Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Stick nice policy in its own subsystem and call the listener "resource" 

rather than "rlimit"...
This commit is contained in:
elad 2009-10-02 22:46:18 +00:00
parent bcc5014bd0
commit 09f3ac9e2f
2 changed files with 52 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
sys/kern/kern_resource.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: kern_resource.c,v 1.153 2009/10/02 22:38:45 elad Exp $ */
/* $NetBSD: kern_resource.c,v 1.154 2009/10/02 22:46:18 elad Exp $ */
/*-
* Copyright (c) 1982, 1986, 1991, 1993
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.153 2009/10/02 22:38:45 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.154 2009/10/02 22:46:18 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -69,38 +69,66 @@ rlim_t maxsmap = MAXSSIZ;
static pool_cache_t plimit_cache;
static pool_cache_t pstats_cache;
static kauth_listener_t rlimit_listener;
static kauth_listener_t resource_listener;
static int
rlimit_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
resource_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
void *arg0, void *arg1, void *arg2, void *arg3)
{
struct proc *p;
int result;
enum kauth_process_req req;
result = KAUTH_RESULT_DEFER;
p = arg0;
req = (enum kauth_process_req)(unsigned long)arg1;
if (action != KAUTH_PROCESS_RLIMIT)
return result;
switch (action) {
case KAUTH_PROCESS_NICE:
if (kauth_cred_geteuid(cred) != kauth_cred_geteuid(p->p_cred) &&
kauth_cred_getuid(cred) != kauth_cred_geteuid(p->p_cred)) {
break;
}
if (req == KAUTH_REQ_PROCESS_RLIMIT_SET) {
struct rlimit *new_rlimit;
u_long which;
if ((u_long)arg1 >= p->p_nice)
result = KAUTH_RESULT_ALLOW;
if ((p != curlwp->l_proc) &&
(proc_uidmatch(cred, p->p_cred) != 0))
return result;
break;
new_rlimit = arg2;
which = (u_long)arg3;
case KAUTH_PROCESS_RLIMIT: {
enum kauth_process_req req;
if (new_rlimit->rlim_max <= p->p_rlimit[which].rlim_max)
req = (enum kauth_process_req)(unsigned long)arg1;
switch (req) {
case KAUTH_REQ_PROCESS_RLIMIT_GET:
result = KAUTH_RESULT_ALLOW;
} else if (req == KAUTH_REQ_PROCESS_RLIMIT_GET) {
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_REQ_PROCESS_RLIMIT_SET: {
struct rlimit *new_rlimit;
u_long which;
if ((p != curlwp->l_proc) &&
(proc_uidmatch(cred, p->p_cred) != 0))
break;
new_rlimit = arg2;
which = (u_long)arg3;
if (new_rlimit->rlim_max <= p->p_rlimit[which].rlim_max)
result = KAUTH_RESULT_ALLOW;
break;
}
default:
break;
}
break;
}
default:
break;
}
return result;
@ -115,8 +143,8 @@ resource_init(void)
pstats_cache = pool_cache_init(sizeof(struct pstats), 0, 0, 0,
"pstatspl", NULL, IPL_NONE, NULL, NULL, NULL);
rlimit_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
rlimit_listener_cb, NULL);
resource_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
resource_listener_cb, NULL);
}
/*

18
sys/secmodel/suser/secmodel_suser.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: secmodel_suser.c,v 1.6 2009/10/02 22:38:45 elad Exp $ */
/* $NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.6 2009/10/02 22:38:45 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -645,19 +645,7 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
break;
case KAUTH_PROCESS_NICE:
if (isroot) {
result = KAUTH_RESULT_ALLOW;
break;
}
if (kauth_cred_geteuid(cred) !=
kauth_cred_geteuid(p->p_cred) &&
kauth_cred_getuid(cred) !=
kauth_cred_geteuid(p->p_cred)) {
break;
}
if ((u_long)arg1 >= p->p_nice)
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;