xref: /freebsd/sys/kern/kern_rctl.c (revision 6829dae12bb055451fa467da4589c43bd03b1e64)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2010 The FreeBSD Foundation
5  * All rights reserved.
6  *
7  * This software was developed by Edward Tomasz Napierala under sponsorship
8  * from the FreeBSD Foundation.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
36 
37 #include <sys/param.h>
38 #include <sys/bus.h>
39 #include <sys/malloc.h>
40 #include <sys/queue.h>
41 #include <sys/refcount.h>
42 #include <sys/jail.h>
43 #include <sys/kernel.h>
44 #include <sys/limits.h>
45 #include <sys/loginclass.h>
46 #include <sys/priv.h>
47 #include <sys/proc.h>
48 #include <sys/racct.h>
49 #include <sys/rctl.h>
50 #include <sys/resourcevar.h>
51 #include <sys/sx.h>
52 #include <sys/sysent.h>
53 #include <sys/sysproto.h>
54 #include <sys/systm.h>
55 #include <sys/types.h>
56 #include <sys/eventhandler.h>
57 #include <sys/lock.h>
58 #include <sys/mutex.h>
59 #include <sys/rwlock.h>
60 #include <sys/sbuf.h>
61 #include <sys/taskqueue.h>
62 #include <sys/tree.h>
63 #include <vm/uma.h>
64 
65 #ifdef RCTL
66 #ifndef RACCT
67 #error "The RCTL option requires the RACCT option"
68 #endif
69 
70 FEATURE(rctl, "Resource Limits");
71 
72 #define	HRF_DEFAULT		0
73 #define	HRF_DONT_INHERIT	1
74 #define	HRF_DONT_ACCUMULATE	2
75 
76 #define	RCTL_MAX_INBUFSIZE	4 * 1024
77 #define	RCTL_MAX_OUTBUFSIZE	16 * 1024 * 1024
78 #define	RCTL_LOG_BUFSIZE	128
79 
80 #define	RCTL_PCPU_SHIFT		(10 * 1000000)
81 
82 static unsigned int rctl_maxbufsize = RCTL_MAX_OUTBUFSIZE;
83 static int rctl_log_rate_limit = 10;
84 static int rctl_devctl_rate_limit = 10;
85 
86 /*
87  * Values below are initialized in rctl_init().
88  */
89 static int rctl_throttle_min = -1;
90 static int rctl_throttle_max = -1;
91 static int rctl_throttle_pct = -1;
92 static int rctl_throttle_pct2 = -1;
93 
94 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS);
95 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS);
96 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS);
97 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS);
98 
99 SYSCTL_NODE(_kern_racct, OID_AUTO, rctl, CTLFLAG_RW, 0, "Resource Limits");
100 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, maxbufsize, CTLFLAG_RWTUN,
101     &rctl_maxbufsize, 0, "Maximum output buffer size");
102 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, log_rate_limit, CTLFLAG_RW,
103     &rctl_log_rate_limit, 0, "Maximum number of log messages per second");
104 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, devctl_rate_limit, CTLFLAG_RWTUN,
105     &rctl_devctl_rate_limit, 0, "Maximum number of devctl messages per second");
106 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_min,
107     CTLTYPE_UINT | CTLFLAG_RWTUN, 0, 0, &rctl_throttle_min_sysctl, "IU",
108     "Shortest throttling duration, in hz");
109 TUNABLE_INT("kern.racct.rctl.throttle_min", &rctl_throttle_min);
110 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_max,
111     CTLTYPE_UINT | CTLFLAG_RWTUN, 0, 0, &rctl_throttle_max_sysctl, "IU",
112     "Longest throttling duration, in hz");
113 TUNABLE_INT("kern.racct.rctl.throttle_max", &rctl_throttle_max);
114 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct,
115     CTLTYPE_UINT | CTLFLAG_RWTUN, 0, 0, &rctl_throttle_pct_sysctl, "IU",
116     "Throttling penalty for process consumption, in percent");
117 TUNABLE_INT("kern.racct.rctl.throttle_pct", &rctl_throttle_pct);
118 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct2,
119     CTLTYPE_UINT | CTLFLAG_RWTUN, 0, 0, &rctl_throttle_pct2_sysctl, "IU",
120     "Throttling penalty for container consumption, in percent");
121 TUNABLE_INT("kern.racct.rctl.throttle_pct2", &rctl_throttle_pct2);
122 
123 /*
124  * 'rctl_rule_link' connects a rule with every racct it's related to.
125  * For example, rule 'user:X:openfiles:deny=N/process' is linked
126  * with uidinfo for user X, and to each process of that user.
127  */
128 struct rctl_rule_link {
129 	LIST_ENTRY(rctl_rule_link)	rrl_next;
130 	struct rctl_rule		*rrl_rule;
131 	int				rrl_exceeded;
132 };
133 
134 struct dict {
135 	const char	*d_name;
136 	int		d_value;
137 };
138 
139 static struct dict subjectnames[] = {
140 	{ "process", RCTL_SUBJECT_TYPE_PROCESS },
141 	{ "user", RCTL_SUBJECT_TYPE_USER },
142 	{ "loginclass", RCTL_SUBJECT_TYPE_LOGINCLASS },
143 	{ "jail", RCTL_SUBJECT_TYPE_JAIL },
144 	{ NULL, -1 }};
145 
146 static struct dict resourcenames[] = {
147 	{ "cputime", RACCT_CPU },
148 	{ "datasize", RACCT_DATA },
149 	{ "stacksize", RACCT_STACK },
150 	{ "coredumpsize", RACCT_CORE },
151 	{ "memoryuse", RACCT_RSS },
152 	{ "memorylocked", RACCT_MEMLOCK },
153 	{ "maxproc", RACCT_NPROC },
154 	{ "openfiles", RACCT_NOFILE },
155 	{ "vmemoryuse", RACCT_VMEM },
156 	{ "pseudoterminals", RACCT_NPTS },
157 	{ "swapuse", RACCT_SWAP },
158 	{ "nthr", RACCT_NTHR },
159 	{ "msgqqueued", RACCT_MSGQQUEUED },
160 	{ "msgqsize", RACCT_MSGQSIZE },
161 	{ "nmsgq", RACCT_NMSGQ },
162 	{ "nsem", RACCT_NSEM },
163 	{ "nsemop", RACCT_NSEMOP },
164 	{ "nshm", RACCT_NSHM },
165 	{ "shmsize", RACCT_SHMSIZE },
166 	{ "wallclock", RACCT_WALLCLOCK },
167 	{ "pcpu", RACCT_PCTCPU },
168 	{ "readbps", RACCT_READBPS },
169 	{ "writebps", RACCT_WRITEBPS },
170 	{ "readiops", RACCT_READIOPS },
171 	{ "writeiops", RACCT_WRITEIOPS },
172 	{ NULL, -1 }};
173 
174 static struct dict actionnames[] = {
175 	{ "sighup", RCTL_ACTION_SIGHUP },
176 	{ "sigint", RCTL_ACTION_SIGINT },
177 	{ "sigquit", RCTL_ACTION_SIGQUIT },
178 	{ "sigill", RCTL_ACTION_SIGILL },
179 	{ "sigtrap", RCTL_ACTION_SIGTRAP },
180 	{ "sigabrt", RCTL_ACTION_SIGABRT },
181 	{ "sigemt", RCTL_ACTION_SIGEMT },
182 	{ "sigfpe", RCTL_ACTION_SIGFPE },
183 	{ "sigkill", RCTL_ACTION_SIGKILL },
184 	{ "sigbus", RCTL_ACTION_SIGBUS },
185 	{ "sigsegv", RCTL_ACTION_SIGSEGV },
186 	{ "sigsys", RCTL_ACTION_SIGSYS },
187 	{ "sigpipe", RCTL_ACTION_SIGPIPE },
188 	{ "sigalrm", RCTL_ACTION_SIGALRM },
189 	{ "sigterm", RCTL_ACTION_SIGTERM },
190 	{ "sigurg", RCTL_ACTION_SIGURG },
191 	{ "sigstop", RCTL_ACTION_SIGSTOP },
192 	{ "sigtstp", RCTL_ACTION_SIGTSTP },
193 	{ "sigchld", RCTL_ACTION_SIGCHLD },
194 	{ "sigttin", RCTL_ACTION_SIGTTIN },
195 	{ "sigttou", RCTL_ACTION_SIGTTOU },
196 	{ "sigio", RCTL_ACTION_SIGIO },
197 	{ "sigxcpu", RCTL_ACTION_SIGXCPU },
198 	{ "sigxfsz", RCTL_ACTION_SIGXFSZ },
199 	{ "sigvtalrm", RCTL_ACTION_SIGVTALRM },
200 	{ "sigprof", RCTL_ACTION_SIGPROF },
201 	{ "sigwinch", RCTL_ACTION_SIGWINCH },
202 	{ "siginfo", RCTL_ACTION_SIGINFO },
203 	{ "sigusr1", RCTL_ACTION_SIGUSR1 },
204 	{ "sigusr2", RCTL_ACTION_SIGUSR2 },
205 	{ "sigthr", RCTL_ACTION_SIGTHR },
206 	{ "deny", RCTL_ACTION_DENY },
207 	{ "log", RCTL_ACTION_LOG },
208 	{ "devctl", RCTL_ACTION_DEVCTL },
209 	{ "throttle", RCTL_ACTION_THROTTLE },
210 	{ NULL, -1 }};
211 
212 static void rctl_init(void);
213 SYSINIT(rctl, SI_SUB_RACCT, SI_ORDER_FIRST, rctl_init, NULL);
214 
215 static uma_zone_t rctl_rule_zone;
216 static uma_zone_t rctl_rule_link_zone;
217 
218 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
219 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
220 
221 static MALLOC_DEFINE(M_RCTL, "rctl", "Resource Limits");
222 
223 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS)
224 {
225 	int error, val = rctl_throttle_min;
226 
227 	error = sysctl_handle_int(oidp, &val, 0, req);
228 	if (error || !req->newptr)
229 		return (error);
230 	if (val < 1 || val > rctl_throttle_max)
231 		return (EINVAL);
232 
233 	RACCT_LOCK();
234 	rctl_throttle_min = val;
235 	RACCT_UNLOCK();
236 
237 	return (0);
238 }
239 
240 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS)
241 {
242 	int error, val = rctl_throttle_max;
243 
244 	error = sysctl_handle_int(oidp, &val, 0, req);
245 	if (error || !req->newptr)
246 		return (error);
247 	if (val < rctl_throttle_min)
248 		return (EINVAL);
249 
250 	RACCT_LOCK();
251 	rctl_throttle_max = val;
252 	RACCT_UNLOCK();
253 
254 	return (0);
255 }
256 
257 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS)
258 {
259 	int error, val = rctl_throttle_pct;
260 
261 	error = sysctl_handle_int(oidp, &val, 0, req);
262 	if (error || !req->newptr)
263 		return (error);
264 	if (val < 0)
265 		return (EINVAL);
266 
267 	RACCT_LOCK();
268 	rctl_throttle_pct = val;
269 	RACCT_UNLOCK();
270 
271 	return (0);
272 }
273 
274 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS)
275 {
276 	int error, val = rctl_throttle_pct2;
277 
278 	error = sysctl_handle_int(oidp, &val, 0, req);
279 	if (error || !req->newptr)
280 		return (error);
281 	if (val < 0)
282 		return (EINVAL);
283 
284 	RACCT_LOCK();
285 	rctl_throttle_pct2 = val;
286 	RACCT_UNLOCK();
287 
288 	return (0);
289 }
290 
291 static const char *
292 rctl_subject_type_name(int subject)
293 {
294 	int i;
295 
296 	for (i = 0; subjectnames[i].d_name != NULL; i++) {
297 		if (subjectnames[i].d_value == subject)
298 			return (subjectnames[i].d_name);
299 	}
300 
301 	panic("rctl_subject_type_name: unknown subject type %d", subject);
302 }
303 
304 static const char *
305 rctl_action_name(int action)
306 {
307 	int i;
308 
309 	for (i = 0; actionnames[i].d_name != NULL; i++) {
310 		if (actionnames[i].d_value == action)
311 			return (actionnames[i].d_name);
312 	}
313 
314 	panic("rctl_action_name: unknown action %d", action);
315 }
316 
317 const char *
318 rctl_resource_name(int resource)
319 {
320 	int i;
321 
322 	for (i = 0; resourcenames[i].d_name != NULL; i++) {
323 		if (resourcenames[i].d_value == resource)
324 			return (resourcenames[i].d_name);
325 	}
326 
327 	panic("rctl_resource_name: unknown resource %d", resource);
328 }
329 
330 static struct racct *
331 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
332 {
333 	struct ucred *cred = p->p_ucred;
334 
335 	ASSERT_RACCT_ENABLED();
336 	RACCT_LOCK_ASSERT();
337 
338 	switch (rule->rr_per) {
339 	case RCTL_SUBJECT_TYPE_PROCESS:
340 		return (p->p_racct);
341 	case RCTL_SUBJECT_TYPE_USER:
342 		return (cred->cr_ruidinfo->ui_racct);
343 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
344 		return (cred->cr_loginclass->lc_racct);
345 	case RCTL_SUBJECT_TYPE_JAIL:
346 		return (cred->cr_prison->pr_prison_racct->prr_racct);
347 	default:
348 		panic("%s: unknown per %d", __func__, rule->rr_per);
349 	}
350 }
351 
352 /*
353  * Return the amount of resource that can be allocated by 'p' before
354  * hitting 'rule'.
355  */
356 static int64_t
357 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
358 {
359 	const struct racct *racct;
360 	int64_t available;
361 
362 	ASSERT_RACCT_ENABLED();
363 	RACCT_LOCK_ASSERT();
364 
365 	racct = rctl_proc_rule_to_racct(p, rule);
366 	available = rule->rr_amount - racct->r_resources[rule->rr_resource];
367 
368 	return (available);
369 }
370 
371 /*
372  * Called every second for proc, uidinfo, loginclass, and jail containers.
373  * If the limit isn't exceeded, it decreases the usage amount to zero.
374  * Otherwise, it decreases it by the value of the limit.  This way
375  * resource consumption exceeding the limit "carries over" to the next
376  * period.
377  */
378 void
379 rctl_throttle_decay(struct racct *racct, int resource)
380 {
381 	struct rctl_rule *rule;
382 	struct rctl_rule_link *link;
383 	int64_t minavailable;
384 
385 	ASSERT_RACCT_ENABLED();
386 	RACCT_LOCK_ASSERT();
387 
388 	minavailable = INT64_MAX;
389 
390 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
391 		rule = link->rrl_rule;
392 
393 		if (rule->rr_resource != resource)
394 			continue;
395 		if (rule->rr_action != RCTL_ACTION_THROTTLE)
396 			continue;
397 
398 		if (rule->rr_amount < minavailable)
399 			minavailable = rule->rr_amount;
400 	}
401 
402 	if (racct->r_resources[resource] < minavailable) {
403 		racct->r_resources[resource] = 0;
404 	} else {
405 		/*
406 		 * Cap utilization counter at ten times the limit.  Otherwise,
407 		 * if we changed the rule lowering the allowed amount, it could
408 		 * take unreasonably long time for the accumulated resource
409 		 * usage to drop.
410 		 */
411 		if (racct->r_resources[resource] > minavailable * 10)
412 			racct->r_resources[resource] = minavailable * 10;
413 
414 		racct->r_resources[resource] -= minavailable;
415 	}
416 }
417 
418 /*
419  * Special version of rctl_get_available() for the %CPU resource.
420  * We slightly cheat here and return less than we normally would.
421  */
422 int64_t
423 rctl_pcpu_available(const struct proc *p) {
424 	struct rctl_rule *rule;
425 	struct rctl_rule_link *link;
426 	int64_t available, minavailable, limit;
427 
428 	ASSERT_RACCT_ENABLED();
429 	RACCT_LOCK_ASSERT();
430 
431 	minavailable = INT64_MAX;
432 	limit = 0;
433 
434 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
435 		rule = link->rrl_rule;
436 		if (rule->rr_resource != RACCT_PCTCPU)
437 			continue;
438 		if (rule->rr_action != RCTL_ACTION_DENY)
439 			continue;
440 		available = rctl_available_resource(p, rule);
441 		if (available < minavailable) {
442 			minavailable = available;
443 			limit = rule->rr_amount;
444 		}
445 	}
446 
447 	/*
448 	 * Return slightly less than actual value of the available
449 	 * %cpu resource.  This makes %cpu throttling more aggressive
450 	 * and lets us act sooner than the limits are already exceeded.
451 	 */
452 	if (limit != 0) {
453 		if (limit > 2 * RCTL_PCPU_SHIFT)
454 			minavailable -= RCTL_PCPU_SHIFT;
455 		else
456 			minavailable -= (limit / 2);
457 	}
458 
459 	return (minavailable);
460 }
461 
462 static uint64_t
463 xadd(uint64_t a, uint64_t b)
464 {
465 	uint64_t c;
466 
467 	c = a + b;
468 
469 	/*
470 	 * Detect overflow.
471 	 */
472 	if (c < a || c < b)
473 		return (UINT64_MAX);
474 
475 	return (c);
476 }
477 
478 static uint64_t
479 xmul(uint64_t a, uint64_t b)
480 {
481 
482 	if (b != 0 && a > UINT64_MAX / b)
483 		return (UINT64_MAX);
484 
485 	return (a * b);
486 }
487 
488 /*
489  * Check whether the proc 'p' can allocate 'amount' of 'resource' in addition
490  * to what it keeps allocated now.  Returns non-zero if the allocation should
491  * be denied, 0 otherwise.
492  */
493 int
494 rctl_enforce(struct proc *p, int resource, uint64_t amount)
495 {
496 	static struct timeval log_lasttime, devctl_lasttime;
497 	static int log_curtime = 0, devctl_curtime = 0;
498 	struct rctl_rule *rule;
499 	struct rctl_rule_link *link;
500 	struct sbuf sb;
501 	char *buf;
502 	int64_t available;
503 	uint64_t sleep_ms, sleep_ratio;
504 	int should_deny = 0;
505 
506 	ASSERT_RACCT_ENABLED();
507 	RACCT_LOCK_ASSERT();
508 
509 	/*
510 	 * There may be more than one matching rule; go through all of them.
511 	 * Denial should be done last, after logging and sending signals.
512 	 */
513 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
514 		rule = link->rrl_rule;
515 		if (rule->rr_resource != resource)
516 			continue;
517 
518 		available = rctl_available_resource(p, rule);
519 		if (available >= (int64_t)amount) {
520 			link->rrl_exceeded = 0;
521 			continue;
522 		}
523 
524 		switch (rule->rr_action) {
525 		case RCTL_ACTION_DENY:
526 			should_deny = 1;
527 			continue;
528 		case RCTL_ACTION_LOG:
529 			/*
530 			 * If rrl_exceeded != 0, it means we've already
531 			 * logged a warning for this process.
532 			 */
533 			if (link->rrl_exceeded != 0)
534 				continue;
535 
536 			/*
537 			 * If the process state is not fully initialized yet,
538 			 * we can't access most of the required fields, e.g.
539 			 * p->p_comm.  This happens when called from fork1().
540 			 * Ignore this rule for now; it will be processed just
541 			 * after fork, when called from racct_proc_fork_done().
542 			 */
543 			if (p->p_state != PRS_NORMAL)
544 				continue;
545 
546 			if (!ppsratecheck(&log_lasttime, &log_curtime,
547 			    rctl_log_rate_limit))
548 				continue;
549 
550 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
551 			if (buf == NULL) {
552 				printf("rctl_enforce: out of memory\n");
553 				continue;
554 			}
555 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
556 			rctl_rule_to_sbuf(&sb, rule);
557 			sbuf_finish(&sb);
558 			printf("rctl: rule \"%s\" matched by pid %d "
559 			    "(%s), uid %d, jail %s\n", sbuf_data(&sb),
560 			    p->p_pid, p->p_comm, p->p_ucred->cr_uid,
561 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
562 			sbuf_delete(&sb);
563 			free(buf, M_RCTL);
564 			link->rrl_exceeded = 1;
565 			continue;
566 		case RCTL_ACTION_DEVCTL:
567 			if (link->rrl_exceeded != 0)
568 				continue;
569 
570 			if (p->p_state != PRS_NORMAL)
571 				continue;
572 
573 			if (!ppsratecheck(&devctl_lasttime, &devctl_curtime,
574 			    rctl_devctl_rate_limit))
575 				continue;
576 
577 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
578 			if (buf == NULL) {
579 				printf("rctl_enforce: out of memory\n");
580 				continue;
581 			}
582 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
583 			sbuf_printf(&sb, "rule=");
584 			rctl_rule_to_sbuf(&sb, rule);
585 			sbuf_printf(&sb, " pid=%d ruid=%d jail=%s",
586 			    p->p_pid, p->p_ucred->cr_ruid,
587 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
588 			sbuf_finish(&sb);
589 			devctl_notify_f("RCTL", "rule", "matched",
590 			    sbuf_data(&sb), M_NOWAIT);
591 			sbuf_delete(&sb);
592 			free(buf, M_RCTL);
593 			link->rrl_exceeded = 1;
594 			continue;
595 		case RCTL_ACTION_THROTTLE:
596 			if (p->p_state != PRS_NORMAL)
597 				continue;
598 
599 			/*
600 			 * Make the process sleep for a fraction of second
601 			 * proportional to the ratio of process' resource
602 			 * utilization compared to the limit.  The point is
603 			 * to penalize resource hogs: processes that consume
604 			 * more of the available resources sleep for longer.
605 			 *
606 			 * We're trying to defer division until the very end,
607 			 * to minimize the rounding effects.  The following
608 			 * calculation could have been written in a clearer
609 			 * way like this:
610 			 *
611 			 * sleep_ms = hz * p->p_racct->r_resources[resource] /
612 			 *     rule->rr_amount;
613 			 * sleep_ms *= rctl_throttle_pct / 100;
614 			 * if (sleep_ms < rctl_throttle_min)
615 			 *         sleep_ms = rctl_throttle_min;
616 			 *
617 			 */
618 			sleep_ms = xmul(hz, p->p_racct->r_resources[resource]);
619 			sleep_ms = xmul(sleep_ms,  rctl_throttle_pct) / 100;
620 			if (sleep_ms < rctl_throttle_min * rule->rr_amount)
621 				sleep_ms = rctl_throttle_min * rule->rr_amount;
622 
623 			/*
624 			 * Multiply that by the ratio of the resource
625 			 * consumption for the container compared to the limit,
626 			 * squared.  In other words, a process in a container
627 			 * that is two times over the limit will be throttled
628 			 * four times as much for hitting the same rule.  The
629 			 * point is to penalize processes more if the container
630 			 * itself (eg certain UID or jail) is above the limit.
631 			 */
632 			if (available < 0)
633 				sleep_ratio = -available / rule->rr_amount;
634 			else
635 				sleep_ratio = 0;
636 			sleep_ratio = xmul(sleep_ratio, sleep_ratio);
637 			sleep_ratio = xmul(sleep_ratio, rctl_throttle_pct2) / 100;
638 			sleep_ms = xadd(sleep_ms, xmul(sleep_ms, sleep_ratio));
639 
640 			/*
641 			 * Finally the division.
642 			 */
643 			sleep_ms /= rule->rr_amount;
644 
645 			if (sleep_ms > rctl_throttle_max)
646 				sleep_ms = rctl_throttle_max;
647 #if 0
648 			printf("%s: pid %d (%s), %jd of %jd, will sleep for %ju ms (ratio %ju, available %jd)\n",
649 			   __func__, p->p_pid, p->p_comm,
650 			   p->p_racct->r_resources[resource],
651 			   rule->rr_amount, (uintmax_t)sleep_ms,
652 			   (uintmax_t)sleep_ratio, (intmax_t)available);
653 #endif
654 
655 			KASSERT(sleep_ms >= rctl_throttle_min, ("%s: %ju < %d\n",
656 			    __func__, (uintmax_t)sleep_ms, rctl_throttle_min));
657 			racct_proc_throttle(p, sleep_ms);
658 			continue;
659 		default:
660 			if (link->rrl_exceeded != 0)
661 				continue;
662 
663 			if (p->p_state != PRS_NORMAL)
664 				continue;
665 
666 			KASSERT(rule->rr_action > 0 &&
667 			    rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
668 			    ("rctl_enforce: unknown action %d",
669 			     rule->rr_action));
670 
671 			/*
672 			 * We're using the fact that RCTL_ACTION_SIG* values
673 			 * are equal to their counterparts from sys/signal.h.
674 			 */
675 			kern_psignal(p, rule->rr_action);
676 			link->rrl_exceeded = 1;
677 			continue;
678 		}
679 	}
680 
681 	if (should_deny) {
682 		/*
683 		 * Return fake error code; the caller should change it
684 		 * into one proper for the situation - EFSIZ, ENOMEM etc.
685 		 */
686 		return (EDOOFUS);
687 	}
688 
689 	return (0);
690 }
691 
692 uint64_t
693 rctl_get_limit(struct proc *p, int resource)
694 {
695 	struct rctl_rule *rule;
696 	struct rctl_rule_link *link;
697 	uint64_t amount = UINT64_MAX;
698 
699 	ASSERT_RACCT_ENABLED();
700 	RACCT_LOCK_ASSERT();
701 
702 	/*
703 	 * There may be more than one matching rule; go through all of them.
704 	 * Denial should be done last, after logging and sending signals.
705 	 */
706 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
707 		rule = link->rrl_rule;
708 		if (rule->rr_resource != resource)
709 			continue;
710 		if (rule->rr_action != RCTL_ACTION_DENY)
711 			continue;
712 		if (rule->rr_amount < amount)
713 			amount = rule->rr_amount;
714 	}
715 
716 	return (amount);
717 }
718 
719 uint64_t
720 rctl_get_available(struct proc *p, int resource)
721 {
722 	struct rctl_rule *rule;
723 	struct rctl_rule_link *link;
724 	int64_t available, minavailable, allocated;
725 
726 	minavailable = INT64_MAX;
727 
728 	ASSERT_RACCT_ENABLED();
729 	RACCT_LOCK_ASSERT();
730 
731 	/*
732 	 * There may be more than one matching rule; go through all of them.
733 	 * Denial should be done last, after logging and sending signals.
734 	 */
735 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
736 		rule = link->rrl_rule;
737 		if (rule->rr_resource != resource)
738 			continue;
739 		if (rule->rr_action != RCTL_ACTION_DENY)
740 			continue;
741 		available = rctl_available_resource(p, rule);
742 		if (available < minavailable)
743 			minavailable = available;
744 	}
745 
746 	/*
747 	 * XXX: Think about this _hard_.
748 	 */
749 	allocated = p->p_racct->r_resources[resource];
750 	if (minavailable < INT64_MAX - allocated)
751 		minavailable += allocated;
752 	if (minavailable < 0)
753 		minavailable = 0;
754 
755 	return (minavailable);
756 }
757 
758 static int
759 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
760 {
761 
762 	ASSERT_RACCT_ENABLED();
763 
764 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED) {
765 		if (rule->rr_subject_type != filter->rr_subject_type)
766 			return (0);
767 
768 		switch (filter->rr_subject_type) {
769 		case RCTL_SUBJECT_TYPE_PROCESS:
770 			if (filter->rr_subject.rs_proc != NULL &&
771 			    rule->rr_subject.rs_proc !=
772 			    filter->rr_subject.rs_proc)
773 				return (0);
774 			break;
775 		case RCTL_SUBJECT_TYPE_USER:
776 			if (filter->rr_subject.rs_uip != NULL &&
777 			    rule->rr_subject.rs_uip !=
778 			    filter->rr_subject.rs_uip)
779 				return (0);
780 			break;
781 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
782 			if (filter->rr_subject.rs_loginclass != NULL &&
783 			    rule->rr_subject.rs_loginclass !=
784 			    filter->rr_subject.rs_loginclass)
785 				return (0);
786 			break;
787 		case RCTL_SUBJECT_TYPE_JAIL:
788 			if (filter->rr_subject.rs_prison_racct != NULL &&
789 			    rule->rr_subject.rs_prison_racct !=
790 			    filter->rr_subject.rs_prison_racct)
791 				return (0);
792 			break;
793 		default:
794 			panic("rctl_rule_matches: unknown subject type %d",
795 			    filter->rr_subject_type);
796 		}
797 	}
798 
799 	if (filter->rr_resource != RACCT_UNDEFINED) {
800 		if (rule->rr_resource != filter->rr_resource)
801 			return (0);
802 	}
803 
804 	if (filter->rr_action != RCTL_ACTION_UNDEFINED) {
805 		if (rule->rr_action != filter->rr_action)
806 			return (0);
807 	}
808 
809 	if (filter->rr_amount != RCTL_AMOUNT_UNDEFINED) {
810 		if (rule->rr_amount != filter->rr_amount)
811 			return (0);
812 	}
813 
814 	if (filter->rr_per != RCTL_SUBJECT_TYPE_UNDEFINED) {
815 		if (rule->rr_per != filter->rr_per)
816 			return (0);
817 	}
818 
819 	return (1);
820 }
821 
822 static int
823 str2value(const char *str, int *value, struct dict *table)
824 {
825 	int i;
826 
827 	if (value == NULL)
828 		return (EINVAL);
829 
830 	for (i = 0; table[i].d_name != NULL; i++) {
831 		if (strcasecmp(table[i].d_name, str) == 0) {
832 			*value =  table[i].d_value;
833 			return (0);
834 		}
835 	}
836 
837 	return (EINVAL);
838 }
839 
840 static int
841 str2id(const char *str, id_t *value)
842 {
843 	char *end;
844 
845 	if (str == NULL)
846 		return (EINVAL);
847 
848 	*value = strtoul(str, &end, 10);
849 	if ((size_t)(end - str) != strlen(str))
850 		return (EINVAL);
851 
852 	return (0);
853 }
854 
855 static int
856 str2int64(const char *str, int64_t *value)
857 {
858 	char *end;
859 
860 	if (str == NULL)
861 		return (EINVAL);
862 
863 	*value = strtoul(str, &end, 10);
864 	if ((size_t)(end - str) != strlen(str))
865 		return (EINVAL);
866 
867 	if (*value < 0)
868 		return (ERANGE);
869 
870 	return (0);
871 }
872 
873 /*
874  * Connect the rule to the racct, increasing refcount for the rule.
875  */
876 static void
877 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
878 {
879 	struct rctl_rule_link *link;
880 
881 	ASSERT_RACCT_ENABLED();
882 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
883 
884 	rctl_rule_acquire(rule);
885 	link = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
886 	link->rrl_rule = rule;
887 	link->rrl_exceeded = 0;
888 
889 	RACCT_LOCK();
890 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
891 	RACCT_UNLOCK();
892 }
893 
894 static int
895 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
896 {
897 	struct rctl_rule_link *link;
898 
899 	ASSERT_RACCT_ENABLED();
900 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
901 	RACCT_LOCK_ASSERT();
902 
903 	link = uma_zalloc(rctl_rule_link_zone, M_NOWAIT);
904 	if (link == NULL)
905 		return (ENOMEM);
906 	rctl_rule_acquire(rule);
907 	link->rrl_rule = rule;
908 	link->rrl_exceeded = 0;
909 
910 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
911 
912 	return (0);
913 }
914 
915 /*
916  * Remove limits for a rules matching the filter and release
917  * the refcounts for the rules, possibly freeing them.  Returns
918  * the number of limit structures removed.
919  */
920 static int
921 rctl_racct_remove_rules(struct racct *racct,
922     const struct rctl_rule *filter)
923 {
924 	struct rctl_rule_link *link, *linktmp;
925 	int removed = 0;
926 
927 	ASSERT_RACCT_ENABLED();
928 	RACCT_LOCK_ASSERT();
929 
930 	LIST_FOREACH_SAFE(link, &racct->r_rule_links, rrl_next, linktmp) {
931 		if (!rctl_rule_matches(link->rrl_rule, filter))
932 			continue;
933 
934 		LIST_REMOVE(link, rrl_next);
935 		rctl_rule_release(link->rrl_rule);
936 		uma_zfree(rctl_rule_link_zone, link);
937 		removed++;
938 	}
939 	return (removed);
940 }
941 
942 static void
943 rctl_rule_acquire_subject(struct rctl_rule *rule)
944 {
945 
946 	ASSERT_RACCT_ENABLED();
947 
948 	switch (rule->rr_subject_type) {
949 	case RCTL_SUBJECT_TYPE_UNDEFINED:
950 	case RCTL_SUBJECT_TYPE_PROCESS:
951 		break;
952 	case RCTL_SUBJECT_TYPE_JAIL:
953 		if (rule->rr_subject.rs_prison_racct != NULL)
954 			prison_racct_hold(rule->rr_subject.rs_prison_racct);
955 		break;
956 	case RCTL_SUBJECT_TYPE_USER:
957 		if (rule->rr_subject.rs_uip != NULL)
958 			uihold(rule->rr_subject.rs_uip);
959 		break;
960 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
961 		if (rule->rr_subject.rs_loginclass != NULL)
962 			loginclass_hold(rule->rr_subject.rs_loginclass);
963 		break;
964 	default:
965 		panic("rctl_rule_acquire_subject: unknown subject type %d",
966 		    rule->rr_subject_type);
967 	}
968 }
969 
970 static void
971 rctl_rule_release_subject(struct rctl_rule *rule)
972 {
973 
974 	ASSERT_RACCT_ENABLED();
975 
976 	switch (rule->rr_subject_type) {
977 	case RCTL_SUBJECT_TYPE_UNDEFINED:
978 	case RCTL_SUBJECT_TYPE_PROCESS:
979 		break;
980 	case RCTL_SUBJECT_TYPE_JAIL:
981 		if (rule->rr_subject.rs_prison_racct != NULL)
982 			prison_racct_free(rule->rr_subject.rs_prison_racct);
983 		break;
984 	case RCTL_SUBJECT_TYPE_USER:
985 		if (rule->rr_subject.rs_uip != NULL)
986 			uifree(rule->rr_subject.rs_uip);
987 		break;
988 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
989 		if (rule->rr_subject.rs_loginclass != NULL)
990 			loginclass_free(rule->rr_subject.rs_loginclass);
991 		break;
992 	default:
993 		panic("rctl_rule_release_subject: unknown subject type %d",
994 		    rule->rr_subject_type);
995 	}
996 }
997 
998 struct rctl_rule *
999 rctl_rule_alloc(int flags)
1000 {
1001 	struct rctl_rule *rule;
1002 
1003 	ASSERT_RACCT_ENABLED();
1004 
1005 	rule = uma_zalloc(rctl_rule_zone, flags);
1006 	if (rule == NULL)
1007 		return (NULL);
1008 	rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1009 	rule->rr_subject.rs_proc = NULL;
1010 	rule->rr_subject.rs_uip = NULL;
1011 	rule->rr_subject.rs_loginclass = NULL;
1012 	rule->rr_subject.rs_prison_racct = NULL;
1013 	rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1014 	rule->rr_resource = RACCT_UNDEFINED;
1015 	rule->rr_action = RCTL_ACTION_UNDEFINED;
1016 	rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1017 	refcount_init(&rule->rr_refcount, 1);
1018 
1019 	return (rule);
1020 }
1021 
1022 struct rctl_rule *
1023 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1024 {
1025 	struct rctl_rule *copy;
1026 
1027 	ASSERT_RACCT_ENABLED();
1028 
1029 	copy = uma_zalloc(rctl_rule_zone, flags);
1030 	if (copy == NULL)
1031 		return (NULL);
1032 	copy->rr_subject_type = rule->rr_subject_type;
1033 	copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1034 	copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1035 	copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1036 	copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1037 	copy->rr_per = rule->rr_per;
1038 	copy->rr_resource = rule->rr_resource;
1039 	copy->rr_action = rule->rr_action;
1040 	copy->rr_amount = rule->rr_amount;
1041 	refcount_init(&copy->rr_refcount, 1);
1042 	rctl_rule_acquire_subject(copy);
1043 
1044 	return (copy);
1045 }
1046 
1047 void
1048 rctl_rule_acquire(struct rctl_rule *rule)
1049 {
1050 
1051 	ASSERT_RACCT_ENABLED();
1052 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1053 
1054 	refcount_acquire(&rule->rr_refcount);
1055 }
1056 
1057 static void
1058 rctl_rule_free(void *context, int pending)
1059 {
1060 	struct rctl_rule *rule;
1061 
1062 	rule = (struct rctl_rule *)context;
1063 
1064 	ASSERT_RACCT_ENABLED();
1065 	KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1066 
1067 	/*
1068 	 * We don't need locking here; rule is guaranteed to be inaccessible.
1069 	 */
1070 
1071 	rctl_rule_release_subject(rule);
1072 	uma_zfree(rctl_rule_zone, rule);
1073 }
1074 
1075 void
1076 rctl_rule_release(struct rctl_rule *rule)
1077 {
1078 
1079 	ASSERT_RACCT_ENABLED();
1080 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1081 
1082 	if (refcount_release(&rule->rr_refcount)) {
1083 		/*
1084 		 * rctl_rule_release() is often called when iterating
1085 		 * over all the uidinfo structures in the system,
1086 		 * holding uihashtbl_lock.  Since rctl_rule_free()
1087 		 * might end up calling uifree(), this would lead
1088 		 * to lock recursion.  Use taskqueue to avoid this.
1089 		 */
1090 		TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1091 		taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1092 	}
1093 }
1094 
1095 static int
1096 rctl_rule_fully_specified(const struct rctl_rule *rule)
1097 {
1098 
1099 	ASSERT_RACCT_ENABLED();
1100 
1101 	switch (rule->rr_subject_type) {
1102 	case RCTL_SUBJECT_TYPE_UNDEFINED:
1103 		return (0);
1104 	case RCTL_SUBJECT_TYPE_PROCESS:
1105 		if (rule->rr_subject.rs_proc == NULL)
1106 			return (0);
1107 		break;
1108 	case RCTL_SUBJECT_TYPE_USER:
1109 		if (rule->rr_subject.rs_uip == NULL)
1110 			return (0);
1111 		break;
1112 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1113 		if (rule->rr_subject.rs_loginclass == NULL)
1114 			return (0);
1115 		break;
1116 	case RCTL_SUBJECT_TYPE_JAIL:
1117 		if (rule->rr_subject.rs_prison_racct == NULL)
1118 			return (0);
1119 		break;
1120 	default:
1121 		panic("rctl_rule_fully_specified: unknown subject type %d",
1122 		    rule->rr_subject_type);
1123 	}
1124 	if (rule->rr_resource == RACCT_UNDEFINED)
1125 		return (0);
1126 	if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1127 		return (0);
1128 	if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1129 		return (0);
1130 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1131 		return (0);
1132 
1133 	return (1);
1134 }
1135 
1136 static int
1137 rctl_string_to_rule(char *rulestr, struct rctl_rule **rulep)
1138 {
1139 	struct rctl_rule *rule;
1140 	char *subjectstr, *subject_idstr, *resourcestr, *actionstr,
1141 	     *amountstr, *perstr;
1142 	id_t id;
1143 	int error = 0;
1144 
1145 	ASSERT_RACCT_ENABLED();
1146 
1147 	rule = rctl_rule_alloc(M_WAITOK);
1148 
1149 	subjectstr = strsep(&rulestr, ":");
1150 	subject_idstr = strsep(&rulestr, ":");
1151 	resourcestr = strsep(&rulestr, ":");
1152 	actionstr = strsep(&rulestr, "=/");
1153 	amountstr = strsep(&rulestr, "/");
1154 	perstr = rulestr;
1155 
1156 	if (subjectstr == NULL || subjectstr[0] == '\0')
1157 		rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1158 	else {
1159 		error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1160 		if (error != 0)
1161 			goto out;
1162 	}
1163 
1164 	if (subject_idstr == NULL || subject_idstr[0] == '\0') {
1165 		rule->rr_subject.rs_proc = NULL;
1166 		rule->rr_subject.rs_uip = NULL;
1167 		rule->rr_subject.rs_loginclass = NULL;
1168 		rule->rr_subject.rs_prison_racct = NULL;
1169 	} else {
1170 		switch (rule->rr_subject_type) {
1171 		case RCTL_SUBJECT_TYPE_UNDEFINED:
1172 			error = EINVAL;
1173 			goto out;
1174 		case RCTL_SUBJECT_TYPE_PROCESS:
1175 			error = str2id(subject_idstr, &id);
1176 			if (error != 0)
1177 				goto out;
1178 			sx_assert(&allproc_lock, SA_LOCKED);
1179 			rule->rr_subject.rs_proc = pfind(id);
1180 			if (rule->rr_subject.rs_proc == NULL) {
1181 				error = ESRCH;
1182 				goto out;
1183 			}
1184 			PROC_UNLOCK(rule->rr_subject.rs_proc);
1185 			break;
1186 		case RCTL_SUBJECT_TYPE_USER:
1187 			error = str2id(subject_idstr, &id);
1188 			if (error != 0)
1189 				goto out;
1190 			rule->rr_subject.rs_uip = uifind(id);
1191 			break;
1192 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1193 			rule->rr_subject.rs_loginclass =
1194 			    loginclass_find(subject_idstr);
1195 			if (rule->rr_subject.rs_loginclass == NULL) {
1196 				error = ENAMETOOLONG;
1197 				goto out;
1198 			}
1199 			break;
1200 		case RCTL_SUBJECT_TYPE_JAIL:
1201 			rule->rr_subject.rs_prison_racct =
1202 			    prison_racct_find(subject_idstr);
1203 			if (rule->rr_subject.rs_prison_racct == NULL) {
1204 				error = ENAMETOOLONG;
1205 				goto out;
1206 			}
1207 			break;
1208                default:
1209                        panic("rctl_string_to_rule: unknown subject type %d",
1210                            rule->rr_subject_type);
1211                }
1212 	}
1213 
1214 	if (resourcestr == NULL || resourcestr[0] == '\0')
1215 		rule->rr_resource = RACCT_UNDEFINED;
1216 	else {
1217 		error = str2value(resourcestr, &rule->rr_resource,
1218 		    resourcenames);
1219 		if (error != 0)
1220 			goto out;
1221 	}
1222 
1223 	if (actionstr == NULL || actionstr[0] == '\0')
1224 		rule->rr_action = RCTL_ACTION_UNDEFINED;
1225 	else {
1226 		error = str2value(actionstr, &rule->rr_action, actionnames);
1227 		if (error != 0)
1228 			goto out;
1229 	}
1230 
1231 	if (amountstr == NULL || amountstr[0] == '\0')
1232 		rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1233 	else {
1234 		error = str2int64(amountstr, &rule->rr_amount);
1235 		if (error != 0)
1236 			goto out;
1237 		if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1238 			if (rule->rr_amount > INT64_MAX / 1000000) {
1239 				error = ERANGE;
1240 				goto out;
1241 			}
1242 			rule->rr_amount *= 1000000;
1243 		}
1244 	}
1245 
1246 	if (perstr == NULL || perstr[0] == '\0')
1247 		rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1248 	else {
1249 		error = str2value(perstr, &rule->rr_per, subjectnames);
1250 		if (error != 0)
1251 			goto out;
1252 	}
1253 
1254 out:
1255 	if (error == 0)
1256 		*rulep = rule;
1257 	else
1258 		rctl_rule_release(rule);
1259 
1260 	return (error);
1261 }
1262 
1263 /*
1264  * Link a rule with all the subjects it applies to.
1265  */
1266 int
1267 rctl_rule_add(struct rctl_rule *rule)
1268 {
1269 	struct proc *p;
1270 	struct ucred *cred;
1271 	struct uidinfo *uip;
1272 	struct prison *pr;
1273 	struct prison_racct *prr;
1274 	struct loginclass *lc;
1275 	struct rctl_rule *rule2;
1276 	int match;
1277 
1278 	ASSERT_RACCT_ENABLED();
1279 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1280 
1281 	/*
1282 	 * Some rules just don't make sense, like "deny" rule for an undeniable
1283 	 * resource.  The exception are the RSS and %CPU resources - they are
1284 	 * not deniable in the racct sense, but the limit is enforced in
1285 	 * a different way.
1286 	 */
1287 	if (rule->rr_action == RCTL_ACTION_DENY &&
1288 	    !RACCT_IS_DENIABLE(rule->rr_resource) &&
1289 	    rule->rr_resource != RACCT_RSS &&
1290 	    rule->rr_resource != RACCT_PCTCPU) {
1291 		return (EOPNOTSUPP);
1292 	}
1293 
1294 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1295 	    !RACCT_IS_DECAYING(rule->rr_resource)) {
1296 		return (EOPNOTSUPP);
1297 	}
1298 
1299 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1300 	    rule->rr_resource == RACCT_PCTCPU) {
1301 		return (EOPNOTSUPP);
1302 	}
1303 
1304 	if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1305 	    RACCT_IS_SLOPPY(rule->rr_resource)) {
1306 		return (EOPNOTSUPP);
1307 	}
1308 
1309 	/*
1310 	 * Make sure there are no duplicated rules.  Also, for the "deny"
1311 	 * rules, remove ones differing only by "amount".
1312 	 */
1313 	if (rule->rr_action == RCTL_ACTION_DENY) {
1314 		rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1315 		rule2->rr_amount = RCTL_AMOUNT_UNDEFINED;
1316 		rctl_rule_remove(rule2);
1317 		rctl_rule_release(rule2);
1318 	} else
1319 		rctl_rule_remove(rule);
1320 
1321 	switch (rule->rr_subject_type) {
1322 	case RCTL_SUBJECT_TYPE_PROCESS:
1323 		p = rule->rr_subject.rs_proc;
1324 		KASSERT(p != NULL, ("rctl_rule_add: NULL proc"));
1325 
1326 		rctl_racct_add_rule(p->p_racct, rule);
1327 		/*
1328 		 * In case of per-process rule, we don't have anything more
1329 		 * to do.
1330 		 */
1331 		return (0);
1332 
1333 	case RCTL_SUBJECT_TYPE_USER:
1334 		uip = rule->rr_subject.rs_uip;
1335 		KASSERT(uip != NULL, ("rctl_rule_add: NULL uip"));
1336 		rctl_racct_add_rule(uip->ui_racct, rule);
1337 		break;
1338 
1339 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1340 		lc = rule->rr_subject.rs_loginclass;
1341 		KASSERT(lc != NULL, ("rctl_rule_add: NULL loginclass"));
1342 		rctl_racct_add_rule(lc->lc_racct, rule);
1343 		break;
1344 
1345 	case RCTL_SUBJECT_TYPE_JAIL:
1346 		prr = rule->rr_subject.rs_prison_racct;
1347 		KASSERT(prr != NULL, ("rctl_rule_add: NULL pr"));
1348 		rctl_racct_add_rule(prr->prr_racct, rule);
1349 		break;
1350 
1351 	default:
1352 		panic("rctl_rule_add: unknown subject type %d",
1353 		    rule->rr_subject_type);
1354 	}
1355 
1356 	/*
1357 	 * Now go through all the processes and add the new rule to the ones
1358 	 * it applies to.
1359 	 */
1360 	sx_assert(&allproc_lock, SA_LOCKED);
1361 	FOREACH_PROC_IN_SYSTEM(p) {
1362 		cred = p->p_ucred;
1363 		switch (rule->rr_subject_type) {
1364 		case RCTL_SUBJECT_TYPE_USER:
1365 			if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1366 			    cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1367 				break;
1368 			continue;
1369 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1370 			if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1371 				break;
1372 			continue;
1373 		case RCTL_SUBJECT_TYPE_JAIL:
1374 			match = 0;
1375 			for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
1376 				if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1377 					match = 1;
1378 					break;
1379 				}
1380 			}
1381 			if (match)
1382 				break;
1383 			continue;
1384 		default:
1385 			panic("rctl_rule_add: unknown subject type %d",
1386 			    rule->rr_subject_type);
1387 		}
1388 
1389 		rctl_racct_add_rule(p->p_racct, rule);
1390 	}
1391 
1392 	return (0);
1393 }
1394 
1395 static void
1396 rctl_rule_pre_callback(void)
1397 {
1398 
1399 	RACCT_LOCK();
1400 }
1401 
1402 static void
1403 rctl_rule_post_callback(void)
1404 {
1405 
1406 	RACCT_UNLOCK();
1407 }
1408 
1409 static void
1410 rctl_rule_remove_callback(struct racct *racct, void *arg2, void *arg3)
1411 {
1412 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1413 	int found = 0;
1414 
1415 	ASSERT_RACCT_ENABLED();
1416 	RACCT_LOCK_ASSERT();
1417 
1418 	found += rctl_racct_remove_rules(racct, filter);
1419 
1420 	*((int *)arg3) += found;
1421 }
1422 
1423 /*
1424  * Remove all rules that match the filter.
1425  */
1426 int
1427 rctl_rule_remove(struct rctl_rule *filter)
1428 {
1429 	struct proc *p;
1430 	int found = 0;
1431 
1432 	ASSERT_RACCT_ENABLED();
1433 
1434 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_PROCESS &&
1435 	    filter->rr_subject.rs_proc != NULL) {
1436 		p = filter->rr_subject.rs_proc;
1437 		RACCT_LOCK();
1438 		found = rctl_racct_remove_rules(p->p_racct, filter);
1439 		RACCT_UNLOCK();
1440 		if (found)
1441 			return (0);
1442 		return (ESRCH);
1443 	}
1444 
1445 	loginclass_racct_foreach(rctl_rule_remove_callback,
1446 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1447 	    filter, (void *)&found);
1448 	ui_racct_foreach(rctl_rule_remove_callback,
1449 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1450 	    filter, (void *)&found);
1451 	prison_racct_foreach(rctl_rule_remove_callback,
1452 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1453 	    filter, (void *)&found);
1454 
1455 	sx_assert(&allproc_lock, SA_LOCKED);
1456 	RACCT_LOCK();
1457 	FOREACH_PROC_IN_SYSTEM(p) {
1458 		found += rctl_racct_remove_rules(p->p_racct, filter);
1459 	}
1460 	RACCT_UNLOCK();
1461 
1462 	if (found)
1463 		return (0);
1464 	return (ESRCH);
1465 }
1466 
1467 /*
1468  * Appends a rule to the sbuf.
1469  */
1470 static void
1471 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1472 {
1473 	int64_t amount;
1474 
1475 	ASSERT_RACCT_ENABLED();
1476 
1477 	sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1478 
1479 	switch (rule->rr_subject_type) {
1480 	case RCTL_SUBJECT_TYPE_PROCESS:
1481 		if (rule->rr_subject.rs_proc == NULL)
1482 			sbuf_printf(sb, ":");
1483 		else
1484 			sbuf_printf(sb, "%d:",
1485 			    rule->rr_subject.rs_proc->p_pid);
1486 		break;
1487 	case RCTL_SUBJECT_TYPE_USER:
1488 		if (rule->rr_subject.rs_uip == NULL)
1489 			sbuf_printf(sb, ":");
1490 		else
1491 			sbuf_printf(sb, "%d:",
1492 			    rule->rr_subject.rs_uip->ui_uid);
1493 		break;
1494 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1495 		if (rule->rr_subject.rs_loginclass == NULL)
1496 			sbuf_printf(sb, ":");
1497 		else
1498 			sbuf_printf(sb, "%s:",
1499 			    rule->rr_subject.rs_loginclass->lc_name);
1500 		break;
1501 	case RCTL_SUBJECT_TYPE_JAIL:
1502 		if (rule->rr_subject.rs_prison_racct == NULL)
1503 			sbuf_printf(sb, ":");
1504 		else
1505 			sbuf_printf(sb, "%s:",
1506 			    rule->rr_subject.rs_prison_racct->prr_name);
1507 		break;
1508 	default:
1509 		panic("rctl_rule_to_sbuf: unknown subject type %d",
1510 		    rule->rr_subject_type);
1511 	}
1512 
1513 	amount = rule->rr_amount;
1514 	if (amount != RCTL_AMOUNT_UNDEFINED &&
1515 	    RACCT_IS_IN_MILLIONS(rule->rr_resource))
1516 		amount /= 1000000;
1517 
1518 	sbuf_printf(sb, "%s:%s=%jd",
1519 	    rctl_resource_name(rule->rr_resource),
1520 	    rctl_action_name(rule->rr_action),
1521 	    amount);
1522 
1523 	if (rule->rr_per != rule->rr_subject_type)
1524 		sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1525 }
1526 
1527 /*
1528  * Routine used by RCTL syscalls to read in input string.
1529  */
1530 static int
1531 rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
1532 {
1533 	char *str;
1534 	int error;
1535 
1536 	ASSERT_RACCT_ENABLED();
1537 
1538 	if (inbuflen <= 0)
1539 		return (EINVAL);
1540 	if (inbuflen > RCTL_MAX_INBUFSIZE)
1541 		return (E2BIG);
1542 
1543 	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
1544 	error = copyinstr(inbufp, str, inbuflen, NULL);
1545 	if (error != 0) {
1546 		free(str, M_RCTL);
1547 		return (error);
1548 	}
1549 
1550 	*inputstr = str;
1551 
1552 	return (0);
1553 }
1554 
1555 /*
1556  * Routine used by RCTL syscalls to write out output string.
1557  */
1558 static int
1559 rctl_write_outbuf(struct sbuf *outputsbuf, char *outbufp, size_t outbuflen)
1560 {
1561 	int error;
1562 
1563 	ASSERT_RACCT_ENABLED();
1564 
1565 	if (outputsbuf == NULL)
1566 		return (0);
1567 
1568 	sbuf_finish(outputsbuf);
1569 	if (outbuflen < sbuf_len(outputsbuf) + 1) {
1570 		sbuf_delete(outputsbuf);
1571 		return (ERANGE);
1572 	}
1573 	error = copyout(sbuf_data(outputsbuf), outbufp,
1574 	    sbuf_len(outputsbuf) + 1);
1575 	sbuf_delete(outputsbuf);
1576 	return (error);
1577 }
1578 
1579 static struct sbuf *
1580 rctl_racct_to_sbuf(struct racct *racct, int sloppy)
1581 {
1582 	struct sbuf *sb;
1583 	int64_t amount;
1584 	int i;
1585 
1586 	ASSERT_RACCT_ENABLED();
1587 
1588 	sb = sbuf_new_auto();
1589 	for (i = 0; i <= RACCT_MAX; i++) {
1590 		if (sloppy == 0 && RACCT_IS_SLOPPY(i))
1591 			continue;
1592 		RACCT_LOCK();
1593 		amount = racct->r_resources[i];
1594 		RACCT_UNLOCK();
1595 		if (RACCT_IS_IN_MILLIONS(i))
1596 			amount /= 1000000;
1597 		sbuf_printf(sb, "%s=%jd,", rctl_resource_name(i), amount);
1598 	}
1599 	sbuf_setpos(sb, sbuf_len(sb) - 1);
1600 	return (sb);
1601 }
1602 
1603 int
1604 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
1605 {
1606 	struct rctl_rule *filter;
1607 	struct sbuf *outputsbuf = NULL;
1608 	struct proc *p;
1609 	struct uidinfo *uip;
1610 	struct loginclass *lc;
1611 	struct prison_racct *prr;
1612 	char *inputstr;
1613 	int error;
1614 
1615 	if (!racct_enable)
1616 		return (ENOSYS);
1617 
1618 	error = priv_check(td, PRIV_RCTL_GET_RACCT);
1619 	if (error != 0)
1620 		return (error);
1621 
1622 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1623 	if (error != 0)
1624 		return (error);
1625 
1626 	sx_slock(&allproc_lock);
1627 	error = rctl_string_to_rule(inputstr, &filter);
1628 	free(inputstr, M_RCTL);
1629 	if (error != 0) {
1630 		sx_sunlock(&allproc_lock);
1631 		return (error);
1632 	}
1633 
1634 	switch (filter->rr_subject_type) {
1635 	case RCTL_SUBJECT_TYPE_PROCESS:
1636 		p = filter->rr_subject.rs_proc;
1637 		if (p == NULL) {
1638 			error = EINVAL;
1639 			goto out;
1640 		}
1641 		outputsbuf = rctl_racct_to_sbuf(p->p_racct, 0);
1642 		break;
1643 	case RCTL_SUBJECT_TYPE_USER:
1644 		uip = filter->rr_subject.rs_uip;
1645 		if (uip == NULL) {
1646 			error = EINVAL;
1647 			goto out;
1648 		}
1649 		outputsbuf = rctl_racct_to_sbuf(uip->ui_racct, 1);
1650 		break;
1651 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1652 		lc = filter->rr_subject.rs_loginclass;
1653 		if (lc == NULL) {
1654 			error = EINVAL;
1655 			goto out;
1656 		}
1657 		outputsbuf = rctl_racct_to_sbuf(lc->lc_racct, 1);
1658 		break;
1659 	case RCTL_SUBJECT_TYPE_JAIL:
1660 		prr = filter->rr_subject.rs_prison_racct;
1661 		if (prr == NULL) {
1662 			error = EINVAL;
1663 			goto out;
1664 		}
1665 		outputsbuf = rctl_racct_to_sbuf(prr->prr_racct, 1);
1666 		break;
1667 	default:
1668 		error = EINVAL;
1669 	}
1670 out:
1671 	rctl_rule_release(filter);
1672 	sx_sunlock(&allproc_lock);
1673 	if (error != 0)
1674 		return (error);
1675 
1676 	error = rctl_write_outbuf(outputsbuf, uap->outbufp, uap->outbuflen);
1677 
1678 	return (error);
1679 }
1680 
1681 static void
1682 rctl_get_rules_callback(struct racct *racct, void *arg2, void *arg3)
1683 {
1684 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1685 	struct rctl_rule_link *link;
1686 	struct sbuf *sb = (struct sbuf *)arg3;
1687 
1688 	ASSERT_RACCT_ENABLED();
1689 	RACCT_LOCK_ASSERT();
1690 
1691 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
1692 		if (!rctl_rule_matches(link->rrl_rule, filter))
1693 			continue;
1694 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1695 		sbuf_printf(sb, ",");
1696 	}
1697 }
1698 
1699 int
1700 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
1701 {
1702 	struct sbuf *sb;
1703 	struct rctl_rule *filter;
1704 	struct rctl_rule_link *link;
1705 	struct proc *p;
1706 	char *inputstr, *buf;
1707 	size_t bufsize;
1708 	int error;
1709 
1710 	if (!racct_enable)
1711 		return (ENOSYS);
1712 
1713 	error = priv_check(td, PRIV_RCTL_GET_RULES);
1714 	if (error != 0)
1715 		return (error);
1716 
1717 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1718 	if (error != 0)
1719 		return (error);
1720 
1721 	sx_slock(&allproc_lock);
1722 	error = rctl_string_to_rule(inputstr, &filter);
1723 	free(inputstr, M_RCTL);
1724 	if (error != 0) {
1725 		sx_sunlock(&allproc_lock);
1726 		return (error);
1727 	}
1728 
1729 	bufsize = uap->outbuflen;
1730 	if (bufsize > rctl_maxbufsize) {
1731 		sx_sunlock(&allproc_lock);
1732 		return (E2BIG);
1733 	}
1734 
1735 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1736 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1737 	KASSERT(sb != NULL, ("sbuf_new failed"));
1738 
1739 	FOREACH_PROC_IN_SYSTEM(p) {
1740 		RACCT_LOCK();
1741 		LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1742 			/*
1743 			 * Non-process rules will be added to the buffer later.
1744 			 * Adding them here would result in duplicated output.
1745 			 */
1746 			if (link->rrl_rule->rr_subject_type !=
1747 			    RCTL_SUBJECT_TYPE_PROCESS)
1748 				continue;
1749 			if (!rctl_rule_matches(link->rrl_rule, filter))
1750 				continue;
1751 			rctl_rule_to_sbuf(sb, link->rrl_rule);
1752 			sbuf_printf(sb, ",");
1753 		}
1754 		RACCT_UNLOCK();
1755 	}
1756 
1757 	loginclass_racct_foreach(rctl_get_rules_callback,
1758 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1759 	    filter, sb);
1760 	ui_racct_foreach(rctl_get_rules_callback,
1761 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1762 	    filter, sb);
1763 	prison_racct_foreach(rctl_get_rules_callback,
1764 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1765 	    filter, sb);
1766 	if (sbuf_error(sb) == ENOMEM) {
1767 		error = ERANGE;
1768 		goto out;
1769 	}
1770 
1771 	/*
1772 	 * Remove trailing ",".
1773 	 */
1774 	if (sbuf_len(sb) > 0)
1775 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1776 
1777 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1778 out:
1779 	rctl_rule_release(filter);
1780 	sx_sunlock(&allproc_lock);
1781 	free(buf, M_RCTL);
1782 	return (error);
1783 }
1784 
1785 int
1786 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
1787 {
1788 	struct sbuf *sb;
1789 	struct rctl_rule *filter;
1790 	struct rctl_rule_link *link;
1791 	char *inputstr, *buf;
1792 	size_t bufsize;
1793 	int error;
1794 
1795 	if (!racct_enable)
1796 		return (ENOSYS);
1797 
1798 	error = priv_check(td, PRIV_RCTL_GET_LIMITS);
1799 	if (error != 0)
1800 		return (error);
1801 
1802 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1803 	if (error != 0)
1804 		return (error);
1805 
1806 	sx_slock(&allproc_lock);
1807 	error = rctl_string_to_rule(inputstr, &filter);
1808 	free(inputstr, M_RCTL);
1809 	if (error != 0) {
1810 		sx_sunlock(&allproc_lock);
1811 		return (error);
1812 	}
1813 
1814 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_UNDEFINED) {
1815 		rctl_rule_release(filter);
1816 		sx_sunlock(&allproc_lock);
1817 		return (EINVAL);
1818 	}
1819 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_PROCESS) {
1820 		rctl_rule_release(filter);
1821 		sx_sunlock(&allproc_lock);
1822 		return (EOPNOTSUPP);
1823 	}
1824 	if (filter->rr_subject.rs_proc == NULL) {
1825 		rctl_rule_release(filter);
1826 		sx_sunlock(&allproc_lock);
1827 		return (EINVAL);
1828 	}
1829 
1830 	bufsize = uap->outbuflen;
1831 	if (bufsize > rctl_maxbufsize) {
1832 		rctl_rule_release(filter);
1833 		sx_sunlock(&allproc_lock);
1834 		return (E2BIG);
1835 	}
1836 
1837 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1838 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1839 	KASSERT(sb != NULL, ("sbuf_new failed"));
1840 
1841 	RACCT_LOCK();
1842 	LIST_FOREACH(link, &filter->rr_subject.rs_proc->p_racct->r_rule_links,
1843 	    rrl_next) {
1844 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1845 		sbuf_printf(sb, ",");
1846 	}
1847 	RACCT_UNLOCK();
1848 	if (sbuf_error(sb) == ENOMEM) {
1849 		error = ERANGE;
1850 		sbuf_delete(sb);
1851 		goto out;
1852 	}
1853 
1854 	/*
1855 	 * Remove trailing ",".
1856 	 */
1857 	if (sbuf_len(sb) > 0)
1858 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1859 
1860 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1861 out:
1862 	rctl_rule_release(filter);
1863 	sx_sunlock(&allproc_lock);
1864 	free(buf, M_RCTL);
1865 	return (error);
1866 }
1867 
1868 int
1869 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
1870 {
1871 	struct rctl_rule *rule;
1872 	char *inputstr;
1873 	int error;
1874 
1875 	if (!racct_enable)
1876 		return (ENOSYS);
1877 
1878 	error = priv_check(td, PRIV_RCTL_ADD_RULE);
1879 	if (error != 0)
1880 		return (error);
1881 
1882 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1883 	if (error != 0)
1884 		return (error);
1885 
1886 	sx_slock(&allproc_lock);
1887 	error = rctl_string_to_rule(inputstr, &rule);
1888 	free(inputstr, M_RCTL);
1889 	if (error != 0) {
1890 		sx_sunlock(&allproc_lock);
1891 		return (error);
1892 	}
1893 	/*
1894 	 * The 'per' part of a rule is optional.
1895 	 */
1896 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1897 	    rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1898 		rule->rr_per = rule->rr_subject_type;
1899 
1900 	if (!rctl_rule_fully_specified(rule)) {
1901 		error = EINVAL;
1902 		goto out;
1903 	}
1904 
1905 	error = rctl_rule_add(rule);
1906 
1907 out:
1908 	rctl_rule_release(rule);
1909 	sx_sunlock(&allproc_lock);
1910 	return (error);
1911 }
1912 
1913 int
1914 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
1915 {
1916 	struct rctl_rule *filter;
1917 	char *inputstr;
1918 	int error;
1919 
1920 	if (!racct_enable)
1921 		return (ENOSYS);
1922 
1923 	error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
1924 	if (error != 0)
1925 		return (error);
1926 
1927 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1928 	if (error != 0)
1929 		return (error);
1930 
1931 	sx_slock(&allproc_lock);
1932 	error = rctl_string_to_rule(inputstr, &filter);
1933 	free(inputstr, M_RCTL);
1934 	if (error != 0) {
1935 		sx_sunlock(&allproc_lock);
1936 		return (error);
1937 	}
1938 
1939 	error = rctl_rule_remove(filter);
1940 	rctl_rule_release(filter);
1941 	sx_sunlock(&allproc_lock);
1942 
1943 	return (error);
1944 }
1945 
1946 /*
1947  * Update RCTL rule list after credential change.
1948  */
1949 void
1950 rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred)
1951 {
1952 	LIST_HEAD(, rctl_rule_link) newrules;
1953 	struct rctl_rule_link *link, *newlink;
1954 	struct uidinfo *newuip;
1955 	struct loginclass *newlc;
1956 	struct prison_racct *newprr;
1957 	int rulecnt, i;
1958 
1959 	if (!racct_enable)
1960 		return;
1961 
1962 	PROC_LOCK_ASSERT(p, MA_NOTOWNED);
1963 
1964 	newuip = newcred->cr_ruidinfo;
1965 	newlc = newcred->cr_loginclass;
1966 	newprr = newcred->cr_prison->pr_prison_racct;
1967 
1968 	LIST_INIT(&newrules);
1969 
1970 again:
1971 	/*
1972 	 * First, count the rules that apply to the process with new
1973 	 * credentials.
1974 	 */
1975 	rulecnt = 0;
1976 	RACCT_LOCK();
1977 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1978 		if (link->rrl_rule->rr_subject_type ==
1979 		    RCTL_SUBJECT_TYPE_PROCESS)
1980 			rulecnt++;
1981 	}
1982 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next)
1983 		rulecnt++;
1984 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next)
1985 		rulecnt++;
1986 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next)
1987 		rulecnt++;
1988 	RACCT_UNLOCK();
1989 
1990 	/*
1991 	 * Create temporary list.  We've dropped the rctl_lock in order
1992 	 * to use M_WAITOK.
1993 	 */
1994 	for (i = 0; i < rulecnt; i++) {
1995 		newlink = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
1996 		newlink->rrl_rule = NULL;
1997 		newlink->rrl_exceeded = 0;
1998 		LIST_INSERT_HEAD(&newrules, newlink, rrl_next);
1999 	}
2000 
2001 	newlink = LIST_FIRST(&newrules);
2002 
2003 	/*
2004 	 * Assign rules to the newly allocated list entries.
2005 	 */
2006 	RACCT_LOCK();
2007 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
2008 		if (link->rrl_rule->rr_subject_type ==
2009 		    RCTL_SUBJECT_TYPE_PROCESS) {
2010 			if (newlink == NULL)
2011 				goto goaround;
2012 			rctl_rule_acquire(link->rrl_rule);
2013 			newlink->rrl_rule = link->rrl_rule;
2014 			newlink->rrl_exceeded = link->rrl_exceeded;
2015 			newlink = LIST_NEXT(newlink, rrl_next);
2016 			rulecnt--;
2017 		}
2018 	}
2019 
2020 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next) {
2021 		if (newlink == NULL)
2022 			goto goaround;
2023 		rctl_rule_acquire(link->rrl_rule);
2024 		newlink->rrl_rule = link->rrl_rule;
2025 		newlink->rrl_exceeded = link->rrl_exceeded;
2026 		newlink = LIST_NEXT(newlink, rrl_next);
2027 		rulecnt--;
2028 	}
2029 
2030 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next) {
2031 		if (newlink == NULL)
2032 			goto goaround;
2033 		rctl_rule_acquire(link->rrl_rule);
2034 		newlink->rrl_rule = link->rrl_rule;
2035 		newlink->rrl_exceeded = link->rrl_exceeded;
2036 		newlink = LIST_NEXT(newlink, rrl_next);
2037 		rulecnt--;
2038 	}
2039 
2040 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next) {
2041 		if (newlink == NULL)
2042 			goto goaround;
2043 		rctl_rule_acquire(link->rrl_rule);
2044 		newlink->rrl_rule = link->rrl_rule;
2045 		newlink->rrl_exceeded = link->rrl_exceeded;
2046 		newlink = LIST_NEXT(newlink, rrl_next);
2047 		rulecnt--;
2048 	}
2049 
2050 	if (rulecnt == 0) {
2051 		/*
2052 		 * Free the old rule list.
2053 		 */
2054 		while (!LIST_EMPTY(&p->p_racct->r_rule_links)) {
2055 			link = LIST_FIRST(&p->p_racct->r_rule_links);
2056 			LIST_REMOVE(link, rrl_next);
2057 			rctl_rule_release(link->rrl_rule);
2058 			uma_zfree(rctl_rule_link_zone, link);
2059 		}
2060 
2061 		/*
2062 		 * Replace lists and we're done.
2063 		 *
2064 		 * XXX: Is there any way to switch list heads instead
2065 		 *      of iterating here?
2066 		 */
2067 		while (!LIST_EMPTY(&newrules)) {
2068 			newlink = LIST_FIRST(&newrules);
2069 			LIST_REMOVE(newlink, rrl_next);
2070 			LIST_INSERT_HEAD(&p->p_racct->r_rule_links,
2071 			    newlink, rrl_next);
2072 		}
2073 
2074 		RACCT_UNLOCK();
2075 
2076 		return;
2077 	}
2078 
2079 goaround:
2080 	RACCT_UNLOCK();
2081 
2082 	/*
2083 	 * Rule list changed while we were not holding the rctl_lock.
2084 	 * Free the new list and try again.
2085 	 */
2086 	while (!LIST_EMPTY(&newrules)) {
2087 		newlink = LIST_FIRST(&newrules);
2088 		LIST_REMOVE(newlink, rrl_next);
2089 		if (newlink->rrl_rule != NULL)
2090 			rctl_rule_release(newlink->rrl_rule);
2091 		uma_zfree(rctl_rule_link_zone, newlink);
2092 	}
2093 
2094 	goto again;
2095 }
2096 
2097 /*
2098  * Assign RCTL rules to the newly created process.
2099  */
2100 int
2101 rctl_proc_fork(struct proc *parent, struct proc *child)
2102 {
2103 	struct rctl_rule *rule;
2104 	struct rctl_rule_link *link;
2105 	int error;
2106 
2107 	ASSERT_RACCT_ENABLED();
2108 	RACCT_LOCK_ASSERT();
2109 	KASSERT(parent->p_racct != NULL, ("process without racct; p = %p", parent));
2110 
2111 	LIST_INIT(&child->p_racct->r_rule_links);
2112 
2113 	/*
2114 	 * Go through limits applicable to the parent and assign them
2115 	 * to the child.  Rules with 'process' subject have to be duplicated
2116 	 * in order to make their rr_subject point to the new process.
2117 	 */
2118 	LIST_FOREACH(link, &parent->p_racct->r_rule_links, rrl_next) {
2119 		if (link->rrl_rule->rr_subject_type ==
2120 		    RCTL_SUBJECT_TYPE_PROCESS) {
2121 			rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2122 			if (rule == NULL)
2123 				goto fail;
2124 			KASSERT(rule->rr_subject.rs_proc == parent,
2125 			    ("rule->rr_subject.rs_proc != parent"));
2126 			rule->rr_subject.rs_proc = child;
2127 			error = rctl_racct_add_rule_locked(child->p_racct,
2128 			    rule);
2129 			rctl_rule_release(rule);
2130 			if (error != 0)
2131 				goto fail;
2132 		} else {
2133 			error = rctl_racct_add_rule_locked(child->p_racct,
2134 			    link->rrl_rule);
2135 			if (error != 0)
2136 				goto fail;
2137 		}
2138 	}
2139 
2140 	return (0);
2141 
2142 fail:
2143 	while (!LIST_EMPTY(&child->p_racct->r_rule_links)) {
2144 		link = LIST_FIRST(&child->p_racct->r_rule_links);
2145 		LIST_REMOVE(link, rrl_next);
2146 		rctl_rule_release(link->rrl_rule);
2147 		uma_zfree(rctl_rule_link_zone, link);
2148 	}
2149 
2150 	return (EAGAIN);
2151 }
2152 
2153 /*
2154  * Release rules attached to the racct.
2155  */
2156 void
2157 rctl_racct_release(struct racct *racct)
2158 {
2159 	struct rctl_rule_link *link;
2160 
2161 	ASSERT_RACCT_ENABLED();
2162 	RACCT_LOCK_ASSERT();
2163 
2164 	while (!LIST_EMPTY(&racct->r_rule_links)) {
2165 		link = LIST_FIRST(&racct->r_rule_links);
2166 		LIST_REMOVE(link, rrl_next);
2167 		rctl_rule_release(link->rrl_rule);
2168 		uma_zfree(rctl_rule_link_zone, link);
2169 	}
2170 }
2171 
2172 static void
2173 rctl_init(void)
2174 {
2175 
2176 	if (!racct_enable)
2177 		return;
2178 
2179 	rctl_rule_zone = uma_zcreate("rctl_rule", sizeof(struct rctl_rule),
2180 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
2181 	rctl_rule_link_zone = uma_zcreate("rctl_rule_link",
2182 	    sizeof(struct rctl_rule_link), NULL, NULL, NULL, NULL,
2183 	    UMA_ALIGN_PTR, 0);
2184 
2185 	/*
2186 	 * Set default values, making sure not to overwrite the ones
2187 	 * fetched from tunables.  Most of those could be set at the
2188 	 * declaration, except for the rctl_throttle_max - we cannot
2189 	 * set it there due to hz not being compile time constant.
2190 	 */
2191 	if (rctl_throttle_min < 1)
2192 		rctl_throttle_min = 1;
2193 	if (rctl_throttle_max < rctl_throttle_min)
2194 		rctl_throttle_max = 2 * hz;
2195 	if (rctl_throttle_pct < 0)
2196 		rctl_throttle_pct = 100;
2197 	if (rctl_throttle_pct2 < 0)
2198 		rctl_throttle_pct2 = 100;
2199 }
2200 
2201 #else /* !RCTL */
2202 
2203 int
2204 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
2205 {
2206 
2207 	return (ENOSYS);
2208 }
2209 
2210 int
2211 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
2212 {
2213 
2214 	return (ENOSYS);
2215 }
2216 
2217 int
2218 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
2219 {
2220 
2221 	return (ENOSYS);
2222 }
2223 
2224 int
2225 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
2226 {
2227 
2228 	return (ENOSYS);
2229 }
2230 
2231 int
2232 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
2233 {
2234 
2235 	return (ENOSYS);
2236 }
2237 
2238 #endif /* !RCTL */
2239