xref: /titanic_44/usr/src/uts/common/syscall/rctlsys.c (revision a576ab5b6e08c47732b3dedca9eaa8a8cbb85720)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 
30 #include <sys/cmn_err.h>
31 #include <sys/cred.h>
32 #include <sys/errno.h>
33 #include <sys/rctl.h>
34 #include <sys/rctl_impl.h>
35 #include <sys/strlog.h>
36 #include <sys/syslog.h>
37 #include <sys/sysmacros.h>
38 #include <sys/systm.h>
39 #include <sys/policy.h>
40 #include <sys/proc.h>
41 #include <sys/task.h>
42 
43 /*
44  * setrctl(2), getrctl(2), and private rctlsys(2*) system calls
45  *
46  * Resource control block (rctlblk_ptr_t, rctl_opaque_t)
47  *   The resource control system call interfaces present the resource control
48  *   values and flags via the resource control block abstraction, made manifest
49  *   via an opaque data type with strict type definitions.  Keeping the formal
50  *   definitions in the rcontrol block allows us to be clever in the kernel,
51  *   combining attributes where appropriate in the current implementation while
52  *   preserving binary compatibility in the face of implementation changes.
53  */
54 
55 #define	RBX_TO_BLK	0x1
56 #define	RBX_FROM_BLK	0x2
57 #define	RBX_VAL		0x4
58 #define	RBX_CTL		0x8
59 
60 static void
61 rctlsys_rblk_xfrm(rctl_opaque_t *blk, rctl_dict_entry_t *rde,
62     rctl_val_t *val, int flags)
63 {
64 	if (flags & RBX_FROM_BLK) {
65 		if (flags & RBX_VAL) {
66 			/*
67 			 * Firing time cannot be set.
68 			 */
69 			val->rcv_privilege = blk->rcq_privilege;
70 			val->rcv_value = blk->rcq_value;
71 			val->rcv_flagaction = blk->rcq_local_flagaction;
72 			val->rcv_action_signal = blk->rcq_local_signal;
73 			val->rcv_action_recip_pid =
74 			    blk->rcq_local_recipient_pid;
75 		}
76 		if (flags & RBX_CTL) {
77 			rde->rcd_flagaction = blk->rcq_global_flagaction;
78 			rde->rcd_syslog_level = blk->rcq_global_syslog_level;
79 
80 			/*
81 			 * Because the strlog() interface supports fewer options
82 			 * than are made available via the syslog() interface to
83 			 * userland, we map the syslog level down to a smaller
84 			 * set of distinct logging behaviours.
85 			 */
86 			rde->rcd_strlog_flags = 0;
87 			switch (blk->rcq_global_syslog_level) {
88 				case LOG_EMERG:
89 				case LOG_ALERT:
90 				case LOG_CRIT:
91 					rde->rcd_strlog_flags |= SL_CONSOLE;
92 					/*FALLTHROUGH*/
93 				case LOG_ERR:
94 					rde->rcd_strlog_flags |= SL_ERROR;
95 					/*FALLTHROUGH*/
96 				case LOG_WARNING:
97 					rde->rcd_strlog_flags |= SL_WARN;
98 					break;
99 				case LOG_NOTICE:
100 					rde->rcd_strlog_flags |= SL_CONSOLE;
101 					/*FALLTHROUGH*/
102 				case LOG_INFO:	/* informational */
103 				case LOG_DEBUG:	/* debug-level messages */
104 				default:
105 					rde->rcd_strlog_flags |= SL_NOTE;
106 					break;
107 			}
108 		}
109 	} else {
110 		bzero(blk,  sizeof (rctl_opaque_t));
111 		if (flags & RBX_VAL) {
112 			blk->rcq_privilege = val->rcv_privilege;
113 			blk->rcq_value = val->rcv_value;
114 			blk->rcq_enforced_value = rctl_model_value(rde,
115 			    curproc, val->rcv_value);
116 			blk->rcq_local_flagaction = val->rcv_flagaction;
117 			blk->rcq_local_signal = val->rcv_action_signal;
118 			blk->rcq_firing_time = val->rcv_firing_time;
119 			blk->rcq_local_recipient_pid =
120 			    val->rcv_action_recip_pid;
121 		}
122 		if (flags & RBX_CTL) {
123 			blk->rcq_global_flagaction = rde->rcd_flagaction;
124 			blk->rcq_global_syslog_level = rde->rcd_syslog_level;
125 		}
126 	}
127 }
128 
129 /*
130  * int rctl_invalid_value(rctl_dict_entry_t *, rctl_val_t *)
131  *
132  * Overview
133  *   Perform basic validation of proposed new resource control value against the
134  *   global properties set on the control.  Any system call operation presented
135  *   with an invalid resource control value should return -1 and set errno to
136  *   EINVAL.
137  *
138  * Return values
139  *   0 if valid, 1 if invalid.
140  *
141  * Caller's context
142  *   No restriction on context.
143  */
144 int
145 rctl_invalid_value(rctl_dict_entry_t *rde, rctl_val_t *rval)
146 {
147 	rctl_val_t *sys_rval;
148 
149 	if (rval->rcv_privilege != RCPRIV_BASIC &&
150 	    rval->rcv_privilege != RCPRIV_PRIVILEGED &&
151 	    rval->rcv_privilege != RCPRIV_SYSTEM)
152 		return (1);
153 
154 	if (rval->rcv_flagaction & ~RCTL_LOCAL_MASK)
155 		return (1);
156 
157 	if (rval->rcv_privilege == RCPRIV_BASIC &&
158 	    (rde->rcd_flagaction & RCTL_GLOBAL_NOBASIC) != 0)
159 		return (1);
160 
161 	if ((rval->rcv_flagaction & RCTL_LOCAL_DENY) == 0 &&
162 	    (rde->rcd_flagaction & RCTL_GLOBAL_DENY_ALWAYS) != 0)
163 		return (1);
164 
165 	if ((rval->rcv_flagaction & RCTL_LOCAL_DENY) &&
166 	    (rde->rcd_flagaction & RCTL_GLOBAL_DENY_NEVER))
167 		return (1);
168 
169 	if ((rval->rcv_flagaction & RCTL_LOCAL_SIGNAL) &&
170 	    (rde->rcd_flagaction & RCTL_GLOBAL_SIGNAL_NEVER))
171 		return (1);
172 
173 	if ((rval->rcv_flagaction & RCTL_LOCAL_SIGNAL) &&
174 	    rval->rcv_action_signal == 0)
175 		return (1);
176 
177 	if (rval->rcv_action_signal == SIGXCPU &&
178 	    (rde->rcd_flagaction & RCTL_GLOBAL_CPU_TIME) == 0)
179 		return (1);
180 	else if (rval->rcv_action_signal == SIGXFSZ &&
181 	    (rde->rcd_flagaction & RCTL_GLOBAL_FILE_SIZE) == 0)
182 		return (1);
183 	else if (rval->rcv_action_signal != SIGHUP &&
184 	    rval->rcv_action_signal != SIGABRT &&
185 	    rval->rcv_action_signal != SIGKILL &&
186 	    rval->rcv_action_signal != SIGTERM &&
187 	    rval->rcv_action_signal != SIGSTOP &&
188 	    rval->rcv_action_signal != SIGXCPU &&
189 	    rval->rcv_action_signal != SIGXFSZ &&
190 	    rval->rcv_action_signal != SIGXRES &&
191 	    rval->rcv_action_signal != 0)	/* That is, no signal is ok. */
192 		return (1);
193 
194 	sys_rval = rde->rcd_default_value;
195 	while (sys_rval->rcv_privilege != RCPRIV_SYSTEM)
196 		sys_rval = sys_rval->rcv_next;
197 
198 	if (rval->rcv_value > sys_rval->rcv_value)
199 		return (1);
200 
201 	return (0);
202 }
203 
204 /*
205  * static long rctlsys_get(char *name, rctl_opaque_t *old_rblk,
206  *   rctl_opaque_t *new_rblk, int flags)
207  *
208  * Overview
209  *   rctlsys_get() is the implementation of the core logic of getrctl(2), the
210  *   public system call for fetching resource control values.  Two mutually
211  *   exclusive flag values are supported:  RCTL_FIRST and RCTL_NEXT.  When
212  *   RCTL_FIRST is presented, the value of old_rblk is ignored, and the first
213  *   value in the resource control value sequence for the named control is
214  *   transformed and placed in the user memory location at new_rblk.  In the
215  *   RCTL_NEXT case, the value of old_rblk is examined, and the next value in
216  *   the sequence is transformed and placed at new_rblk.
217  */
218 static long
219 rctlsys_get(char *name, rctl_opaque_t *old_rblk, rctl_opaque_t *new_rblk,
220     int flags)
221 {
222 	rctl_val_t *nval;
223 	rctl_opaque_t *nblk;
224 	rctl_hndl_t hndl;
225 	char *kname;
226 	size_t klen;
227 	rctl_dict_entry_t *krde;
228 	int ret;
229 	int action = flags & (~RCTLSYS_ACTION_MASK);
230 
231 	if (flags & (~RCTLSYS_MASK))
232 		return (set_errno(EINVAL));
233 
234 	if (action != RCTL_FIRST && action != RCTL_NEXT &&
235 	    action != RCTL_USAGE)
236 		return (set_errno(EINVAL));
237 
238 	if (new_rblk == NULL || name == NULL)
239 		return (set_errno(EFAULT));
240 
241 	kname = kmem_alloc(MAXPATHLEN, KM_SLEEP);
242 	krde = kmem_alloc(sizeof (rctl_dict_entry_t), KM_SLEEP);
243 
244 	if (copyinstr(name, kname, MAXPATHLEN, &klen) != 0) {
245 		kmem_free(kname, MAXPATHLEN);
246 		kmem_free(krde, sizeof (rctl_dict_entry_t));
247 		return (set_errno(EFAULT));
248 	}
249 
250 	if ((hndl = rctl_hndl_lookup(kname)) == -1) {
251 		kmem_free(kname, MAXPATHLEN);
252 		kmem_free(krde, sizeof (rctl_dict_entry_t));
253 		return (set_errno(EINVAL));
254 	}
255 
256 	if (rctl_global_get(kname, krde) == -1) {
257 		kmem_free(kname, MAXPATHLEN);
258 		kmem_free(krde, sizeof (rctl_dict_entry_t));
259 		return (set_errno(ESRCH));
260 	}
261 
262 	kmem_free(kname, MAXPATHLEN);
263 
264 	nval = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
265 
266 	if (action == RCTL_USAGE) {
267 		kmem_cache_free(rctl_val_cache, nval);
268 		kmem_free(krde, sizeof (rctl_dict_entry_t));
269 		return (set_errno(ENOTSUP));
270 	} else if (action == RCTL_FIRST) {
271 
272 		mutex_enter(&curproc->p_lock);
273 		if (ret = rctl_local_get(hndl, NULL, nval, curproc)) {
274 			mutex_exit(&curproc->p_lock);
275 			kmem_cache_free(rctl_val_cache, nval);
276 			kmem_free(krde, sizeof (rctl_dict_entry_t));
277 			return (set_errno(ret));
278 		}
279 		mutex_exit(&curproc->p_lock);
280 	} else {
281 		/*
282 		 * RCTL_NEXT
283 		 */
284 		rctl_val_t *oval;
285 		rctl_opaque_t *oblk;
286 
287 		oblk = kmem_alloc(sizeof (rctl_opaque_t), KM_SLEEP);
288 
289 		if (copyin(old_rblk, oblk, sizeof (rctl_opaque_t)) == -1) {
290 			kmem_cache_free(rctl_val_cache, nval);
291 			kmem_free(oblk, sizeof (rctl_opaque_t));
292 			kmem_free(krde, sizeof (rctl_dict_entry_t));
293 			return (set_errno(EFAULT));
294 		}
295 
296 		oval = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
297 
298 		rctlsys_rblk_xfrm(oblk, NULL, oval, RBX_FROM_BLK | RBX_VAL);
299 		mutex_enter(&curproc->p_lock);
300 		ret = rctl_local_get(hndl, oval, nval, curproc);
301 		mutex_exit(&curproc->p_lock);
302 
303 		kmem_cache_free(rctl_val_cache, oval);
304 		kmem_free(oblk, sizeof (rctl_opaque_t));
305 
306 		if (ret != 0) {
307 			kmem_cache_free(rctl_val_cache, nval);
308 			kmem_free(krde, sizeof (rctl_dict_entry_t));
309 			return (set_errno(ret));
310 		}
311 	}
312 
313 	nblk = kmem_alloc(sizeof (rctl_opaque_t), KM_SLEEP);
314 
315 	rctlsys_rblk_xfrm(nblk, krde, nval, RBX_TO_BLK | RBX_VAL | RBX_CTL);
316 
317 	kmem_free(krde, sizeof (rctl_dict_entry_t));
318 	kmem_cache_free(rctl_val_cache, nval);
319 
320 	if (copyout(nblk, new_rblk, sizeof (rctl_opaque_t)) == -1) {
321 		kmem_free(nblk, sizeof (rctl_opaque_t));
322 		return (set_errno(EFAULT));
323 	}
324 
325 	kmem_free(nblk, sizeof (rctl_opaque_t));
326 
327 	return (0);
328 }
329 
330 /*
331  * static long rctlsys_set(char *name, rctl_opaque_t *old_rblk,
332  *   rctl_opaque_t *new_rblk, int flags)
333  *
334  * Overview
335  *   rctlsys_set() is the implementation of the core login of setrctl(2), which
336  *   allows the establishment of resource control values.  Flags may take on any
337  *   of three exclusive values:  RCTL_INSERT, RCTL_DELETE, and RCTL_REPLACE.
338  *   RCTL_INSERT ignores old_rblk and inserts the value in the appropriate
339  *   position in the ordered sequence of resource control values.  RCTL_DELETE
340  *   ignores old_rblk and deletes the first resource control value matching
341  *   (value, priority) in the given resource block.  If no matching value is
342  *   found, -1 is returned and errno is set to ENOENT.  Finally, in the case of
343  *   RCTL_REPLACE, old_rblk is used to match (value, priority); the matching
344  *   resource control value in the sequence is replaced with the contents of
345  *   new_rblk.  Again, if no match is found, -1 is returned and errno is set to
346  *   ENOENT.
347  *
348  *   rctlsys_set() causes a cursor test, which can reactivate resource controls
349  *   that have previously fired.
350  */
351 static long
352 rctlsys_set(char *name, rctl_opaque_t *old_rblk, rctl_opaque_t *new_rblk,
353     int flags)
354 {
355 	rctl_val_t *nval;
356 	rctl_dict_entry_t *rde;
357 	rctl_opaque_t *nblk;
358 	rctl_hndl_t hndl;
359 	char *kname;
360 	size_t klen;
361 	long ret = 0;
362 	proc_t *pp = NULL;
363 	pid_t pid;
364 	int action = flags & (~RCTLSYS_ACTION_MASK);
365 	rctl_val_t *oval;
366 	rctl_val_t *rval1;
367 	rctl_val_t *rval2;
368 	rctl_val_t *tval;
369 	rctl_opaque_t *oblk;
370 
371 	if (flags & (~RCTLSYS_MASK))
372 		return (set_errno(EINVAL));
373 
374 	if (action != RCTL_INSERT &&
375 	    action != RCTL_DELETE &&
376 	    action != RCTL_REPLACE)
377 		return (set_errno(EINVAL));
378 
379 	if (new_rblk == NULL || name == NULL)
380 		return (set_errno(EFAULT));
381 
382 	kname = kmem_alloc(MAXPATHLEN, KM_SLEEP);
383 	if (copyinstr(name, kname, MAXPATHLEN, &klen) != 0) {
384 		kmem_free(kname, MAXPATHLEN);
385 		return (set_errno(EFAULT));
386 	}
387 
388 	if ((hndl = rctl_hndl_lookup(kname)) == -1) {
389 		kmem_free(kname, MAXPATHLEN);
390 		return (set_errno(EINVAL));
391 	}
392 
393 	kmem_free(kname, MAXPATHLEN);
394 
395 	rde = rctl_dict_lookup_hndl(hndl);
396 
397 	nblk = kmem_alloc(sizeof (rctl_opaque_t), KM_SLEEP);
398 
399 	if (copyin(new_rblk, nblk, sizeof (rctl_opaque_t)) == -1) {
400 		kmem_free(nblk, sizeof (rctl_opaque_t));
401 		return (set_errno(EFAULT));
402 	}
403 
404 	nval = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
405 
406 	rctlsys_rblk_xfrm(nblk, NULL, nval, RBX_FROM_BLK | RBX_VAL);
407 
408 	if (rctl_invalid_value(rde, nval)) {
409 		kmem_free(nblk, sizeof (rctl_opaque_t));
410 		kmem_cache_free(rctl_val_cache, nval);
411 		return (set_errno(EINVAL));
412 	}
413 
414 	/* allocate what we might need before potentially grabbing p_lock */
415 	oblk = kmem_alloc(sizeof (rctl_opaque_t), KM_SLEEP);
416 	oval = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
417 	rval1 = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
418 	rval2 = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
419 
420 	if (nval->rcv_privilege == RCPRIV_BASIC) {
421 		if (flags & RCTL_USE_RECIPIENT_PID) {
422 			pid = nval->rcv_action_recip_pid;
423 
424 			/* case for manipulating rctl values on other procs */
425 			if (pid != curproc->p_pid) {
426 				/* cannot be other pid on process rctls */
427 				if (rde->rcd_entity == RCENTITY_PROCESS) {
428 					ret = set_errno(EINVAL);
429 					goto rctlsys_out;
430 				}
431 				/*
432 				 * must have privilege to manipulate controls
433 				 * on other processes
434 				 */
435 				if (secpolicy_rctlsys(CRED(), B_FALSE) != 0) {
436 					ret = set_errno(EACCES);
437 					goto rctlsys_out;
438 				}
439 
440 				pid = nval->rcv_action_recip_pid;
441 				mutex_enter(&pidlock);
442 				pp = prfind(pid);
443 				if (!pp) {
444 					mutex_exit(&pidlock);
445 					ret = set_errno(ESRCH);
446 					goto rctlsys_out;
447 				}
448 
449 				/*
450 				 * idle or zombie procs have either not yet
451 				 * set up their rctls or have already done
452 				 * their rctl_set_tearoff's.
453 				 */
454 				if (pp->p_stat == SZOMB ||
455 				    pp->p_stat == SIDL) {
456 					mutex_exit(&pidlock);
457 					ret = set_errno(ESRCH);
458 					goto rctlsys_out;
459 				}
460 
461 				/*
462 				 * hold this pp's p_lock to ensure that
463 				 * it does not do it's rctl_set_tearoff
464 				 * If we did not do this, we could
465 				 * potentially add rctls to the entity
466 				 * with a recipient that is a process
467 				 * that has exited.
468 				 */
469 				mutex_enter(&pp->p_lock);
470 				mutex_exit(&pidlock);
471 
472 				/*
473 				 * We know that curproc's task, project,
474 				 * and zone pointers will not change
475 				 * because functions that change them
476 				 * call holdlwps(SHOLDFORK1) first.
477 				 */
478 
479 				/*
480 				 * verify that the found pp is in the
481 				 * current task.  If it is, then it
482 				 * is also within the current project
483 				 * and zone.
484 				 */
485 				if (rde->rcd_entity == RCENTITY_TASK &&
486 				    pp->p_task != curproc->p_task) {
487 					ret = set_errno(ESRCH);
488 					goto rctlsys_out;
489 				}
490 
491 				ASSERT(pp->p_task->tk_proj ==
492 				    curproc->p_task->tk_proj);
493 				ASSERT(pp->p_zone == curproc->p_zone);
494 
495 
496 				nval->rcv_action_recipient = pp;
497 				nval->rcv_action_recip_pid = pid;
498 
499 			} else {
500 				/* for manipulating rctl values on this proc */
501 				mutex_enter(&curproc->p_lock);
502 				pp = curproc;
503 				nval->rcv_action_recipient = curproc;
504 				nval->rcv_action_recip_pid = curproc->p_pid;
505 			}
506 
507 		} else {
508 			/* RCTL_USE_RECIPIENT_PID not set, use this proc */
509 			mutex_enter(&curproc->p_lock);
510 			pp = curproc;
511 			nval->rcv_action_recipient = curproc;
512 			nval->rcv_action_recip_pid = curproc->p_pid;
513 		}
514 
515 	} else {
516 		/* privileged controls have no recipient pid */
517 		mutex_enter(&curproc->p_lock);
518 		pp = curproc;
519 		nval->rcv_action_recipient = NULL;
520 		nval->rcv_action_recip_pid = -1;
521 	}
522 
523 	nval->rcv_firing_time = 0;
524 
525 	if (action == RCTL_REPLACE) {
526 
527 		if (copyin(old_rblk, oblk, sizeof (rctl_opaque_t)) == -1) {
528 			ret = set_errno(EFAULT);
529 			goto rctlsys_out;
530 		}
531 
532 		rctlsys_rblk_xfrm(oblk, NULL, oval, RBX_FROM_BLK | RBX_VAL);
533 
534 		if (rctl_invalid_value(rde, oval)) {
535 			ret = set_errno(EINVAL);
536 			goto rctlsys_out;
537 		}
538 
539 		if (oval->rcv_privilege == RCPRIV_BASIC) {
540 			if (!(flags & RCTL_USE_RECIPIENT_PID)) {
541 				oval->rcv_action_recipient = curproc;
542 				oval->rcv_action_recip_pid = curproc->p_pid;
543 			}
544 		} else {
545 			oval->rcv_action_recipient = NULL;
546 			oval->rcv_action_recip_pid = -1;
547 		}
548 
549 		/*
550 		 * Find the real value we're attempting to replace on the
551 		 * sequence, rather than trusting the one delivered from
552 		 * userland.
553 		 */
554 		if (ret = rctl_local_get(hndl, NULL, rval1, pp)) {
555 			(void) set_errno(ret);
556 			goto rctlsys_out;
557 		}
558 
559 		do {
560 			if (rval1->rcv_privilege == RCPRIV_SYSTEM ||
561 			    rctl_val_cmp(oval, rval1, 0) == 0)
562 				break;
563 
564 			tval = rval1;
565 			rval1 = rval2;
566 			rval2 = tval;
567 		} while (rctl_local_get(hndl, rval2, rval1, pp) == 0);
568 
569 		if (rval1->rcv_privilege == RCPRIV_SYSTEM) {
570 			if (rctl_val_cmp(oval, rval1, 1) == 0)
571 				ret = set_errno(EPERM);
572 			else
573 				ret = set_errno(ESRCH);
574 
575 			goto rctlsys_out;
576 		}
577 
578 		bcopy(rval1, oval, sizeof (rctl_val_t));
579 
580 		/*
581 		 * System controls are immutable.
582 		 */
583 		if (nval->rcv_privilege == RCPRIV_SYSTEM) {
584 			ret = set_errno(EPERM);
585 			goto rctlsys_out;
586 		}
587 
588 		/*
589 		 * Only privileged processes in the global zone can modify
590 		 * privileged rctls of type RCENTITY_ZONE; replacing privileged
591 		 * controls with basic ones are not allowed either.  Lowering a
592 		 * lowerable one might be OK for privileged processes in a
593 		 * non-global zone, but lowerable rctls probably don't make
594 		 * sense for zones (hence, not modifiable from within a zone).
595 		 */
596 		if (rde->rcd_entity == RCENTITY_ZONE &&
597 		    (nval->rcv_privilege == RCPRIV_PRIVILEGED ||
598 		    oval->rcv_privilege == RCPRIV_PRIVILEGED) &&
599 		    secpolicy_rctlsys(CRED(), B_TRUE) != 0) {
600 			ret = set_errno(EACCES);
601 			goto rctlsys_out;
602 		}
603 
604 		/*
605 		 * Must be privileged to replace a privileged control with
606 		 * a basic one.
607 		 */
608 		if (oval->rcv_privilege == RCPRIV_PRIVILEGED &&
609 		    nval->rcv_privilege != RCPRIV_PRIVILEGED &&
610 		    secpolicy_rctlsys(CRED(), B_FALSE) != 0) {
611 			ret = set_errno(EACCES);
612 			goto rctlsys_out;
613 		}
614 
615 		/*
616 		 * Must have lowerable global property for non-privileged
617 		 * to lower the value of a privileged control; otherwise must
618 		 * have sufficient privileges to modify privileged controls
619 		 * at all.
620 		 */
621 		if (oval->rcv_privilege == RCPRIV_PRIVILEGED &&
622 		    nval->rcv_privilege == RCPRIV_PRIVILEGED &&
623 		    ((((rde->rcd_flagaction & RCTL_GLOBAL_LOWERABLE) == 0) ||
624 		    oval->rcv_flagaction != nval->rcv_flagaction ||
625 		    oval->rcv_action_signal != nval->rcv_action_signal ||
626 		    oval->rcv_value < nval->rcv_value)) &&
627 		    secpolicy_rctlsys(CRED(), B_FALSE) != 0) {
628 			ret = set_errno(EACCES);
629 			goto rctlsys_out;
630 		}
631 
632 		if (ret = rctl_local_replace(hndl, oval, nval, pp)) {
633 			(void) set_errno(ret);
634 			goto rctlsys_out;
635 		}
636 
637 		/* ensure that nval is not freed */
638 		nval = NULL;
639 
640 	} else if (action == RCTL_INSERT) {
641 		/*
642 		 * System controls are immutable.
643 		 */
644 		if (nval->rcv_privilege == RCPRIV_SYSTEM) {
645 			ret = set_errno(EPERM);
646 			goto rctlsys_out;
647 		}
648 
649 		/*
650 		 * Only privileged processes in the global zone may add
651 		 * privileged zone.* rctls.  Only privileged processes
652 		 * may add other privileged rctls.
653 		 */
654 		if (nval->rcv_privilege == RCPRIV_PRIVILEGED) {
655 			if ((rde->rcd_entity == RCENTITY_ZONE &&
656 			    secpolicy_rctlsys(CRED(), B_TRUE) != 0) ||
657 			    (rde->rcd_entity != RCENTITY_ZONE &&
658 			    secpolicy_rctlsys(CRED(), B_FALSE) != 0)) {
659 				ret = set_errno(EACCES);
660 				goto rctlsys_out;
661 			}
662 		}
663 
664 		/*
665 		 * Only one basic control is allowed per rctl.
666 		 * If a basic control is being inserted, delete
667 		 * any other basic control.
668 		 */
669 		if ((nval->rcv_privilege == RCPRIV_BASIC) &&
670 		    (rctl_local_get(hndl, NULL, rval1, pp) == 0)) {
671 			do {
672 				if (rval1->rcv_privilege == RCPRIV_BASIC &&
673 				    rval1->rcv_action_recipient == curproc) {
674 					(void) rctl_local_delete(hndl, rval1,
675 					    pp);
676 					if (rctl_local_get(hndl, NULL, rval1,
677 					    pp) != 0)
678 						break;
679 				}
680 
681 				tval = rval1;
682 				rval1 = rval2;
683 				rval2 = tval;
684 			} while (rctl_local_get(hndl, rval2, rval1, pp)
685 			    == 0);
686 		}
687 
688 
689 		if (ret = rctl_local_insert(hndl, nval, pp)) {
690 			(void) set_errno(ret);
691 			goto rctlsys_out;
692 		}
693 
694 		/* ensure that nval is not freed */
695 		nval = NULL;
696 
697 	} else {
698 		/*
699 		 * RCTL_DELETE
700 		 */
701 		if (nval->rcv_privilege == RCPRIV_SYSTEM) {
702 			ret = set_errno(EPERM);
703 			goto rctlsys_out;
704 		}
705 
706 		if (nval->rcv_privilege == RCPRIV_PRIVILEGED) {
707 			if ((rde->rcd_entity == RCENTITY_ZONE &&
708 			    secpolicy_rctlsys(CRED(), B_TRUE) != 0) ||
709 			    (rde->rcd_entity != RCENTITY_ZONE &&
710 			    secpolicy_rctlsys(CRED(), B_FALSE) != 0)) {
711 				ret = set_errno(EACCES);
712 				goto rctlsys_out;
713 			}
714 		}
715 
716 		if (ret = rctl_local_delete(hndl, nval, pp)) {
717 			(void) set_errno(ret);
718 			goto rctlsys_out;
719 		}
720 	}
721 
722 rctlsys_out:
723 
724 	if (pp)
725 		mutex_exit(&pp->p_lock);
726 
727 	kmem_free(nblk, sizeof (rctl_opaque_t));
728 	kmem_free(oblk, sizeof (rctl_opaque_t));
729 
730 	/* only free nval if we did not rctl_local_insert it */
731 	if (nval)
732 		kmem_cache_free(rctl_val_cache, nval);
733 
734 	kmem_cache_free(rctl_val_cache, oval);
735 	kmem_cache_free(rctl_val_cache, rval1);
736 	kmem_cache_free(rctl_val_cache, rval2);
737 
738 	return (ret);
739 }
740 
741 static long
742 rctlsys_lst(char *ubuf, size_t ubufsz)
743 {
744 	char *kbuf;
745 	size_t kbufsz;
746 
747 	kbufsz = rctl_build_name_buf(&kbuf);
748 
749 	if (kbufsz <= ubufsz &&
750 	    copyout(kbuf, ubuf, kbufsz) != 0) {
751 		kmem_free(kbuf, kbufsz);
752 		return (set_errno(EFAULT));
753 	}
754 
755 	kmem_free(kbuf, kbufsz);
756 
757 	return (kbufsz);
758 }
759 
760 static long
761 rctlsys_ctl(char *name, rctl_opaque_t *rblk, int flags)
762 {
763 	rctl_dict_entry_t *krde;
764 	rctl_opaque_t *krblk;
765 	char *kname;
766 	size_t klen;
767 
768 	kname = kmem_alloc(MAXPATHLEN, KM_SLEEP);
769 
770 	if (name == NULL || copyinstr(name, kname, MAXPATHLEN, &klen) != 0) {
771 		kmem_free(kname, MAXPATHLEN);
772 		return (set_errno(EFAULT));
773 	}
774 
775 	switch (flags) {
776 	case RCTLCTL_GET:
777 		krde = kmem_alloc(sizeof (rctl_dict_entry_t), KM_SLEEP);
778 		krblk = kmem_zalloc(sizeof (rctl_opaque_t), KM_SLEEP);
779 
780 		if (rctl_global_get(kname, krde) == -1) {
781 			kmem_free(krde, sizeof (rctl_dict_entry_t));
782 			kmem_free(krblk, sizeof (rctl_opaque_t));
783 			kmem_free(kname, MAXPATHLEN);
784 			return (set_errno(ESRCH));
785 		}
786 
787 		rctlsys_rblk_xfrm(krblk, krde, NULL, RBX_TO_BLK | RBX_CTL);
788 
789 		if (copyout(krblk, rblk, sizeof (rctl_opaque_t)) != 0) {
790 			kmem_free(krde, sizeof (rctl_dict_entry_t));
791 			kmem_free(krblk, sizeof (rctl_opaque_t));
792 			kmem_free(kname, MAXPATHLEN);
793 			return (set_errno(EFAULT));
794 		}
795 
796 		kmem_free(krde, sizeof (rctl_dict_entry_t));
797 		kmem_free(krblk, sizeof (rctl_opaque_t));
798 		kmem_free(kname, MAXPATHLEN);
799 		break;
800 	case RCTLCTL_SET:
801 		if (secpolicy_rctlsys(CRED(), B_TRUE) != 0) {
802 			kmem_free(kname, MAXPATHLEN);
803 			return (set_errno(EPERM));
804 		}
805 
806 		krde = kmem_alloc(sizeof (rctl_dict_entry_t), KM_SLEEP);
807 		krblk = kmem_zalloc(sizeof (rctl_opaque_t), KM_SLEEP);
808 
809 		if (rctl_global_get(kname, krde) == -1) {
810 			kmem_free(krde, sizeof (rctl_dict_entry_t));
811 			kmem_free(krblk, sizeof (rctl_opaque_t));
812 			kmem_free(kname, MAXPATHLEN);
813 			return (set_errno(ESRCH));
814 		}
815 
816 		if (copyin(rblk, krblk, sizeof (rctl_opaque_t)) != 0) {
817 			kmem_free(krde, sizeof (rctl_dict_entry_t));
818 			kmem_free(krblk, sizeof (rctl_opaque_t));
819 			kmem_free(kname, MAXPATHLEN);
820 			return (set_errno(EFAULT));
821 		}
822 
823 		rctlsys_rblk_xfrm(krblk, krde, NULL, RBX_FROM_BLK | RBX_CTL);
824 
825 		if (rctl_global_set(kname, krde) == -1) {
826 			kmem_free(krde, sizeof (rctl_dict_entry_t));
827 			kmem_free(krblk, sizeof (rctl_opaque_t));
828 			kmem_free(kname, MAXPATHLEN);
829 			return (set_errno(ESRCH));
830 		}
831 
832 		kmem_free(krde, sizeof (rctl_dict_entry_t));
833 		kmem_free(krblk, sizeof (rctl_opaque_t));
834 		kmem_free(kname, MAXPATHLEN);
835 
836 		break;
837 	default:
838 		kmem_free(kname, MAXPATHLEN);
839 		return (set_errno(EINVAL));
840 	}
841 
842 	return (0);
843 }
844 
845 /*
846  * The arbitrary maximum number of rctl_opaque_t that we can pass to
847  * rctl_projset().
848  */
849 #define	RCTL_PROJSET_MAXSIZE	1024
850 
851 static long
852 rctlsys_projset(char *name, rctl_opaque_t *rblk, size_t size, int flags)
853 {
854 	rctl_dict_entry_t *krde;
855 	rctl_opaque_t *krblk;
856 	char *kname;
857 	size_t klen;
858 	rctl_hndl_t hndl;
859 	rctl_val_t *new_values = NULL;
860 	rctl_val_t *alloc_values = NULL;
861 	rctl_val_t *new_val;
862 	rctl_val_t *alloc_val;
863 	int error = 0;
864 	int count;
865 
866 	kname = kmem_alloc(MAXPATHLEN, KM_SLEEP);
867 
868 	if (name == NULL || copyinstr(name, kname, MAXPATHLEN, &klen) != 0) {
869 		kmem_free(kname, MAXPATHLEN);
870 		return (set_errno(EFAULT));
871 	}
872 
873 	if (size > RCTL_PROJSET_MAXSIZE) {
874 		kmem_free(kname, MAXPATHLEN);
875 		return (set_errno(EINVAL));
876 	}
877 
878 	if ((hndl = rctl_hndl_lookup(kname)) == -1) {
879 		kmem_free(kname, MAXPATHLEN);
880 		return (set_errno(EINVAL));
881 	}
882 
883 	krde = rctl_dict_lookup_hndl(hndl);
884 
885 	/* If not a project entity then exit */
886 	if ((krde->rcd_entity != RCENTITY_PROJECT) || (size <= 0)) {
887 		kmem_free(kname, MAXPATHLEN);
888 		return (set_errno(EINVAL));
889 	}
890 
891 	if (secpolicy_rctlsys(CRED(), B_FALSE) != 0) {
892 		kmem_free(kname, MAXPATHLEN);
893 		return (set_errno(EPERM));
894 	}
895 
896 	/* Allocate an array large enough for all resource control blocks */
897 	krblk = kmem_zalloc(sizeof (rctl_opaque_t) * size, KM_SLEEP);
898 
899 	if (copyin(rblk, krblk, sizeof (rctl_opaque_t) * size) == 0) {
900 
901 		for (count = 0; (count < size) && (error == 0); count++) {
902 			new_val = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
903 			alloc_val = kmem_cache_alloc(rctl_val_cache, KM_SLEEP);
904 
905 			rctlsys_rblk_xfrm(&krblk[count], NULL, new_val,
906 			    RBX_FROM_BLK | RBX_VAL);
907 
908 			/*
909 			 * Project entity resource control values should always
910 			 * be privileged
911 			 */
912 			if (new_val->rcv_privilege != RCPRIV_PRIVILEGED) {
913 				kmem_cache_free(rctl_val_cache, new_val);
914 				kmem_cache_free(rctl_val_cache, alloc_val);
915 
916 				error = EPERM;
917 			} else if (rctl_invalid_value(krde, new_val) == 0) {
918 
919 				/*
920 				 * This is a project entity; we do not set
921 				 * rcv_action_recipient or rcv_action_recip_pid
922 				 */
923 				new_val->rcv_action_recipient = NULL;
924 				new_val->rcv_action_recip_pid = -1;
925 				new_val->rcv_flagaction |= RCTL_LOCAL_PROJDB;
926 				new_val->rcv_firing_time = 0;
927 
928 				new_val->rcv_prev = NULL;
929 				new_val->rcv_next = new_values;
930 				new_values = new_val;
931 
932 				/*
933 				 * alloc_val is left largely uninitialized, it
934 				 * is a pre-allocated rctl_val_t which is used
935 				 * later in rctl_local_replace_all() /
936 				 * rctl_local_insert_all().
937 				 */
938 				alloc_val->rcv_prev = NULL;
939 				alloc_val->rcv_next = alloc_values;
940 				alloc_values = alloc_val;
941 			} else {
942 				kmem_cache_free(rctl_val_cache, new_val);
943 				kmem_cache_free(rctl_val_cache, alloc_val);
944 
945 				error = EINVAL;
946 			}
947 		}
948 
949 	} else {
950 		error = EFAULT;
951 	}
952 
953 	kmem_free(krblk, sizeof (rctl_opaque_t) * size);
954 	kmem_free(kname, MAXPATHLEN);
955 
956 	if (error) {
957 		/*
958 		 * We will have the same number of items in the alloc_values
959 		 * linked list, as we have in new_values.  However, we remain
960 		 * cautious, and teardown the linked lists individually.
961 		 */
962 		while (new_values != NULL) {
963 			new_val = new_values;
964 			new_values = new_values->rcv_next;
965 			kmem_cache_free(rctl_val_cache, new_val);
966 		}
967 
968 		while (alloc_values != NULL) {
969 			alloc_val = alloc_values;
970 			alloc_values = alloc_values->rcv_next;
971 			kmem_cache_free(rctl_val_cache, alloc_val);
972 		}
973 
974 		return (set_errno(error));
975 	}
976 
977 	/*
978 	 * We take the p_lock here to maintain consistency with other functions
979 	 * - rctlsys_get() and rctlsys_set()
980 	 */
981 	mutex_enter(&curproc->p_lock);
982 	if (flags & TASK_PROJ_PURGE)  {
983 		(void) rctl_local_replace_all(hndl, new_values, alloc_values,
984 		    curproc);
985 	} else {
986 		(void) rctl_local_insert_all(hndl, new_values, alloc_values,
987 		    curproc);
988 	}
989 	mutex_exit(&curproc->p_lock);
990 
991 	return (0);
992 }
993 
994 long
995 rctlsys(int code, char *name, void *obuf, void *nbuf, size_t obufsz, int flags)
996 {
997 	switch (code) {
998 	case 0:
999 		return (rctlsys_get(name, obuf, nbuf, flags));
1000 
1001 	case 1:
1002 		return (rctlsys_set(name, obuf, nbuf, flags));
1003 
1004 	case 2:
1005 		/*
1006 		 * Private call for rctl_walk(3C).
1007 		 */
1008 		return (rctlsys_lst(obuf, obufsz));
1009 
1010 	case 3:
1011 		/*
1012 		 * Private code for rctladm(1M):  "rctlctl".
1013 		 */
1014 		return (rctlsys_ctl(name, obuf, flags));
1015 	case 4:
1016 		/*
1017 		 * Private code for setproject(3PROJECT).
1018 		 */
1019 		return (rctlsys_projset(name, nbuf, obufsz, flags));
1020 
1021 	default:
1022 		return (set_errno(EINVAL));
1023 	}
1024 }
1025