xref: /freebsd/sys/kern/kern_rctl.c (revision b4af4f93c682e445bf159f0d1ec90b636296c946)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2010 The FreeBSD Foundation
5  * All rights reserved.
6  *
7  * This software was developed by Edward Tomasz Napierala under sponsorship
8  * from the FreeBSD Foundation.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
36 
37 #include <sys/param.h>
38 #include <sys/bus.h>
39 #include <sys/malloc.h>
40 #include <sys/queue.h>
41 #include <sys/refcount.h>
42 #include <sys/jail.h>
43 #include <sys/kernel.h>
44 #include <sys/limits.h>
45 #include <sys/loginclass.h>
46 #include <sys/priv.h>
47 #include <sys/proc.h>
48 #include <sys/racct.h>
49 #include <sys/rctl.h>
50 #include <sys/resourcevar.h>
51 #include <sys/sx.h>
52 #include <sys/sysent.h>
53 #include <sys/sysproto.h>
54 #include <sys/systm.h>
55 #include <sys/types.h>
56 #include <sys/eventhandler.h>
57 #include <sys/lock.h>
58 #include <sys/mutex.h>
59 #include <sys/rwlock.h>
60 #include <sys/sbuf.h>
61 #include <sys/taskqueue.h>
62 #include <sys/tree.h>
63 #include <vm/uma.h>
64 
65 #ifdef RCTL
66 #ifndef RACCT
67 #error "The RCTL option requires the RACCT option"
68 #endif
69 
70 FEATURE(rctl, "Resource Limits");
71 
72 #define	HRF_DEFAULT		0
73 #define	HRF_DONT_INHERIT	1
74 #define	HRF_DONT_ACCUMULATE	2
75 
76 #define	RCTL_MAX_INBUFSIZE	4 * 1024
77 #define	RCTL_MAX_OUTBUFSIZE	16 * 1024 * 1024
78 #define	RCTL_LOG_BUFSIZE	128
79 
80 #define	RCTL_PCPU_SHIFT		(10 * 1000000)
81 
82 static unsigned int rctl_maxbufsize = RCTL_MAX_OUTBUFSIZE;
83 static int rctl_log_rate_limit = 10;
84 static int rctl_devctl_rate_limit = 10;
85 
86 /*
87  * Values below are initialized in rctl_init().
88  */
89 static int rctl_throttle_min = -1;
90 static int rctl_throttle_max = -1;
91 static int rctl_throttle_pct = -1;
92 static int rctl_throttle_pct2 = -1;
93 
94 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS);
95 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS);
96 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS);
97 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS);
98 
99 SYSCTL_NODE(_kern_racct, OID_AUTO, rctl, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
100     "Resource Limits");
101 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, maxbufsize, CTLFLAG_RWTUN,
102     &rctl_maxbufsize, 0, "Maximum output buffer size");
103 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, log_rate_limit, CTLFLAG_RW,
104     &rctl_log_rate_limit, 0, "Maximum number of log messages per second");
105 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, devctl_rate_limit, CTLFLAG_RWTUN,
106     &rctl_devctl_rate_limit, 0, "Maximum number of devctl messages per second");
107 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_min,
108     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
109     &rctl_throttle_min_sysctl, "IU",
110     "Shortest throttling duration, in hz");
111 TUNABLE_INT("kern.racct.rctl.throttle_min", &rctl_throttle_min);
112 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_max,
113     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
114     &rctl_throttle_max_sysctl, "IU",
115     "Longest throttling duration, in hz");
116 TUNABLE_INT("kern.racct.rctl.throttle_max", &rctl_throttle_max);
117 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct,
118     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
119     &rctl_throttle_pct_sysctl, "IU",
120     "Throttling penalty for process consumption, in percent");
121 TUNABLE_INT("kern.racct.rctl.throttle_pct", &rctl_throttle_pct);
122 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct2,
123     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
124     &rctl_throttle_pct2_sysctl, "IU",
125     "Throttling penalty for container consumption, in percent");
126 TUNABLE_INT("kern.racct.rctl.throttle_pct2", &rctl_throttle_pct2);
127 
128 /*
129  * 'rctl_rule_link' connects a rule with every racct it's related to.
130  * For example, rule 'user:X:openfiles:deny=N/process' is linked
131  * with uidinfo for user X, and to each process of that user.
132  */
133 struct rctl_rule_link {
134 	LIST_ENTRY(rctl_rule_link)	rrl_next;
135 	struct rctl_rule		*rrl_rule;
136 	int				rrl_exceeded;
137 };
138 
139 struct dict {
140 	const char	*d_name;
141 	int		d_value;
142 };
143 
144 static struct dict subjectnames[] = {
145 	{ "process", RCTL_SUBJECT_TYPE_PROCESS },
146 	{ "user", RCTL_SUBJECT_TYPE_USER },
147 	{ "loginclass", RCTL_SUBJECT_TYPE_LOGINCLASS },
148 	{ "jail", RCTL_SUBJECT_TYPE_JAIL },
149 	{ NULL, -1 }};
150 
151 static struct dict resourcenames[] = {
152 	{ "cputime", RACCT_CPU },
153 	{ "datasize", RACCT_DATA },
154 	{ "stacksize", RACCT_STACK },
155 	{ "coredumpsize", RACCT_CORE },
156 	{ "memoryuse", RACCT_RSS },
157 	{ "memorylocked", RACCT_MEMLOCK },
158 	{ "maxproc", RACCT_NPROC },
159 	{ "openfiles", RACCT_NOFILE },
160 	{ "vmemoryuse", RACCT_VMEM },
161 	{ "pseudoterminals", RACCT_NPTS },
162 	{ "swapuse", RACCT_SWAP },
163 	{ "nthr", RACCT_NTHR },
164 	{ "msgqqueued", RACCT_MSGQQUEUED },
165 	{ "msgqsize", RACCT_MSGQSIZE },
166 	{ "nmsgq", RACCT_NMSGQ },
167 	{ "nsem", RACCT_NSEM },
168 	{ "nsemop", RACCT_NSEMOP },
169 	{ "nshm", RACCT_NSHM },
170 	{ "shmsize", RACCT_SHMSIZE },
171 	{ "wallclock", RACCT_WALLCLOCK },
172 	{ "pcpu", RACCT_PCTCPU },
173 	{ "readbps", RACCT_READBPS },
174 	{ "writebps", RACCT_WRITEBPS },
175 	{ "readiops", RACCT_READIOPS },
176 	{ "writeiops", RACCT_WRITEIOPS },
177 	{ NULL, -1 }};
178 
179 static struct dict actionnames[] = {
180 	{ "sighup", RCTL_ACTION_SIGHUP },
181 	{ "sigint", RCTL_ACTION_SIGINT },
182 	{ "sigquit", RCTL_ACTION_SIGQUIT },
183 	{ "sigill", RCTL_ACTION_SIGILL },
184 	{ "sigtrap", RCTL_ACTION_SIGTRAP },
185 	{ "sigabrt", RCTL_ACTION_SIGABRT },
186 	{ "sigemt", RCTL_ACTION_SIGEMT },
187 	{ "sigfpe", RCTL_ACTION_SIGFPE },
188 	{ "sigkill", RCTL_ACTION_SIGKILL },
189 	{ "sigbus", RCTL_ACTION_SIGBUS },
190 	{ "sigsegv", RCTL_ACTION_SIGSEGV },
191 	{ "sigsys", RCTL_ACTION_SIGSYS },
192 	{ "sigpipe", RCTL_ACTION_SIGPIPE },
193 	{ "sigalrm", RCTL_ACTION_SIGALRM },
194 	{ "sigterm", RCTL_ACTION_SIGTERM },
195 	{ "sigurg", RCTL_ACTION_SIGURG },
196 	{ "sigstop", RCTL_ACTION_SIGSTOP },
197 	{ "sigtstp", RCTL_ACTION_SIGTSTP },
198 	{ "sigchld", RCTL_ACTION_SIGCHLD },
199 	{ "sigttin", RCTL_ACTION_SIGTTIN },
200 	{ "sigttou", RCTL_ACTION_SIGTTOU },
201 	{ "sigio", RCTL_ACTION_SIGIO },
202 	{ "sigxcpu", RCTL_ACTION_SIGXCPU },
203 	{ "sigxfsz", RCTL_ACTION_SIGXFSZ },
204 	{ "sigvtalrm", RCTL_ACTION_SIGVTALRM },
205 	{ "sigprof", RCTL_ACTION_SIGPROF },
206 	{ "sigwinch", RCTL_ACTION_SIGWINCH },
207 	{ "siginfo", RCTL_ACTION_SIGINFO },
208 	{ "sigusr1", RCTL_ACTION_SIGUSR1 },
209 	{ "sigusr2", RCTL_ACTION_SIGUSR2 },
210 	{ "sigthr", RCTL_ACTION_SIGTHR },
211 	{ "deny", RCTL_ACTION_DENY },
212 	{ "log", RCTL_ACTION_LOG },
213 	{ "devctl", RCTL_ACTION_DEVCTL },
214 	{ "throttle", RCTL_ACTION_THROTTLE },
215 	{ NULL, -1 }};
216 
217 static void rctl_init(void);
218 SYSINIT(rctl, SI_SUB_RACCT, SI_ORDER_FIRST, rctl_init, NULL);
219 
220 static uma_zone_t rctl_rule_zone;
221 static uma_zone_t rctl_rule_link_zone;
222 
223 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
224 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
225 
226 static MALLOC_DEFINE(M_RCTL, "rctl", "Resource Limits");
227 
228 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS)
229 {
230 	int error, val = rctl_throttle_min;
231 
232 	error = sysctl_handle_int(oidp, &val, 0, req);
233 	if (error || !req->newptr)
234 		return (error);
235 	if (val < 1 || val > rctl_throttle_max)
236 		return (EINVAL);
237 
238 	RACCT_LOCK();
239 	rctl_throttle_min = val;
240 	RACCT_UNLOCK();
241 
242 	return (0);
243 }
244 
245 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS)
246 {
247 	int error, val = rctl_throttle_max;
248 
249 	error = sysctl_handle_int(oidp, &val, 0, req);
250 	if (error || !req->newptr)
251 		return (error);
252 	if (val < rctl_throttle_min)
253 		return (EINVAL);
254 
255 	RACCT_LOCK();
256 	rctl_throttle_max = val;
257 	RACCT_UNLOCK();
258 
259 	return (0);
260 }
261 
262 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS)
263 {
264 	int error, val = rctl_throttle_pct;
265 
266 	error = sysctl_handle_int(oidp, &val, 0, req);
267 	if (error || !req->newptr)
268 		return (error);
269 	if (val < 0)
270 		return (EINVAL);
271 
272 	RACCT_LOCK();
273 	rctl_throttle_pct = val;
274 	RACCT_UNLOCK();
275 
276 	return (0);
277 }
278 
279 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS)
280 {
281 	int error, val = rctl_throttle_pct2;
282 
283 	error = sysctl_handle_int(oidp, &val, 0, req);
284 	if (error || !req->newptr)
285 		return (error);
286 	if (val < 0)
287 		return (EINVAL);
288 
289 	RACCT_LOCK();
290 	rctl_throttle_pct2 = val;
291 	RACCT_UNLOCK();
292 
293 	return (0);
294 }
295 
296 static const char *
297 rctl_subject_type_name(int subject)
298 {
299 	int i;
300 
301 	for (i = 0; subjectnames[i].d_name != NULL; i++) {
302 		if (subjectnames[i].d_value == subject)
303 			return (subjectnames[i].d_name);
304 	}
305 
306 	panic("rctl_subject_type_name: unknown subject type %d", subject);
307 }
308 
309 static const char *
310 rctl_action_name(int action)
311 {
312 	int i;
313 
314 	for (i = 0; actionnames[i].d_name != NULL; i++) {
315 		if (actionnames[i].d_value == action)
316 			return (actionnames[i].d_name);
317 	}
318 
319 	panic("rctl_action_name: unknown action %d", action);
320 }
321 
322 const char *
323 rctl_resource_name(int resource)
324 {
325 	int i;
326 
327 	for (i = 0; resourcenames[i].d_name != NULL; i++) {
328 		if (resourcenames[i].d_value == resource)
329 			return (resourcenames[i].d_name);
330 	}
331 
332 	panic("rctl_resource_name: unknown resource %d", resource);
333 }
334 
335 static struct racct *
336 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
337 {
338 	struct ucred *cred = p->p_ucred;
339 
340 	ASSERT_RACCT_ENABLED();
341 	RACCT_LOCK_ASSERT();
342 
343 	switch (rule->rr_per) {
344 	case RCTL_SUBJECT_TYPE_PROCESS:
345 		return (p->p_racct);
346 	case RCTL_SUBJECT_TYPE_USER:
347 		return (cred->cr_ruidinfo->ui_racct);
348 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
349 		return (cred->cr_loginclass->lc_racct);
350 	case RCTL_SUBJECT_TYPE_JAIL:
351 		return (cred->cr_prison->pr_prison_racct->prr_racct);
352 	default:
353 		panic("%s: unknown per %d", __func__, rule->rr_per);
354 	}
355 }
356 
357 /*
358  * Return the amount of resource that can be allocated by 'p' before
359  * hitting 'rule'.
360  */
361 static int64_t
362 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
363 {
364 	const struct racct *racct;
365 	int64_t available;
366 
367 	ASSERT_RACCT_ENABLED();
368 	RACCT_LOCK_ASSERT();
369 
370 	racct = rctl_proc_rule_to_racct(p, rule);
371 	available = rule->rr_amount - racct->r_resources[rule->rr_resource];
372 
373 	return (available);
374 }
375 
376 /*
377  * Called every second for proc, uidinfo, loginclass, and jail containers.
378  * If the limit isn't exceeded, it decreases the usage amount to zero.
379  * Otherwise, it decreases it by the value of the limit.  This way
380  * resource consumption exceeding the limit "carries over" to the next
381  * period.
382  */
383 void
384 rctl_throttle_decay(struct racct *racct, int resource)
385 {
386 	struct rctl_rule *rule;
387 	struct rctl_rule_link *link;
388 	int64_t minavailable;
389 
390 	ASSERT_RACCT_ENABLED();
391 	RACCT_LOCK_ASSERT();
392 
393 	minavailable = INT64_MAX;
394 
395 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
396 		rule = link->rrl_rule;
397 
398 		if (rule->rr_resource != resource)
399 			continue;
400 		if (rule->rr_action != RCTL_ACTION_THROTTLE)
401 			continue;
402 
403 		if (rule->rr_amount < minavailable)
404 			minavailable = rule->rr_amount;
405 	}
406 
407 	if (racct->r_resources[resource] < minavailable) {
408 		racct->r_resources[resource] = 0;
409 	} else {
410 		/*
411 		 * Cap utilization counter at ten times the limit.  Otherwise,
412 		 * if we changed the rule lowering the allowed amount, it could
413 		 * take unreasonably long time for the accumulated resource
414 		 * usage to drop.
415 		 */
416 		if (racct->r_resources[resource] > minavailable * 10)
417 			racct->r_resources[resource] = minavailable * 10;
418 
419 		racct->r_resources[resource] -= minavailable;
420 	}
421 }
422 
423 /*
424  * Special version of rctl_get_available() for the %CPU resource.
425  * We slightly cheat here and return less than we normally would.
426  */
427 int64_t
428 rctl_pcpu_available(const struct proc *p) {
429 	struct rctl_rule *rule;
430 	struct rctl_rule_link *link;
431 	int64_t available, minavailable, limit;
432 
433 	ASSERT_RACCT_ENABLED();
434 	RACCT_LOCK_ASSERT();
435 
436 	minavailable = INT64_MAX;
437 	limit = 0;
438 
439 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
440 		rule = link->rrl_rule;
441 		if (rule->rr_resource != RACCT_PCTCPU)
442 			continue;
443 		if (rule->rr_action != RCTL_ACTION_DENY)
444 			continue;
445 		available = rctl_available_resource(p, rule);
446 		if (available < minavailable) {
447 			minavailable = available;
448 			limit = rule->rr_amount;
449 		}
450 	}
451 
452 	/*
453 	 * Return slightly less than actual value of the available
454 	 * %cpu resource.  This makes %cpu throttling more aggressive
455 	 * and lets us act sooner than the limits are already exceeded.
456 	 */
457 	if (limit != 0) {
458 		if (limit > 2 * RCTL_PCPU_SHIFT)
459 			minavailable -= RCTL_PCPU_SHIFT;
460 		else
461 			minavailable -= (limit / 2);
462 	}
463 
464 	return (minavailable);
465 }
466 
467 static uint64_t
468 xadd(uint64_t a, uint64_t b)
469 {
470 	uint64_t c;
471 
472 	c = a + b;
473 
474 	/*
475 	 * Detect overflow.
476 	 */
477 	if (c < a || c < b)
478 		return (UINT64_MAX);
479 
480 	return (c);
481 }
482 
483 static uint64_t
484 xmul(uint64_t a, uint64_t b)
485 {
486 
487 	if (b != 0 && a > UINT64_MAX / b)
488 		return (UINT64_MAX);
489 
490 	return (a * b);
491 }
492 
493 /*
494  * Check whether the proc 'p' can allocate 'amount' of 'resource' in addition
495  * to what it keeps allocated now.  Returns non-zero if the allocation should
496  * be denied, 0 otherwise.
497  */
498 int
499 rctl_enforce(struct proc *p, int resource, uint64_t amount)
500 {
501 	static struct timeval log_lasttime, devctl_lasttime;
502 	static int log_curtime = 0, devctl_curtime = 0;
503 	struct rctl_rule *rule;
504 	struct rctl_rule_link *link;
505 	struct sbuf sb;
506 	char *buf;
507 	int64_t available;
508 	uint64_t sleep_ms, sleep_ratio;
509 	int should_deny = 0;
510 
511 	ASSERT_RACCT_ENABLED();
512 	RACCT_LOCK_ASSERT();
513 
514 	/*
515 	 * There may be more than one matching rule; go through all of them.
516 	 * Denial should be done last, after logging and sending signals.
517 	 */
518 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
519 		rule = link->rrl_rule;
520 		if (rule->rr_resource != resource)
521 			continue;
522 
523 		available = rctl_available_resource(p, rule);
524 		if (available >= (int64_t)amount) {
525 			link->rrl_exceeded = 0;
526 			continue;
527 		}
528 
529 		switch (rule->rr_action) {
530 		case RCTL_ACTION_DENY:
531 			should_deny = 1;
532 			continue;
533 		case RCTL_ACTION_LOG:
534 			/*
535 			 * If rrl_exceeded != 0, it means we've already
536 			 * logged a warning for this process.
537 			 */
538 			if (link->rrl_exceeded != 0)
539 				continue;
540 
541 			/*
542 			 * If the process state is not fully initialized yet,
543 			 * we can't access most of the required fields, e.g.
544 			 * p->p_comm.  This happens when called from fork1().
545 			 * Ignore this rule for now; it will be processed just
546 			 * after fork, when called from racct_proc_fork_done().
547 			 */
548 			if (p->p_state != PRS_NORMAL)
549 				continue;
550 
551 			if (!ppsratecheck(&log_lasttime, &log_curtime,
552 			    rctl_log_rate_limit))
553 				continue;
554 
555 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
556 			if (buf == NULL) {
557 				printf("rctl_enforce: out of memory\n");
558 				continue;
559 			}
560 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
561 			rctl_rule_to_sbuf(&sb, rule);
562 			sbuf_finish(&sb);
563 			printf("rctl: rule \"%s\" matched by pid %d "
564 			    "(%s), uid %d, jail %s\n", sbuf_data(&sb),
565 			    p->p_pid, p->p_comm, p->p_ucred->cr_uid,
566 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
567 			sbuf_delete(&sb);
568 			free(buf, M_RCTL);
569 			link->rrl_exceeded = 1;
570 			continue;
571 		case RCTL_ACTION_DEVCTL:
572 			if (link->rrl_exceeded != 0)
573 				continue;
574 
575 			if (p->p_state != PRS_NORMAL)
576 				continue;
577 
578 			if (!ppsratecheck(&devctl_lasttime, &devctl_curtime,
579 			    rctl_devctl_rate_limit))
580 				continue;
581 
582 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
583 			if (buf == NULL) {
584 				printf("rctl_enforce: out of memory\n");
585 				continue;
586 			}
587 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
588 			sbuf_printf(&sb, "rule=");
589 			rctl_rule_to_sbuf(&sb, rule);
590 			sbuf_printf(&sb, " pid=%d ruid=%d jail=%s",
591 			    p->p_pid, p->p_ucred->cr_ruid,
592 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
593 			sbuf_finish(&sb);
594 			devctl_notify_f("RCTL", "rule", "matched",
595 			    sbuf_data(&sb), M_NOWAIT);
596 			sbuf_delete(&sb);
597 			free(buf, M_RCTL);
598 			link->rrl_exceeded = 1;
599 			continue;
600 		case RCTL_ACTION_THROTTLE:
601 			if (p->p_state != PRS_NORMAL)
602 				continue;
603 
604 			/*
605 			 * Make the process sleep for a fraction of second
606 			 * proportional to the ratio of process' resource
607 			 * utilization compared to the limit.  The point is
608 			 * to penalize resource hogs: processes that consume
609 			 * more of the available resources sleep for longer.
610 			 *
611 			 * We're trying to defer division until the very end,
612 			 * to minimize the rounding effects.  The following
613 			 * calculation could have been written in a clearer
614 			 * way like this:
615 			 *
616 			 * sleep_ms = hz * p->p_racct->r_resources[resource] /
617 			 *     rule->rr_amount;
618 			 * sleep_ms *= rctl_throttle_pct / 100;
619 			 * if (sleep_ms < rctl_throttle_min)
620 			 *         sleep_ms = rctl_throttle_min;
621 			 *
622 			 */
623 			sleep_ms = xmul(hz, p->p_racct->r_resources[resource]);
624 			sleep_ms = xmul(sleep_ms,  rctl_throttle_pct) / 100;
625 			if (sleep_ms < rctl_throttle_min * rule->rr_amount)
626 				sleep_ms = rctl_throttle_min * rule->rr_amount;
627 
628 			/*
629 			 * Multiply that by the ratio of the resource
630 			 * consumption for the container compared to the limit,
631 			 * squared.  In other words, a process in a container
632 			 * that is two times over the limit will be throttled
633 			 * four times as much for hitting the same rule.  The
634 			 * point is to penalize processes more if the container
635 			 * itself (eg certain UID or jail) is above the limit.
636 			 */
637 			if (available < 0)
638 				sleep_ratio = -available / rule->rr_amount;
639 			else
640 				sleep_ratio = 0;
641 			sleep_ratio = xmul(sleep_ratio, sleep_ratio);
642 			sleep_ratio = xmul(sleep_ratio, rctl_throttle_pct2) / 100;
643 			sleep_ms = xadd(sleep_ms, xmul(sleep_ms, sleep_ratio));
644 
645 			/*
646 			 * Finally the division.
647 			 */
648 			sleep_ms /= rule->rr_amount;
649 
650 			if (sleep_ms > rctl_throttle_max)
651 				sleep_ms = rctl_throttle_max;
652 #if 0
653 			printf("%s: pid %d (%s), %jd of %jd, will sleep for %ju ms (ratio %ju, available %jd)\n",
654 			   __func__, p->p_pid, p->p_comm,
655 			   p->p_racct->r_resources[resource],
656 			   rule->rr_amount, (uintmax_t)sleep_ms,
657 			   (uintmax_t)sleep_ratio, (intmax_t)available);
658 #endif
659 
660 			KASSERT(sleep_ms >= rctl_throttle_min, ("%s: %ju < %d\n",
661 			    __func__, (uintmax_t)sleep_ms, rctl_throttle_min));
662 			racct_proc_throttle(p, sleep_ms);
663 			continue;
664 		default:
665 			if (link->rrl_exceeded != 0)
666 				continue;
667 
668 			if (p->p_state != PRS_NORMAL)
669 				continue;
670 
671 			KASSERT(rule->rr_action > 0 &&
672 			    rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
673 			    ("rctl_enforce: unknown action %d",
674 			     rule->rr_action));
675 
676 			/*
677 			 * We're using the fact that RCTL_ACTION_SIG* values
678 			 * are equal to their counterparts from sys/signal.h.
679 			 */
680 			kern_psignal(p, rule->rr_action);
681 			link->rrl_exceeded = 1;
682 			continue;
683 		}
684 	}
685 
686 	if (should_deny) {
687 		/*
688 		 * Return fake error code; the caller should change it
689 		 * into one proper for the situation - EFSIZ, ENOMEM etc.
690 		 */
691 		return (EDOOFUS);
692 	}
693 
694 	return (0);
695 }
696 
697 uint64_t
698 rctl_get_limit(struct proc *p, int resource)
699 {
700 	struct rctl_rule *rule;
701 	struct rctl_rule_link *link;
702 	uint64_t amount = UINT64_MAX;
703 
704 	ASSERT_RACCT_ENABLED();
705 	RACCT_LOCK_ASSERT();
706 
707 	/*
708 	 * There may be more than one matching rule; go through all of them.
709 	 * Denial should be done last, after logging and sending signals.
710 	 */
711 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
712 		rule = link->rrl_rule;
713 		if (rule->rr_resource != resource)
714 			continue;
715 		if (rule->rr_action != RCTL_ACTION_DENY)
716 			continue;
717 		if (rule->rr_amount < amount)
718 			amount = rule->rr_amount;
719 	}
720 
721 	return (amount);
722 }
723 
724 uint64_t
725 rctl_get_available(struct proc *p, int resource)
726 {
727 	struct rctl_rule *rule;
728 	struct rctl_rule_link *link;
729 	int64_t available, minavailable, allocated;
730 
731 	minavailable = INT64_MAX;
732 
733 	ASSERT_RACCT_ENABLED();
734 	RACCT_LOCK_ASSERT();
735 
736 	/*
737 	 * There may be more than one matching rule; go through all of them.
738 	 * Denial should be done last, after logging and sending signals.
739 	 */
740 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
741 		rule = link->rrl_rule;
742 		if (rule->rr_resource != resource)
743 			continue;
744 		if (rule->rr_action != RCTL_ACTION_DENY)
745 			continue;
746 		available = rctl_available_resource(p, rule);
747 		if (available < minavailable)
748 			minavailable = available;
749 	}
750 
751 	/*
752 	 * XXX: Think about this _hard_.
753 	 */
754 	allocated = p->p_racct->r_resources[resource];
755 	if (minavailable < INT64_MAX - allocated)
756 		minavailable += allocated;
757 	if (minavailable < 0)
758 		minavailable = 0;
759 
760 	return (minavailable);
761 }
762 
763 static int
764 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
765 {
766 
767 	ASSERT_RACCT_ENABLED();
768 
769 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED) {
770 		if (rule->rr_subject_type != filter->rr_subject_type)
771 			return (0);
772 
773 		switch (filter->rr_subject_type) {
774 		case RCTL_SUBJECT_TYPE_PROCESS:
775 			if (filter->rr_subject.rs_proc != NULL &&
776 			    rule->rr_subject.rs_proc !=
777 			    filter->rr_subject.rs_proc)
778 				return (0);
779 			break;
780 		case RCTL_SUBJECT_TYPE_USER:
781 			if (filter->rr_subject.rs_uip != NULL &&
782 			    rule->rr_subject.rs_uip !=
783 			    filter->rr_subject.rs_uip)
784 				return (0);
785 			break;
786 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
787 			if (filter->rr_subject.rs_loginclass != NULL &&
788 			    rule->rr_subject.rs_loginclass !=
789 			    filter->rr_subject.rs_loginclass)
790 				return (0);
791 			break;
792 		case RCTL_SUBJECT_TYPE_JAIL:
793 			if (filter->rr_subject.rs_prison_racct != NULL &&
794 			    rule->rr_subject.rs_prison_racct !=
795 			    filter->rr_subject.rs_prison_racct)
796 				return (0);
797 			break;
798 		default:
799 			panic("rctl_rule_matches: unknown subject type %d",
800 			    filter->rr_subject_type);
801 		}
802 	}
803 
804 	if (filter->rr_resource != RACCT_UNDEFINED) {
805 		if (rule->rr_resource != filter->rr_resource)
806 			return (0);
807 	}
808 
809 	if (filter->rr_action != RCTL_ACTION_UNDEFINED) {
810 		if (rule->rr_action != filter->rr_action)
811 			return (0);
812 	}
813 
814 	if (filter->rr_amount != RCTL_AMOUNT_UNDEFINED) {
815 		if (rule->rr_amount != filter->rr_amount)
816 			return (0);
817 	}
818 
819 	if (filter->rr_per != RCTL_SUBJECT_TYPE_UNDEFINED) {
820 		if (rule->rr_per != filter->rr_per)
821 			return (0);
822 	}
823 
824 	return (1);
825 }
826 
827 static int
828 str2value(const char *str, int *value, struct dict *table)
829 {
830 	int i;
831 
832 	if (value == NULL)
833 		return (EINVAL);
834 
835 	for (i = 0; table[i].d_name != NULL; i++) {
836 		if (strcasecmp(table[i].d_name, str) == 0) {
837 			*value =  table[i].d_value;
838 			return (0);
839 		}
840 	}
841 
842 	return (EINVAL);
843 }
844 
845 static int
846 str2id(const char *str, id_t *value)
847 {
848 	char *end;
849 
850 	if (str == NULL)
851 		return (EINVAL);
852 
853 	*value = strtoul(str, &end, 10);
854 	if ((size_t)(end - str) != strlen(str))
855 		return (EINVAL);
856 
857 	return (0);
858 }
859 
860 static int
861 str2int64(const char *str, int64_t *value)
862 {
863 	char *end;
864 
865 	if (str == NULL)
866 		return (EINVAL);
867 
868 	*value = strtoul(str, &end, 10);
869 	if ((size_t)(end - str) != strlen(str))
870 		return (EINVAL);
871 
872 	if (*value < 0)
873 		return (ERANGE);
874 
875 	return (0);
876 }
877 
878 /*
879  * Connect the rule to the racct, increasing refcount for the rule.
880  */
881 static void
882 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
883 {
884 	struct rctl_rule_link *link;
885 
886 	ASSERT_RACCT_ENABLED();
887 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
888 
889 	rctl_rule_acquire(rule);
890 	link = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
891 	link->rrl_rule = rule;
892 	link->rrl_exceeded = 0;
893 
894 	RACCT_LOCK();
895 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
896 	RACCT_UNLOCK();
897 }
898 
899 static int
900 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
901 {
902 	struct rctl_rule_link *link;
903 
904 	ASSERT_RACCT_ENABLED();
905 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
906 	RACCT_LOCK_ASSERT();
907 
908 	link = uma_zalloc(rctl_rule_link_zone, M_NOWAIT);
909 	if (link == NULL)
910 		return (ENOMEM);
911 	rctl_rule_acquire(rule);
912 	link->rrl_rule = rule;
913 	link->rrl_exceeded = 0;
914 
915 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
916 
917 	return (0);
918 }
919 
920 /*
921  * Remove limits for a rules matching the filter and release
922  * the refcounts for the rules, possibly freeing them.  Returns
923  * the number of limit structures removed.
924  */
925 static int
926 rctl_racct_remove_rules(struct racct *racct,
927     const struct rctl_rule *filter)
928 {
929 	struct rctl_rule_link *link, *linktmp;
930 	int removed = 0;
931 
932 	ASSERT_RACCT_ENABLED();
933 	RACCT_LOCK_ASSERT();
934 
935 	LIST_FOREACH_SAFE(link, &racct->r_rule_links, rrl_next, linktmp) {
936 		if (!rctl_rule_matches(link->rrl_rule, filter))
937 			continue;
938 
939 		LIST_REMOVE(link, rrl_next);
940 		rctl_rule_release(link->rrl_rule);
941 		uma_zfree(rctl_rule_link_zone, link);
942 		removed++;
943 	}
944 	return (removed);
945 }
946 
947 static void
948 rctl_rule_acquire_subject(struct rctl_rule *rule)
949 {
950 
951 	ASSERT_RACCT_ENABLED();
952 
953 	switch (rule->rr_subject_type) {
954 	case RCTL_SUBJECT_TYPE_UNDEFINED:
955 	case RCTL_SUBJECT_TYPE_PROCESS:
956 		break;
957 	case RCTL_SUBJECT_TYPE_JAIL:
958 		if (rule->rr_subject.rs_prison_racct != NULL)
959 			prison_racct_hold(rule->rr_subject.rs_prison_racct);
960 		break;
961 	case RCTL_SUBJECT_TYPE_USER:
962 		if (rule->rr_subject.rs_uip != NULL)
963 			uihold(rule->rr_subject.rs_uip);
964 		break;
965 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
966 		if (rule->rr_subject.rs_loginclass != NULL)
967 			loginclass_hold(rule->rr_subject.rs_loginclass);
968 		break;
969 	default:
970 		panic("rctl_rule_acquire_subject: unknown subject type %d",
971 		    rule->rr_subject_type);
972 	}
973 }
974 
975 static void
976 rctl_rule_release_subject(struct rctl_rule *rule)
977 {
978 
979 	ASSERT_RACCT_ENABLED();
980 
981 	switch (rule->rr_subject_type) {
982 	case RCTL_SUBJECT_TYPE_UNDEFINED:
983 	case RCTL_SUBJECT_TYPE_PROCESS:
984 		break;
985 	case RCTL_SUBJECT_TYPE_JAIL:
986 		if (rule->rr_subject.rs_prison_racct != NULL)
987 			prison_racct_free(rule->rr_subject.rs_prison_racct);
988 		break;
989 	case RCTL_SUBJECT_TYPE_USER:
990 		if (rule->rr_subject.rs_uip != NULL)
991 			uifree(rule->rr_subject.rs_uip);
992 		break;
993 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
994 		if (rule->rr_subject.rs_loginclass != NULL)
995 			loginclass_free(rule->rr_subject.rs_loginclass);
996 		break;
997 	default:
998 		panic("rctl_rule_release_subject: unknown subject type %d",
999 		    rule->rr_subject_type);
1000 	}
1001 }
1002 
1003 struct rctl_rule *
1004 rctl_rule_alloc(int flags)
1005 {
1006 	struct rctl_rule *rule;
1007 
1008 	ASSERT_RACCT_ENABLED();
1009 
1010 	rule = uma_zalloc(rctl_rule_zone, flags);
1011 	if (rule == NULL)
1012 		return (NULL);
1013 	rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1014 	rule->rr_subject.rs_proc = NULL;
1015 	rule->rr_subject.rs_uip = NULL;
1016 	rule->rr_subject.rs_loginclass = NULL;
1017 	rule->rr_subject.rs_prison_racct = NULL;
1018 	rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1019 	rule->rr_resource = RACCT_UNDEFINED;
1020 	rule->rr_action = RCTL_ACTION_UNDEFINED;
1021 	rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1022 	refcount_init(&rule->rr_refcount, 1);
1023 
1024 	return (rule);
1025 }
1026 
1027 struct rctl_rule *
1028 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1029 {
1030 	struct rctl_rule *copy;
1031 
1032 	ASSERT_RACCT_ENABLED();
1033 
1034 	copy = uma_zalloc(rctl_rule_zone, flags);
1035 	if (copy == NULL)
1036 		return (NULL);
1037 	copy->rr_subject_type = rule->rr_subject_type;
1038 	copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1039 	copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1040 	copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1041 	copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1042 	copy->rr_per = rule->rr_per;
1043 	copy->rr_resource = rule->rr_resource;
1044 	copy->rr_action = rule->rr_action;
1045 	copy->rr_amount = rule->rr_amount;
1046 	refcount_init(&copy->rr_refcount, 1);
1047 	rctl_rule_acquire_subject(copy);
1048 
1049 	return (copy);
1050 }
1051 
1052 void
1053 rctl_rule_acquire(struct rctl_rule *rule)
1054 {
1055 
1056 	ASSERT_RACCT_ENABLED();
1057 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1058 
1059 	refcount_acquire(&rule->rr_refcount);
1060 }
1061 
1062 static void
1063 rctl_rule_free(void *context, int pending)
1064 {
1065 	struct rctl_rule *rule;
1066 
1067 	rule = (struct rctl_rule *)context;
1068 
1069 	ASSERT_RACCT_ENABLED();
1070 	KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1071 
1072 	/*
1073 	 * We don't need locking here; rule is guaranteed to be inaccessible.
1074 	 */
1075 
1076 	rctl_rule_release_subject(rule);
1077 	uma_zfree(rctl_rule_zone, rule);
1078 }
1079 
1080 void
1081 rctl_rule_release(struct rctl_rule *rule)
1082 {
1083 
1084 	ASSERT_RACCT_ENABLED();
1085 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1086 
1087 	if (refcount_release(&rule->rr_refcount)) {
1088 		/*
1089 		 * rctl_rule_release() is often called when iterating
1090 		 * over all the uidinfo structures in the system,
1091 		 * holding uihashtbl_lock.  Since rctl_rule_free()
1092 		 * might end up calling uifree(), this would lead
1093 		 * to lock recursion.  Use taskqueue to avoid this.
1094 		 */
1095 		TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1096 		taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1097 	}
1098 }
1099 
1100 static int
1101 rctl_rule_fully_specified(const struct rctl_rule *rule)
1102 {
1103 
1104 	ASSERT_RACCT_ENABLED();
1105 
1106 	switch (rule->rr_subject_type) {
1107 	case RCTL_SUBJECT_TYPE_UNDEFINED:
1108 		return (0);
1109 	case RCTL_SUBJECT_TYPE_PROCESS:
1110 		if (rule->rr_subject.rs_proc == NULL)
1111 			return (0);
1112 		break;
1113 	case RCTL_SUBJECT_TYPE_USER:
1114 		if (rule->rr_subject.rs_uip == NULL)
1115 			return (0);
1116 		break;
1117 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1118 		if (rule->rr_subject.rs_loginclass == NULL)
1119 			return (0);
1120 		break;
1121 	case RCTL_SUBJECT_TYPE_JAIL:
1122 		if (rule->rr_subject.rs_prison_racct == NULL)
1123 			return (0);
1124 		break;
1125 	default:
1126 		panic("rctl_rule_fully_specified: unknown subject type %d",
1127 		    rule->rr_subject_type);
1128 	}
1129 	if (rule->rr_resource == RACCT_UNDEFINED)
1130 		return (0);
1131 	if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1132 		return (0);
1133 	if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1134 		return (0);
1135 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1136 		return (0);
1137 
1138 	return (1);
1139 }
1140 
1141 static int
1142 rctl_string_to_rule(char *rulestr, struct rctl_rule **rulep)
1143 {
1144 	struct rctl_rule *rule;
1145 	char *subjectstr, *subject_idstr, *resourcestr, *actionstr,
1146 	     *amountstr, *perstr;
1147 	id_t id;
1148 	int error = 0;
1149 
1150 	ASSERT_RACCT_ENABLED();
1151 
1152 	rule = rctl_rule_alloc(M_WAITOK);
1153 
1154 	subjectstr = strsep(&rulestr, ":");
1155 	subject_idstr = strsep(&rulestr, ":");
1156 	resourcestr = strsep(&rulestr, ":");
1157 	actionstr = strsep(&rulestr, "=/");
1158 	amountstr = strsep(&rulestr, "/");
1159 	perstr = rulestr;
1160 
1161 	if (subjectstr == NULL || subjectstr[0] == '\0')
1162 		rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1163 	else {
1164 		error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1165 		if (error != 0)
1166 			goto out;
1167 	}
1168 
1169 	if (subject_idstr == NULL || subject_idstr[0] == '\0') {
1170 		rule->rr_subject.rs_proc = NULL;
1171 		rule->rr_subject.rs_uip = NULL;
1172 		rule->rr_subject.rs_loginclass = NULL;
1173 		rule->rr_subject.rs_prison_racct = NULL;
1174 	} else {
1175 		switch (rule->rr_subject_type) {
1176 		case RCTL_SUBJECT_TYPE_UNDEFINED:
1177 			error = EINVAL;
1178 			goto out;
1179 		case RCTL_SUBJECT_TYPE_PROCESS:
1180 			error = str2id(subject_idstr, &id);
1181 			if (error != 0)
1182 				goto out;
1183 			sx_assert(&allproc_lock, SA_LOCKED);
1184 			rule->rr_subject.rs_proc = pfind(id);
1185 			if (rule->rr_subject.rs_proc == NULL) {
1186 				error = ESRCH;
1187 				goto out;
1188 			}
1189 			PROC_UNLOCK(rule->rr_subject.rs_proc);
1190 			break;
1191 		case RCTL_SUBJECT_TYPE_USER:
1192 			error = str2id(subject_idstr, &id);
1193 			if (error != 0)
1194 				goto out;
1195 			rule->rr_subject.rs_uip = uifind(id);
1196 			break;
1197 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1198 			rule->rr_subject.rs_loginclass =
1199 			    loginclass_find(subject_idstr);
1200 			if (rule->rr_subject.rs_loginclass == NULL) {
1201 				error = ENAMETOOLONG;
1202 				goto out;
1203 			}
1204 			break;
1205 		case RCTL_SUBJECT_TYPE_JAIL:
1206 			rule->rr_subject.rs_prison_racct =
1207 			    prison_racct_find(subject_idstr);
1208 			if (rule->rr_subject.rs_prison_racct == NULL) {
1209 				error = ENAMETOOLONG;
1210 				goto out;
1211 			}
1212 			break;
1213                default:
1214                        panic("rctl_string_to_rule: unknown subject type %d",
1215                            rule->rr_subject_type);
1216                }
1217 	}
1218 
1219 	if (resourcestr == NULL || resourcestr[0] == '\0')
1220 		rule->rr_resource = RACCT_UNDEFINED;
1221 	else {
1222 		error = str2value(resourcestr, &rule->rr_resource,
1223 		    resourcenames);
1224 		if (error != 0)
1225 			goto out;
1226 	}
1227 
1228 	if (actionstr == NULL || actionstr[0] == '\0')
1229 		rule->rr_action = RCTL_ACTION_UNDEFINED;
1230 	else {
1231 		error = str2value(actionstr, &rule->rr_action, actionnames);
1232 		if (error != 0)
1233 			goto out;
1234 	}
1235 
1236 	if (amountstr == NULL || amountstr[0] == '\0')
1237 		rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1238 	else {
1239 		error = str2int64(amountstr, &rule->rr_amount);
1240 		if (error != 0)
1241 			goto out;
1242 		if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1243 			if (rule->rr_amount > INT64_MAX / 1000000) {
1244 				error = ERANGE;
1245 				goto out;
1246 			}
1247 			rule->rr_amount *= 1000000;
1248 		}
1249 	}
1250 
1251 	if (perstr == NULL || perstr[0] == '\0')
1252 		rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1253 	else {
1254 		error = str2value(perstr, &rule->rr_per, subjectnames);
1255 		if (error != 0)
1256 			goto out;
1257 	}
1258 
1259 out:
1260 	if (error == 0)
1261 		*rulep = rule;
1262 	else
1263 		rctl_rule_release(rule);
1264 
1265 	return (error);
1266 }
1267 
1268 /*
1269  * Link a rule with all the subjects it applies to.
1270  */
1271 int
1272 rctl_rule_add(struct rctl_rule *rule)
1273 {
1274 	struct proc *p;
1275 	struct ucred *cred;
1276 	struct uidinfo *uip;
1277 	struct prison *pr;
1278 	struct prison_racct *prr;
1279 	struct loginclass *lc;
1280 	struct rctl_rule *rule2;
1281 	int match;
1282 
1283 	ASSERT_RACCT_ENABLED();
1284 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1285 
1286 	/*
1287 	 * Some rules just don't make sense, like "deny" rule for an undeniable
1288 	 * resource.  The exception are the RSS and %CPU resources - they are
1289 	 * not deniable in the racct sense, but the limit is enforced in
1290 	 * a different way.
1291 	 */
1292 	if (rule->rr_action == RCTL_ACTION_DENY &&
1293 	    !RACCT_IS_DENIABLE(rule->rr_resource) &&
1294 	    rule->rr_resource != RACCT_RSS &&
1295 	    rule->rr_resource != RACCT_PCTCPU) {
1296 		return (EOPNOTSUPP);
1297 	}
1298 
1299 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1300 	    !RACCT_IS_DECAYING(rule->rr_resource)) {
1301 		return (EOPNOTSUPP);
1302 	}
1303 
1304 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1305 	    rule->rr_resource == RACCT_PCTCPU) {
1306 		return (EOPNOTSUPP);
1307 	}
1308 
1309 	if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1310 	    RACCT_IS_SLOPPY(rule->rr_resource)) {
1311 		return (EOPNOTSUPP);
1312 	}
1313 
1314 	/*
1315 	 * Make sure there are no duplicated rules.  Also, for the "deny"
1316 	 * rules, remove ones differing only by "amount".
1317 	 */
1318 	if (rule->rr_action == RCTL_ACTION_DENY) {
1319 		rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1320 		rule2->rr_amount = RCTL_AMOUNT_UNDEFINED;
1321 		rctl_rule_remove(rule2);
1322 		rctl_rule_release(rule2);
1323 	} else
1324 		rctl_rule_remove(rule);
1325 
1326 	switch (rule->rr_subject_type) {
1327 	case RCTL_SUBJECT_TYPE_PROCESS:
1328 		p = rule->rr_subject.rs_proc;
1329 		KASSERT(p != NULL, ("rctl_rule_add: NULL proc"));
1330 
1331 		rctl_racct_add_rule(p->p_racct, rule);
1332 		/*
1333 		 * In case of per-process rule, we don't have anything more
1334 		 * to do.
1335 		 */
1336 		return (0);
1337 
1338 	case RCTL_SUBJECT_TYPE_USER:
1339 		uip = rule->rr_subject.rs_uip;
1340 		KASSERT(uip != NULL, ("rctl_rule_add: NULL uip"));
1341 		rctl_racct_add_rule(uip->ui_racct, rule);
1342 		break;
1343 
1344 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1345 		lc = rule->rr_subject.rs_loginclass;
1346 		KASSERT(lc != NULL, ("rctl_rule_add: NULL loginclass"));
1347 		rctl_racct_add_rule(lc->lc_racct, rule);
1348 		break;
1349 
1350 	case RCTL_SUBJECT_TYPE_JAIL:
1351 		prr = rule->rr_subject.rs_prison_racct;
1352 		KASSERT(prr != NULL, ("rctl_rule_add: NULL pr"));
1353 		rctl_racct_add_rule(prr->prr_racct, rule);
1354 		break;
1355 
1356 	default:
1357 		panic("rctl_rule_add: unknown subject type %d",
1358 		    rule->rr_subject_type);
1359 	}
1360 
1361 	/*
1362 	 * Now go through all the processes and add the new rule to the ones
1363 	 * it applies to.
1364 	 */
1365 	sx_assert(&allproc_lock, SA_LOCKED);
1366 	FOREACH_PROC_IN_SYSTEM(p) {
1367 		cred = p->p_ucred;
1368 		switch (rule->rr_subject_type) {
1369 		case RCTL_SUBJECT_TYPE_USER:
1370 			if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1371 			    cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1372 				break;
1373 			continue;
1374 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1375 			if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1376 				break;
1377 			continue;
1378 		case RCTL_SUBJECT_TYPE_JAIL:
1379 			match = 0;
1380 			for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
1381 				if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1382 					match = 1;
1383 					break;
1384 				}
1385 			}
1386 			if (match)
1387 				break;
1388 			continue;
1389 		default:
1390 			panic("rctl_rule_add: unknown subject type %d",
1391 			    rule->rr_subject_type);
1392 		}
1393 
1394 		rctl_racct_add_rule(p->p_racct, rule);
1395 	}
1396 
1397 	return (0);
1398 }
1399 
1400 static void
1401 rctl_rule_pre_callback(void)
1402 {
1403 
1404 	RACCT_LOCK();
1405 }
1406 
1407 static void
1408 rctl_rule_post_callback(void)
1409 {
1410 
1411 	RACCT_UNLOCK();
1412 }
1413 
1414 static void
1415 rctl_rule_remove_callback(struct racct *racct, void *arg2, void *arg3)
1416 {
1417 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1418 	int found = 0;
1419 
1420 	ASSERT_RACCT_ENABLED();
1421 	RACCT_LOCK_ASSERT();
1422 
1423 	found += rctl_racct_remove_rules(racct, filter);
1424 
1425 	*((int *)arg3) += found;
1426 }
1427 
1428 /*
1429  * Remove all rules that match the filter.
1430  */
1431 int
1432 rctl_rule_remove(struct rctl_rule *filter)
1433 {
1434 	struct proc *p;
1435 	int found = 0;
1436 
1437 	ASSERT_RACCT_ENABLED();
1438 
1439 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_PROCESS &&
1440 	    filter->rr_subject.rs_proc != NULL) {
1441 		p = filter->rr_subject.rs_proc;
1442 		RACCT_LOCK();
1443 		found = rctl_racct_remove_rules(p->p_racct, filter);
1444 		RACCT_UNLOCK();
1445 		if (found)
1446 			return (0);
1447 		return (ESRCH);
1448 	}
1449 
1450 	loginclass_racct_foreach(rctl_rule_remove_callback,
1451 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1452 	    filter, (void *)&found);
1453 	ui_racct_foreach(rctl_rule_remove_callback,
1454 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1455 	    filter, (void *)&found);
1456 	prison_racct_foreach(rctl_rule_remove_callback,
1457 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1458 	    filter, (void *)&found);
1459 
1460 	sx_assert(&allproc_lock, SA_LOCKED);
1461 	RACCT_LOCK();
1462 	FOREACH_PROC_IN_SYSTEM(p) {
1463 		found += rctl_racct_remove_rules(p->p_racct, filter);
1464 	}
1465 	RACCT_UNLOCK();
1466 
1467 	if (found)
1468 		return (0);
1469 	return (ESRCH);
1470 }
1471 
1472 /*
1473  * Appends a rule to the sbuf.
1474  */
1475 static void
1476 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1477 {
1478 	int64_t amount;
1479 
1480 	ASSERT_RACCT_ENABLED();
1481 
1482 	sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1483 
1484 	switch (rule->rr_subject_type) {
1485 	case RCTL_SUBJECT_TYPE_PROCESS:
1486 		if (rule->rr_subject.rs_proc == NULL)
1487 			sbuf_printf(sb, ":");
1488 		else
1489 			sbuf_printf(sb, "%d:",
1490 			    rule->rr_subject.rs_proc->p_pid);
1491 		break;
1492 	case RCTL_SUBJECT_TYPE_USER:
1493 		if (rule->rr_subject.rs_uip == NULL)
1494 			sbuf_printf(sb, ":");
1495 		else
1496 			sbuf_printf(sb, "%d:",
1497 			    rule->rr_subject.rs_uip->ui_uid);
1498 		break;
1499 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1500 		if (rule->rr_subject.rs_loginclass == NULL)
1501 			sbuf_printf(sb, ":");
1502 		else
1503 			sbuf_printf(sb, "%s:",
1504 			    rule->rr_subject.rs_loginclass->lc_name);
1505 		break;
1506 	case RCTL_SUBJECT_TYPE_JAIL:
1507 		if (rule->rr_subject.rs_prison_racct == NULL)
1508 			sbuf_printf(sb, ":");
1509 		else
1510 			sbuf_printf(sb, "%s:",
1511 			    rule->rr_subject.rs_prison_racct->prr_name);
1512 		break;
1513 	default:
1514 		panic("rctl_rule_to_sbuf: unknown subject type %d",
1515 		    rule->rr_subject_type);
1516 	}
1517 
1518 	amount = rule->rr_amount;
1519 	if (amount != RCTL_AMOUNT_UNDEFINED &&
1520 	    RACCT_IS_IN_MILLIONS(rule->rr_resource))
1521 		amount /= 1000000;
1522 
1523 	sbuf_printf(sb, "%s:%s=%jd",
1524 	    rctl_resource_name(rule->rr_resource),
1525 	    rctl_action_name(rule->rr_action),
1526 	    amount);
1527 
1528 	if (rule->rr_per != rule->rr_subject_type)
1529 		sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1530 }
1531 
1532 /*
1533  * Routine used by RCTL syscalls to read in input string.
1534  */
1535 static int
1536 rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
1537 {
1538 	char *str;
1539 	int error;
1540 
1541 	ASSERT_RACCT_ENABLED();
1542 
1543 	if (inbuflen <= 0)
1544 		return (EINVAL);
1545 	if (inbuflen > RCTL_MAX_INBUFSIZE)
1546 		return (E2BIG);
1547 
1548 	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
1549 	error = copyinstr(inbufp, str, inbuflen, NULL);
1550 	if (error != 0) {
1551 		free(str, M_RCTL);
1552 		return (error);
1553 	}
1554 
1555 	*inputstr = str;
1556 
1557 	return (0);
1558 }
1559 
1560 /*
1561  * Routine used by RCTL syscalls to write out output string.
1562  */
1563 static int
1564 rctl_write_outbuf(struct sbuf *outputsbuf, char *outbufp, size_t outbuflen)
1565 {
1566 	int error;
1567 
1568 	ASSERT_RACCT_ENABLED();
1569 
1570 	if (outputsbuf == NULL)
1571 		return (0);
1572 
1573 	sbuf_finish(outputsbuf);
1574 	if (outbuflen < sbuf_len(outputsbuf) + 1) {
1575 		sbuf_delete(outputsbuf);
1576 		return (ERANGE);
1577 	}
1578 	error = copyout(sbuf_data(outputsbuf), outbufp,
1579 	    sbuf_len(outputsbuf) + 1);
1580 	sbuf_delete(outputsbuf);
1581 	return (error);
1582 }
1583 
1584 static struct sbuf *
1585 rctl_racct_to_sbuf(struct racct *racct, int sloppy)
1586 {
1587 	struct sbuf *sb;
1588 	int64_t amount;
1589 	int i;
1590 
1591 	ASSERT_RACCT_ENABLED();
1592 
1593 	sb = sbuf_new_auto();
1594 	for (i = 0; i <= RACCT_MAX; i++) {
1595 		if (sloppy == 0 && RACCT_IS_SLOPPY(i))
1596 			continue;
1597 		RACCT_LOCK();
1598 		amount = racct->r_resources[i];
1599 		RACCT_UNLOCK();
1600 		if (RACCT_IS_IN_MILLIONS(i))
1601 			amount /= 1000000;
1602 		sbuf_printf(sb, "%s=%jd,", rctl_resource_name(i), amount);
1603 	}
1604 	sbuf_setpos(sb, sbuf_len(sb) - 1);
1605 	return (sb);
1606 }
1607 
1608 int
1609 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
1610 {
1611 	struct rctl_rule *filter;
1612 	struct sbuf *outputsbuf = NULL;
1613 	struct proc *p;
1614 	struct uidinfo *uip;
1615 	struct loginclass *lc;
1616 	struct prison_racct *prr;
1617 	char *inputstr;
1618 	int error;
1619 
1620 	if (!racct_enable)
1621 		return (ENOSYS);
1622 
1623 	error = priv_check(td, PRIV_RCTL_GET_RACCT);
1624 	if (error != 0)
1625 		return (error);
1626 
1627 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1628 	if (error != 0)
1629 		return (error);
1630 
1631 	sx_slock(&allproc_lock);
1632 	error = rctl_string_to_rule(inputstr, &filter);
1633 	free(inputstr, M_RCTL);
1634 	if (error != 0) {
1635 		sx_sunlock(&allproc_lock);
1636 		return (error);
1637 	}
1638 
1639 	switch (filter->rr_subject_type) {
1640 	case RCTL_SUBJECT_TYPE_PROCESS:
1641 		p = filter->rr_subject.rs_proc;
1642 		if (p == NULL) {
1643 			error = EINVAL;
1644 			goto out;
1645 		}
1646 		outputsbuf = rctl_racct_to_sbuf(p->p_racct, 0);
1647 		break;
1648 	case RCTL_SUBJECT_TYPE_USER:
1649 		uip = filter->rr_subject.rs_uip;
1650 		if (uip == NULL) {
1651 			error = EINVAL;
1652 			goto out;
1653 		}
1654 		outputsbuf = rctl_racct_to_sbuf(uip->ui_racct, 1);
1655 		break;
1656 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1657 		lc = filter->rr_subject.rs_loginclass;
1658 		if (lc == NULL) {
1659 			error = EINVAL;
1660 			goto out;
1661 		}
1662 		outputsbuf = rctl_racct_to_sbuf(lc->lc_racct, 1);
1663 		break;
1664 	case RCTL_SUBJECT_TYPE_JAIL:
1665 		prr = filter->rr_subject.rs_prison_racct;
1666 		if (prr == NULL) {
1667 			error = EINVAL;
1668 			goto out;
1669 		}
1670 		outputsbuf = rctl_racct_to_sbuf(prr->prr_racct, 1);
1671 		break;
1672 	default:
1673 		error = EINVAL;
1674 	}
1675 out:
1676 	rctl_rule_release(filter);
1677 	sx_sunlock(&allproc_lock);
1678 	if (error != 0)
1679 		return (error);
1680 
1681 	error = rctl_write_outbuf(outputsbuf, uap->outbufp, uap->outbuflen);
1682 
1683 	return (error);
1684 }
1685 
1686 static void
1687 rctl_get_rules_callback(struct racct *racct, void *arg2, void *arg3)
1688 {
1689 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1690 	struct rctl_rule_link *link;
1691 	struct sbuf *sb = (struct sbuf *)arg3;
1692 
1693 	ASSERT_RACCT_ENABLED();
1694 	RACCT_LOCK_ASSERT();
1695 
1696 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
1697 		if (!rctl_rule_matches(link->rrl_rule, filter))
1698 			continue;
1699 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1700 		sbuf_printf(sb, ",");
1701 	}
1702 }
1703 
1704 int
1705 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
1706 {
1707 	struct sbuf *sb;
1708 	struct rctl_rule *filter;
1709 	struct rctl_rule_link *link;
1710 	struct proc *p;
1711 	char *inputstr, *buf;
1712 	size_t bufsize;
1713 	int error;
1714 
1715 	if (!racct_enable)
1716 		return (ENOSYS);
1717 
1718 	error = priv_check(td, PRIV_RCTL_GET_RULES);
1719 	if (error != 0)
1720 		return (error);
1721 
1722 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1723 	if (error != 0)
1724 		return (error);
1725 
1726 	sx_slock(&allproc_lock);
1727 	error = rctl_string_to_rule(inputstr, &filter);
1728 	free(inputstr, M_RCTL);
1729 	if (error != 0) {
1730 		sx_sunlock(&allproc_lock);
1731 		return (error);
1732 	}
1733 
1734 	bufsize = uap->outbuflen;
1735 	if (bufsize > rctl_maxbufsize) {
1736 		sx_sunlock(&allproc_lock);
1737 		return (E2BIG);
1738 	}
1739 
1740 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1741 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1742 	KASSERT(sb != NULL, ("sbuf_new failed"));
1743 
1744 	FOREACH_PROC_IN_SYSTEM(p) {
1745 		RACCT_LOCK();
1746 		LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1747 			/*
1748 			 * Non-process rules will be added to the buffer later.
1749 			 * Adding them here would result in duplicated output.
1750 			 */
1751 			if (link->rrl_rule->rr_subject_type !=
1752 			    RCTL_SUBJECT_TYPE_PROCESS)
1753 				continue;
1754 			if (!rctl_rule_matches(link->rrl_rule, filter))
1755 				continue;
1756 			rctl_rule_to_sbuf(sb, link->rrl_rule);
1757 			sbuf_printf(sb, ",");
1758 		}
1759 		RACCT_UNLOCK();
1760 	}
1761 
1762 	loginclass_racct_foreach(rctl_get_rules_callback,
1763 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1764 	    filter, sb);
1765 	ui_racct_foreach(rctl_get_rules_callback,
1766 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1767 	    filter, sb);
1768 	prison_racct_foreach(rctl_get_rules_callback,
1769 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1770 	    filter, sb);
1771 	if (sbuf_error(sb) == ENOMEM) {
1772 		error = ERANGE;
1773 		goto out;
1774 	}
1775 
1776 	/*
1777 	 * Remove trailing ",".
1778 	 */
1779 	if (sbuf_len(sb) > 0)
1780 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1781 
1782 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1783 out:
1784 	rctl_rule_release(filter);
1785 	sx_sunlock(&allproc_lock);
1786 	free(buf, M_RCTL);
1787 	return (error);
1788 }
1789 
1790 int
1791 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
1792 {
1793 	struct sbuf *sb;
1794 	struct rctl_rule *filter;
1795 	struct rctl_rule_link *link;
1796 	char *inputstr, *buf;
1797 	size_t bufsize;
1798 	int error;
1799 
1800 	if (!racct_enable)
1801 		return (ENOSYS);
1802 
1803 	error = priv_check(td, PRIV_RCTL_GET_LIMITS);
1804 	if (error != 0)
1805 		return (error);
1806 
1807 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1808 	if (error != 0)
1809 		return (error);
1810 
1811 	sx_slock(&allproc_lock);
1812 	error = rctl_string_to_rule(inputstr, &filter);
1813 	free(inputstr, M_RCTL);
1814 	if (error != 0) {
1815 		sx_sunlock(&allproc_lock);
1816 		return (error);
1817 	}
1818 
1819 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_UNDEFINED) {
1820 		rctl_rule_release(filter);
1821 		sx_sunlock(&allproc_lock);
1822 		return (EINVAL);
1823 	}
1824 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_PROCESS) {
1825 		rctl_rule_release(filter);
1826 		sx_sunlock(&allproc_lock);
1827 		return (EOPNOTSUPP);
1828 	}
1829 	if (filter->rr_subject.rs_proc == NULL) {
1830 		rctl_rule_release(filter);
1831 		sx_sunlock(&allproc_lock);
1832 		return (EINVAL);
1833 	}
1834 
1835 	bufsize = uap->outbuflen;
1836 	if (bufsize > rctl_maxbufsize) {
1837 		rctl_rule_release(filter);
1838 		sx_sunlock(&allproc_lock);
1839 		return (E2BIG);
1840 	}
1841 
1842 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1843 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1844 	KASSERT(sb != NULL, ("sbuf_new failed"));
1845 
1846 	RACCT_LOCK();
1847 	LIST_FOREACH(link, &filter->rr_subject.rs_proc->p_racct->r_rule_links,
1848 	    rrl_next) {
1849 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1850 		sbuf_printf(sb, ",");
1851 	}
1852 	RACCT_UNLOCK();
1853 	if (sbuf_error(sb) == ENOMEM) {
1854 		error = ERANGE;
1855 		sbuf_delete(sb);
1856 		goto out;
1857 	}
1858 
1859 	/*
1860 	 * Remove trailing ",".
1861 	 */
1862 	if (sbuf_len(sb) > 0)
1863 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1864 
1865 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1866 out:
1867 	rctl_rule_release(filter);
1868 	sx_sunlock(&allproc_lock);
1869 	free(buf, M_RCTL);
1870 	return (error);
1871 }
1872 
1873 int
1874 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
1875 {
1876 	struct rctl_rule *rule;
1877 	char *inputstr;
1878 	int error;
1879 
1880 	if (!racct_enable)
1881 		return (ENOSYS);
1882 
1883 	error = priv_check(td, PRIV_RCTL_ADD_RULE);
1884 	if (error != 0)
1885 		return (error);
1886 
1887 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1888 	if (error != 0)
1889 		return (error);
1890 
1891 	sx_slock(&allproc_lock);
1892 	error = rctl_string_to_rule(inputstr, &rule);
1893 	free(inputstr, M_RCTL);
1894 	if (error != 0) {
1895 		sx_sunlock(&allproc_lock);
1896 		return (error);
1897 	}
1898 	/*
1899 	 * The 'per' part of a rule is optional.
1900 	 */
1901 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1902 	    rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1903 		rule->rr_per = rule->rr_subject_type;
1904 
1905 	if (!rctl_rule_fully_specified(rule)) {
1906 		error = EINVAL;
1907 		goto out;
1908 	}
1909 
1910 	error = rctl_rule_add(rule);
1911 
1912 out:
1913 	rctl_rule_release(rule);
1914 	sx_sunlock(&allproc_lock);
1915 	return (error);
1916 }
1917 
1918 int
1919 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
1920 {
1921 	struct rctl_rule *filter;
1922 	char *inputstr;
1923 	int error;
1924 
1925 	if (!racct_enable)
1926 		return (ENOSYS);
1927 
1928 	error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
1929 	if (error != 0)
1930 		return (error);
1931 
1932 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1933 	if (error != 0)
1934 		return (error);
1935 
1936 	sx_slock(&allproc_lock);
1937 	error = rctl_string_to_rule(inputstr, &filter);
1938 	free(inputstr, M_RCTL);
1939 	if (error != 0) {
1940 		sx_sunlock(&allproc_lock);
1941 		return (error);
1942 	}
1943 
1944 	error = rctl_rule_remove(filter);
1945 	rctl_rule_release(filter);
1946 	sx_sunlock(&allproc_lock);
1947 
1948 	return (error);
1949 }
1950 
1951 /*
1952  * Update RCTL rule list after credential change.
1953  */
1954 void
1955 rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred)
1956 {
1957 	LIST_HEAD(, rctl_rule_link) newrules;
1958 	struct rctl_rule_link *link, *newlink;
1959 	struct uidinfo *newuip;
1960 	struct loginclass *newlc;
1961 	struct prison_racct *newprr;
1962 	int rulecnt, i;
1963 
1964 	if (!racct_enable)
1965 		return;
1966 
1967 	PROC_LOCK_ASSERT(p, MA_NOTOWNED);
1968 
1969 	newuip = newcred->cr_ruidinfo;
1970 	newlc = newcred->cr_loginclass;
1971 	newprr = newcred->cr_prison->pr_prison_racct;
1972 
1973 	LIST_INIT(&newrules);
1974 
1975 again:
1976 	/*
1977 	 * First, count the rules that apply to the process with new
1978 	 * credentials.
1979 	 */
1980 	rulecnt = 0;
1981 	RACCT_LOCK();
1982 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1983 		if (link->rrl_rule->rr_subject_type ==
1984 		    RCTL_SUBJECT_TYPE_PROCESS)
1985 			rulecnt++;
1986 	}
1987 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next)
1988 		rulecnt++;
1989 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next)
1990 		rulecnt++;
1991 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next)
1992 		rulecnt++;
1993 	RACCT_UNLOCK();
1994 
1995 	/*
1996 	 * Create temporary list.  We've dropped the rctl_lock in order
1997 	 * to use M_WAITOK.
1998 	 */
1999 	for (i = 0; i < rulecnt; i++) {
2000 		newlink = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
2001 		newlink->rrl_rule = NULL;
2002 		newlink->rrl_exceeded = 0;
2003 		LIST_INSERT_HEAD(&newrules, newlink, rrl_next);
2004 	}
2005 
2006 	newlink = LIST_FIRST(&newrules);
2007 
2008 	/*
2009 	 * Assign rules to the newly allocated list entries.
2010 	 */
2011 	RACCT_LOCK();
2012 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
2013 		if (link->rrl_rule->rr_subject_type ==
2014 		    RCTL_SUBJECT_TYPE_PROCESS) {
2015 			if (newlink == NULL)
2016 				goto goaround;
2017 			rctl_rule_acquire(link->rrl_rule);
2018 			newlink->rrl_rule = link->rrl_rule;
2019 			newlink->rrl_exceeded = link->rrl_exceeded;
2020 			newlink = LIST_NEXT(newlink, rrl_next);
2021 			rulecnt--;
2022 		}
2023 	}
2024 
2025 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next) {
2026 		if (newlink == NULL)
2027 			goto goaround;
2028 		rctl_rule_acquire(link->rrl_rule);
2029 		newlink->rrl_rule = link->rrl_rule;
2030 		newlink->rrl_exceeded = link->rrl_exceeded;
2031 		newlink = LIST_NEXT(newlink, rrl_next);
2032 		rulecnt--;
2033 	}
2034 
2035 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next) {
2036 		if (newlink == NULL)
2037 			goto goaround;
2038 		rctl_rule_acquire(link->rrl_rule);
2039 		newlink->rrl_rule = link->rrl_rule;
2040 		newlink->rrl_exceeded = link->rrl_exceeded;
2041 		newlink = LIST_NEXT(newlink, rrl_next);
2042 		rulecnt--;
2043 	}
2044 
2045 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next) {
2046 		if (newlink == NULL)
2047 			goto goaround;
2048 		rctl_rule_acquire(link->rrl_rule);
2049 		newlink->rrl_rule = link->rrl_rule;
2050 		newlink->rrl_exceeded = link->rrl_exceeded;
2051 		newlink = LIST_NEXT(newlink, rrl_next);
2052 		rulecnt--;
2053 	}
2054 
2055 	if (rulecnt == 0) {
2056 		/*
2057 		 * Free the old rule list.
2058 		 */
2059 		while (!LIST_EMPTY(&p->p_racct->r_rule_links)) {
2060 			link = LIST_FIRST(&p->p_racct->r_rule_links);
2061 			LIST_REMOVE(link, rrl_next);
2062 			rctl_rule_release(link->rrl_rule);
2063 			uma_zfree(rctl_rule_link_zone, link);
2064 		}
2065 
2066 		/*
2067 		 * Replace lists and we're done.
2068 		 *
2069 		 * XXX: Is there any way to switch list heads instead
2070 		 *      of iterating here?
2071 		 */
2072 		while (!LIST_EMPTY(&newrules)) {
2073 			newlink = LIST_FIRST(&newrules);
2074 			LIST_REMOVE(newlink, rrl_next);
2075 			LIST_INSERT_HEAD(&p->p_racct->r_rule_links,
2076 			    newlink, rrl_next);
2077 		}
2078 
2079 		RACCT_UNLOCK();
2080 
2081 		return;
2082 	}
2083 
2084 goaround:
2085 	RACCT_UNLOCK();
2086 
2087 	/*
2088 	 * Rule list changed while we were not holding the rctl_lock.
2089 	 * Free the new list and try again.
2090 	 */
2091 	while (!LIST_EMPTY(&newrules)) {
2092 		newlink = LIST_FIRST(&newrules);
2093 		LIST_REMOVE(newlink, rrl_next);
2094 		if (newlink->rrl_rule != NULL)
2095 			rctl_rule_release(newlink->rrl_rule);
2096 		uma_zfree(rctl_rule_link_zone, newlink);
2097 	}
2098 
2099 	goto again;
2100 }
2101 
2102 /*
2103  * Assign RCTL rules to the newly created process.
2104  */
2105 int
2106 rctl_proc_fork(struct proc *parent, struct proc *child)
2107 {
2108 	struct rctl_rule *rule;
2109 	struct rctl_rule_link *link;
2110 	int error;
2111 
2112 	ASSERT_RACCT_ENABLED();
2113 	RACCT_LOCK_ASSERT();
2114 	KASSERT(parent->p_racct != NULL, ("process without racct; p = %p", parent));
2115 
2116 	LIST_INIT(&child->p_racct->r_rule_links);
2117 
2118 	/*
2119 	 * Go through limits applicable to the parent and assign them
2120 	 * to the child.  Rules with 'process' subject have to be duplicated
2121 	 * in order to make their rr_subject point to the new process.
2122 	 */
2123 	LIST_FOREACH(link, &parent->p_racct->r_rule_links, rrl_next) {
2124 		if (link->rrl_rule->rr_subject_type ==
2125 		    RCTL_SUBJECT_TYPE_PROCESS) {
2126 			rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2127 			if (rule == NULL)
2128 				goto fail;
2129 			KASSERT(rule->rr_subject.rs_proc == parent,
2130 			    ("rule->rr_subject.rs_proc != parent"));
2131 			rule->rr_subject.rs_proc = child;
2132 			error = rctl_racct_add_rule_locked(child->p_racct,
2133 			    rule);
2134 			rctl_rule_release(rule);
2135 			if (error != 0)
2136 				goto fail;
2137 		} else {
2138 			error = rctl_racct_add_rule_locked(child->p_racct,
2139 			    link->rrl_rule);
2140 			if (error != 0)
2141 				goto fail;
2142 		}
2143 	}
2144 
2145 	return (0);
2146 
2147 fail:
2148 	while (!LIST_EMPTY(&child->p_racct->r_rule_links)) {
2149 		link = LIST_FIRST(&child->p_racct->r_rule_links);
2150 		LIST_REMOVE(link, rrl_next);
2151 		rctl_rule_release(link->rrl_rule);
2152 		uma_zfree(rctl_rule_link_zone, link);
2153 	}
2154 
2155 	return (EAGAIN);
2156 }
2157 
2158 /*
2159  * Release rules attached to the racct.
2160  */
2161 void
2162 rctl_racct_release(struct racct *racct)
2163 {
2164 	struct rctl_rule_link *link;
2165 
2166 	ASSERT_RACCT_ENABLED();
2167 	RACCT_LOCK_ASSERT();
2168 
2169 	while (!LIST_EMPTY(&racct->r_rule_links)) {
2170 		link = LIST_FIRST(&racct->r_rule_links);
2171 		LIST_REMOVE(link, rrl_next);
2172 		rctl_rule_release(link->rrl_rule);
2173 		uma_zfree(rctl_rule_link_zone, link);
2174 	}
2175 }
2176 
2177 static void
2178 rctl_init(void)
2179 {
2180 
2181 	if (!racct_enable)
2182 		return;
2183 
2184 	rctl_rule_zone = uma_zcreate("rctl_rule", sizeof(struct rctl_rule),
2185 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
2186 	rctl_rule_link_zone = uma_zcreate("rctl_rule_link",
2187 	    sizeof(struct rctl_rule_link), NULL, NULL, NULL, NULL,
2188 	    UMA_ALIGN_PTR, 0);
2189 
2190 	/*
2191 	 * Set default values, making sure not to overwrite the ones
2192 	 * fetched from tunables.  Most of those could be set at the
2193 	 * declaration, except for the rctl_throttle_max - we cannot
2194 	 * set it there due to hz not being compile time constant.
2195 	 */
2196 	if (rctl_throttle_min < 1)
2197 		rctl_throttle_min = 1;
2198 	if (rctl_throttle_max < rctl_throttle_min)
2199 		rctl_throttle_max = 2 * hz;
2200 	if (rctl_throttle_pct < 0)
2201 		rctl_throttle_pct = 100;
2202 	if (rctl_throttle_pct2 < 0)
2203 		rctl_throttle_pct2 = 100;
2204 }
2205 
2206 #else /* !RCTL */
2207 
2208 int
2209 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
2210 {
2211 
2212 	return (ENOSYS);
2213 }
2214 
2215 int
2216 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
2217 {
2218 
2219 	return (ENOSYS);
2220 }
2221 
2222 int
2223 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
2224 {
2225 
2226 	return (ENOSYS);
2227 }
2228 
2229 int
2230 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
2231 {
2232 
2233 	return (ENOSYS);
2234 }
2235 
2236 int
2237 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
2238 {
2239 
2240 	return (ENOSYS);
2241 }
2242 
2243 #endif /* !RCTL */
2244