xref: /freebsd-11-stable/sys/kern/kern_loginclass.c (revision 7f2d627cfc076bebe547b2d7453a5cc61b4c57c4)
1 /*-
2  * Copyright (c) 2011 The FreeBSD Foundation
3  * All rights reserved.
4  *
5  * This software was developed by Edward Tomasz Napierala under sponsorship
6  * from the FreeBSD Foundation.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  * $FreeBSD$
30  */
31 
32 /*
33  * Processes may set login class name using setloginclass(2).  This
34  * is usually done through call to setusercontext(3), by programs
35  * such as login(1), based on information from master.passwd(5).  Kernel
36  * uses this information to enforce per-class resource limits.  Current
37  * login class can be determined using id(1).  Login class is inherited
38  * from the parent process during fork(2).  If not set, it defaults
39  * to "default".
40  *
41  * Code in this file implements setloginclass(2) and getloginclass(2)
42  * system calls, and maintains class name storage and retrieval.
43  */
44 
45 #include <sys/cdefs.h>
46 __FBSDID("$FreeBSD$");
47 
48 #include <sys/param.h>
49 #include <sys/eventhandler.h>
50 #include <sys/kernel.h>
51 #include <sys/lock.h>
52 #include <sys/loginclass.h>
53 #include <sys/malloc.h>
54 #include <sys/types.h>
55 #include <sys/priv.h>
56 #include <sys/proc.h>
57 #include <sys/queue.h>
58 #include <sys/racct.h>
59 #include <sys/rctl.h>
60 #include <sys/refcount.h>
61 #include <sys/rwlock.h>
62 #include <sys/sysproto.h>
63 #include <sys/systm.h>
64 
65 static MALLOC_DEFINE(M_LOGINCLASS, "loginclass", "loginclass structures");
66 
67 LIST_HEAD(, loginclass)	loginclasses;
68 
69 /*
70  * Lock protecting loginclasses list.
71  */
72 static struct rwlock loginclasses_lock;
73 RW_SYSINIT(loginclasses_init, &loginclasses_lock, "loginclasses lock");
74 
75 void
loginclass_hold(struct loginclass * lc)76 loginclass_hold(struct loginclass *lc)
77 {
78 
79 	refcount_acquire(&lc->lc_refcount);
80 }
81 
82 void
loginclass_free(struct loginclass * lc)83 loginclass_free(struct loginclass *lc)
84 {
85 	int old;
86 
87 	old = lc->lc_refcount;
88 	if (old > 1 && atomic_cmpset_int(&lc->lc_refcount, old, old - 1))
89 		return;
90 
91 	rw_wlock(&loginclasses_lock);
92 	if (!refcount_release(&lc->lc_refcount)) {
93 		rw_wunlock(&loginclasses_lock);
94 		return;
95 	}
96 
97 	racct_destroy(&lc->lc_racct);
98 	LIST_REMOVE(lc, lc_next);
99 	rw_wunlock(&loginclasses_lock);
100 
101 	free(lc, M_LOGINCLASS);
102 }
103 
104 /*
105  * Look up a loginclass struct for the parameter name.
106  * loginclasses_lock must be locked.
107  * Increase refcount on loginclass struct returned.
108  */
109 static struct loginclass *
loginclass_lookup(const char * name)110 loginclass_lookup(const char *name)
111 {
112 	struct loginclass *lc;
113 
114 	rw_assert(&loginclasses_lock, RA_LOCKED);
115 	LIST_FOREACH(lc, &loginclasses, lc_next)
116 		if (strcmp(name, lc->lc_name) == 0) {
117 			loginclass_hold(lc);
118 			break;
119 		}
120 
121 	return (lc);
122 }
123 
124 /*
125  * Return loginclass structure with a corresponding name.  Not
126  * performance critical, as it's used mainly by setloginclass(2),
127  * which happens once per login session.  Caller has to use
128  * loginclass_free() on the returned value when it's no longer
129  * needed.
130  */
131 struct loginclass *
loginclass_find(const char * name)132 loginclass_find(const char *name)
133 {
134 	struct loginclass *lc, *new_lc;
135 
136 	if (name[0] == '\0' || strlen(name) >= MAXLOGNAME)
137 		return (NULL);
138 
139 	rw_rlock(&loginclasses_lock);
140 	lc = loginclass_lookup(name);
141 	rw_runlock(&loginclasses_lock);
142 	if (lc != NULL)
143 		return (lc);
144 
145 	new_lc = malloc(sizeof(*new_lc), M_LOGINCLASS, M_ZERO | M_WAITOK);
146 	racct_create(&new_lc->lc_racct);
147 	refcount_init(&new_lc->lc_refcount, 1);
148 	strcpy(new_lc->lc_name, name);
149 
150 	rw_wlock(&loginclasses_lock);
151 	/*
152 	 * There's a chance someone created our loginclass while we
153 	 * were in malloc and not holding the lock, so we have to
154 	 * make sure we don't insert a duplicate loginclass.
155 	 */
156 	if ((lc = loginclass_lookup(name)) == NULL) {
157 		LIST_INSERT_HEAD(&loginclasses, new_lc, lc_next);
158 		rw_wunlock(&loginclasses_lock);
159 		lc = new_lc;
160 	} else {
161 		rw_wunlock(&loginclasses_lock);
162 		racct_destroy(&new_lc->lc_racct);
163 		free(new_lc, M_LOGINCLASS);
164 	}
165 
166 	return (lc);
167 }
168 
169 /*
170  * Get login class name.
171  */
172 #ifndef _SYS_SYSPROTO_H_
173 struct getloginclass_args {
174 	char	*namebuf;
175 	size_t	namelen;
176 };
177 #endif
178 /* ARGSUSED */
179 int
sys_getloginclass(struct thread * td,struct getloginclass_args * uap)180 sys_getloginclass(struct thread *td, struct getloginclass_args *uap)
181 {
182 	struct loginclass *lc;
183 	size_t lcnamelen;
184 
185 	lc = td->td_ucred->cr_loginclass;
186 	lcnamelen = strlen(lc->lc_name) + 1;
187 	if (lcnamelen > uap->namelen)
188 		return (ERANGE);
189 	return (copyout(lc->lc_name, uap->namebuf, lcnamelen));
190 }
191 
192 /*
193  * Set login class name.
194  */
195 #ifndef _SYS_SYSPROTO_H_
196 struct setloginclass_args {
197 	const char	*namebuf;
198 };
199 #endif
200 /* ARGSUSED */
201 int
sys_setloginclass(struct thread * td,struct setloginclass_args * uap)202 sys_setloginclass(struct thread *td, struct setloginclass_args *uap)
203 {
204 	struct proc *p = td->td_proc;
205 	int error;
206 	char lcname[MAXLOGNAME];
207 	struct loginclass *newlc;
208 	struct ucred *newcred, *oldcred;
209 
210 	error = priv_check(td, PRIV_PROC_SETLOGINCLASS);
211 	if (error != 0)
212 		return (error);
213 	error = copyinstr(uap->namebuf, lcname, sizeof(lcname), NULL);
214 	if (error != 0)
215 		return (error);
216 
217 	newlc = loginclass_find(lcname);
218 	if (newlc == NULL)
219 		return (EINVAL);
220 	newcred = crget();
221 
222 	PROC_LOCK(p);
223 	oldcred = crcopysafe(p, newcred);
224 	newcred->cr_loginclass = newlc;
225 	proc_set_cred(p, newcred);
226 #ifdef RACCT
227 	racct_proc_ucred_changed(p, oldcred, newcred);
228 	crhold(newcred);
229 #endif
230 	PROC_UNLOCK(p);
231 #ifdef RCTL
232 	rctl_proc_ucred_changed(p, newcred);
233 	crfree(newcred);
234 #endif
235 	loginclass_free(oldcred->cr_loginclass);
236 	crfree(oldcred);
237 
238 	return (0);
239 }
240 
241 void
loginclass_racct_foreach(void (* callback)(struct racct * racct,void * arg2,void * arg3),void (* pre)(void),void (* post)(void),void * arg2,void * arg3)242 loginclass_racct_foreach(void (*callback)(struct racct *racct,
243     void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
244     void *arg2, void *arg3)
245 {
246 	struct loginclass *lc;
247 
248 	rw_rlock(&loginclasses_lock);
249 	if (pre != NULL)
250 		(pre)();
251 	LIST_FOREACH(lc, &loginclasses, lc_next)
252 		(callback)(lc->lc_racct, arg2, arg3);
253 	if (post != NULL)
254 		(post)();
255 	rw_runlock(&loginclasses_lock);
256 }
257