Lines Matching full:rule
124 * 'rctl_rule_link' connects a rule with every racct it's related to.
125 * For example, rule 'user:X:openfiles:deny=N/process' is linked
218 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
219 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
331 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
338 switch (rule->rr_per) {
348 panic("%s: unknown per %d", __func__, rule->rr_per);
354 * hitting 'rule'.
357 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
365 racct = rctl_proc_rule_to_racct(p, rule);
366 available = rule->rr_amount - racct->r_resources[rule->rr_resource];
381 struct rctl_rule *rule;
391 rule = link->rrl_rule;
393 if (rule->rr_resource != resource)
395 if (rule->rr_action != RCTL_ACTION_THROTTLE)
398 if (rule->rr_amount < minavailable)
399 minavailable = rule->rr_amount;
407 * if we changed the rule lowering the allowed amount, it could
424 struct rctl_rule *rule;
435 rule = link->rrl_rule;
436 if (rule->rr_resource != RACCT_PCTCPU)
438 if (rule->rr_action != RCTL_ACTION_DENY)
440 available = rctl_available_resource(p, rule);
443 limit = rule->rr_amount;
498 struct rctl_rule *rule;
510 * There may be more than one matching rule; go through all of them.
514 rule = link->rrl_rule;
515 if (rule->rr_resource != resource)
518 available = rctl_available_resource(p, rule);
524 switch (rule->rr_action) {
540 * Ignore this rule for now; it will be processed just
556 rctl_rule_to_sbuf(&sb, rule);
558 printf("rctl: rule \"%s\" matched by pid %d "
583 sbuf_cat(&sb, "rule=");
584 rctl_rule_to_sbuf(&sb, rule);
589 devctl_notify("RCTL", "rule", "matched",
599 if (rule->rr_amount == 0) {
617 * rule->rr_amount;
625 if (sleep_ms < rctl_throttle_min * rule->rr_amount)
626 sleep_ms = rctl_throttle_min * rule->rr_amount;
633 * four times as much for hitting the same rule. The
638 sleep_ratio = -available / rule->rr_amount;
648 sleep_ms /= rule->rr_amount;
656 rule->rr_amount, (uintmax_t)sleep_ms,
671 KASSERT(rule->rr_action > 0 &&
672 rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
674 rule->rr_action));
680 kern_psignal(p, rule->rr_action);
700 struct rctl_rule *rule;
708 * There may be more than one matching rule; go through all of them.
712 rule = link->rrl_rule;
713 if (rule->rr_resource != resource)
715 if (rule->rr_action != RCTL_ACTION_DENY)
717 if (rule->rr_amount < amount)
718 amount = rule->rr_amount;
727 struct rctl_rule *rule;
737 * There may be more than one matching rule; go through all of them.
741 rule = link->rrl_rule;
742 if (rule->rr_resource != resource)
744 if (rule->rr_action != RCTL_ACTION_DENY)
746 available = rctl_available_resource(p, rule);
764 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
770 if (rule->rr_subject_type != filter->rr_subject_type)
776 rule->rr_subject.rs_proc !=
782 rule->rr_subject.rs_uip !=
788 rule->rr_subject.rs_loginclass !=
794 rule->rr_subject.rs_prison_racct !=
805 if (rule->rr_resource != filter->rr_resource)
810 if (rule->rr_action != filter->rr_action)
815 if (rule->rr_amount != filter->rr_amount)
820 if (rule->rr_per != filter->rr_per)
879 * Connect the rule to the racct, increasing refcount for the rule.
882 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
887 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
889 rctl_rule_acquire(rule);
891 link->rrl_rule = rule;
900 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
905 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
911 rctl_rule_acquire(rule);
912 link->rrl_rule = rule;
948 rctl_rule_acquire_subject(struct rctl_rule *rule)
953 switch (rule->rr_subject_type) {
958 if (rule->rr_subject.rs_prison_racct != NULL)
959 prison_racct_hold(rule->rr_subject.rs_prison_racct);
962 if (rule->rr_subject.rs_uip != NULL)
963 uihold(rule->rr_subject.rs_uip);
966 if (rule->rr_subject.rs_loginclass != NULL)
967 loginclass_hold(rule->rr_subject.rs_loginclass);
971 rule->rr_subject_type);
976 rctl_rule_release_subject(struct rctl_rule *rule)
981 switch (rule->rr_subject_type) {
986 if (rule->rr_subject.rs_prison_racct != NULL)
987 prison_racct_free(rule->rr_subject.rs_prison_racct);
990 if (rule->rr_subject.rs_uip != NULL)
991 uifree(rule->rr_subject.rs_uip);
994 if (rule->rr_subject.rs_loginclass != NULL)
995 loginclass_free(rule->rr_subject.rs_loginclass);
999 rule->rr_subject_type);
1006 struct rctl_rule *rule;
1010 rule = uma_zalloc(rctl_rule_zone, flags);
1011 if (rule == NULL)
1013 rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1014 rule->rr_subject.rs_proc = NULL;
1015 rule->rr_subject.rs_uip = NULL;
1016 rule->rr_subject.rs_loginclass = NULL;
1017 rule->rr_subject.rs_prison_racct = NULL;
1018 rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1019 rule->rr_resource = RACCT_UNDEFINED;
1020 rule->rr_action = RCTL_ACTION_UNDEFINED;
1021 rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1022 refcount_init(&rule->rr_refcount, 1);
1024 return (rule);
1028 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1037 copy->rr_subject_type = rule->rr_subject_type;
1038 copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1039 copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1040 copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1041 copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1042 copy->rr_per = rule->rr_per;
1043 copy->rr_resource = rule->rr_resource;
1044 copy->rr_action = rule->rr_action;
1045 copy->rr_amount = rule->rr_amount;
1053 rctl_rule_acquire(struct rctl_rule *rule)
1057 KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1059 refcount_acquire(&rule->rr_refcount);
1065 struct rctl_rule *rule;
1067 rule = (struct rctl_rule *)context;
1070 KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1073 * We don't need locking here; rule is guaranteed to be inaccessible.
1076 rctl_rule_release_subject(rule);
1077 uma_zfree(rctl_rule_zone, rule);
1081 rctl_rule_release(struct rctl_rule *rule)
1085 KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1087 if (refcount_release(&rule->rr_refcount)) {
1095 TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1096 taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1101 rctl_rule_fully_specified(const struct rctl_rule *rule)
1106 switch (rule->rr_subject_type) {
1110 if (rule->rr_subject.rs_proc == NULL)
1114 if (rule->rr_subject.rs_uip == NULL)
1118 if (rule->rr_subject.rs_loginclass == NULL)
1122 if (rule->rr_subject.rs_prison_racct == NULL)
1127 rule->rr_subject_type);
1129 if (rule->rr_resource == RACCT_UNDEFINED)
1131 if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1133 if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1135 if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1144 struct rctl_rule *rule;
1152 rule = rctl_rule_alloc(M_WAITOK);
1162 rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1164 error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1170 rule->rr_subject.rs_proc = NULL;
1171 rule->rr_subject.rs_uip = NULL;
1172 rule->rr_subject.rs_loginclass = NULL;
1173 rule->rr_subject.rs_prison_racct = NULL;
1175 switch (rule->rr_subject_type) {
1184 rule->rr_subject.rs_proc = pfind(id);
1185 if (rule->rr_subject.rs_proc == NULL) {
1189 PROC_UNLOCK(rule->rr_subject.rs_proc);
1195 rule->rr_subject.rs_uip = uifind(id);
1198 rule->rr_subject.rs_loginclass =
1200 if (rule->rr_subject.rs_loginclass == NULL) {
1206 rule->rr_subject.rs_prison_racct =
1208 if (rule->rr_subject.rs_prison_racct == NULL) {
1215 rule->rr_subject_type);
1220 rule->rr_resource = RACCT_UNDEFINED;
1222 error = str2value(resourcestr, &rule->rr_resource,
1229 rule->rr_action = RCTL_ACTION_UNDEFINED;
1231 error = str2value(actionstr, &rule->rr_action, actionnames);
1237 rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1239 error = str2int64(amountstr, &rule->rr_amount);
1242 if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1243 if (rule->rr_amount > INT64_MAX / 1000000) {
1247 rule->rr_amount *= 1000000;
1252 rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1254 error = str2value(perstr, &rule->rr_per, subjectnames);
1261 *rulep = rule;
1263 rctl_rule_release(rule);
1269 * Link a rule with all the subjects it applies to.
1272 rctl_rule_add(struct rctl_rule *rule)
1284 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1287 * Some rules just don't make sense, like "deny" rule for an undeniable
1292 if (rule->rr_action == RCTL_ACTION_DENY &&
1293 !RACCT_IS_DENIABLE(rule->rr_resource) &&
1294 rule->rr_resource != RACCT_RSS &&
1295 rule->rr_resource != RACCT_PCTCPU) {
1299 if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1300 !RACCT_IS_DECAYING(rule->rr_resource)) {
1304 if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1305 rule->rr_resource == RACCT_PCTCPU) {
1309 if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1310 RACCT_IS_SLOPPY(rule->rr_resource)) {
1318 if (rule->rr_action == RCTL_ACTION_DENY) {
1319 rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1324 rctl_rule_remove(rule);
1326 switch (rule->rr_subject_type) {
1328 p = rule->rr_subject.rs_proc;
1331 rctl_racct_add_rule(p->p_racct, rule);
1333 * In case of per-process rule, we don't have anything more
1339 uip = rule->rr_subject.rs_uip;
1341 rctl_racct_add_rule(uip->ui_racct, rule);
1345 lc = rule->rr_subject.rs_loginclass;
1347 rctl_racct_add_rule(lc->lc_racct, rule);
1351 prr = rule->rr_subject.rs_prison_racct;
1353 rctl_racct_add_rule(prr->prr_racct, rule);
1358 rule->rr_subject_type);
1362 * Now go through all the processes and add the new rule to the ones
1368 switch (rule->rr_subject_type) {
1370 if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1371 cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1375 if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1381 if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1391 rule->rr_subject_type);
1394 rctl_racct_add_rule(p->p_racct, rule);
1473 * Appends a rule to the sbuf.
1476 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1482 sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1484 switch (rule->rr_subject_type) {
1486 if (rule->rr_subject.rs_proc == NULL)
1490 rule->rr_subject.rs_proc->p_pid);
1493 if (rule->rr_subject.rs_uip == NULL)
1497 rule->rr_subject.rs_uip->ui_uid);
1500 if (rule->rr_subject.rs_loginclass == NULL)
1504 rule->rr_subject.rs_loginclass->lc_name);
1507 if (rule->rr_subject.rs_prison_racct == NULL)
1511 rule->rr_subject.rs_prison_racct->prr_name);
1515 rule->rr_subject_type);
1518 amount = rule->rr_amount;
1520 RACCT_IS_IN_MILLIONS(rule->rr_resource))
1524 rctl_resource_name(rule->rr_resource),
1525 rctl_action_name(rule->rr_action),
1528 if (rule->rr_per != rule->rr_subject_type)
1529 sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1876 struct rctl_rule *rule;
1892 error = rctl_string_to_rule(inputstr, &rule);
1899 * The 'per' part of a rule is optional.
1901 if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1902 rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1903 rule->rr_per = rule->rr_subject_type;
1905 if (!rctl_rule_fully_specified(rule)) {
1910 error = rctl_rule_add(rule);
1913 rctl_rule_release(rule);
1952 * Update RCTL rule list after credential change.
2057 * Free the old rule list.
2088 * Rule list changed while we were not holding the rctl_lock.
2108 struct rctl_rule *rule;
2126 rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2127 if (rule == NULL)
2129 KASSERT(rule->rr_subject.rs_proc == parent,
2130 ("rule->rr_subject.rs_proc != parent"));
2131 rule->rr_subject.rs_proc = child;
2133 rule);
2134 rctl_rule_release(rule);