rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
 673                             ("rctl_enforce: unknown action %d",
 674                              rule->rr_action));
 675
 676                         /*
 677                          * We're using the fact that RCTL_ACTION_SIG* values
 678                          * are equal to their counterparts from sys/signal.h.
 679                          */
 680                         kern_psignal(p, rule->rr_action);
 681                         link->rrl_exceeded = 1;
 682                         continue;
 683                 }
 684         }
 685
 686         if (should_deny) {
 687                 /*
 688                  * Return fake error code; the caller should change it
 689                  * into one proper for the situation - EFSIZ, ENOMEM etc.
 690                  */
 691                 return (EDOOFUS);
 692         }
 693
 694         return (0);
 695 }
 696
 697 uint64_t
 698 rctl_get_limit(struct proc *p, int resource)
 699 {
 700         struct rctl_rule *rule;
 701         struct rctl_rule_link *link;
 702         uint64_t amount = UINT64_MAX;
 703
 704         ASSERT_RACCT_ENABLED();
 705         RACCT_LOCK_ASSERT();
 706
 707         /*
 708          * There may be more than one matching rule; go through all of them.
 709          * Denial should be done last, after logging and sending signals.
 710          */
 711         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
 712                 rule = link->rrl_rule;
 713                 if (rule->rr_resource != resource)
 714                         continue;
 715                 if (rule->rr_action != RCTL_ACTION_DENY)
 716                         continue;
 717                 if (rule->rr_amount < amount)
 718                         amount = rule->rr_amount;
 719         }
 720
 721         return (amount);
 722 }
 723
 724 uint64_t
 725 rctl_get_available(struct proc *p, int resource)
 726 {
 727         struct rctl_rule *rule;
 728         struct rctl_rule_link *link;
 729         int64_t available, minavailable, allocated;
 730
 731         minavailable = INT64_MAX;
 732
 733         ASSERT_RACCT_ENABLED();
 734         RACCT_LOCK_ASSERT();
 735
 736         /*
 737          * There may be more than one matching rule; go through all of them.
 738          * Denial should be done last, after logging and sending signals.
 739          */
 740         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
 741                 rule = link->rrl_rule;
 742                 if (rule->rr_resource != resource)
 743                         continue;
 744                 if (rule->rr_action != RCTL_ACTION_DENY)
 745                         continue;
 746                 available = rctl_available_resource(p, rule);
 747                 if (available < minavailable)
 748                         minavailable = available;
 749         }
 750
 751         /*
 752          * XXX: Think about this _hard_.
 753          */
 754         allocated = p->p_racct->r_resources[resource];
 755         if (minavailable < INT64_MAX - allocated)
 756                 minavailable += allocated;
 757         if (minavailable < 0)
 758                 minavailable = 0;
 759
 760         return (minavailable);
 761 }
 762
 763 static int
 764 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
 765 {
 766
 767         ASSERT_RACCT_ENABLED();
 768
 769         if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED) {
 770                 if (rule->rr_subject_type != filter->rr_subject_type)
 771                         return (0);
 772
 773                 switch (filter->rr_subject_type) {
 774                 case RCTL_SUBJECT_TYPE_PROCESS:
 775                         if (filter->rr_subject.rs_proc != NULL &&
 776                             rule->rr_subject.rs_proc !=
 777                             filter->rr_subject.rs_proc)
 778                                 return (0);
 779                         break;
 780                 case RCTL_SUBJECT_TYPE_USER:
 781                         if (filter->rr_subject.rs_uip != NULL &&
 782                             rule->rr_subject.rs_uip !=
 783                             filter->rr_subject.rs_uip)
 784                                 return (0);
 785                         break;
 786                 case RCTL_SUBJECT_TYPE_LOGINCLASS:
 787                         if (filter->rr_subject.rs_loginclass != NULL &&
 788                             rule->rr_subject.rs_loginclass !=
 789                             filter->rr_subject.rs_loginclass)
 790                                 return (0);
 791                         break;
 792                 case RCTL_SUBJECT_TYPE_JAIL:
 793                         if (filter->rr_subject.rs_prison_racct != NULL &&
 794                             rule->rr_subject.rs_prison_racct !=
 795                             filter->rr_subject.rs_prison_racct)
 796                                 return (0);
 797                         break;
 798                 default:
 799                         panic("rctl_rule_matches: unknown subject type %d",
 800                             filter->rr_subject_type);
 801                 }
 802         }
 803
 804         if (filter->rr_resource != RACCT_UNDEFINED) {
 805                 if (rule->rr_resource != filter->rr_resource)
 806                         return (0);
 807         }
 808
 809         if (filter->rr_action != RCTL_ACTION_UNDEFINED) {
 810                 if (rule->rr_action != filter->rr_action)
 811                         return (0);
 812         }
 813
 814         if (filter->rr_amount != RCTL_AMOUNT_UNDEFINED) {
 815                 if (rule->rr_amount != filter->rr_amount)
 816                         return (0);
 817         }
 818
 819         if (filter->rr_per != RCTL_SUBJECT_TYPE_UNDEFINED) {
 820                 if (rule->rr_per != filter->rr_per)
 821                         return (0);
 822         }
 823
 824         return (1);
 825 }
 826
 827 static int
 828 str2value(const char *str, int *value, struct dict *table)
 829 {
 830         int i;
 831
 832         if (value == NULL)
 833                 return (EINVAL);
 834
 835         for (i = 0; table[i].d_name != NULL; i++) {
 836                 if (strcasecmp(table[i].d_name, str) == 0) {
 837                         *value =  table[i].d_value;
 838                         return (0);
 839                 }
 840         }
 841
 842         return (EINVAL);
 843 }
 844
 845 static int
 846 str2id(const char *str, id_t *value)
 847 {
 848         char *end;
 849
 850         if (str == NULL)
 851                 return (EINVAL);
 852
 853         *value = strtoul(str, &end, 10);
 854         if ((size_t)(end - str) != strlen(str))
 855                 return (EINVAL);
 856
 857         return (0);
 858 }
 859
 860 static int
 861 str2int64(const char *str, int64_t *value)
 862 {
 863         char *end;
 864
 865         if (str == NULL)
 866                 return (EINVAL);
 867
 868         *value = strtoul(str, &end, 10);
 869         if ((size_t)(end - str) != strlen(str))
 870                 return (EINVAL);
 871
 872         if (*value < 0)
 873                 return (ERANGE);
 874
 875         return (0);
 876 }
 877
 878 /*
 879  * Connect the rule to the racct, increasing refcount for the rule.
 880  */
 881 static void
 882 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
 883 {
 884         struct rctl_rule_link *link;
 885
 886         ASSERT_RACCT_ENABLED();
 887         KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
 888
 889         rctl_rule_acquire(rule);
 890         link = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
 891         link->rrl_rule = rule;
 892         link->rrl_exceeded = 0;
 893
 894         RACCT_LOCK();
 895         LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
 896         RACCT_UNLOCK();
 897 }
 898
 899 static int
 900 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
 901 {
 902         struct rctl_rule_link *link;
 903
 904         ASSERT_RACCT_ENABLED();
 905         KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
 906         RACCT_LOCK_ASSERT();
 907
 908         link = uma_zalloc(rctl_rule_link_zone, M_NOWAIT);
 909         if (link == NULL)
 910                 return (ENOMEM);
 911         rctl_rule_acquire(rule);
 912         link->rrl_rule = rule;
 913         link->rrl_exceeded = 0;
 914
 915         LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
 916
 917         return (0);
 918 }
 919
 920 /*
 921  * Remove limits for a rules matching the filter and release
 922  * the refcounts for the rules, possibly freeing them.  Returns
 923  * the number of limit structures removed.
 924  */
 925 static int
 926 rctl_racct_remove_rules(struct racct *racct,
 927     const struct rctl_rule *filter)
 928 {
 929         struct rctl_rule_link *link, *linktmp;
 930         int removed = 0;
 931
 932         ASSERT_RACCT_ENABLED();
 933         RACCT_LOCK_ASSERT();
 934
 935         LIST_FOREACH_SAFE(link, &racct->r_rule_links, rrl_next, linktmp) {
 936                 if (!rctl_rule_matches(link->rrl_rule, filter))
 937                         continue;
 938
 939                 LIST_REMOVE(link, rrl_next);
 940                 rctl_rule_release(link->rrl_rule);
 941                 uma_zfree(rctl_rule_link_zone, link);
 942                 removed++;
 943         }
 944         return (removed);
 945 }
 946
 947 static void
 948 rctl_rule_acquire_subject(struct rctl_rule *rule)
 949 {
 950
 951         ASSERT_RACCT_ENABLED();
 952
 953         switch (rule->rr_subject_type) {
 954         case RCTL_SUBJECT_TYPE_UNDEFINED:
 955         case RCTL_SUBJECT_TYPE_PROCESS:
 956                 break;
 957         case RCTL_SUBJECT_TYPE_JAIL:
 958                 if (rule->rr_subject.rs_prison_racct != NULL)
 959                         prison_racct_hold(rule->rr_subject.rs_prison_racct);
 960                 break;
 961         case RCTL_SUBJECT_TYPE_USER:
 962                 if (rule->rr_subject.rs_uip != NULL)
 963                         uihold(rule->rr_subject.rs_uip);
 964                 break;
 965         case RCTL_SUBJECT_TYPE_LOGINCLASS:
 966                 if (rule->rr_subject.rs_loginclass != NULL)
 967                         loginclass_hold(rule->rr_subject.rs_loginclass);
 968                 break;
 969         default:
 970                 panic("rctl_rule_acquire_subject: unknown subject type %d",
 971                     rule->rr_subject_type);
 972         }
 973 }
 974
 975 static void
 976 rctl_rule_release_subject(struct rctl_rule *rule)
 977 {
 978
 979         ASSERT_RACCT_ENABLED();
 980
 981         switch (rule->rr_subject_type) {
 982         case RCTL_SUBJECT_TYPE_UNDEFINED:
 983         case RCTL_SUBJECT_TYPE_PROCESS:
 984                 break;
 985         case RCTL_SUBJECT_TYPE_JAIL:
 986                 if (rule->rr_subject.rs_prison_racct != NULL)
 987                         prison_racct_free(rule->rr_subject.rs_prison_racct);
 988                 break;
 989         case RCTL_SUBJECT_TYPE_USER:
 990                 if (rule->rr_subject.rs_uip != NULL)
 991                         uifree(rule->rr_subject.rs_uip);
 992                 break;
 993         case RCTL_SUBJECT_TYPE_LOGINCLASS:
 994                 if (rule->rr_subject.rs_loginclass != NULL)
 995                         loginclass_free(rule->rr_subject.rs_loginclass);
 996                 break;
 997         default:
 998                 panic("rctl_rule_release_subject: unknown subject type %d",
 999                     rule->rr_subject_type);
1000         }
1001 }
1002
1003 struct rctl_rule *
1004 rctl_rule_alloc(int flags)
1005 {
1006         struct rctl_rule *rule;
1007
1008         ASSERT_RACCT_ENABLED();
1009
1010         rule = uma_zalloc(rctl_rule_zone, flags);
1011         if (rule == NULL)
1012                 return (NULL);
1013         rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1014         rule->rr_subject.rs_proc = NULL;
1015         rule->rr_subject.rs_uip = NULL;
1016         rule->rr_subject.rs_loginclass = NULL;
1017         rule->rr_subject.rs_prison_racct = NULL;
1018         rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1019         rule->rr_resource = RACCT_UNDEFINED;
1020         rule->rr_action = RCTL_ACTION_UNDEFINED;
1021         rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1022         refcount_init(&rule->rr_refcount, 1);
1023
1024         return (rule);
1025 }
1026
1027 struct rctl_rule *
1028 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1029 {
1030         struct rctl_rule *copy;
1031
1032         ASSERT_RACCT_ENABLED();
1033
1034         copy = uma_zalloc(rctl_rule_zone, flags);
1035         if (copy == NULL)
1036                 return (NULL);
1037         copy->rr_subject_type = rule->rr_subject_type;
1038         copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1039         copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1040         copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1041         copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1042         copy->rr_per = rule->rr_per;
1043         copy->rr_resource = rule->rr_resource;
1044         copy->rr_action = rule->rr_action;
1045         copy->rr_amount = rule->rr_amount;
1046         refcount_init(&copy->rr_refcount, 1);
1047         rctl_rule_acquire_subject(copy);
1048
1049         return (copy);
1050 }
1051
1052 void
1053 rctl_rule_acquire(struct rctl_rule *rule)
1054 {
1055
1056         ASSERT_RACCT_ENABLED();
1057         KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1058
1059         refcount_acquire(&rule->rr_refcount);
1060 }
1061
1062 static void
1063 rctl_rule_free(void *context, int pending)
1064 {
1065         struct rctl_rule *rule;
1066
1067         rule = (struct rctl_rule *)context;
1068
1069         ASSERT_RACCT_ENABLED();
1070         KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1071
1072         /*
1073          * We don't need locking here; rule is guaranteed to be inaccessible.
1074          */
1075
1076         rctl_rule_release_subject(rule);
1077         uma_zfree(rctl_rule_zone, rule);
1078 }
1079
1080 void
1081 rctl_rule_release(struct rctl_rule *rule)
1082 {
1083
1084         ASSERT_RACCT_ENABLED();
1085         KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1086
1087         if (refcount_release(&rule->rr_refcount)) {
1088                 /*
1089                  * rctl_rule_release() is often called when iterating
1090                  * over all the uidinfo structures in the system,
1091                  * holding uihashtbl_lock.  Since rctl_rule_free()
1092                  * might end up calling uifree(), this would lead
1093                  * to lock recursion.  Use taskqueue to avoid this.
1094                  */
1095                 TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1096                 taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1097         }
1098 }
1099
1100 static int
1101 rctl_rule_fully_specified(const struct rctl_rule *rule)
1102 {
1103
1104         ASSERT_RACCT_ENABLED();
1105
1106         switch (rule->rr_subject_type) {
1107         case RCTL_SUBJECT_TYPE_UNDEFINED:
1108                 return (0);
1109         case RCTL_SUBJECT_TYPE_PROCESS:
1110                 if (rule->rr_subject.rs_proc == NULL)
1111                         return (0);
1112                 break;
1113         case RCTL_SUBJECT_TYPE_USER:
1114                 if (rule->rr_subject.rs_uip == NULL)
1115                         return (0);
1116                 break;
1117         case RCTL_SUBJECT_TYPE_LOGINCLASS:
1118                 if (rule->rr_subject.rs_loginclass == NULL)
1119                         return (0);
1120                 break;
1121         case RCTL_SUBJECT_TYPE_JAIL:
1122                 if (rule->rr_subject.rs_prison_racct == NULL)
1123                         return (0);
1124                 break;
1125         default:
1126                 panic("rctl_rule_fully_specified: unknown subject type %d",
1127                     rule->rr_subject_type);
1128         }
1129         if (rule->rr_resource == RACCT_UNDEFINED)
1130                 return (0);
1131         if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1132                 return (0);
1133         if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1134                 return (0);
1135         if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1136                 return (0);
1137
1138         return (1);
1139 }
1140
1141 static int
1142 rctl_string_to_rule(char *rulestr, struct rctl_rule **rulep)
1143 {
1144         struct rctl_rule *rule;
1145         char *subjectstr, *subject_idstr, *resourcestr, *actionstr,
1146              *amountstr, *perstr;
1147         id_t id;
1148         int error = 0;
1149
1150         ASSERT_RACCT_ENABLED();
1151
1152         rule = rctl_rule_alloc(M_WAITOK);
1153
1154         subjectstr = strsep(&rulestr, ":");
1155         subject_idstr = strsep(&rulestr, ":");
1156         resourcestr = strsep(&rulestr, ":");
1157         actionstr = strsep(&rulestr, "=/");
1158         amountstr = strsep(&rulestr, "/");
1159         perstr = rulestr;
1160
1161         if (subjectstr == NULL || subjectstr[0] == '\0')
1162                 rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1163         else {
1164                 error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1165                 if (error != 0)
1166                         goto out;
1167         }
1168
1169         if (subject_idstr == NULL || subject_idstr[0] == '\0') {
1170                 rule->rr_subject.rs_proc = NULL;
1171                 rule->rr_subject.rs_uip = NULL;
1172                 rule->rr_subject.rs_loginclass = NULL;
1173                 rule->rr_subject.rs_prison_racct = NULL;
1174         } else {
1175                 switch (rule->rr_subject_type) {
1176                 case RCTL_SUBJECT_TYPE_UNDEFINED:
1177                         error = EINVAL;
1178                         goto out;
1179                 case RCTL_SUBJECT_TYPE_PROCESS:
1180                         error = str2id(subject_idstr, &id);
1181                         if (error != 0)
1182                                 goto out;
1183                         sx_assert(&allproc_lock, SA_LOCKED);
1184                         rule->rr_subject.rs_proc = pfind(id);
1185                         if (rule->rr_subject.rs_proc == NULL) {
1186                                 error = ESRCH;
1187                                 goto out;
1188                         }
1189                         PROC_UNLOCK(rule->rr_subject.rs_proc);
1190                         break;
1191                 case RCTL_SUBJECT_TYPE_USER:
1192                         error = str2id(subject_idstr, &id);
1193                         if (error != 0)
1194                                 goto out;
1195                         rule->rr_subject.rs_uip = uifind(id);
1196                         break;
1197                 case RCTL_SUBJECT_TYPE_LOGINCLASS:
1198                         rule->rr_subject.rs_loginclass =
1199                             loginclass_find(subject_idstr);
1200                         if (rule->rr_subject.rs_loginclass == NULL) {
1201                                 error = ENAMETOOLONG;
1202                                 goto out;
1203                         }
1204                         break;
1205                 case RCTL_SUBJECT_TYPE_JAIL:
1206                         rule->rr_subject.rs_prison_racct =
1207                             prison_racct_find(subject_idstr);
1208                         if (rule->rr_subject.rs_prison_racct == NULL) {
1209                                 error = ENAMETOOLONG;
1210                                 goto out;
1211                         }
1212                         break;
1213                default:
1214                        panic("rctl_string_to_rule: unknown subject type %d",
1215                            rule->rr_subject_type);
1216                }
1217         }
1218
1219         if (resourcestr == NULL || resourcestr[0] == '\0')
1220                 rule->rr_resource = RACCT_UNDEFINED;
1221         else {
1222                 error = str2value(resourcestr, &rule->rr_resource,
1223                     resourcenames);
1224                 if (error != 0)
1225                         goto out;
1226         }
1227
1228         if (actionstr == NULL || actionstr[0] == '\0')
1229                 rule->rr_action = RCTL_ACTION_UNDEFINED;
1230         else {
1231                 error = str2value(actionstr, &rule->rr_action, actionnames);
1232                 if (error != 0)
1233                         goto out;
1234         }
1235
1236         if (amountstr == NULL || amountstr[0] == '\0')
1237                 rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1238         else {
1239                 error = str2int64(amountstr, &rule->rr_amount);
1240                 if (error != 0)
1241                         goto out;
1242                 if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1243                         if (rule->rr_amount > INT64_MAX / 1000000) {
1244                                 error = ERANGE;
1245                                 goto out;
1246                         }
1247                         rule->rr_amount *= 1000000;
1248                 }
1249         }
1250
1251         if (perstr == NULL || perstr[0] == '\0')
1252                 rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1253         else {
1254                 error = str2value(perstr, &rule->rr_per, subjectnames);
1255                 if (error != 0)
1256                         goto out;
1257         }
1258
1259 out:
1260         if (error == 0)
1261                 *rulep = rule;
1262         else
1263                 rctl_rule_release(rule);
1264
1265         return (error);
1266 }
1267
1268 /*
1269  * Link a rule with all the subjects it applies to.
1270  */
1271 int
1272 rctl_rule_add(struct rctl_rule *rule)
1273 {
1274         struct proc *p;
1275         struct ucred *cred;
1276         struct uidinfo *uip;
1277         struct prison *pr;
1278         struct prison_racct *prr;
1279         struct loginclass *lc;
1280         struct rctl_rule *rule2;
1281         int match;
1282
1283         ASSERT_RACCT_ENABLED();
1284         KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1285
1286         /*
1287          * Some rules just don't make sense, like "deny" rule for an undeniable
1288          * resource.  The exception are the RSS and %CPU resources - they are
1289          * not deniable in the racct sense, but the limit is enforced in
1290          * a different way.
1291          */
1292         if (rule->rr_action == RCTL_ACTION_DENY &&
1293             !RACCT_IS_DENIABLE(rule->rr_resource) &&
1294             rule->rr_resource != RACCT_RSS &&
1295             rule->rr_resource != RACCT_PCTCPU) {
1296                 return (EOPNOTSUPP);
1297         }
1298
1299         if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1300             !RACCT_IS_DECAYING(rule->rr_resource)) {
1301                 return (EOPNOTSUPP);
1302         }
1303
1304         if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1305             rule->rr_resource == RACCT_PCTCPU) {
1306                 return (EOPNOTSUPP);
1307         }
1308
1309         if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1310             RACCT_IS_SLOPPY(rule->rr_resource)) {
1311                 return (EOPNOTSUPP);
1312         }
1313
1314         /*
1315          * Make sure there are no duplicated rules.  Also, for the "deny"
1316          * rules, remove ones differing only by "amount".
1317          */
1318         if (rule->rr_action == RCTL_ACTION_DENY) {
1319                 rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1320                 rule2->rr_amount = RCTL_AMOUNT_UNDEFINED;
1321                 rctl_rule_remove(rule2);
1322                 rctl_rule_release(rule2);
1323         } else
1324                 rctl_rule_remove(rule);
1325
1326         switch (rule->rr_subject_type) {
1327         case RCTL_SUBJECT_TYPE_PROCESS:
1328                 p = rule->rr_subject.rs_proc;
1329                 KASSERT(p != NULL, ("rctl_rule_add: NULL proc"));
1330
1331                 rctl_racct_add_rule(p->p_racct, rule);
1332                 /*
1333                  * In case of per-process rule, we don't have anything more
1334                  * to do.
1335                  */
1336                 return (0);
1337
1338         case RCTL_SUBJECT_TYPE_USER:
1339                 uip = rule->rr_subject.rs_uip;
1340                 KASSERT(uip != NULL, ("rctl_rule_add: NULL uip"));
1341                 rctl_racct_add_rule(uip->ui_racct, rule);
1342                 break;
1343
1344         case RCTL_SUBJECT_TYPE_LOGINCLASS:
1345                 lc = rule->rr_subject.rs_loginclass;
1346                 KASSERT(lc != NULL, ("rctl_rule_add: NULL loginclass"));
1347                 rctl_racct_add_rule(lc->lc_racct, rule);
1348                 break;
1349
1350         case RCTL_SUBJECT_TYPE_JAIL:
1351                 prr = rule->rr_subject.rs_prison_racct;
1352                 KASSERT(prr != NULL, ("rctl_rule_add: NULL pr"));
1353                 rctl_racct_add_rule(prr->prr_racct, rule);
1354                 break;
1355
1356         default:
1357                 panic("rctl_rule_add: unknown subject type %d",
1358                     rule->rr_subject_type);
1359         }
1360
1361         /*
1362          * Now go through all the processes and add the new rule to the ones
1363          * it applies to.
1364          */
1365         sx_assert(&allproc_lock, SA_LOCKED);
1366         FOREACH_PROC_IN_SYSTEM(p) {
1367                 cred = p->p_ucred;
1368                 switch (rule->rr_subject_type) {
1369                 case RCTL_SUBJECT_TYPE_USER:
1370                         if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1371                             cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1372                                 break;
1373                         continue;
1374                 case RCTL_SUBJECT_TYPE_LOGINCLASS:
1375                         if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1376                                 break;
1377                         continue;
1378                 case RCTL_SUBJECT_TYPE_JAIL:
1379                         match = 0;
1380                         for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
1381                                 if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1382                                         match = 1;
1383                                         break;
1384                                 }
1385                         }
1386                         if (match)
1387                                 break;
1388                         continue;
1389                 default:
1390                         panic("rctl_rule_add: unknown subject type %d",
1391                             rule->rr_subject_type);
1392                 }
1393
1394                 rctl_racct_add_rule(p->p_racct, rule);
1395         }
1396
1397         return (0);
1398 }
1399
1400 static void
1401 rctl_rule_pre_callback(void)
1402 {
1403
1404         RACCT_LOCK();
1405 }
1406
1407 static void
1408 rctl_rule_post_callback(void)
1409 {
1410
1411         RACCT_UNLOCK();
1412 }
1413
1414 static void
1415 rctl_rule_remove_callback(struct racct *racct, void *arg2, void *arg3)
1416 {
1417         struct rctl_rule *filter = (struct rctl_rule *)arg2;
1418         int found = 0;
1419
1420         ASSERT_RACCT_ENABLED();
1421         RACCT_LOCK_ASSERT();
1422
1423         found += rctl_racct_remove_rules(racct, filter);
1424
1425         *((int *)arg3) += found;
1426 }
1427
1428 /*
1429  * Remove all rules that match the filter.
1430  */
1431 int
1432 rctl_rule_remove(struct rctl_rule *filter)
1433 {
1434         struct proc *p;
1435         int found = 0;
1436
1437         ASSERT_RACCT_ENABLED();
1438
1439         if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_PROCESS &&
1440             filter->rr_subject.rs_proc != NULL) {
1441                 p = filter->rr_subject.rs_proc;
1442                 RACCT_LOCK();
1443                 found = rctl_racct_remove_rules(p->p_racct, filter);
1444                 RACCT_UNLOCK();
1445                 if (found)
1446                         return (0);
1447                 return (ESRCH);
1448         }
1449
1450         loginclass_racct_foreach(rctl_rule_remove_callback,
1451             rctl_rule_pre_callback, rctl_rule_post_callback,
1452             filter, (void *)&found);
1453         ui_racct_foreach(rctl_rule_remove_callback,
1454             rctl_rule_pre_callback, rctl_rule_post_callback,
1455             filter, (void *)&found);
1456         prison_racct_foreach(rctl_rule_remove_callback,
1457             rctl_rule_pre_callback, rctl_rule_post_callback,
1458             filter, (void *)&found);
1459
1460         sx_assert(&allproc_lock, SA_LOCKED);
1461         RACCT_LOCK();
1462         FOREACH_PROC_IN_SYSTEM(p) {
1463                 found += rctl_racct_remove_rules(p->p_racct, filter);
1464         }
1465         RACCT_UNLOCK();
1466
1467         if (found)
1468                 return (0);
1469         return (ESRCH);
1470 }
1471
1472 /*
1473  * Appends a rule to the sbuf.
1474  */
1475 static void
1476 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1477 {
1478         int64_t amount;
1479
1480         ASSERT_RACCT_ENABLED();
1481
1482         sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1483
1484         switch (rule->rr_subject_type) {
1485         case RCTL_SUBJECT_TYPE_PROCESS:
1486                 if (rule->rr_subject.rs_proc == NULL)
1487                         sbuf_printf(sb, ":");
1488                 else
1489                         sbuf_printf(sb, "%d:",
1490                             rule->rr_subject.rs_proc->p_pid);
1491                 break;
1492         case RCTL_SUBJECT_TYPE_USER:
1493                 if (rule->rr_subject.rs_uip == NULL)
1494                         sbuf_printf(sb, ":");
1495                 else
1496                         sbuf_printf(sb, "%d:",
1497                             rule->rr_subject.rs_uip->ui_uid);
1498                 break;
1499         case RCTL_SUBJECT_TYPE_LOGINCLASS:
1500                 if (rule->rr_subject.rs_loginclass == NULL)
1501                         sbuf_printf(sb, ":");
1502                 else
1503                         sbuf_printf(sb, "%s:",
1504                             rule->rr_subject.rs_loginclass->lc_name);
1505                 break;
1506         case RCTL_SUBJECT_TYPE_JAIL:
1507                 if (rule->rr_subject.rs_prison_racct == NULL)
1508                         sbuf_printf(sb, ":");
1509                 else
1510                         sbuf_printf(sb, "%s:",
1511                             rule->rr_subject.rs_prison_racct->prr_name);
1512                 break;
1513         default:
1514                 panic("rctl_rule_to_sbuf: unknown subject type %d",
1515                     rule->rr_subject_type);
1516         }
1517
1518         amount = rule->rr_amount;
1519         if (amount != RCTL_AMOUNT_UNDEFINED &&
1520             RACCT_IS_IN_MILLIONS(rule->rr_resource))
1521                 amount /= 1000000;
1522
1523         sbuf_printf(sb, "%s:%s=%jd",
1524             rctl_resource_name(rule->rr_resource),
1525             rctl_action_name(rule->rr_action),
1526             amount);
1527
1528         if (rule->rr_per != rule->rr_subject_type)
1529                 sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1530 }
1531
1532 /*
1533  * Routine used by RCTL syscalls to read in input string.
1534  */
1535 static int
1536 rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
1537 {
1538         char *str;
1539         int error;
1540
1541         ASSERT_RACCT_ENABLED();
1542
1543         if (inbuflen <= 0)
1544                 return (EINVAL);
1545         if (inbuflen > RCTL_MAX_INBUFSIZE)
1546                 return (E2BIG);
1547
1548         str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
1549         error = copyinstr(inbufp, str, inbuflen, NULL);
1550         if (error != 0) {
1551                 free(str, M_RCTL);
1552                 return (error);
1553         }
1554
1555         *inputstr = str;
1556
1557         return (0);
1558 }
1559
1560 /*
1561  * Routine used by RCTL syscalls to write out output string.
1562  */
1563 static int
1564 rctl_write_outbuf(struct sbuf *outputsbuf, char *outbufp, size_t outbuflen)
1565 {
1566         int error;
1567
1568         ASSERT_RACCT_ENABLED();
1569
1570         if (outputsbuf == NULL)
1571                 return (0);
1572
1573         sbuf_finish(outputsbuf);
1574         if (outbuflen < sbuf_len(outputsbuf) + 1) {
1575                 sbuf_delete(outputsbuf);
1576                 return (ERANGE);
1577         }
1578         error = copyout(sbuf_data(outputsbuf), outbufp,
1579             sbuf_len(outputsbuf) + 1);
1580         sbuf_delete(outputsbuf);
1581         return (error);
1582 }
1583
1584 static struct sbuf *
1585 rctl_racct_to_sbuf(struct racct *racct, int sloppy)
1586 {
1587         struct sbuf *sb;
1588         int64_t amount;
1589         int i;
1590
1591         ASSERT_RACCT_ENABLED();
1592
1593         sb = sbuf_new_auto();
1594         for (i = 0; i <= RACCT_MAX; i++) {
1595                 if (sloppy == 0 && RACCT_IS_SLOPPY(i))
1596                         continue;
1597                 RACCT_LOCK();
1598                 amount = racct->r_resources[i];
1599                 RACCT_UNLOCK();
1600                 if (RACCT_IS_IN_MILLIONS(i))
1601                         amount /= 1000000;
1602                 sbuf_printf(sb, "%s=%jd,", rctl_resource_name(i), amount);
1603         }
1604         sbuf_setpos(sb, sbuf_len(sb) - 1);
1605         return (sb);
1606 }
1607
1608 int
1609 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
1610 {
1611         struct rctl_rule *filter;
1612         struct sbuf *outputsbuf = NULL;
1613         struct proc *p;
1614         struct uidinfo *uip;
1615         struct loginclass *lc;
1616         struct prison_racct *prr;
1617         char *inputstr;
1618         int error;
1619
1620         if (!racct_enable)
1621                 return (ENOSYS);
1622
1623         error = priv_check(td, PRIV_RCTL_GET_RACCT);
1624         if (error != 0)
1625                 return (error);
1626
1627         error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1628         if (error != 0)
1629                 return (error);
1630
1631         sx_slock(&allproc_lock);
1632         error = rctl_string_to_rule(inputstr, &filter);
1633         free(inputstr, M_RCTL);
1634         if (error != 0) {
1635                 sx_sunlock(&allproc_lock);
1636                 return (error);
1637         }
1638
1639         switch (filter->rr_subject_type) {
1640         case RCTL_SUBJECT_TYPE_PROCESS:
1641                 p = filter->rr_subject.rs_proc;
1642                 if (p == NULL) {
1643                         error = EINVAL;
1644                         goto out;
1645                 }
1646                 outputsbuf = rctl_racct_to_sbuf(p->p_racct, 0);
1647                 break;
1648         case RCTL_SUBJECT_TYPE_USER:
1649                 uip = filter->rr_subject.rs_uip;
1650                 if (uip == NULL) {
1651                         error = EINVAL;
1652                         goto out;
1653                 }
1654                 outputsbuf = rctl_racct_to_sbuf(uip->ui_racct, 1);
1655                 break;
1656         case RCTL_SUBJECT_TYPE_LOGINCLASS:
1657                 lc = filter->rr_subject.rs_loginclass;
1658                 if (lc == NULL) {
1659                         error = EINVAL;
1660                         goto out;
1661                 }
1662                 outputsbuf = rctl_racct_to_sbuf(lc->lc_racct, 1);
1663                 break;
1664         case RCTL_SUBJECT_TYPE_JAIL:
1665                 prr = filter->rr_subject.rs_prison_racct;
1666                 if (prr == NULL) {
1667                         error = EINVAL;
1668                         goto out;
1669                 }
1670                 outputsbuf = rctl_racct_to_sbuf(prr->prr_racct, 1);
1671                 break;
1672         default:
1673                 error = EINVAL;
1674         }
1675 out:
1676         rctl_rule_release(filter);
1677         sx_sunlock(&allproc_lock);
1678         if (error != 0)
1679                 return (error);
1680
1681         error = rctl_write_outbuf(outputsbuf, uap->outbufp, uap->outbuflen);
1682
1683         return (error);
1684 }
1685
1686 static void
1687 rctl_get_rules_callback(struct racct *racct, void *arg2, void *arg3)
1688 {
1689         struct rctl_rule *filter = (struct rctl_rule *)arg2;
1690         struct rctl_rule_link *link;
1691         struct sbuf *sb = (struct sbuf *)arg3;
1692
1693         ASSERT_RACCT_ENABLED();
1694         RACCT_LOCK_ASSERT();
1695
1696         LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
1697                 if (!rctl_rule_matches(link->rrl_rule, filter))
1698                         continue;
1699                 rctl_rule_to_sbuf(sb, link->rrl_rule);
1700                 sbuf_printf(sb, ",");
1701         }
1702 }
1703
1704 int
1705 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
1706 {
1707         struct sbuf *sb;
1708         struct rctl_rule *filter;
1709         struct rctl_rule_link *link;
1710         struct proc *p;
1711         char *inputstr, *buf;
1712         size_t bufsize;
1713         int error;
1714
1715         if (!racct_enable)
1716                 return (ENOSYS);
1717
1718         error = priv_check(td, PRIV_RCTL_GET_RULES);
1719         if (error != 0)
1720                 return (error);
1721
1722         error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1723         if (error != 0)
1724                 return (error);
1725
1726         sx_slock(&allproc_lock);
1727         error = rctl_string_to_rule(inputstr, &filter);
1728         free(inputstr, M_RCTL);
1729         if (error != 0) {
1730                 sx_sunlock(&allproc_lock);
1731                 return (error);
1732         }
1733
1734         bufsize = uap->outbuflen;
1735         if (bufsize > rctl_maxbufsize) {
1736                 sx_sunlock(&allproc_lock);
1737                 return (E2BIG);
1738         }
1739
1740         buf = malloc(bufsize, M_RCTL, M_WAITOK);
1741         sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1742         KASSERT(sb != NULL, ("sbuf_new failed"));
1743
1744         FOREACH_PROC_IN_SYSTEM(p) {
1745                 RACCT_LOCK();
1746                 LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1747                         /*
1748                          * Non-process rules will be added to the buffer later.
1749                          * Adding them here would result in duplicated output.
1750                          */
1751                         if (link->rrl_rule->rr_subject_type !=
1752                             RCTL_SUBJECT_TYPE_PROCESS)
1753                                 continue;
1754                         if (!rctl_rule_matches(link->rrl_rule, filter))
1755                                 continue;
1756                         rctl_rule_to_sbuf(sb, link->rrl_rule);
1757                         sbuf_printf(sb, ",");
1758                 }
1759                 RACCT_UNLOCK();
1760         }
1761
1762         loginclass_racct_foreach(rctl_get_rules_callback,
1763             rctl_rule_pre_callback, rctl_rule_post_callback,
1764             filter, sb);
1765         ui_racct_foreach(rctl_get_rules_callback,
1766             rctl_rule_pre_callback, rctl_rule_post_callback,
1767             filter, sb);
1768         prison_racct_foreach(rctl_get_rules_callback,
1769             rctl_rule_pre_callback, rctl_rule_post_callback,
1770             filter, sb);
1771         if (sbuf_error(sb) == ENOMEM) {
1772                 error = ERANGE;
1773                 goto out;
1774         }
1775
1776         /*
1777          * Remove trailing ",".
1778          */
1779         if (sbuf_len(sb) > 0)
1780                 sbuf_setpos(sb, sbuf_len(sb) - 1);
1781
1782         error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1783 out:
1784         rctl_rule_release(filter);
1785         sx_sunlock(&allproc_lock);
1786         free(buf, M_RCTL);
1787         return (error);
1788 }
1789
1790 int
1791 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
1792 {
1793         struct sbuf *sb;
1794         struct rctl_rule *filter;
1795         struct rctl_rule_link *link;
1796         char *inputstr, *buf;
1797         size_t bufsize;
1798         int error;
1799
1800         if (!racct_enable)
1801                 return (ENOSYS);
1802
1803         error = priv_check(td, PRIV_RCTL_GET_LIMITS);
1804         if (error != 0)
1805                 return (error);
1806
1807         error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1808         if (error != 0)
1809                 return (error);
1810
1811         sx_slock(&allproc_lock);
1812         error = rctl_string_to_rule(inputstr, &filter);
1813         free(inputstr, M_RCTL);
1814         if (error != 0) {
1815                 sx_sunlock(&allproc_lock);
1816                 return (error);
1817         }
1818
1819         if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_UNDEFINED) {
1820                 rctl_rule_release(filter);
1821                 sx_sunlock(&allproc_lock);
1822                 return (EINVAL);
1823         }
1824         if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_PROCESS) {
1825                 rctl_rule_release(filter);
1826                 sx_sunlock(&allproc_lock);
1827                 return (EOPNOTSUPP);
1828         }
1829         if (filter->rr_subject.rs_proc == NULL) {
1830                 rctl_rule_release(filter);
1831                 sx_sunlock(&allproc_lock);
1832                 return (EINVAL);
1833         }
1834
1835         bufsize = uap->outbuflen;
1836         if (bufsize > rctl_maxbufsize) {
1837                 rctl_rule_release(filter);
1838                 sx_sunlock(&allproc_lock);
1839                 return (E2BIG);
1840         }
1841
1842         buf = malloc(bufsize, M_RCTL, M_WAITOK);
1843         sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1844         KASSERT(sb != NULL, ("sbuf_new failed"));
1845
1846         RACCT_LOCK();
1847         LIST_FOREACH(link, &filter->rr_subject.rs_proc->p_racct->r_rule_links,
1848             rrl_next) {
1849                 rctl_rule_to_sbuf(sb, link->rrl_rule);
1850                 sbuf_printf(sb, ",");
1851         }
1852         RACCT_UNLOCK();
1853         if (sbuf_error(sb) == ENOMEM) {
1854                 error = ERANGE;
1855                 sbuf_delete(sb);
1856                 goto out;
1857         }
1858
1859         /*
1860          * Remove trailing ",".
1861          */
1862         if (sbuf_len(sb) > 0)
1863                 sbuf_setpos(sb, sbuf_len(sb) - 1);
1864
1865         error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1866 out:
1867         rctl_rule_release(filter);
1868         sx_sunlock(&allproc_lock);
1869         free(buf, M_RCTL);
1870         return (error);
1871 }
1872
1873 int
1874 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
1875 {
1876         struct rctl_rule *rule;
1877         char *inputstr;
1878         int error;
1879
1880         if (!racct_enable)
1881                 return (ENOSYS);
1882
1883         error = priv_check(td, PRIV_RCTL_ADD_RULE);
1884         if (error != 0)
1885                 return (error);
1886
1887         error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1888         if (error != 0)
1889                 return (error);
1890
1891         sx_slock(&allproc_lock);
1892         error = rctl_string_to_rule(inputstr, &rule);
1893         free(inputstr, M_RCTL);
1894         if (error != 0) {
1895                 sx_sunlock(&allproc_lock);
1896                 return (error);
1897         }
1898         /*
1899          * The 'per' part of a rule is optional.
1900          */
1901         if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1902             rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1903                 rule->rr_per = rule->rr_subject_type;
1904
1905         if (!rctl_rule_fully_specified(rule)) {
1906                 error = EINVAL;
1907                 goto out;
1908         }
1909
1910         error = rctl_rule_add(rule);
1911
1912 out:
1913         rctl_rule_release(rule);
1914         sx_sunlock(&allproc_lock);
1915         return (error);
1916 }
1917
1918 int
1919 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
1920 {
1921         struct rctl_rule *filter;
1922         char *inputstr;
1923         int error;
1924
1925         if (!racct_enable)
1926                 return (ENOSYS);
1927
1928         error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
1929         if (error != 0)
1930                 return (error);
1931
1932         error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1933         if (error != 0)
1934                 return (error);
1935
1936         sx_slock(&allproc_lock);
1937         error = rctl_string_to_rule(inputstr, &filter);
1938         free(inputstr, M_RCTL);
1939         if (error != 0) {
1940                 sx_sunlock(&allproc_lock);
1941                 return (error);
1942         }
1943
1944         error = rctl_rule_remove(filter);
1945         rctl_rule_release(filter);
1946         sx_sunlock(&allproc_lock);
1947
1948         return (error);
1949 }
1950
1951 /*
1952  * Update RCTL rule list after credential change.
1953  */
1954 void
1955 rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred)
1956 {
1957         LIST_HEAD(, rctl_rule_link) newrules;
1958         struct rctl_rule_link *link, *newlink;
1959         struct uidinfo *newuip;
1960         struct loginclass *newlc;
1961         struct prison_racct *newprr;
1962         int rulecnt, i;
1963
1964         if (!racct_enable)
1965                 return;
1966
1967         PROC_LOCK_ASSERT(p, MA_NOTOWNED);
1968
1969         newuip = newcred->cr_ruidinfo;
1970         newlc = newcred->cr_loginclass;
1971         newprr = newcred->cr_prison->pr_prison_racct;
1972
1973         LIST_INIT(&newrules);
1974
1975 again:
1976         /*
1977          * First, count the rules that apply to the process with new
1978          * credentials.
1979          */
1980         rulecnt = 0;
1981         RACCT_LOCK();
1982         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1983                 if (link->rrl_rule->rr_subject_type ==
1984                     RCTL_SUBJECT_TYPE_PROCESS)
1985                         rulecnt++;
1986         }
1987         LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next)
1988                 rulecnt++;
1989         LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next)
1990                 rulecnt++;
1991         LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next)
1992                 rulecnt++;
1993         RACCT_UNLOCK();
1994
1995         /*
1996          * Create temporary list.  We've dropped the rctl_lock in order
1997          * to use M_WAITOK.
1998          */
1999         for (i = 0; i < rulecnt; i++) {
2000                 newlink = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
2001                 newlink->rrl_rule = NULL;
2002                 newlink->rrl_exceeded = 0;
2003                 LIST_INSERT_HEAD(&newrules, newlink, rrl_next);
2004         }
2005
2006         newlink = LIST_FIRST(&newrules);
2007
2008         /*
2009          * Assign rules to the newly allocated list entries.
2010          */
2011         RACCT_LOCK();
2012         LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
2013                 if (link->rrl_rule->rr_subject_type ==
2014                     RCTL_SUBJECT_TYPE_PROCESS) {
2015                         if (newlink == NULL)
2016                                 goto goaround;
2017                         rctl_rule_acquire(link->rrl_rule);
2018                         newlink->rrl_rule = link->rrl_rule;
2019                         newlink->rrl_exceeded = link->rrl_exceeded;
2020                         newlink = LIST_NEXT(newlink, rrl_next);
2021                         rulecnt--;
2022                 }
2023         }
2024
2025         LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next) {
2026                 if (newlink == NULL)
2027                         goto goaround;
2028                 rctl_rule_acquire(link->rrl_rule);
2029                 newlink->rrl_rule = link->rrl_rule;
2030                 newlink->rrl_exceeded = link->rrl_exceeded;
2031                 newlink = LIST_NEXT(newlink, rrl_next);
2032                 rulecnt--;
2033         }
2034
2035         LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next) {
2036                 if (newlink == NULL)
2037                         goto goaround;
2038                 rctl_rule_acquire(link->rrl_rule);
2039                 newlink->rrl_rule = link->rrl_rule;
2040                 newlink->rrl_exceeded = link->rrl_exceeded;
2041                 newlink = LIST_NEXT(newlink, rrl_next);
2042                 rulecnt--;
2043         }
2044
2045         LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next) {
2046                 if (newlink == NULL)
2047                         goto goaround;
2048                 rctl_rule_acquire(link->rrl_rule);
2049                 newlink->rrl_rule = link->rrl_rule;
2050                 newlink->rrl_exceeded = link->rrl_exceeded;
2051                 newlink = LIST_NEXT(newlink, rrl_next);
2052                 rulecnt--;
2053         }
2054
2055         if (rulecnt == 0) {
2056                 /*
2057                  * Free the old rule list.
2058                  */
2059                 while (!LIST_EMPTY(&p->p_racct->r_rule_links)) {
2060                         link = LIST_FIRST(&p->p_racct->r_rule_links);
2061                         LIST_REMOVE(link, rrl_next);
2062                         rctl_rule_release(link->rrl_rule);
2063                         uma_zfree(rctl_rule_link_zone, link);
2064                 }
2065
2066                 /*
2067                  * Replace lists and we're done.
2068                  *
2069                  * XXX: Is there any way to switch list heads instead
2070                  *      of iterating here?
2071                  */
2072                 while (!LIST_EMPTY(&newrules)) {
2073                         newlink = LIST_FIRST(&newrules);
2074                         LIST_REMOVE(newlink, rrl_next);
2075                         LIST_INSERT_HEAD(&p->p_racct->r_rule_links,
2076                             newlink, rrl_next);
2077                 }
2078
2079                 RACCT_UNLOCK();
2080
2081                 return;
2082         }
2083
2084 goaround:
2085         RACCT_UNLOCK();
2086
2087         /*
2088          * Rule list changed while we were not holding the rctl_lock.
2089          * Free the new list and try again.
2090          */
2091         while (!LIST_EMPTY(&newrules)) {
2092                 newlink = LIST_FIRST(&newrules);
2093                 LIST_REMOVE(newlink, rrl_next);
2094                 if (newlink->rrl_rule != NULL)
2095                         rctl_rule_release(newlink->rrl_rule);
2096                 uma_zfree(rctl_rule_link_zone, newlink);
2097         }
2098
2099         goto again;
2100 }
2101
2102 /*
2103  * Assign RCTL rules to the newly created process.
2104  */
2105 int
2106 rctl_proc_fork(struct proc *parent, struct proc *child)
2107 {
2108         struct rctl_rule *rule;
2109         struct rctl_rule_link *link;
2110         int error;
2111
2112         ASSERT_RACCT_ENABLED();
2113         RACCT_LOCK_ASSERT();
2114         KASSERT(parent->p_racct != NULL, ("process without racct; p = %p", parent));
2115
2116         LIST_INIT(&child->p_racct->r_rule_links);
2117
2118         /*
2119          * Go through limits applicable to the parent and assign them
2120          * to the child.  Rules with 'process' subject have to be duplicated
2121          * in order to make their rr_subject point to the new process.
2122          */
2123         LIST_FOREACH(link, &parent->p_racct->r_rule_links, rrl_next) {
2124                 if (link->rrl_rule->rr_subject_type ==
2125                     RCTL_SUBJECT_TYPE_PROCESS) {
2126                         rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2127                         if (rule == NULL)
2128                                 goto fail;
2129                         KASSERT(rule->rr_subject.rs_proc == parent,
2130                             ("rule->rr_subject.rs_proc != parent"));
2131                         rule->rr_subject.rs_proc = child;
2132                         error = rctl_racct_add_rule_locked(child->p_racct,
2133                             rule);
2134                         rctl_rule_release(rule);
2135                         if (error != 0)
2136                                 goto fail;
2137                 } else {
2138                         error = rctl_racct_add_rule_locked(child->p_racct,
2139                             link->rrl_rule);
2140                         if (error != 0)
2141                                 goto fail;
2142                 }
2143         }
2144
2145         return (0);
2146
2147 fail:
2148         while (!LIST_EMPTY(&child->p_racct->r_rule_links)) {
2149                 link = LIST_FIRST(&child->p_racct->r_rule_links);
2150                 LIST_REMOVE(link, rrl_next);
2151                 rctl_rule_release(link->rrl_rule);
2152                 uma_zfree(rctl_rule_link_zone, link);
2153         }
2154
2155         return (EAGAIN);
2156 }
2157
2158 /*
2159  * Release rules attached to the racct.
2160  */
2161 void
2162 rctl_racct_release(struct racct *racct)
2163 {
2164         struct rctl_rule_link *link;
2165
2166         ASSERT_RACCT_ENABLED();
2167         RACCT_LOCK_ASSERT();
2168
2169         while (!LIST_EMPTY(&racct->r_rule_links)) {
2170                 link = LIST_FIRST(&racct->r_rule_links);
2171                 LIST_REMOVE(link, rrl_next);
2172                 rctl_rule_release(link->rrl_rule);
2173                 uma_zfree(rctl_rule_link_zone, link);
2174         }
2175 }
2176
2177 static void
2178 rctl_init(void)
2179 {
2180
2181         if (!racct_enable)
2182                 return;
2183
2184         rctl_rule_zone = uma_zcreate("rctl_rule", sizeof(struct rctl_rule),
2185             NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
2186         rctl_rule_link_zone = uma_zcreate("rctl_rule_link",
2187             sizeof(struct rctl_rule_link), NULL, NULL, NULL, NULL,
2188             UMA_ALIGN_PTR, 0);
2189
2190         /*
2191          * Set default values, making sure not to overwrite the ones
2192          * fetched from tunables.  Most of those could be set at the
2193          * declaration, except for the rctl_throttle_max - we cannot
2194          * set it there due to hz not being compile time constant.
2195          */
2196         if (rctl_throttle_min < 1)
2197                 rctl_throttle_min = 1;
2198         if (rctl_throttle_max < rctl_throttle_min)
2199                 rctl_throttle_max = 2 * hz;
2200         if (rctl_throttle_pct < 0)
2201                 rctl_throttle_pct = 100;
2202         if (rctl_throttle_pct2 < 0)
2203                 rctl_throttle_pct2 = 100;
2204 }
2205
2206 #else /* !RCTL */
2207
2208 int
2209 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
2210 {
2211
2212         return (ENOSYS);
2213 }
2214
2215 int
2216 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
2217 {
2218
2219         return (ENOSYS);
2220 }
2221
2222 int
2223 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
2224 {
2225
2226         return (ENOSYS);
2227 }
2228
2229 int
2230 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
2231 {
2232
2233         return (ENOSYS);
2234 }
2235
2236 int
2237 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
2238 {
2239
2240         return (ENOSYS);
2241 }
2242
2243 #endif /* !RCTL */