xref: /freebsd/sys/kern/kern_rctl.c (revision d5b0e70f7e04d971691517ce1304d86a1e367e2e)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2010 The FreeBSD Foundation
5  *
6  * This software was developed by Edward Tomasz Napierala under sponsorship
7  * from the FreeBSD Foundation.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  * $FreeBSD$
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include <sys/param.h>
37 #include <sys/devctl.h>
38 #include <sys/malloc.h>
39 #include <sys/queue.h>
40 #include <sys/refcount.h>
41 #include <sys/jail.h>
42 #include <sys/kernel.h>
43 #include <sys/limits.h>
44 #include <sys/loginclass.h>
45 #include <sys/priv.h>
46 #include <sys/proc.h>
47 #include <sys/racct.h>
48 #include <sys/rctl.h>
49 #include <sys/resourcevar.h>
50 #include <sys/sx.h>
51 #include <sys/sysproto.h>
52 #include <sys/systm.h>
53 #include <sys/types.h>
54 #include <sys/eventhandler.h>
55 #include <sys/lock.h>
56 #include <sys/mutex.h>
57 #include <sys/rwlock.h>
58 #include <sys/sbuf.h>
59 #include <sys/taskqueue.h>
60 #include <sys/tree.h>
61 #include <vm/uma.h>
62 
63 #ifdef RCTL
64 #ifndef RACCT
65 #error "The RCTL option requires the RACCT option"
66 #endif
67 
68 FEATURE(rctl, "Resource Limits");
69 
70 #define	HRF_DEFAULT		0
71 #define	HRF_DONT_INHERIT	1
72 #define	HRF_DONT_ACCUMULATE	2
73 
74 #define	RCTL_MAX_INBUFSIZE	4 * 1024
75 #define	RCTL_MAX_OUTBUFSIZE	16 * 1024 * 1024
76 #define	RCTL_LOG_BUFSIZE	128
77 
78 #define	RCTL_PCPU_SHIFT		(10 * 1000000)
79 
80 static unsigned int rctl_maxbufsize = RCTL_MAX_OUTBUFSIZE;
81 static int rctl_log_rate_limit = 10;
82 static int rctl_devctl_rate_limit = 10;
83 
84 /*
85  * Values below are initialized in rctl_init().
86  */
87 static int rctl_throttle_min = -1;
88 static int rctl_throttle_max = -1;
89 static int rctl_throttle_pct = -1;
90 static int rctl_throttle_pct2 = -1;
91 
92 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS);
93 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS);
94 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS);
95 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS);
96 
97 SYSCTL_NODE(_kern_racct, OID_AUTO, rctl, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
98     "Resource Limits");
99 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, maxbufsize, CTLFLAG_RWTUN,
100     &rctl_maxbufsize, 0, "Maximum output buffer size");
101 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, log_rate_limit, CTLFLAG_RW,
102     &rctl_log_rate_limit, 0, "Maximum number of log messages per second");
103 SYSCTL_UINT(_kern_racct_rctl, OID_AUTO, devctl_rate_limit, CTLFLAG_RWTUN,
104     &rctl_devctl_rate_limit, 0, "Maximum number of devctl messages per second");
105 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_min,
106     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
107     &rctl_throttle_min_sysctl, "IU",
108     "Shortest throttling duration, in hz");
109 TUNABLE_INT("kern.racct.rctl.throttle_min", &rctl_throttle_min);
110 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_max,
111     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
112     &rctl_throttle_max_sysctl, "IU",
113     "Longest throttling duration, in hz");
114 TUNABLE_INT("kern.racct.rctl.throttle_max", &rctl_throttle_max);
115 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct,
116     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
117     &rctl_throttle_pct_sysctl, "IU",
118     "Throttling penalty for process consumption, in percent");
119 TUNABLE_INT("kern.racct.rctl.throttle_pct", &rctl_throttle_pct);
120 SYSCTL_PROC(_kern_racct_rctl, OID_AUTO, throttle_pct2,
121     CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_MPSAFE, 0, 0,
122     &rctl_throttle_pct2_sysctl, "IU",
123     "Throttling penalty for container consumption, in percent");
124 TUNABLE_INT("kern.racct.rctl.throttle_pct2", &rctl_throttle_pct2);
125 
126 /*
127  * 'rctl_rule_link' connects a rule with every racct it's related to.
128  * For example, rule 'user:X:openfiles:deny=N/process' is linked
129  * with uidinfo for user X, and to each process of that user.
130  */
131 struct rctl_rule_link {
132 	LIST_ENTRY(rctl_rule_link)	rrl_next;
133 	struct rctl_rule		*rrl_rule;
134 	int				rrl_exceeded;
135 };
136 
137 struct dict {
138 	const char	*d_name;
139 	int		d_value;
140 };
141 
142 static struct dict subjectnames[] = {
143 	{ "process", RCTL_SUBJECT_TYPE_PROCESS },
144 	{ "user", RCTL_SUBJECT_TYPE_USER },
145 	{ "loginclass", RCTL_SUBJECT_TYPE_LOGINCLASS },
146 	{ "jail", RCTL_SUBJECT_TYPE_JAIL },
147 	{ NULL, -1 }};
148 
149 static struct dict resourcenames[] = {
150 	{ "cputime", RACCT_CPU },
151 	{ "datasize", RACCT_DATA },
152 	{ "stacksize", RACCT_STACK },
153 	{ "coredumpsize", RACCT_CORE },
154 	{ "memoryuse", RACCT_RSS },
155 	{ "memorylocked", RACCT_MEMLOCK },
156 	{ "maxproc", RACCT_NPROC },
157 	{ "openfiles", RACCT_NOFILE },
158 	{ "vmemoryuse", RACCT_VMEM },
159 	{ "pseudoterminals", RACCT_NPTS },
160 	{ "swapuse", RACCT_SWAP },
161 	{ "nthr", RACCT_NTHR },
162 	{ "msgqqueued", RACCT_MSGQQUEUED },
163 	{ "msgqsize", RACCT_MSGQSIZE },
164 	{ "nmsgq", RACCT_NMSGQ },
165 	{ "nsem", RACCT_NSEM },
166 	{ "nsemop", RACCT_NSEMOP },
167 	{ "nshm", RACCT_NSHM },
168 	{ "shmsize", RACCT_SHMSIZE },
169 	{ "wallclock", RACCT_WALLCLOCK },
170 	{ "pcpu", RACCT_PCTCPU },
171 	{ "readbps", RACCT_READBPS },
172 	{ "writebps", RACCT_WRITEBPS },
173 	{ "readiops", RACCT_READIOPS },
174 	{ "writeiops", RACCT_WRITEIOPS },
175 	{ NULL, -1 }};
176 
177 static struct dict actionnames[] = {
178 	{ "sighup", RCTL_ACTION_SIGHUP },
179 	{ "sigint", RCTL_ACTION_SIGINT },
180 	{ "sigquit", RCTL_ACTION_SIGQUIT },
181 	{ "sigill", RCTL_ACTION_SIGILL },
182 	{ "sigtrap", RCTL_ACTION_SIGTRAP },
183 	{ "sigabrt", RCTL_ACTION_SIGABRT },
184 	{ "sigemt", RCTL_ACTION_SIGEMT },
185 	{ "sigfpe", RCTL_ACTION_SIGFPE },
186 	{ "sigkill", RCTL_ACTION_SIGKILL },
187 	{ "sigbus", RCTL_ACTION_SIGBUS },
188 	{ "sigsegv", RCTL_ACTION_SIGSEGV },
189 	{ "sigsys", RCTL_ACTION_SIGSYS },
190 	{ "sigpipe", RCTL_ACTION_SIGPIPE },
191 	{ "sigalrm", RCTL_ACTION_SIGALRM },
192 	{ "sigterm", RCTL_ACTION_SIGTERM },
193 	{ "sigurg", RCTL_ACTION_SIGURG },
194 	{ "sigstop", RCTL_ACTION_SIGSTOP },
195 	{ "sigtstp", RCTL_ACTION_SIGTSTP },
196 	{ "sigchld", RCTL_ACTION_SIGCHLD },
197 	{ "sigttin", RCTL_ACTION_SIGTTIN },
198 	{ "sigttou", RCTL_ACTION_SIGTTOU },
199 	{ "sigio", RCTL_ACTION_SIGIO },
200 	{ "sigxcpu", RCTL_ACTION_SIGXCPU },
201 	{ "sigxfsz", RCTL_ACTION_SIGXFSZ },
202 	{ "sigvtalrm", RCTL_ACTION_SIGVTALRM },
203 	{ "sigprof", RCTL_ACTION_SIGPROF },
204 	{ "sigwinch", RCTL_ACTION_SIGWINCH },
205 	{ "siginfo", RCTL_ACTION_SIGINFO },
206 	{ "sigusr1", RCTL_ACTION_SIGUSR1 },
207 	{ "sigusr2", RCTL_ACTION_SIGUSR2 },
208 	{ "sigthr", RCTL_ACTION_SIGTHR },
209 	{ "deny", RCTL_ACTION_DENY },
210 	{ "log", RCTL_ACTION_LOG },
211 	{ "devctl", RCTL_ACTION_DEVCTL },
212 	{ "throttle", RCTL_ACTION_THROTTLE },
213 	{ NULL, -1 }};
214 
215 static void rctl_init(void);
216 SYSINIT(rctl, SI_SUB_RACCT, SI_ORDER_FIRST, rctl_init, NULL);
217 
218 static uma_zone_t rctl_rule_zone;
219 static uma_zone_t rctl_rule_link_zone;
220 
221 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
222 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
223 
224 static MALLOC_DEFINE(M_RCTL, "rctl", "Resource Limits");
225 
226 static int rctl_throttle_min_sysctl(SYSCTL_HANDLER_ARGS)
227 {
228 	int error, val = rctl_throttle_min;
229 
230 	error = sysctl_handle_int(oidp, &val, 0, req);
231 	if (error || !req->newptr)
232 		return (error);
233 	if (val < 1 || val > rctl_throttle_max)
234 		return (EINVAL);
235 
236 	RACCT_LOCK();
237 	rctl_throttle_min = val;
238 	RACCT_UNLOCK();
239 
240 	return (0);
241 }
242 
243 static int rctl_throttle_max_sysctl(SYSCTL_HANDLER_ARGS)
244 {
245 	int error, val = rctl_throttle_max;
246 
247 	error = sysctl_handle_int(oidp, &val, 0, req);
248 	if (error || !req->newptr)
249 		return (error);
250 	if (val < rctl_throttle_min)
251 		return (EINVAL);
252 
253 	RACCT_LOCK();
254 	rctl_throttle_max = val;
255 	RACCT_UNLOCK();
256 
257 	return (0);
258 }
259 
260 static int rctl_throttle_pct_sysctl(SYSCTL_HANDLER_ARGS)
261 {
262 	int error, val = rctl_throttle_pct;
263 
264 	error = sysctl_handle_int(oidp, &val, 0, req);
265 	if (error || !req->newptr)
266 		return (error);
267 	if (val < 0)
268 		return (EINVAL);
269 
270 	RACCT_LOCK();
271 	rctl_throttle_pct = val;
272 	RACCT_UNLOCK();
273 
274 	return (0);
275 }
276 
277 static int rctl_throttle_pct2_sysctl(SYSCTL_HANDLER_ARGS)
278 {
279 	int error, val = rctl_throttle_pct2;
280 
281 	error = sysctl_handle_int(oidp, &val, 0, req);
282 	if (error || !req->newptr)
283 		return (error);
284 	if (val < 0)
285 		return (EINVAL);
286 
287 	RACCT_LOCK();
288 	rctl_throttle_pct2 = val;
289 	RACCT_UNLOCK();
290 
291 	return (0);
292 }
293 
294 static const char *
295 rctl_subject_type_name(int subject)
296 {
297 	int i;
298 
299 	for (i = 0; subjectnames[i].d_name != NULL; i++) {
300 		if (subjectnames[i].d_value == subject)
301 			return (subjectnames[i].d_name);
302 	}
303 
304 	panic("rctl_subject_type_name: unknown subject type %d", subject);
305 }
306 
307 static const char *
308 rctl_action_name(int action)
309 {
310 	int i;
311 
312 	for (i = 0; actionnames[i].d_name != NULL; i++) {
313 		if (actionnames[i].d_value == action)
314 			return (actionnames[i].d_name);
315 	}
316 
317 	panic("rctl_action_name: unknown action %d", action);
318 }
319 
320 const char *
321 rctl_resource_name(int resource)
322 {
323 	int i;
324 
325 	for (i = 0; resourcenames[i].d_name != NULL; i++) {
326 		if (resourcenames[i].d_value == resource)
327 			return (resourcenames[i].d_name);
328 	}
329 
330 	panic("rctl_resource_name: unknown resource %d", resource);
331 }
332 
333 static struct racct *
334 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
335 {
336 	struct ucred *cred = p->p_ucred;
337 
338 	ASSERT_RACCT_ENABLED();
339 	RACCT_LOCK_ASSERT();
340 
341 	switch (rule->rr_per) {
342 	case RCTL_SUBJECT_TYPE_PROCESS:
343 		return (p->p_racct);
344 	case RCTL_SUBJECT_TYPE_USER:
345 		return (cred->cr_ruidinfo->ui_racct);
346 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
347 		return (cred->cr_loginclass->lc_racct);
348 	case RCTL_SUBJECT_TYPE_JAIL:
349 		return (cred->cr_prison->pr_prison_racct->prr_racct);
350 	default:
351 		panic("%s: unknown per %d", __func__, rule->rr_per);
352 	}
353 }
354 
355 /*
356  * Return the amount of resource that can be allocated by 'p' before
357  * hitting 'rule'.
358  */
359 static int64_t
360 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
361 {
362 	const struct racct *racct;
363 	int64_t available;
364 
365 	ASSERT_RACCT_ENABLED();
366 	RACCT_LOCK_ASSERT();
367 
368 	racct = rctl_proc_rule_to_racct(p, rule);
369 	available = rule->rr_amount - racct->r_resources[rule->rr_resource];
370 
371 	return (available);
372 }
373 
374 /*
375  * Called every second for proc, uidinfo, loginclass, and jail containers.
376  * If the limit isn't exceeded, it decreases the usage amount to zero.
377  * Otherwise, it decreases it by the value of the limit.  This way
378  * resource consumption exceeding the limit "carries over" to the next
379  * period.
380  */
381 void
382 rctl_throttle_decay(struct racct *racct, int resource)
383 {
384 	struct rctl_rule *rule;
385 	struct rctl_rule_link *link;
386 	int64_t minavailable;
387 
388 	ASSERT_RACCT_ENABLED();
389 	RACCT_LOCK_ASSERT();
390 
391 	minavailable = INT64_MAX;
392 
393 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
394 		rule = link->rrl_rule;
395 
396 		if (rule->rr_resource != resource)
397 			continue;
398 		if (rule->rr_action != RCTL_ACTION_THROTTLE)
399 			continue;
400 
401 		if (rule->rr_amount < minavailable)
402 			minavailable = rule->rr_amount;
403 	}
404 
405 	if (racct->r_resources[resource] < minavailable) {
406 		racct->r_resources[resource] = 0;
407 	} else {
408 		/*
409 		 * Cap utilization counter at ten times the limit.  Otherwise,
410 		 * if we changed the rule lowering the allowed amount, it could
411 		 * take unreasonably long time for the accumulated resource
412 		 * usage to drop.
413 		 */
414 		if (racct->r_resources[resource] > minavailable * 10)
415 			racct->r_resources[resource] = minavailable * 10;
416 
417 		racct->r_resources[resource] -= minavailable;
418 	}
419 }
420 
421 /*
422  * Special version of rctl_get_available() for the %CPU resource.
423  * We slightly cheat here and return less than we normally would.
424  */
425 int64_t
426 rctl_pcpu_available(const struct proc *p) {
427 	struct rctl_rule *rule;
428 	struct rctl_rule_link *link;
429 	int64_t available, minavailable, limit;
430 
431 	ASSERT_RACCT_ENABLED();
432 	RACCT_LOCK_ASSERT();
433 
434 	minavailable = INT64_MAX;
435 	limit = 0;
436 
437 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
438 		rule = link->rrl_rule;
439 		if (rule->rr_resource != RACCT_PCTCPU)
440 			continue;
441 		if (rule->rr_action != RCTL_ACTION_DENY)
442 			continue;
443 		available = rctl_available_resource(p, rule);
444 		if (available < minavailable) {
445 			minavailable = available;
446 			limit = rule->rr_amount;
447 		}
448 	}
449 
450 	/*
451 	 * Return slightly less than actual value of the available
452 	 * %cpu resource.  This makes %cpu throttling more aggressive
453 	 * and lets us act sooner than the limits are already exceeded.
454 	 */
455 	if (limit != 0) {
456 		if (limit > 2 * RCTL_PCPU_SHIFT)
457 			minavailable -= RCTL_PCPU_SHIFT;
458 		else
459 			minavailable -= (limit / 2);
460 	}
461 
462 	return (minavailable);
463 }
464 
465 static uint64_t
466 xadd(uint64_t a, uint64_t b)
467 {
468 	uint64_t c;
469 
470 	c = a + b;
471 
472 	/*
473 	 * Detect overflow.
474 	 */
475 	if (c < a || c < b)
476 		return (UINT64_MAX);
477 
478 	return (c);
479 }
480 
481 static uint64_t
482 xmul(uint64_t a, uint64_t b)
483 {
484 
485 	if (b != 0 && a > UINT64_MAX / b)
486 		return (UINT64_MAX);
487 
488 	return (a * b);
489 }
490 
491 /*
492  * Check whether the proc 'p' can allocate 'amount' of 'resource' in addition
493  * to what it keeps allocated now.  Returns non-zero if the allocation should
494  * be denied, 0 otherwise.
495  */
496 int
497 rctl_enforce(struct proc *p, int resource, uint64_t amount)
498 {
499 	static struct timeval log_lasttime, devctl_lasttime;
500 	static int log_curtime = 0, devctl_curtime = 0;
501 	struct rctl_rule *rule;
502 	struct rctl_rule_link *link;
503 	struct sbuf sb;
504 	char *buf;
505 	int64_t available;
506 	uint64_t sleep_ms, sleep_ratio;
507 	int should_deny = 0;
508 
509 	ASSERT_RACCT_ENABLED();
510 	RACCT_LOCK_ASSERT();
511 
512 	/*
513 	 * There may be more than one matching rule; go through all of them.
514 	 * Denial should be done last, after logging and sending signals.
515 	 */
516 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
517 		rule = link->rrl_rule;
518 		if (rule->rr_resource != resource)
519 			continue;
520 
521 		available = rctl_available_resource(p, rule);
522 		if (available >= (int64_t)amount) {
523 			link->rrl_exceeded = 0;
524 			continue;
525 		}
526 
527 		switch (rule->rr_action) {
528 		case RCTL_ACTION_DENY:
529 			should_deny = 1;
530 			continue;
531 		case RCTL_ACTION_LOG:
532 			/*
533 			 * If rrl_exceeded != 0, it means we've already
534 			 * logged a warning for this process.
535 			 */
536 			if (link->rrl_exceeded != 0)
537 				continue;
538 
539 			/*
540 			 * If the process state is not fully initialized yet,
541 			 * we can't access most of the required fields, e.g.
542 			 * p->p_comm.  This happens when called from fork1().
543 			 * Ignore this rule for now; it will be processed just
544 			 * after fork, when called from racct_proc_fork_done().
545 			 */
546 			if (p->p_state != PRS_NORMAL)
547 				continue;
548 
549 			if (!ppsratecheck(&log_lasttime, &log_curtime,
550 			    rctl_log_rate_limit))
551 				continue;
552 
553 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
554 			if (buf == NULL) {
555 				printf("rctl_enforce: out of memory\n");
556 				continue;
557 			}
558 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
559 			rctl_rule_to_sbuf(&sb, rule);
560 			sbuf_finish(&sb);
561 			printf("rctl: rule \"%s\" matched by pid %d "
562 			    "(%s), uid %d, jail %s\n", sbuf_data(&sb),
563 			    p->p_pid, p->p_comm, p->p_ucred->cr_uid,
564 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
565 			sbuf_delete(&sb);
566 			free(buf, M_RCTL);
567 			link->rrl_exceeded = 1;
568 			continue;
569 		case RCTL_ACTION_DEVCTL:
570 			if (link->rrl_exceeded != 0)
571 				continue;
572 
573 			if (p->p_state != PRS_NORMAL)
574 				continue;
575 
576 			if (!ppsratecheck(&devctl_lasttime, &devctl_curtime,
577 			    rctl_devctl_rate_limit))
578 				continue;
579 
580 			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
581 			if (buf == NULL) {
582 				printf("rctl_enforce: out of memory\n");
583 				continue;
584 			}
585 			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
586 			sbuf_printf(&sb, "rule=");
587 			rctl_rule_to_sbuf(&sb, rule);
588 			sbuf_printf(&sb, " pid=%d ruid=%d jail=%s",
589 			    p->p_pid, p->p_ucred->cr_ruid,
590 			    p->p_ucred->cr_prison->pr_prison_racct->prr_name);
591 			sbuf_finish(&sb);
592 			devctl_notify("RCTL", "rule", "matched",
593 			    sbuf_data(&sb));
594 			sbuf_delete(&sb);
595 			free(buf, M_RCTL);
596 			link->rrl_exceeded = 1;
597 			continue;
598 		case RCTL_ACTION_THROTTLE:
599 			if (p->p_state != PRS_NORMAL)
600 				continue;
601 
602 			if (rule->rr_amount == 0) {
603 				racct_proc_throttle(p, rctl_throttle_max);
604 				continue;
605 			}
606 
607 			/*
608 			 * Make the process sleep for a fraction of second
609 			 * proportional to the ratio of process' resource
610 			 * utilization compared to the limit.  The point is
611 			 * to penalize resource hogs: processes that consume
612 			 * more of the available resources sleep for longer.
613 			 *
614 			 * We're trying to defer division until the very end,
615 			 * to minimize the rounding effects.  The following
616 			 * calculation could have been written in a clearer
617 			 * way like this:
618 			 *
619 			 * sleep_ms = hz * p->p_racct->r_resources[resource] /
620 			 *     rule->rr_amount;
621 			 * sleep_ms *= rctl_throttle_pct / 100;
622 			 * if (sleep_ms < rctl_throttle_min)
623 			 *         sleep_ms = rctl_throttle_min;
624 			 *
625 			 */
626 			sleep_ms = xmul(hz, p->p_racct->r_resources[resource]);
627 			sleep_ms = xmul(sleep_ms,  rctl_throttle_pct) / 100;
628 			if (sleep_ms < rctl_throttle_min * rule->rr_amount)
629 				sleep_ms = rctl_throttle_min * rule->rr_amount;
630 
631 			/*
632 			 * Multiply that by the ratio of the resource
633 			 * consumption for the container compared to the limit,
634 			 * squared.  In other words, a process in a container
635 			 * that is two times over the limit will be throttled
636 			 * four times as much for hitting the same rule.  The
637 			 * point is to penalize processes more if the container
638 			 * itself (eg certain UID or jail) is above the limit.
639 			 */
640 			if (available < 0)
641 				sleep_ratio = -available / rule->rr_amount;
642 			else
643 				sleep_ratio = 0;
644 			sleep_ratio = xmul(sleep_ratio, sleep_ratio);
645 			sleep_ratio = xmul(sleep_ratio, rctl_throttle_pct2) / 100;
646 			sleep_ms = xadd(sleep_ms, xmul(sleep_ms, sleep_ratio));
647 
648 			/*
649 			 * Finally the division.
650 			 */
651 			sleep_ms /= rule->rr_amount;
652 
653 			if (sleep_ms > rctl_throttle_max)
654 				sleep_ms = rctl_throttle_max;
655 #if 0
656 			printf("%s: pid %d (%s), %jd of %jd, will sleep for %ju ms (ratio %ju, available %jd)\n",
657 			   __func__, p->p_pid, p->p_comm,
658 			   p->p_racct->r_resources[resource],
659 			   rule->rr_amount, (uintmax_t)sleep_ms,
660 			   (uintmax_t)sleep_ratio, (intmax_t)available);
661 #endif
662 
663 			KASSERT(sleep_ms >= rctl_throttle_min, ("%s: %ju < %d\n",
664 			    __func__, (uintmax_t)sleep_ms, rctl_throttle_min));
665 			racct_proc_throttle(p, sleep_ms);
666 			continue;
667 		default:
668 			if (link->rrl_exceeded != 0)
669 				continue;
670 
671 			if (p->p_state != PRS_NORMAL)
672 				continue;
673 
674 			KASSERT(rule->rr_action > 0 &&
675 			    rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
676 			    ("rctl_enforce: unknown action %d",
677 			     rule->rr_action));
678 
679 			/*
680 			 * We're using the fact that RCTL_ACTION_SIG* values
681 			 * are equal to their counterparts from sys/signal.h.
682 			 */
683 			kern_psignal(p, rule->rr_action);
684 			link->rrl_exceeded = 1;
685 			continue;
686 		}
687 	}
688 
689 	if (should_deny) {
690 		/*
691 		 * Return fake error code; the caller should change it
692 		 * into one proper for the situation - EFSIZ, ENOMEM etc.
693 		 */
694 		return (EDOOFUS);
695 	}
696 
697 	return (0);
698 }
699 
700 uint64_t
701 rctl_get_limit(struct proc *p, int resource)
702 {
703 	struct rctl_rule *rule;
704 	struct rctl_rule_link *link;
705 	uint64_t amount = UINT64_MAX;
706 
707 	ASSERT_RACCT_ENABLED();
708 	RACCT_LOCK_ASSERT();
709 
710 	/*
711 	 * There may be more than one matching rule; go through all of them.
712 	 * Denial should be done last, after logging and sending signals.
713 	 */
714 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
715 		rule = link->rrl_rule;
716 		if (rule->rr_resource != resource)
717 			continue;
718 		if (rule->rr_action != RCTL_ACTION_DENY)
719 			continue;
720 		if (rule->rr_amount < amount)
721 			amount = rule->rr_amount;
722 	}
723 
724 	return (amount);
725 }
726 
727 uint64_t
728 rctl_get_available(struct proc *p, int resource)
729 {
730 	struct rctl_rule *rule;
731 	struct rctl_rule_link *link;
732 	int64_t available, minavailable, allocated;
733 
734 	minavailable = INT64_MAX;
735 
736 	ASSERT_RACCT_ENABLED();
737 	RACCT_LOCK_ASSERT();
738 
739 	/*
740 	 * There may be more than one matching rule; go through all of them.
741 	 * Denial should be done last, after logging and sending signals.
742 	 */
743 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
744 		rule = link->rrl_rule;
745 		if (rule->rr_resource != resource)
746 			continue;
747 		if (rule->rr_action != RCTL_ACTION_DENY)
748 			continue;
749 		available = rctl_available_resource(p, rule);
750 		if (available < minavailable)
751 			minavailable = available;
752 	}
753 
754 	/*
755 	 * XXX: Think about this _hard_.
756 	 */
757 	allocated = p->p_racct->r_resources[resource];
758 	if (minavailable < INT64_MAX - allocated)
759 		minavailable += allocated;
760 	if (minavailable < 0)
761 		minavailable = 0;
762 
763 	return (minavailable);
764 }
765 
766 static int
767 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
768 {
769 
770 	ASSERT_RACCT_ENABLED();
771 
772 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED) {
773 		if (rule->rr_subject_type != filter->rr_subject_type)
774 			return (0);
775 
776 		switch (filter->rr_subject_type) {
777 		case RCTL_SUBJECT_TYPE_PROCESS:
778 			if (filter->rr_subject.rs_proc != NULL &&
779 			    rule->rr_subject.rs_proc !=
780 			    filter->rr_subject.rs_proc)
781 				return (0);
782 			break;
783 		case RCTL_SUBJECT_TYPE_USER:
784 			if (filter->rr_subject.rs_uip != NULL &&
785 			    rule->rr_subject.rs_uip !=
786 			    filter->rr_subject.rs_uip)
787 				return (0);
788 			break;
789 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
790 			if (filter->rr_subject.rs_loginclass != NULL &&
791 			    rule->rr_subject.rs_loginclass !=
792 			    filter->rr_subject.rs_loginclass)
793 				return (0);
794 			break;
795 		case RCTL_SUBJECT_TYPE_JAIL:
796 			if (filter->rr_subject.rs_prison_racct != NULL &&
797 			    rule->rr_subject.rs_prison_racct !=
798 			    filter->rr_subject.rs_prison_racct)
799 				return (0);
800 			break;
801 		default:
802 			panic("rctl_rule_matches: unknown subject type %d",
803 			    filter->rr_subject_type);
804 		}
805 	}
806 
807 	if (filter->rr_resource != RACCT_UNDEFINED) {
808 		if (rule->rr_resource != filter->rr_resource)
809 			return (0);
810 	}
811 
812 	if (filter->rr_action != RCTL_ACTION_UNDEFINED) {
813 		if (rule->rr_action != filter->rr_action)
814 			return (0);
815 	}
816 
817 	if (filter->rr_amount != RCTL_AMOUNT_UNDEFINED) {
818 		if (rule->rr_amount != filter->rr_amount)
819 			return (0);
820 	}
821 
822 	if (filter->rr_per != RCTL_SUBJECT_TYPE_UNDEFINED) {
823 		if (rule->rr_per != filter->rr_per)
824 			return (0);
825 	}
826 
827 	return (1);
828 }
829 
830 static int
831 str2value(const char *str, int *value, struct dict *table)
832 {
833 	int i;
834 
835 	if (value == NULL)
836 		return (EINVAL);
837 
838 	for (i = 0; table[i].d_name != NULL; i++) {
839 		if (strcasecmp(table[i].d_name, str) == 0) {
840 			*value =  table[i].d_value;
841 			return (0);
842 		}
843 	}
844 
845 	return (EINVAL);
846 }
847 
848 static int
849 str2id(const char *str, id_t *value)
850 {
851 	char *end;
852 
853 	if (str == NULL)
854 		return (EINVAL);
855 
856 	*value = strtoul(str, &end, 10);
857 	if ((size_t)(end - str) != strlen(str))
858 		return (EINVAL);
859 
860 	return (0);
861 }
862 
863 static int
864 str2int64(const char *str, int64_t *value)
865 {
866 	char *end;
867 
868 	if (str == NULL)
869 		return (EINVAL);
870 
871 	*value = strtoul(str, &end, 10);
872 	if ((size_t)(end - str) != strlen(str))
873 		return (EINVAL);
874 
875 	if (*value < 0)
876 		return (ERANGE);
877 
878 	return (0);
879 }
880 
881 /*
882  * Connect the rule to the racct, increasing refcount for the rule.
883  */
884 static void
885 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
886 {
887 	struct rctl_rule_link *link;
888 
889 	ASSERT_RACCT_ENABLED();
890 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
891 
892 	rctl_rule_acquire(rule);
893 	link = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
894 	link->rrl_rule = rule;
895 	link->rrl_exceeded = 0;
896 
897 	RACCT_LOCK();
898 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
899 	RACCT_UNLOCK();
900 }
901 
902 static int
903 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
904 {
905 	struct rctl_rule_link *link;
906 
907 	ASSERT_RACCT_ENABLED();
908 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
909 	RACCT_LOCK_ASSERT();
910 
911 	link = uma_zalloc(rctl_rule_link_zone, M_NOWAIT);
912 	if (link == NULL)
913 		return (ENOMEM);
914 	rctl_rule_acquire(rule);
915 	link->rrl_rule = rule;
916 	link->rrl_exceeded = 0;
917 
918 	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
919 
920 	return (0);
921 }
922 
923 /*
924  * Remove limits for a rules matching the filter and release
925  * the refcounts for the rules, possibly freeing them.  Returns
926  * the number of limit structures removed.
927  */
928 static int
929 rctl_racct_remove_rules(struct racct *racct,
930     const struct rctl_rule *filter)
931 {
932 	struct rctl_rule_link *link, *linktmp;
933 	int removed = 0;
934 
935 	ASSERT_RACCT_ENABLED();
936 	RACCT_LOCK_ASSERT();
937 
938 	LIST_FOREACH_SAFE(link, &racct->r_rule_links, rrl_next, linktmp) {
939 		if (!rctl_rule_matches(link->rrl_rule, filter))
940 			continue;
941 
942 		LIST_REMOVE(link, rrl_next);
943 		rctl_rule_release(link->rrl_rule);
944 		uma_zfree(rctl_rule_link_zone, link);
945 		removed++;
946 	}
947 	return (removed);
948 }
949 
950 static void
951 rctl_rule_acquire_subject(struct rctl_rule *rule)
952 {
953 
954 	ASSERT_RACCT_ENABLED();
955 
956 	switch (rule->rr_subject_type) {
957 	case RCTL_SUBJECT_TYPE_UNDEFINED:
958 	case RCTL_SUBJECT_TYPE_PROCESS:
959 		break;
960 	case RCTL_SUBJECT_TYPE_JAIL:
961 		if (rule->rr_subject.rs_prison_racct != NULL)
962 			prison_racct_hold(rule->rr_subject.rs_prison_racct);
963 		break;
964 	case RCTL_SUBJECT_TYPE_USER:
965 		if (rule->rr_subject.rs_uip != NULL)
966 			uihold(rule->rr_subject.rs_uip);
967 		break;
968 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
969 		if (rule->rr_subject.rs_loginclass != NULL)
970 			loginclass_hold(rule->rr_subject.rs_loginclass);
971 		break;
972 	default:
973 		panic("rctl_rule_acquire_subject: unknown subject type %d",
974 		    rule->rr_subject_type);
975 	}
976 }
977 
978 static void
979 rctl_rule_release_subject(struct rctl_rule *rule)
980 {
981 
982 	ASSERT_RACCT_ENABLED();
983 
984 	switch (rule->rr_subject_type) {
985 	case RCTL_SUBJECT_TYPE_UNDEFINED:
986 	case RCTL_SUBJECT_TYPE_PROCESS:
987 		break;
988 	case RCTL_SUBJECT_TYPE_JAIL:
989 		if (rule->rr_subject.rs_prison_racct != NULL)
990 			prison_racct_free(rule->rr_subject.rs_prison_racct);
991 		break;
992 	case RCTL_SUBJECT_TYPE_USER:
993 		if (rule->rr_subject.rs_uip != NULL)
994 			uifree(rule->rr_subject.rs_uip);
995 		break;
996 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
997 		if (rule->rr_subject.rs_loginclass != NULL)
998 			loginclass_free(rule->rr_subject.rs_loginclass);
999 		break;
1000 	default:
1001 		panic("rctl_rule_release_subject: unknown subject type %d",
1002 		    rule->rr_subject_type);
1003 	}
1004 }
1005 
1006 struct rctl_rule *
1007 rctl_rule_alloc(int flags)
1008 {
1009 	struct rctl_rule *rule;
1010 
1011 	ASSERT_RACCT_ENABLED();
1012 
1013 	rule = uma_zalloc(rctl_rule_zone, flags);
1014 	if (rule == NULL)
1015 		return (NULL);
1016 	rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1017 	rule->rr_subject.rs_proc = NULL;
1018 	rule->rr_subject.rs_uip = NULL;
1019 	rule->rr_subject.rs_loginclass = NULL;
1020 	rule->rr_subject.rs_prison_racct = NULL;
1021 	rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1022 	rule->rr_resource = RACCT_UNDEFINED;
1023 	rule->rr_action = RCTL_ACTION_UNDEFINED;
1024 	rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1025 	refcount_init(&rule->rr_refcount, 1);
1026 
1027 	return (rule);
1028 }
1029 
1030 struct rctl_rule *
1031 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1032 {
1033 	struct rctl_rule *copy;
1034 
1035 	ASSERT_RACCT_ENABLED();
1036 
1037 	copy = uma_zalloc(rctl_rule_zone, flags);
1038 	if (copy == NULL)
1039 		return (NULL);
1040 	copy->rr_subject_type = rule->rr_subject_type;
1041 	copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1042 	copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1043 	copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1044 	copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1045 	copy->rr_per = rule->rr_per;
1046 	copy->rr_resource = rule->rr_resource;
1047 	copy->rr_action = rule->rr_action;
1048 	copy->rr_amount = rule->rr_amount;
1049 	refcount_init(&copy->rr_refcount, 1);
1050 	rctl_rule_acquire_subject(copy);
1051 
1052 	return (copy);
1053 }
1054 
1055 void
1056 rctl_rule_acquire(struct rctl_rule *rule)
1057 {
1058 
1059 	ASSERT_RACCT_ENABLED();
1060 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1061 
1062 	refcount_acquire(&rule->rr_refcount);
1063 }
1064 
1065 static void
1066 rctl_rule_free(void *context, int pending)
1067 {
1068 	struct rctl_rule *rule;
1069 
1070 	rule = (struct rctl_rule *)context;
1071 
1072 	ASSERT_RACCT_ENABLED();
1073 	KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1074 
1075 	/*
1076 	 * We don't need locking here; rule is guaranteed to be inaccessible.
1077 	 */
1078 
1079 	rctl_rule_release_subject(rule);
1080 	uma_zfree(rctl_rule_zone, rule);
1081 }
1082 
1083 void
1084 rctl_rule_release(struct rctl_rule *rule)
1085 {
1086 
1087 	ASSERT_RACCT_ENABLED();
1088 	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1089 
1090 	if (refcount_release(&rule->rr_refcount)) {
1091 		/*
1092 		 * rctl_rule_release() is often called when iterating
1093 		 * over all the uidinfo structures in the system,
1094 		 * holding uihashtbl_lock.  Since rctl_rule_free()
1095 		 * might end up calling uifree(), this would lead
1096 		 * to lock recursion.  Use taskqueue to avoid this.
1097 		 */
1098 		TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1099 		taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1100 	}
1101 }
1102 
1103 static int
1104 rctl_rule_fully_specified(const struct rctl_rule *rule)
1105 {
1106 
1107 	ASSERT_RACCT_ENABLED();
1108 
1109 	switch (rule->rr_subject_type) {
1110 	case RCTL_SUBJECT_TYPE_UNDEFINED:
1111 		return (0);
1112 	case RCTL_SUBJECT_TYPE_PROCESS:
1113 		if (rule->rr_subject.rs_proc == NULL)
1114 			return (0);
1115 		break;
1116 	case RCTL_SUBJECT_TYPE_USER:
1117 		if (rule->rr_subject.rs_uip == NULL)
1118 			return (0);
1119 		break;
1120 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1121 		if (rule->rr_subject.rs_loginclass == NULL)
1122 			return (0);
1123 		break;
1124 	case RCTL_SUBJECT_TYPE_JAIL:
1125 		if (rule->rr_subject.rs_prison_racct == NULL)
1126 			return (0);
1127 		break;
1128 	default:
1129 		panic("rctl_rule_fully_specified: unknown subject type %d",
1130 		    rule->rr_subject_type);
1131 	}
1132 	if (rule->rr_resource == RACCT_UNDEFINED)
1133 		return (0);
1134 	if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1135 		return (0);
1136 	if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1137 		return (0);
1138 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1139 		return (0);
1140 
1141 	return (1);
1142 }
1143 
1144 static int
1145 rctl_string_to_rule(char *rulestr, struct rctl_rule **rulep)
1146 {
1147 	struct rctl_rule *rule;
1148 	char *subjectstr, *subject_idstr, *resourcestr, *actionstr,
1149 	     *amountstr, *perstr;
1150 	id_t id;
1151 	int error = 0;
1152 
1153 	ASSERT_RACCT_ENABLED();
1154 
1155 	rule = rctl_rule_alloc(M_WAITOK);
1156 
1157 	subjectstr = strsep(&rulestr, ":");
1158 	subject_idstr = strsep(&rulestr, ":");
1159 	resourcestr = strsep(&rulestr, ":");
1160 	actionstr = strsep(&rulestr, "=/");
1161 	amountstr = strsep(&rulestr, "/");
1162 	perstr = rulestr;
1163 
1164 	if (subjectstr == NULL || subjectstr[0] == '\0')
1165 		rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1166 	else {
1167 		error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1168 		if (error != 0)
1169 			goto out;
1170 	}
1171 
1172 	if (subject_idstr == NULL || subject_idstr[0] == '\0') {
1173 		rule->rr_subject.rs_proc = NULL;
1174 		rule->rr_subject.rs_uip = NULL;
1175 		rule->rr_subject.rs_loginclass = NULL;
1176 		rule->rr_subject.rs_prison_racct = NULL;
1177 	} else {
1178 		switch (rule->rr_subject_type) {
1179 		case RCTL_SUBJECT_TYPE_UNDEFINED:
1180 			error = EINVAL;
1181 			goto out;
1182 		case RCTL_SUBJECT_TYPE_PROCESS:
1183 			error = str2id(subject_idstr, &id);
1184 			if (error != 0)
1185 				goto out;
1186 			sx_assert(&allproc_lock, SA_LOCKED);
1187 			rule->rr_subject.rs_proc = pfind(id);
1188 			if (rule->rr_subject.rs_proc == NULL) {
1189 				error = ESRCH;
1190 				goto out;
1191 			}
1192 			PROC_UNLOCK(rule->rr_subject.rs_proc);
1193 			break;
1194 		case RCTL_SUBJECT_TYPE_USER:
1195 			error = str2id(subject_idstr, &id);
1196 			if (error != 0)
1197 				goto out;
1198 			rule->rr_subject.rs_uip = uifind(id);
1199 			break;
1200 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1201 			rule->rr_subject.rs_loginclass =
1202 			    loginclass_find(subject_idstr);
1203 			if (rule->rr_subject.rs_loginclass == NULL) {
1204 				error = ENAMETOOLONG;
1205 				goto out;
1206 			}
1207 			break;
1208 		case RCTL_SUBJECT_TYPE_JAIL:
1209 			rule->rr_subject.rs_prison_racct =
1210 			    prison_racct_find(subject_idstr);
1211 			if (rule->rr_subject.rs_prison_racct == NULL) {
1212 				error = ENAMETOOLONG;
1213 				goto out;
1214 			}
1215 			break;
1216                default:
1217                        panic("rctl_string_to_rule: unknown subject type %d",
1218                            rule->rr_subject_type);
1219                }
1220 	}
1221 
1222 	if (resourcestr == NULL || resourcestr[0] == '\0')
1223 		rule->rr_resource = RACCT_UNDEFINED;
1224 	else {
1225 		error = str2value(resourcestr, &rule->rr_resource,
1226 		    resourcenames);
1227 		if (error != 0)
1228 			goto out;
1229 	}
1230 
1231 	if (actionstr == NULL || actionstr[0] == '\0')
1232 		rule->rr_action = RCTL_ACTION_UNDEFINED;
1233 	else {
1234 		error = str2value(actionstr, &rule->rr_action, actionnames);
1235 		if (error != 0)
1236 			goto out;
1237 	}
1238 
1239 	if (amountstr == NULL || amountstr[0] == '\0')
1240 		rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1241 	else {
1242 		error = str2int64(amountstr, &rule->rr_amount);
1243 		if (error != 0)
1244 			goto out;
1245 		if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1246 			if (rule->rr_amount > INT64_MAX / 1000000) {
1247 				error = ERANGE;
1248 				goto out;
1249 			}
1250 			rule->rr_amount *= 1000000;
1251 		}
1252 	}
1253 
1254 	if (perstr == NULL || perstr[0] == '\0')
1255 		rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1256 	else {
1257 		error = str2value(perstr, &rule->rr_per, subjectnames);
1258 		if (error != 0)
1259 			goto out;
1260 	}
1261 
1262 out:
1263 	if (error == 0)
1264 		*rulep = rule;
1265 	else
1266 		rctl_rule_release(rule);
1267 
1268 	return (error);
1269 }
1270 
1271 /*
1272  * Link a rule with all the subjects it applies to.
1273  */
1274 int
1275 rctl_rule_add(struct rctl_rule *rule)
1276 {
1277 	struct proc *p;
1278 	struct ucred *cred;
1279 	struct uidinfo *uip;
1280 	struct prison *pr;
1281 	struct prison_racct *prr;
1282 	struct loginclass *lc;
1283 	struct rctl_rule *rule2;
1284 	int match;
1285 
1286 	ASSERT_RACCT_ENABLED();
1287 	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1288 
1289 	/*
1290 	 * Some rules just don't make sense, like "deny" rule for an undeniable
1291 	 * resource.  The exception are the RSS and %CPU resources - they are
1292 	 * not deniable in the racct sense, but the limit is enforced in
1293 	 * a different way.
1294 	 */
1295 	if (rule->rr_action == RCTL_ACTION_DENY &&
1296 	    !RACCT_IS_DENIABLE(rule->rr_resource) &&
1297 	    rule->rr_resource != RACCT_RSS &&
1298 	    rule->rr_resource != RACCT_PCTCPU) {
1299 		return (EOPNOTSUPP);
1300 	}
1301 
1302 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1303 	    !RACCT_IS_DECAYING(rule->rr_resource)) {
1304 		return (EOPNOTSUPP);
1305 	}
1306 
1307 	if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1308 	    rule->rr_resource == RACCT_PCTCPU) {
1309 		return (EOPNOTSUPP);
1310 	}
1311 
1312 	if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1313 	    RACCT_IS_SLOPPY(rule->rr_resource)) {
1314 		return (EOPNOTSUPP);
1315 	}
1316 
1317 	/*
1318 	 * Make sure there are no duplicated rules.  Also, for the "deny"
1319 	 * rules, remove ones differing only by "amount".
1320 	 */
1321 	if (rule->rr_action == RCTL_ACTION_DENY) {
1322 		rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1323 		rule2->rr_amount = RCTL_AMOUNT_UNDEFINED;
1324 		rctl_rule_remove(rule2);
1325 		rctl_rule_release(rule2);
1326 	} else
1327 		rctl_rule_remove(rule);
1328 
1329 	switch (rule->rr_subject_type) {
1330 	case RCTL_SUBJECT_TYPE_PROCESS:
1331 		p = rule->rr_subject.rs_proc;
1332 		KASSERT(p != NULL, ("rctl_rule_add: NULL proc"));
1333 
1334 		rctl_racct_add_rule(p->p_racct, rule);
1335 		/*
1336 		 * In case of per-process rule, we don't have anything more
1337 		 * to do.
1338 		 */
1339 		return (0);
1340 
1341 	case RCTL_SUBJECT_TYPE_USER:
1342 		uip = rule->rr_subject.rs_uip;
1343 		KASSERT(uip != NULL, ("rctl_rule_add: NULL uip"));
1344 		rctl_racct_add_rule(uip->ui_racct, rule);
1345 		break;
1346 
1347 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1348 		lc = rule->rr_subject.rs_loginclass;
1349 		KASSERT(lc != NULL, ("rctl_rule_add: NULL loginclass"));
1350 		rctl_racct_add_rule(lc->lc_racct, rule);
1351 		break;
1352 
1353 	case RCTL_SUBJECT_TYPE_JAIL:
1354 		prr = rule->rr_subject.rs_prison_racct;
1355 		KASSERT(prr != NULL, ("rctl_rule_add: NULL pr"));
1356 		rctl_racct_add_rule(prr->prr_racct, rule);
1357 		break;
1358 
1359 	default:
1360 		panic("rctl_rule_add: unknown subject type %d",
1361 		    rule->rr_subject_type);
1362 	}
1363 
1364 	/*
1365 	 * Now go through all the processes and add the new rule to the ones
1366 	 * it applies to.
1367 	 */
1368 	sx_assert(&allproc_lock, SA_LOCKED);
1369 	FOREACH_PROC_IN_SYSTEM(p) {
1370 		cred = p->p_ucred;
1371 		switch (rule->rr_subject_type) {
1372 		case RCTL_SUBJECT_TYPE_USER:
1373 			if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1374 			    cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1375 				break;
1376 			continue;
1377 		case RCTL_SUBJECT_TYPE_LOGINCLASS:
1378 			if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1379 				break;
1380 			continue;
1381 		case RCTL_SUBJECT_TYPE_JAIL:
1382 			match = 0;
1383 			for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
1384 				if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1385 					match = 1;
1386 					break;
1387 				}
1388 			}
1389 			if (match)
1390 				break;
1391 			continue;
1392 		default:
1393 			panic("rctl_rule_add: unknown subject type %d",
1394 			    rule->rr_subject_type);
1395 		}
1396 
1397 		rctl_racct_add_rule(p->p_racct, rule);
1398 	}
1399 
1400 	return (0);
1401 }
1402 
1403 static void
1404 rctl_rule_pre_callback(void)
1405 {
1406 
1407 	RACCT_LOCK();
1408 }
1409 
1410 static void
1411 rctl_rule_post_callback(void)
1412 {
1413 
1414 	RACCT_UNLOCK();
1415 }
1416 
1417 static void
1418 rctl_rule_remove_callback(struct racct *racct, void *arg2, void *arg3)
1419 {
1420 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1421 	int found = 0;
1422 
1423 	ASSERT_RACCT_ENABLED();
1424 	RACCT_LOCK_ASSERT();
1425 
1426 	found += rctl_racct_remove_rules(racct, filter);
1427 
1428 	*((int *)arg3) += found;
1429 }
1430 
1431 /*
1432  * Remove all rules that match the filter.
1433  */
1434 int
1435 rctl_rule_remove(struct rctl_rule *filter)
1436 {
1437 	struct proc *p;
1438 	int found = 0;
1439 
1440 	ASSERT_RACCT_ENABLED();
1441 
1442 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_PROCESS &&
1443 	    filter->rr_subject.rs_proc != NULL) {
1444 		p = filter->rr_subject.rs_proc;
1445 		RACCT_LOCK();
1446 		found = rctl_racct_remove_rules(p->p_racct, filter);
1447 		RACCT_UNLOCK();
1448 		if (found)
1449 			return (0);
1450 		return (ESRCH);
1451 	}
1452 
1453 	loginclass_racct_foreach(rctl_rule_remove_callback,
1454 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1455 	    filter, (void *)&found);
1456 	ui_racct_foreach(rctl_rule_remove_callback,
1457 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1458 	    filter, (void *)&found);
1459 	prison_racct_foreach(rctl_rule_remove_callback,
1460 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1461 	    filter, (void *)&found);
1462 
1463 	sx_assert(&allproc_lock, SA_LOCKED);
1464 	RACCT_LOCK();
1465 	FOREACH_PROC_IN_SYSTEM(p) {
1466 		found += rctl_racct_remove_rules(p->p_racct, filter);
1467 	}
1468 	RACCT_UNLOCK();
1469 
1470 	if (found)
1471 		return (0);
1472 	return (ESRCH);
1473 }
1474 
1475 /*
1476  * Appends a rule to the sbuf.
1477  */
1478 static void
1479 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1480 {
1481 	int64_t amount;
1482 
1483 	ASSERT_RACCT_ENABLED();
1484 
1485 	sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1486 
1487 	switch (rule->rr_subject_type) {
1488 	case RCTL_SUBJECT_TYPE_PROCESS:
1489 		if (rule->rr_subject.rs_proc == NULL)
1490 			sbuf_printf(sb, ":");
1491 		else
1492 			sbuf_printf(sb, "%d:",
1493 			    rule->rr_subject.rs_proc->p_pid);
1494 		break;
1495 	case RCTL_SUBJECT_TYPE_USER:
1496 		if (rule->rr_subject.rs_uip == NULL)
1497 			sbuf_printf(sb, ":");
1498 		else
1499 			sbuf_printf(sb, "%d:",
1500 			    rule->rr_subject.rs_uip->ui_uid);
1501 		break;
1502 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1503 		if (rule->rr_subject.rs_loginclass == NULL)
1504 			sbuf_printf(sb, ":");
1505 		else
1506 			sbuf_printf(sb, "%s:",
1507 			    rule->rr_subject.rs_loginclass->lc_name);
1508 		break;
1509 	case RCTL_SUBJECT_TYPE_JAIL:
1510 		if (rule->rr_subject.rs_prison_racct == NULL)
1511 			sbuf_printf(sb, ":");
1512 		else
1513 			sbuf_printf(sb, "%s:",
1514 			    rule->rr_subject.rs_prison_racct->prr_name);
1515 		break;
1516 	default:
1517 		panic("rctl_rule_to_sbuf: unknown subject type %d",
1518 		    rule->rr_subject_type);
1519 	}
1520 
1521 	amount = rule->rr_amount;
1522 	if (amount != RCTL_AMOUNT_UNDEFINED &&
1523 	    RACCT_IS_IN_MILLIONS(rule->rr_resource))
1524 		amount /= 1000000;
1525 
1526 	sbuf_printf(sb, "%s:%s=%jd",
1527 	    rctl_resource_name(rule->rr_resource),
1528 	    rctl_action_name(rule->rr_action),
1529 	    amount);
1530 
1531 	if (rule->rr_per != rule->rr_subject_type)
1532 		sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1533 }
1534 
1535 /*
1536  * Routine used by RCTL syscalls to read in input string.
1537  */
1538 static int
1539 rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
1540 {
1541 	char *str;
1542 	int error;
1543 
1544 	ASSERT_RACCT_ENABLED();
1545 
1546 	if (inbuflen <= 0)
1547 		return (EINVAL);
1548 	if (inbuflen > RCTL_MAX_INBUFSIZE)
1549 		return (E2BIG);
1550 
1551 	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
1552 	error = copyinstr(inbufp, str, inbuflen, NULL);
1553 	if (error != 0) {
1554 		free(str, M_RCTL);
1555 		return (error);
1556 	}
1557 
1558 	*inputstr = str;
1559 
1560 	return (0);
1561 }
1562 
1563 /*
1564  * Routine used by RCTL syscalls to write out output string.
1565  */
1566 static int
1567 rctl_write_outbuf(struct sbuf *outputsbuf, char *outbufp, size_t outbuflen)
1568 {
1569 	int error;
1570 
1571 	ASSERT_RACCT_ENABLED();
1572 
1573 	if (outputsbuf == NULL)
1574 		return (0);
1575 
1576 	sbuf_finish(outputsbuf);
1577 	if (outbuflen < sbuf_len(outputsbuf) + 1) {
1578 		sbuf_delete(outputsbuf);
1579 		return (ERANGE);
1580 	}
1581 	error = copyout(sbuf_data(outputsbuf), outbufp,
1582 	    sbuf_len(outputsbuf) + 1);
1583 	sbuf_delete(outputsbuf);
1584 	return (error);
1585 }
1586 
1587 static struct sbuf *
1588 rctl_racct_to_sbuf(struct racct *racct, int sloppy)
1589 {
1590 	struct sbuf *sb;
1591 	int64_t amount;
1592 	int i;
1593 
1594 	ASSERT_RACCT_ENABLED();
1595 
1596 	sb = sbuf_new_auto();
1597 	for (i = 0; i <= RACCT_MAX; i++) {
1598 		if (sloppy == 0 && RACCT_IS_SLOPPY(i))
1599 			continue;
1600 		RACCT_LOCK();
1601 		amount = racct->r_resources[i];
1602 		RACCT_UNLOCK();
1603 		if (RACCT_IS_IN_MILLIONS(i))
1604 			amount /= 1000000;
1605 		sbuf_printf(sb, "%s=%jd,", rctl_resource_name(i), amount);
1606 	}
1607 	sbuf_setpos(sb, sbuf_len(sb) - 1);
1608 	return (sb);
1609 }
1610 
1611 int
1612 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
1613 {
1614 	struct rctl_rule *filter;
1615 	struct sbuf *outputsbuf = NULL;
1616 	struct proc *p;
1617 	struct uidinfo *uip;
1618 	struct loginclass *lc;
1619 	struct prison_racct *prr;
1620 	char *inputstr;
1621 	int error;
1622 
1623 	if (!racct_enable)
1624 		return (ENOSYS);
1625 
1626 	error = priv_check(td, PRIV_RCTL_GET_RACCT);
1627 	if (error != 0)
1628 		return (error);
1629 
1630 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1631 	if (error != 0)
1632 		return (error);
1633 
1634 	sx_slock(&allproc_lock);
1635 	error = rctl_string_to_rule(inputstr, &filter);
1636 	free(inputstr, M_RCTL);
1637 	if (error != 0) {
1638 		sx_sunlock(&allproc_lock);
1639 		return (error);
1640 	}
1641 
1642 	switch (filter->rr_subject_type) {
1643 	case RCTL_SUBJECT_TYPE_PROCESS:
1644 		p = filter->rr_subject.rs_proc;
1645 		if (p == NULL) {
1646 			error = EINVAL;
1647 			goto out;
1648 		}
1649 		outputsbuf = rctl_racct_to_sbuf(p->p_racct, 0);
1650 		break;
1651 	case RCTL_SUBJECT_TYPE_USER:
1652 		uip = filter->rr_subject.rs_uip;
1653 		if (uip == NULL) {
1654 			error = EINVAL;
1655 			goto out;
1656 		}
1657 		outputsbuf = rctl_racct_to_sbuf(uip->ui_racct, 1);
1658 		break;
1659 	case RCTL_SUBJECT_TYPE_LOGINCLASS:
1660 		lc = filter->rr_subject.rs_loginclass;
1661 		if (lc == NULL) {
1662 			error = EINVAL;
1663 			goto out;
1664 		}
1665 		outputsbuf = rctl_racct_to_sbuf(lc->lc_racct, 1);
1666 		break;
1667 	case RCTL_SUBJECT_TYPE_JAIL:
1668 		prr = filter->rr_subject.rs_prison_racct;
1669 		if (prr == NULL) {
1670 			error = EINVAL;
1671 			goto out;
1672 		}
1673 		outputsbuf = rctl_racct_to_sbuf(prr->prr_racct, 1);
1674 		break;
1675 	default:
1676 		error = EINVAL;
1677 	}
1678 out:
1679 	rctl_rule_release(filter);
1680 	sx_sunlock(&allproc_lock);
1681 	if (error != 0)
1682 		return (error);
1683 
1684 	error = rctl_write_outbuf(outputsbuf, uap->outbufp, uap->outbuflen);
1685 
1686 	return (error);
1687 }
1688 
1689 static void
1690 rctl_get_rules_callback(struct racct *racct, void *arg2, void *arg3)
1691 {
1692 	struct rctl_rule *filter = (struct rctl_rule *)arg2;
1693 	struct rctl_rule_link *link;
1694 	struct sbuf *sb = (struct sbuf *)arg3;
1695 
1696 	ASSERT_RACCT_ENABLED();
1697 	RACCT_LOCK_ASSERT();
1698 
1699 	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
1700 		if (!rctl_rule_matches(link->rrl_rule, filter))
1701 			continue;
1702 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1703 		sbuf_printf(sb, ",");
1704 	}
1705 }
1706 
1707 int
1708 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
1709 {
1710 	struct sbuf *sb;
1711 	struct rctl_rule *filter;
1712 	struct rctl_rule_link *link;
1713 	struct proc *p;
1714 	char *inputstr, *buf;
1715 	size_t bufsize;
1716 	int error;
1717 
1718 	if (!racct_enable)
1719 		return (ENOSYS);
1720 
1721 	error = priv_check(td, PRIV_RCTL_GET_RULES);
1722 	if (error != 0)
1723 		return (error);
1724 
1725 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1726 	if (error != 0)
1727 		return (error);
1728 
1729 	sx_slock(&allproc_lock);
1730 	error = rctl_string_to_rule(inputstr, &filter);
1731 	free(inputstr, M_RCTL);
1732 	if (error != 0) {
1733 		sx_sunlock(&allproc_lock);
1734 		return (error);
1735 	}
1736 
1737 	bufsize = uap->outbuflen;
1738 	if (bufsize > rctl_maxbufsize) {
1739 		sx_sunlock(&allproc_lock);
1740 		return (E2BIG);
1741 	}
1742 
1743 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1744 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1745 	KASSERT(sb != NULL, ("sbuf_new failed"));
1746 
1747 	FOREACH_PROC_IN_SYSTEM(p) {
1748 		RACCT_LOCK();
1749 		LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1750 			/*
1751 			 * Non-process rules will be added to the buffer later.
1752 			 * Adding them here would result in duplicated output.
1753 			 */
1754 			if (link->rrl_rule->rr_subject_type !=
1755 			    RCTL_SUBJECT_TYPE_PROCESS)
1756 				continue;
1757 			if (!rctl_rule_matches(link->rrl_rule, filter))
1758 				continue;
1759 			rctl_rule_to_sbuf(sb, link->rrl_rule);
1760 			sbuf_printf(sb, ",");
1761 		}
1762 		RACCT_UNLOCK();
1763 	}
1764 
1765 	loginclass_racct_foreach(rctl_get_rules_callback,
1766 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1767 	    filter, sb);
1768 	ui_racct_foreach(rctl_get_rules_callback,
1769 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1770 	    filter, sb);
1771 	prison_racct_foreach(rctl_get_rules_callback,
1772 	    rctl_rule_pre_callback, rctl_rule_post_callback,
1773 	    filter, sb);
1774 	if (sbuf_error(sb) == ENOMEM) {
1775 		error = ERANGE;
1776 		goto out;
1777 	}
1778 
1779 	/*
1780 	 * Remove trailing ",".
1781 	 */
1782 	if (sbuf_len(sb) > 0)
1783 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1784 
1785 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1786 out:
1787 	rctl_rule_release(filter);
1788 	sx_sunlock(&allproc_lock);
1789 	free(buf, M_RCTL);
1790 	return (error);
1791 }
1792 
1793 int
1794 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
1795 {
1796 	struct sbuf *sb;
1797 	struct rctl_rule *filter;
1798 	struct rctl_rule_link *link;
1799 	char *inputstr, *buf;
1800 	size_t bufsize;
1801 	int error;
1802 
1803 	if (!racct_enable)
1804 		return (ENOSYS);
1805 
1806 	error = priv_check(td, PRIV_RCTL_GET_LIMITS);
1807 	if (error != 0)
1808 		return (error);
1809 
1810 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1811 	if (error != 0)
1812 		return (error);
1813 
1814 	sx_slock(&allproc_lock);
1815 	error = rctl_string_to_rule(inputstr, &filter);
1816 	free(inputstr, M_RCTL);
1817 	if (error != 0) {
1818 		sx_sunlock(&allproc_lock);
1819 		return (error);
1820 	}
1821 
1822 	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_UNDEFINED) {
1823 		rctl_rule_release(filter);
1824 		sx_sunlock(&allproc_lock);
1825 		return (EINVAL);
1826 	}
1827 	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_PROCESS) {
1828 		rctl_rule_release(filter);
1829 		sx_sunlock(&allproc_lock);
1830 		return (EOPNOTSUPP);
1831 	}
1832 	if (filter->rr_subject.rs_proc == NULL) {
1833 		rctl_rule_release(filter);
1834 		sx_sunlock(&allproc_lock);
1835 		return (EINVAL);
1836 	}
1837 
1838 	bufsize = uap->outbuflen;
1839 	if (bufsize > rctl_maxbufsize) {
1840 		rctl_rule_release(filter);
1841 		sx_sunlock(&allproc_lock);
1842 		return (E2BIG);
1843 	}
1844 
1845 	buf = malloc(bufsize, M_RCTL, M_WAITOK);
1846 	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
1847 	KASSERT(sb != NULL, ("sbuf_new failed"));
1848 
1849 	RACCT_LOCK();
1850 	LIST_FOREACH(link, &filter->rr_subject.rs_proc->p_racct->r_rule_links,
1851 	    rrl_next) {
1852 		rctl_rule_to_sbuf(sb, link->rrl_rule);
1853 		sbuf_printf(sb, ",");
1854 	}
1855 	RACCT_UNLOCK();
1856 	if (sbuf_error(sb) == ENOMEM) {
1857 		error = ERANGE;
1858 		sbuf_delete(sb);
1859 		goto out;
1860 	}
1861 
1862 	/*
1863 	 * Remove trailing ",".
1864 	 */
1865 	if (sbuf_len(sb) > 0)
1866 		sbuf_setpos(sb, sbuf_len(sb) - 1);
1867 
1868 	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
1869 out:
1870 	rctl_rule_release(filter);
1871 	sx_sunlock(&allproc_lock);
1872 	free(buf, M_RCTL);
1873 	return (error);
1874 }
1875 
1876 int
1877 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
1878 {
1879 	struct rctl_rule *rule;
1880 	char *inputstr;
1881 	int error;
1882 
1883 	if (!racct_enable)
1884 		return (ENOSYS);
1885 
1886 	error = priv_check(td, PRIV_RCTL_ADD_RULE);
1887 	if (error != 0)
1888 		return (error);
1889 
1890 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1891 	if (error != 0)
1892 		return (error);
1893 
1894 	sx_slock(&allproc_lock);
1895 	error = rctl_string_to_rule(inputstr, &rule);
1896 	free(inputstr, M_RCTL);
1897 	if (error != 0) {
1898 		sx_sunlock(&allproc_lock);
1899 		return (error);
1900 	}
1901 	/*
1902 	 * The 'per' part of a rule is optional.
1903 	 */
1904 	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1905 	    rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1906 		rule->rr_per = rule->rr_subject_type;
1907 
1908 	if (!rctl_rule_fully_specified(rule)) {
1909 		error = EINVAL;
1910 		goto out;
1911 	}
1912 
1913 	error = rctl_rule_add(rule);
1914 
1915 out:
1916 	rctl_rule_release(rule);
1917 	sx_sunlock(&allproc_lock);
1918 	return (error);
1919 }
1920 
1921 int
1922 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
1923 {
1924 	struct rctl_rule *filter;
1925 	char *inputstr;
1926 	int error;
1927 
1928 	if (!racct_enable)
1929 		return (ENOSYS);
1930 
1931 	error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
1932 	if (error != 0)
1933 		return (error);
1934 
1935 	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
1936 	if (error != 0)
1937 		return (error);
1938 
1939 	sx_slock(&allproc_lock);
1940 	error = rctl_string_to_rule(inputstr, &filter);
1941 	free(inputstr, M_RCTL);
1942 	if (error != 0) {
1943 		sx_sunlock(&allproc_lock);
1944 		return (error);
1945 	}
1946 
1947 	error = rctl_rule_remove(filter);
1948 	rctl_rule_release(filter);
1949 	sx_sunlock(&allproc_lock);
1950 
1951 	return (error);
1952 }
1953 
1954 /*
1955  * Update RCTL rule list after credential change.
1956  */
1957 void
1958 rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred)
1959 {
1960 	LIST_HEAD(, rctl_rule_link) newrules;
1961 	struct rctl_rule_link *link, *newlink;
1962 	struct uidinfo *newuip;
1963 	struct loginclass *newlc;
1964 	struct prison_racct *newprr;
1965 	int rulecnt, i;
1966 
1967 	if (!racct_enable)
1968 		return;
1969 
1970 	PROC_LOCK_ASSERT(p, MA_NOTOWNED);
1971 
1972 	newuip = newcred->cr_ruidinfo;
1973 	newlc = newcred->cr_loginclass;
1974 	newprr = newcred->cr_prison->pr_prison_racct;
1975 
1976 	LIST_INIT(&newrules);
1977 
1978 again:
1979 	/*
1980 	 * First, count the rules that apply to the process with new
1981 	 * credentials.
1982 	 */
1983 	rulecnt = 0;
1984 	RACCT_LOCK();
1985 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
1986 		if (link->rrl_rule->rr_subject_type ==
1987 		    RCTL_SUBJECT_TYPE_PROCESS)
1988 			rulecnt++;
1989 	}
1990 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next)
1991 		rulecnt++;
1992 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next)
1993 		rulecnt++;
1994 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next)
1995 		rulecnt++;
1996 	RACCT_UNLOCK();
1997 
1998 	/*
1999 	 * Create temporary list.  We've dropped the rctl_lock in order
2000 	 * to use M_WAITOK.
2001 	 */
2002 	for (i = 0; i < rulecnt; i++) {
2003 		newlink = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
2004 		newlink->rrl_rule = NULL;
2005 		newlink->rrl_exceeded = 0;
2006 		LIST_INSERT_HEAD(&newrules, newlink, rrl_next);
2007 	}
2008 
2009 	newlink = LIST_FIRST(&newrules);
2010 
2011 	/*
2012 	 * Assign rules to the newly allocated list entries.
2013 	 */
2014 	RACCT_LOCK();
2015 	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
2016 		if (link->rrl_rule->rr_subject_type ==
2017 		    RCTL_SUBJECT_TYPE_PROCESS) {
2018 			if (newlink == NULL)
2019 				goto goaround;
2020 			rctl_rule_acquire(link->rrl_rule);
2021 			newlink->rrl_rule = link->rrl_rule;
2022 			newlink->rrl_exceeded = link->rrl_exceeded;
2023 			newlink = LIST_NEXT(newlink, rrl_next);
2024 			rulecnt--;
2025 		}
2026 	}
2027 
2028 	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next) {
2029 		if (newlink == NULL)
2030 			goto goaround;
2031 		rctl_rule_acquire(link->rrl_rule);
2032 		newlink->rrl_rule = link->rrl_rule;
2033 		newlink->rrl_exceeded = link->rrl_exceeded;
2034 		newlink = LIST_NEXT(newlink, rrl_next);
2035 		rulecnt--;
2036 	}
2037 
2038 	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next) {
2039 		if (newlink == NULL)
2040 			goto goaround;
2041 		rctl_rule_acquire(link->rrl_rule);
2042 		newlink->rrl_rule = link->rrl_rule;
2043 		newlink->rrl_exceeded = link->rrl_exceeded;
2044 		newlink = LIST_NEXT(newlink, rrl_next);
2045 		rulecnt--;
2046 	}
2047 
2048 	LIST_FOREACH(link, &newprr->prr_racct->r_rule_links, rrl_next) {
2049 		if (newlink == NULL)
2050 			goto goaround;
2051 		rctl_rule_acquire(link->rrl_rule);
2052 		newlink->rrl_rule = link->rrl_rule;
2053 		newlink->rrl_exceeded = link->rrl_exceeded;
2054 		newlink = LIST_NEXT(newlink, rrl_next);
2055 		rulecnt--;
2056 	}
2057 
2058 	if (rulecnt == 0) {
2059 		/*
2060 		 * Free the old rule list.
2061 		 */
2062 		while (!LIST_EMPTY(&p->p_racct->r_rule_links)) {
2063 			link = LIST_FIRST(&p->p_racct->r_rule_links);
2064 			LIST_REMOVE(link, rrl_next);
2065 			rctl_rule_release(link->rrl_rule);
2066 			uma_zfree(rctl_rule_link_zone, link);
2067 		}
2068 
2069 		/*
2070 		 * Replace lists and we're done.
2071 		 *
2072 		 * XXX: Is there any way to switch list heads instead
2073 		 *      of iterating here?
2074 		 */
2075 		while (!LIST_EMPTY(&newrules)) {
2076 			newlink = LIST_FIRST(&newrules);
2077 			LIST_REMOVE(newlink, rrl_next);
2078 			LIST_INSERT_HEAD(&p->p_racct->r_rule_links,
2079 			    newlink, rrl_next);
2080 		}
2081 
2082 		RACCT_UNLOCK();
2083 
2084 		return;
2085 	}
2086 
2087 goaround:
2088 	RACCT_UNLOCK();
2089 
2090 	/*
2091 	 * Rule list changed while we were not holding the rctl_lock.
2092 	 * Free the new list and try again.
2093 	 */
2094 	while (!LIST_EMPTY(&newrules)) {
2095 		newlink = LIST_FIRST(&newrules);
2096 		LIST_REMOVE(newlink, rrl_next);
2097 		if (newlink->rrl_rule != NULL)
2098 			rctl_rule_release(newlink->rrl_rule);
2099 		uma_zfree(rctl_rule_link_zone, newlink);
2100 	}
2101 
2102 	goto again;
2103 }
2104 
2105 /*
2106  * Assign RCTL rules to the newly created process.
2107  */
2108 int
2109 rctl_proc_fork(struct proc *parent, struct proc *child)
2110 {
2111 	struct rctl_rule *rule;
2112 	struct rctl_rule_link *link;
2113 	int error;
2114 
2115 	ASSERT_RACCT_ENABLED();
2116 	RACCT_LOCK_ASSERT();
2117 	KASSERT(parent->p_racct != NULL, ("process without racct; p = %p", parent));
2118 
2119 	LIST_INIT(&child->p_racct->r_rule_links);
2120 
2121 	/*
2122 	 * Go through limits applicable to the parent and assign them
2123 	 * to the child.  Rules with 'process' subject have to be duplicated
2124 	 * in order to make their rr_subject point to the new process.
2125 	 */
2126 	LIST_FOREACH(link, &parent->p_racct->r_rule_links, rrl_next) {
2127 		if (link->rrl_rule->rr_subject_type ==
2128 		    RCTL_SUBJECT_TYPE_PROCESS) {
2129 			rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2130 			if (rule == NULL)
2131 				goto fail;
2132 			KASSERT(rule->rr_subject.rs_proc == parent,
2133 			    ("rule->rr_subject.rs_proc != parent"));
2134 			rule->rr_subject.rs_proc = child;
2135 			error = rctl_racct_add_rule_locked(child->p_racct,
2136 			    rule);
2137 			rctl_rule_release(rule);
2138 			if (error != 0)
2139 				goto fail;
2140 		} else {
2141 			error = rctl_racct_add_rule_locked(child->p_racct,
2142 			    link->rrl_rule);
2143 			if (error != 0)
2144 				goto fail;
2145 		}
2146 	}
2147 
2148 	return (0);
2149 
2150 fail:
2151 	while (!LIST_EMPTY(&child->p_racct->r_rule_links)) {
2152 		link = LIST_FIRST(&child->p_racct->r_rule_links);
2153 		LIST_REMOVE(link, rrl_next);
2154 		rctl_rule_release(link->rrl_rule);
2155 		uma_zfree(rctl_rule_link_zone, link);
2156 	}
2157 
2158 	return (EAGAIN);
2159 }
2160 
2161 /*
2162  * Release rules attached to the racct.
2163  */
2164 void
2165 rctl_racct_release(struct racct *racct)
2166 {
2167 	struct rctl_rule_link *link;
2168 
2169 	ASSERT_RACCT_ENABLED();
2170 	RACCT_LOCK_ASSERT();
2171 
2172 	while (!LIST_EMPTY(&racct->r_rule_links)) {
2173 		link = LIST_FIRST(&racct->r_rule_links);
2174 		LIST_REMOVE(link, rrl_next);
2175 		rctl_rule_release(link->rrl_rule);
2176 		uma_zfree(rctl_rule_link_zone, link);
2177 	}
2178 }
2179 
2180 static void
2181 rctl_init(void)
2182 {
2183 
2184 	if (!racct_enable)
2185 		return;
2186 
2187 	rctl_rule_zone = uma_zcreate("rctl_rule", sizeof(struct rctl_rule),
2188 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
2189 	rctl_rule_link_zone = uma_zcreate("rctl_rule_link",
2190 	    sizeof(struct rctl_rule_link), NULL, NULL, NULL, NULL,
2191 	    UMA_ALIGN_PTR, 0);
2192 
2193 	/*
2194 	 * Set default values, making sure not to overwrite the ones
2195 	 * fetched from tunables.  Most of those could be set at the
2196 	 * declaration, except for the rctl_throttle_max - we cannot
2197 	 * set it there due to hz not being compile time constant.
2198 	 */
2199 	if (rctl_throttle_min < 1)
2200 		rctl_throttle_min = 1;
2201 	if (rctl_throttle_max < rctl_throttle_min)
2202 		rctl_throttle_max = 2 * hz;
2203 	if (rctl_throttle_pct < 0)
2204 		rctl_throttle_pct = 100;
2205 	if (rctl_throttle_pct2 < 0)
2206 		rctl_throttle_pct2 = 100;
2207 }
2208 
2209 #else /* !RCTL */
2210 
2211 int
2212 sys_rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
2213 {
2214 
2215 	return (ENOSYS);
2216 }
2217 
2218 int
2219 sys_rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
2220 {
2221 
2222 	return (ENOSYS);
2223 }
2224 
2225 int
2226 sys_rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
2227 {
2228 
2229 	return (ENOSYS);
2230 }
2231 
2232 int
2233 sys_rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
2234 {
2235 
2236 	return (ENOSYS);
2237 }
2238 
2239 int
2240 sys_rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
2241 {
2242 
2243 	return (ENOSYS);
2244 }
2245 
2246 #endif /* !RCTL */
2247