freebsd-dev/sys/kern/kern_loginclass.c
Andriy Gapon f87beb93e8 call racct_proc_ucred_changed() under the proc lock
The lock is required to ensure that the switch to the new credentials
and the transfer of the process's accounting data from the old
credentials to the new ones is done atomically.  Otherwise, some updates
may be applied to the new credentials and then additionally transferred
from the old credentials if the updates happen after proc_set_cred() and
before racct_proc_ucred_changed().

The problem is especially pronounced for RACCT_RSS because
- there is a strict accounting for this resource (it's reclaimable)
- it's updated asynchronously by the vm daemon
- it's updated by setting an absolute value instead of applying a delta

I had to remove a call to rctl_proc_ucred_changed() from
racct_proc_ucred_changed() and make all callers of latter call the
former as well.  The reason is that rctl_proc_ucred_changed, as it is
implemented now, cannot be called while holding the proc lock, so the
lock is dropped after calling racct_proc_ucred_changed.  Additionally,
I've added calls to crhold / crfree around the rctl call, because
without the proc lock there is no gurantee that the new credentials,
owned by the process, will stay stable.  That does not eliminate a
possibility that the credentials passed to the rctl will get stale.
Ideally, rctl_proc_ucred_changed should be able to work under the proc
lock.

Many thanks to kib for pointing out the above problems.

PR:		222027
Discussed with:	kib
No comment:	trasz
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D15048
2018-04-20 13:08:04 +00:00

265 lines
6.8 KiB
C

/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2011 The FreeBSD Foundation
* All rights reserved.
*
* This software was developed by Edward Tomasz Napierala under sponsorship
* from the FreeBSD Foundation.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Processes may set login class name using setloginclass(2). This
* is usually done through call to setusercontext(3), by programs
* such as login(1), based on information from master.passwd(5). Kernel
* uses this information to enforce per-class resource limits. Current
* login class can be determined using id(1). Login class is inherited
* from the parent process during fork(2). If not set, it defaults
* to "default".
*
* Code in this file implements setloginclass(2) and getloginclass(2)
* system calls, and maintains class name storage and retrieval.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/eventhandler.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/loginclass.h>
#include <sys/malloc.h>
#include <sys/types.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/racct.h>
#include <sys/rctl.h>
#include <sys/refcount.h>
#include <sys/rwlock.h>
#include <sys/sysproto.h>
#include <sys/systm.h>
static MALLOC_DEFINE(M_LOGINCLASS, "loginclass", "loginclass structures");
LIST_HEAD(, loginclass) loginclasses;
/*
* Lock protecting loginclasses list.
*/
static struct rwlock loginclasses_lock;
RW_SYSINIT(loginclasses_init, &loginclasses_lock, "loginclasses lock");
void
loginclass_hold(struct loginclass *lc)
{
refcount_acquire(&lc->lc_refcount);
}
void
loginclass_free(struct loginclass *lc)
{
int old;
old = lc->lc_refcount;
if (old > 1 && atomic_cmpset_int(&lc->lc_refcount, old, old - 1))
return;
rw_wlock(&loginclasses_lock);
if (!refcount_release(&lc->lc_refcount)) {
rw_wunlock(&loginclasses_lock);
return;
}
racct_destroy(&lc->lc_racct);
LIST_REMOVE(lc, lc_next);
rw_wunlock(&loginclasses_lock);
free(lc, M_LOGINCLASS);
}
/*
* Look up a loginclass struct for the parameter name.
* loginclasses_lock must be locked.
* Increase refcount on loginclass struct returned.
*/
static struct loginclass *
loginclass_lookup(const char *name)
{
struct loginclass *lc;
rw_assert(&loginclasses_lock, RA_LOCKED);
LIST_FOREACH(lc, &loginclasses, lc_next)
if (strcmp(name, lc->lc_name) == 0) {
loginclass_hold(lc);
break;
}
return (lc);
}
/*
* Return loginclass structure with a corresponding name. Not
* performance critical, as it's used mainly by setloginclass(2),
* which happens once per login session. Caller has to use
* loginclass_free() on the returned value when it's no longer
* needed.
*/
struct loginclass *
loginclass_find(const char *name)
{
struct loginclass *lc, *new_lc;
if (name[0] == '\0' || strlen(name) >= MAXLOGNAME)
return (NULL);
lc = curthread->td_ucred->cr_loginclass;
if (strcmp(name, lc->lc_name) == 0) {
loginclass_hold(lc);
return (lc);
}
rw_rlock(&loginclasses_lock);
lc = loginclass_lookup(name);
rw_runlock(&loginclasses_lock);
if (lc != NULL)
return (lc);
new_lc = malloc(sizeof(*new_lc), M_LOGINCLASS, M_ZERO | M_WAITOK);
racct_create(&new_lc->lc_racct);
refcount_init(&new_lc->lc_refcount, 1);
strcpy(new_lc->lc_name, name);
rw_wlock(&loginclasses_lock);
/*
* There's a chance someone created our loginclass while we
* were in malloc and not holding the lock, so we have to
* make sure we don't insert a duplicate loginclass.
*/
if ((lc = loginclass_lookup(name)) == NULL) {
LIST_INSERT_HEAD(&loginclasses, new_lc, lc_next);
rw_wunlock(&loginclasses_lock);
lc = new_lc;
} else {
rw_wunlock(&loginclasses_lock);
racct_destroy(&new_lc->lc_racct);
free(new_lc, M_LOGINCLASS);
}
return (lc);
}
/*
* Get login class name.
*/
#ifndef _SYS_SYSPROTO_H_
struct getloginclass_args {
char *namebuf;
size_t namelen;
};
#endif
/* ARGSUSED */
int
sys_getloginclass(struct thread *td, struct getloginclass_args *uap)
{
struct loginclass *lc;
size_t lcnamelen;
lc = td->td_ucred->cr_loginclass;
lcnamelen = strlen(lc->lc_name) + 1;
if (lcnamelen > uap->namelen)
return (ERANGE);
return (copyout(lc->lc_name, uap->namebuf, lcnamelen));
}
/*
* Set login class name.
*/
#ifndef _SYS_SYSPROTO_H_
struct setloginclass_args {
const char *namebuf;
};
#endif
/* ARGSUSED */
int
sys_setloginclass(struct thread *td, struct setloginclass_args *uap)
{
struct proc *p = td->td_proc;
int error;
char lcname[MAXLOGNAME];
struct loginclass *newlc;
struct ucred *newcred, *oldcred;
error = priv_check(td, PRIV_PROC_SETLOGINCLASS);
if (error != 0)
return (error);
error = copyinstr(uap->namebuf, lcname, sizeof(lcname), NULL);
if (error != 0)
return (error);
newlc = loginclass_find(lcname);
if (newlc == NULL)
return (EINVAL);
newcred = crget();
PROC_LOCK(p);
oldcred = crcopysafe(p, newcred);
newcred->cr_loginclass = newlc;
proc_set_cred(p, newcred);
#ifdef RACCT
racct_proc_ucred_changed(p, oldcred, newcred);
crhold(newcred);
#endif
PROC_UNLOCK(p);
#ifdef RCTL
rctl_proc_ucred_changed(p, newcred);
crfree(newcred);
#endif
loginclass_free(oldcred->cr_loginclass);
crfree(oldcred);
return (0);
}
void
loginclass_racct_foreach(void (*callback)(struct racct *racct,
void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
void *arg2, void *arg3)
{
struct loginclass *lc;
rw_rlock(&loginclasses_lock);
if (pre != NULL)
(pre)();
LIST_FOREACH(lc, &loginclasses, lc_next)
(callback)(lc->lc_racct, arg2, arg3);
if (post != NULL)
(post)();
rw_runlock(&loginclasses_lock);
}