freebsd-skq/sys/security
kib fa686c638e Implement global and per-uid accounting of the anonymous memory. Add
rlimit RLIMIT_SWAP that limits the amount of swap that may be reserved
for the uid.

The accounting information (charge) is associated with either map entry,
or vm object backing the entry, assuming the object is the first one
in the shadow chain and entry does not require COW. Charge is moved
from entry to object on allocation of the object, e.g. during the mmap,
assuming the object is allocated, or on the first page fault on the
entry. It moves back to the entry on forks due to COW setup.

The per-entry granularity of accounting makes the charge process fair
for processes that change uid during lifetime, and decrements charge
for proper uid when region is unmapped.

The interface of vm_pager_allocate(9) is extended by adding struct ucred *,
that is used to charge appropriate uid when allocation if performed by
kernel, e.g. md(4).

Several syscalls, among them is fork(2), may now return ENOMEM when
global or per-uid limits are enforced.

In collaboration with:	pho
Reviewed by:	alc
Approved by:	re (kensmith)
2009-06-23 20:45:22 +00:00
..
audit Adapt vfs kqfilter to the shared vnode lock used by zfs write vop. Use 2009-06-10 20:59:32 +00:00
mac Add one further check with mac_policy_count to an mbuf copying case 2009-06-03 19:41:12 +00:00
mac_biba Implement global and per-uid accounting of the anonymous memory. Add 2009-06-23 20:45:22 +00:00
mac_bsdextended Add hierarchical jails. A jail may further virtualize its environment 2009-05-27 14:11:23 +00:00
mac_ifoff Rather than having MAC policies explicitly declare what object types 2009-01-10 10:58:41 +00:00
mac_lomac Implement global and per-uid accounting of the anonymous memory. Add 2009-06-23 20:45:22 +00:00
mac_mls Continue work to optimize performance of "options MAC" when no MAC policy 2009-06-03 18:46:28 +00:00
mac_none Rather than having MAC policies explicitly declare what object types 2009-01-10 10:58:41 +00:00
mac_partition Rather than having MAC policies explicitly declare what object types 2009-01-10 10:58:41 +00:00
mac_portacl - Correct logic in if statement - we want to allocate temporary buffer 2009-03-14 20:40:06 +00:00
mac_seeotheruids Rather than having MAC policies explicitly declare what object types 2009-01-10 10:58:41 +00:00
mac_stub Continue work to optimize performance of "options MAC" when no MAC policy 2009-06-03 18:46:28 +00:00
mac_test Continue work to optimize performance of "options MAC" when no MAC policy 2009-06-03 18:46:28 +00:00