Lines Matching defs:rule
122 * 'rctl_rule_link' connects a rule with every racct it's related to.
123 * For example, rule 'user:X:openfiles:deny=N/process' is linked
216 static int rctl_rule_fully_specified(const struct rctl_rule *rule);
217 static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
329 rctl_proc_rule_to_racct(const struct proc *p, const struct rctl_rule *rule)
336 switch (rule->rr_per) {
346 panic("%s: unknown per %d", __func__, rule->rr_per);
352 * hitting 'rule'.
355 rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
363 racct = rctl_proc_rule_to_racct(p, rule);
364 available = rule->rr_amount - racct->r_resources[rule->rr_resource];
379 struct rctl_rule *rule;
389 rule = link->rrl_rule;
391 if (rule->rr_resource != resource)
393 if (rule->rr_action != RCTL_ACTION_THROTTLE)
396 if (rule->rr_amount < minavailable)
397 minavailable = rule->rr_amount;
405 * if we changed the rule lowering the allowed amount, it could
422 struct rctl_rule *rule;
433 rule = link->rrl_rule;
434 if (rule->rr_resource != RACCT_PCTCPU)
436 if (rule->rr_action != RCTL_ACTION_DENY)
438 available = rctl_available_resource(p, rule);
441 limit = rule->rr_amount;
496 struct rctl_rule *rule;
508 * There may be more than one matching rule; go through all of them.
512 rule = link->rrl_rule;
513 if (rule->rr_resource != resource)
516 available = rctl_available_resource(p, rule);
522 switch (rule->rr_action) {
538 * Ignore this rule for now; it will be processed just
554 rctl_rule_to_sbuf(&sb, rule);
556 printf("rctl: rule \"%s\" matched by pid %d "
581 sbuf_printf(&sb, "rule=");
582 rctl_rule_to_sbuf(&sb, rule);
587 devctl_notify_f("RCTL", "rule", "matched",
610 * rule->rr_amount;
618 if (sleep_ms < rctl_throttle_min * rule->rr_amount)
619 sleep_ms = rctl_throttle_min * rule->rr_amount;
626 * four times as much for hitting the same rule. The
631 sleep_ratio = -available / rule->rr_amount;
641 sleep_ms /= rule->rr_amount;
649 rule->rr_amount, (uintmax_t)sleep_ms,
664 KASSERT(rule->rr_action > 0 &&
665 rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
667 rule->rr_action));
673 kern_psignal(p, rule->rr_action);
693 struct rctl_rule *rule;
701 * There may be more than one matching rule; go through all of them.
705 rule = link->rrl_rule;
706 if (rule->rr_resource != resource)
708 if (rule->rr_action != RCTL_ACTION_DENY)
710 if (rule->rr_amount < amount)
711 amount = rule->rr_amount;
720 struct rctl_rule *rule;
730 * There may be more than one matching rule; go through all of them.
734 rule = link->rrl_rule;
735 if (rule->rr_resource != resource)
737 if (rule->rr_action != RCTL_ACTION_DENY)
739 available = rctl_available_resource(p, rule);
757 rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
763 if (rule->rr_subject_type != filter->rr_subject_type)
769 rule->rr_subject.rs_proc !=
775 rule->rr_subject.rs_uip !=
781 rule->rr_subject.rs_loginclass !=
787 rule->rr_subject.rs_prison_racct !=
798 if (rule->rr_resource != filter->rr_resource)
803 if (rule->rr_action != filter->rr_action)
808 if (rule->rr_amount != filter->rr_amount)
813 if (rule->rr_per != filter->rr_per)
872 * Connect the rule to the racct, increasing refcount for the rule.
875 rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
880 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
882 rctl_rule_acquire(rule);
884 link->rrl_rule = rule;
893 rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
898 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
904 rctl_rule_acquire(rule);
905 link->rrl_rule = rule;
941 rctl_rule_acquire_subject(struct rctl_rule *rule)
946 switch (rule->rr_subject_type) {
951 if (rule->rr_subject.rs_prison_racct != NULL)
952 prison_racct_hold(rule->rr_subject.rs_prison_racct);
955 if (rule->rr_subject.rs_uip != NULL)
956 uihold(rule->rr_subject.rs_uip);
959 if (rule->rr_subject.rs_loginclass != NULL)
960 loginclass_hold(rule->rr_subject.rs_loginclass);
964 rule->rr_subject_type);
969 rctl_rule_release_subject(struct rctl_rule *rule)
974 switch (rule->rr_subject_type) {
979 if (rule->rr_subject.rs_prison_racct != NULL)
980 prison_racct_free(rule->rr_subject.rs_prison_racct);
983 if (rule->rr_subject.rs_uip != NULL)
984 uifree(rule->rr_subject.rs_uip);
987 if (rule->rr_subject.rs_loginclass != NULL)
988 loginclass_free(rule->rr_subject.rs_loginclass);
992 rule->rr_subject_type);
999 struct rctl_rule *rule;
1003 rule = uma_zalloc(rctl_rule_zone, flags);
1004 if (rule == NULL)
1006 rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1007 rule->rr_subject.rs_proc = NULL;
1008 rule->rr_subject.rs_uip = NULL;
1009 rule->rr_subject.rs_loginclass = NULL;
1010 rule->rr_subject.rs_prison_racct = NULL;
1011 rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1012 rule->rr_resource = RACCT_UNDEFINED;
1013 rule->rr_action = RCTL_ACTION_UNDEFINED;
1014 rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1015 refcount_init(&rule->rr_refcount, 1);
1017 return (rule);
1021 rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
1030 copy->rr_subject_type = rule->rr_subject_type;
1031 copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
1032 copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
1033 copy->rr_subject.rs_loginclass = rule->rr_subject.rs_loginclass;
1034 copy->rr_subject.rs_prison_racct = rule->rr_subject.rs_prison_racct;
1035 copy->rr_per = rule->rr_per;
1036 copy->rr_resource = rule->rr_resource;
1037 copy->rr_action = rule->rr_action;
1038 copy->rr_amount = rule->rr_amount;
1046 rctl_rule_acquire(struct rctl_rule *rule)
1050 KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1052 refcount_acquire(&rule->rr_refcount);
1058 struct rctl_rule *rule;
1060 rule = (struct rctl_rule *)context;
1063 KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
1066 * We don't need locking here; rule is guaranteed to be inaccessible.
1069 rctl_rule_release_subject(rule);
1070 uma_zfree(rctl_rule_zone, rule);
1074 rctl_rule_release(struct rctl_rule *rule)
1078 KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
1080 if (refcount_release(&rule->rr_refcount)) {
1088 TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
1089 taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
1094 rctl_rule_fully_specified(const struct rctl_rule *rule)
1099 switch (rule->rr_subject_type) {
1103 if (rule->rr_subject.rs_proc == NULL)
1107 if (rule->rr_subject.rs_uip == NULL)
1111 if (rule->rr_subject.rs_loginclass == NULL)
1115 if (rule->rr_subject.rs_prison_racct == NULL)
1120 rule->rr_subject_type);
1122 if (rule->rr_resource == RACCT_UNDEFINED)
1124 if (rule->rr_action == RCTL_ACTION_UNDEFINED)
1126 if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
1128 if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
1137 struct rctl_rule *rule;
1145 rule = rctl_rule_alloc(M_WAITOK);
1155 rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
1157 error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
1163 rule->rr_subject.rs_proc = NULL;
1164 rule->rr_subject.rs_uip = NULL;
1165 rule->rr_subject.rs_loginclass = NULL;
1166 rule->rr_subject.rs_prison_racct = NULL;
1168 switch (rule->rr_subject_type) {
1177 rule->rr_subject.rs_proc = pfind(id);
1178 if (rule->rr_subject.rs_proc == NULL) {
1182 PROC_UNLOCK(rule->rr_subject.rs_proc);
1188 rule->rr_subject.rs_uip = uifind(id);
1191 rule->rr_subject.rs_loginclass =
1193 if (rule->rr_subject.rs_loginclass == NULL) {
1199 rule->rr_subject.rs_prison_racct =
1201 if (rule->rr_subject.rs_prison_racct == NULL) {
1208 rule->rr_subject_type);
1213 rule->rr_resource = RACCT_UNDEFINED;
1215 error = str2value(resourcestr, &rule->rr_resource,
1222 rule->rr_action = RCTL_ACTION_UNDEFINED;
1224 error = str2value(actionstr, &rule->rr_action, actionnames);
1230 rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
1232 error = str2int64(amountstr, &rule->rr_amount);
1235 if (RACCT_IS_IN_MILLIONS(rule->rr_resource)) {
1236 if (rule->rr_amount > INT64_MAX / 1000000) {
1240 rule->rr_amount *= 1000000;
1245 rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
1247 error = str2value(perstr, &rule->rr_per, subjectnames);
1254 *rulep = rule;
1256 rctl_rule_release(rule);
1262 * Link a rule with all the subjects it applies to.
1265 rctl_rule_add(struct rctl_rule *rule)
1277 KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
1280 * Some rules just don't make sense, like "deny" rule for an undeniable
1285 if (rule->rr_action == RCTL_ACTION_DENY &&
1286 !RACCT_IS_DENIABLE(rule->rr_resource) &&
1287 rule->rr_resource != RACCT_RSS &&
1288 rule->rr_resource != RACCT_PCTCPU) {
1292 if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1293 !RACCT_IS_DECAYING(rule->rr_resource)) {
1297 if (rule->rr_action == RCTL_ACTION_THROTTLE &&
1298 rule->rr_resource == RACCT_PCTCPU) {
1302 if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
1303 RACCT_IS_SLOPPY(rule->rr_resource)) {
1311 if (rule->rr_action == RCTL_ACTION_DENY) {
1312 rule2 = rctl_rule_duplicate(rule, M_WAITOK);
1317 rctl_rule_remove(rule);
1319 switch (rule->rr_subject_type) {
1321 p = rule->rr_subject.rs_proc;
1324 rctl_racct_add_rule(p->p_racct, rule);
1326 * In case of per-process rule, we don't have anything more
1332 uip = rule->rr_subject.rs_uip;
1334 rctl_racct_add_rule(uip->ui_racct, rule);
1338 lc = rule->rr_subject.rs_loginclass;
1340 rctl_racct_add_rule(lc->lc_racct, rule);
1344 prr = rule->rr_subject.rs_prison_racct;
1346 rctl_racct_add_rule(prr->prr_racct, rule);
1351 rule->rr_subject_type);
1355 * Now go through all the processes and add the new rule to the ones
1361 switch (rule->rr_subject_type) {
1363 if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
1364 cred->cr_ruidinfo == rule->rr_subject.rs_uip)
1368 if (cred->cr_loginclass == rule->rr_subject.rs_loginclass)
1374 if (pr->pr_prison_racct == rule->rr_subject.rs_prison_racct) {
1384 rule->rr_subject_type);
1387 rctl_racct_add_rule(p->p_racct, rule);
1466 * Appends a rule to the sbuf.
1469 rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
1475 sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
1477 switch (rule->rr_subject_type) {
1479 if (rule->rr_subject.rs_proc == NULL)
1483 rule->rr_subject.rs_proc->p_pid);
1486 if (rule->rr_subject.rs_uip == NULL)
1490 rule->rr_subject.rs_uip->ui_uid);
1493 if (rule->rr_subject.rs_loginclass == NULL)
1497 rule->rr_subject.rs_loginclass->lc_name);
1500 if (rule->rr_subject.rs_prison_racct == NULL)
1504 rule->rr_subject.rs_prison_racct->prr_name);
1508 rule->rr_subject_type);
1511 amount = rule->rr_amount;
1513 RACCT_IS_IN_MILLIONS(rule->rr_resource))
1517 rctl_resource_name(rule->rr_resource),
1518 rctl_action_name(rule->rr_action),
1521 if (rule->rr_per != rule->rr_subject_type)
1522 sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
1869 struct rctl_rule *rule;
1885 error = rctl_string_to_rule(inputstr, &rule);
1892 * The 'per' part of a rule is optional.
1894 if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
1895 rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
1896 rule->rr_per = rule->rr_subject_type;
1898 if (!rctl_rule_fully_specified(rule)) {
1903 error = rctl_rule_add(rule);
1906 rctl_rule_release(rule);
1945 * Update RCTL rule list after credential change.
2050 * Free the old rule list.
2101 struct rctl_rule *rule;
2119 rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
2120 if (rule == NULL)
2122 KASSERT(rule->rr_subject.rs_proc == parent,
2123 ("rule->rr_subject.rs_proc != parent"));
2124 rule->rr_subject.rs_proc = child;
2126 rule);
2127 rctl_rule_release(rule);