Expore kern.acct_configured, a sysctl that reflects the configured/
unconfigured state of the kernel accounting system. This is used by
the accounting privilege regression test to determine whether

Expore kern.acct_configured, a sysctl that reflects the configured/
unconfigured state of the kernel accounting system. This is used by
the accounting privilege regression test to determine whether
accounting is in use and will be disrupted by the regression test.

Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
MFC after: 1 month

show more ...

Audit path passed to the acct() system call.

Obtained from: TrustedBSD Project

Conditionalize locking of Giant for VFS in acct(2). We already
conditionally acquired Giant in the other parts of the accounting code.

Provide some anti-footshooting. Don't allow the user to set the interval
for acctwatch() runs to be negative or zero as this could result in either
a possible hang (or panic if INVARIANTS is on). P

Provide some anti-footshooting. Don't allow the user to set the interval
for acctwatch() runs to be negative or zero as this could result in either
a possible hang (or panic if INVARIANTS is on). Previously the accounting
code handled the <= 0 case by calling acctwatch on every clock tick (eww!)
due to an implementation detail of callout_reset(). (Tick counts of
<= 0 are converted to 1).

MFC after: 3 days

show more ...

- Add a kthread to periodically call acctwatch() when accounting is active
instead of calling acctwatch() from softclock. The acctwatch() function
needs to hold an sx lock and also makes a VFS c

- Add a kthread to periodically call acctwatch() when accounting is active
instead of calling acctwatch() from softclock. The acctwatch() function
needs to hold an sx lock and also makes a VFS call, and neither of these
are good things (or safe) to do from a callout. The kthread only exists
and is running when accounting is turned on; it is started and stopped
as needed. I didn't run acctwatch() via the thread taskqueue at Robert's
request as he was worried that if the accounting file was over NFS the
VFS_STAT() calls might stall other work on the taskqueue.
- Add an acct_disable() function to take care of closing the accounting
vnode and cleaning up so we don't duplicate the same code in two
different places.

MFC after: 3 days

show more ...

Sort includes.

Whitespace fix.

Submitted by: Wojciech A. Koszek <dunstan at zsno ids czest pl>

Significant refactoring of the accounting code to improve locking and VFS
happiness, as well as correct other bugs:

- Replace notion of current and saved accounting credential/vnode with a
single

Significant refactoring of the accounting code to improve locking and VFS
happiness, as well as correct other bugs:

- Replace notion of current and saved accounting credential/vnode with a
single credential/vnode and an acct_suspended flag. This simplifies the
accounting logic substantially.

- Replace acct_mtx with acct_sx, a sleepable lock held exclusively during
reconfiguration and space polling, but shared during log entry
generation. This avoids holding a mutex over sleepable VFS operations.

- Hold the sx lock over the duration of the I/O so that the vnode I/O
cannot occur after vnode close, which could occur previously if
accounting was disabled as a process exited.

- Write the accounting log entry with Giant conditionally acquired based
on the file system where the log is stored. Previously, the accounting
code relied on the caller acquiring Giant.

- Acquire Giant conditionally in the accounting callout based on the file
system where the accounting log is stored. Run the callout MPSAFE.

- Expose acct_suspended via a read-only sysctl so it is possibly to
programmatically determine whether accounting is suspended or not without
attempting to parse logs.

- Check both acct_vp and acct_suspended lock-free before entering the
accounting sx lock in acct().

- When accounting is disabled due to a VBAD vnode (i.e., forceable unmount),
generate a log message indicating accounting has been disabled.

- Correct a long-standing bug in how free space is calculated and compared
to the required space: generate and compare signed results, not unsigned
results, or negative free space will cause accounting to not be suspended
when required, or worse, incorrectly resumed once negative free space is
reached.

MFC after: 2 weeks

show more ...

Pass 'curthread' into VFS_STATFS() from acctwatch(), rather than passing
NULL. The NFS client expects that a thread will always be present for a
VOP so that it can check for signal conditions, and w

Pass 'curthread' into VFS_STATFS() from acctwatch(), rather than passing
NULL. The NFS client expects that a thread will always be present for a
VOP so that it can check for signal conditions, and will dereference a
NULL pointer if one isn't present.

MFC after: 3 days

show more ...

When mac_check_system_acct() fails, make sure to unlock as well as close
the vnode.

Pointed out by: jeff

In acct_process(), do a lockless read of acctvp to see if it's NULL
before deciding to do more expensive locking to account for process
exit. This acceptable minor race avoids two mutex operations i

In acct_process(), do a lockless read of acctvp to see if it's NULL
before deciding to do more expensive locking to account for process
exit. This acceptable minor race avoids two mutex operations in
that highly common case of accounting not being enabled.

MFC after: 2 weeks

show more ...

Rework how we store process times in the kernel such that we always store
the raw values including for child process statistics and only compute the
system and user timevals on demand.

- Fix the var

Rework how we store process times in the kernel such that we always store
the raw values including for child process statistics and only compute the
system and user timevals on demand.

- Fix the various kern_wait() syscall wrappers to only pass in a rusage
pointer if they are going to use the result.
- Add a kern_getrusage() function for the ABI syscalls to use so that they
don't have to play stackgap games to call getrusage().
- Fix the svr4_sys_times() syscall to just call calcru() to calculate the
times it needs rather than calling getrusage() twice with associated
stackgap, etc.
- Add a new rusage_ext structure to store raw time stats such as tick counts
for user, system, and interrupt time as well as a bintime of the total
runtime. A new p_rux field in struct proc replaces the same inline fields
from struct proc (i.e. p_[isu]ticks, p_[isu]u, and p_runtime). A new p_crux
field in struct proc contains the "raw" child time usage statistics.
ruadd() has been changed to handle adding the associated rusage_ext
structures as well as the values in rusage. Effectively, the values in
rusage_ext replace the ru_utime and ru_stime values in struct rusage. These
two fields in struct rusage are no longer used in the kernel.
- calcru() has been split into a static worker function calcru1() that
calculates appropriate timevals for user and system time as well as updating
the rux_[isu]u fields of a passed in rusage_ext structure. calcru() uses a
copy of the process' p_rux structure to compute the timevals after updating
the runtime appropriately if any of the threads in that process are
currently executing. It also now only locks sched_lock internally while
doing the rux_runtime fixup. calcru() now only requires the caller to
hold the proc lock and calcru1() only requires the proc lock internally.
calcru() also no longer allows callers to ask for an interrupt timeval
since none of them actually did.
- calcru() now correctly handles threads executing on other CPUs.
- A new calccru() function computes the child system and user timevals by
calling calcru1() on p_crux. Note that this means that any code that wants
child times must now call this function rather than reading from p_cru
directly. This function also requires the proc lock.
- This finishes the locking for rusage and friends so some of the Giant locks
in exit1() and kern_wait() are now gone.
- The locking in ttyinfo() has been tweaked so that a shared lock of the
proctree lock is used to protect the process group rather than the process
group lock. By holding this lock until the end of the function we now
ensure that the process/thread that we pick to dump info about will no
longer vanish while we are trying to output its info to the console.

Submitted by: bde (mostly)
MFC after: 1 month

show more ...

Second half of the dev_t cleanup.

The big lines are:
NODEV -> NULL
NOUDEV -> NODEV
udev_t -> dev_t
udev2dev() -> findcdev()

Various minor adjustments including handling of userland access to ke

Second half of the dev_t cleanup.

The big lines are:
NODEV -> NULL
NOUDEV -> NODEV
udev_t -> dev_t
udev2dev() -> findcdev()

Various minor adjustments including handling of userland access to kernel
space struct cdev etc.

show more ...

Fixed some style bugs (mainly misplaced comments, and totally disordered
declarations in acct_process()).

Locking for the per-process resource limits structure.
- struct plimit includes a mutex to protect a reference count. The plimit
structure is treated similarly to struct ucred in that is is always

Locking for the per-process resource limits structure.
- struct plimit includes a mutex to protect a reference count. The plimit
structure is treated similarly to struct ucred in that is is always copy
on write, so having a reference to a structure is sufficient to read from
it without needing a further lock.
- The proc lock protects the p_limit pointer and must be held while reading
limits from a process to keep the limit structure from changing out from
under you while reading from it.
- Various global limits that are ints are not protected by a lock since
int writes are atomic on all the archs we support and thus a lock
wouldn't buy us anything.
- All accesses to individual resource limits from a process are abstracted
behind a simple lim_rlimit(), lim_max(), and lim_cur() API that return
either an rlimit, or the current or max individual limit of the specified
resource from a process.
- dosetrlimit() was renamed to kern_setrlimit() to match existing style of
other similar syscall helper functions.
- The alpha OSF/1 compat layer no longer calls getrlimit() and setrlimit()
(it didn't used the stackgap when it should have) but uses lim_rlimit()
and kern_setrlimit() instead.
- The svr4 compat no longer uses the stackgap for resource limits calls,
but uses lim_rlimit() and kern_setrlimit() instead.
- The ibcs2 compat no longer uses the stackgap for resource limits. It
also no longer uses the stackgap for accessing sysctl's for the
ibcs2_sysconf() syscall but uses kernel_sysctl() instead. As a result,
ibcs2_sysconf() no longer needs Giant.
- The p_rlimit macro no longer exists.

Submitted by: mtm (mostly, I only did a few cleanups and catchups)
Tested on: i386
Compiled on: alpha, amd64

show more ...

Add fdidx argument to vn_open() and vn_open_cred() and pass -1 throughout.

Change the style of the english used to print accounting enabled
and disabled. This means no period at the end and changing
"Process accounting <foo>" to "Accounting <foo>".

Pointed out by: bde

Log process accounting activation/deactivation.
Useful for some auditing purposes.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>
PR: kern/54529

Use __FBSDID().

Instead of recording the Unix time in a process when it starts, record the
uptime. Where necessary, convert it back to Unix time by adding boottime
to it. This fixes a potential problem in the acco

Instead of recording the Unix time in a process when it starts, record the
uptime. Where necessary, convert it back to Unix time by adding boottime
to it. This fixes a potential problem in the accounting code, which would
compute the elapsed time incorrectly if the Unix time was stepped during
the lifetime of the process.

show more ...

Hold the proc lock across a wider range of fields that it protects.

Trim some trailing whitespace.

Remove the PL_SHAREMOD flag from struct plimit, which could have been
used to share resource limits between rfork threads, but never was.
Removing it makes resource limit locking much simpler -- only

Remove the PL_SHAREMOD flag from struct plimit, which could have been
used to share resource limits between rfork threads, but never was.
Removing it makes resource limit locking much simpler -- only the current
process can change the contents of the structure that p_limit points to.

show more ...

unwrap lines made short enough by SCARGS removal

remove syscallarg().

Suggested by: peter