Adding setloginclass(2) and getloginclass(2).

[Edward Tomasz Napierała]

Wiadomość napisana przez Robert Watson w dniu 2011-03-01, o godz. 23:12:
> On Tue, 1 Mar 2011, Edward Tomasz Napierała wrote:
>> At http://people.freebsd.org/~trasz/loginclass.diff, you can find a patch that adds login class information to the kernel.  The patch does not contain changes to autogenerated files; to test it, do "make sysent" in sys/kern/ and sys/compat/freebsd32/.
>> 
>> The patch itself doesn't add much user-visible functionality, although being able to do "ps aux -o class" might be useful.  However, login classes are a prerequisite for RCTL, aka Resource Containers - system administrator can use rules such as "loginclass:users:nproc:deny=100/user", to replace resource limits usually defined in login.conf(5), or use rule such as "loginclass:users:nproc:deny=100/loginclass", to limit the number of processes for the whole login class, achieving something similar to SunOS "projects".
>> 
>> Since this involves adding two new syscalls, I'd like to hear some opinion about it - it's hard to change these afterwards.
> 
> Could you say a little about how you hande jails/chroots/etc?

I don't; I consider them orthogonal.  There is, of course, the problem
of jailed root setting the same login class as the one used outside,
but it's similar to the UIDs shared between jails and the outside.

As for the other behaviour - login classes are very similar to uidinfo;
the biggest differences are that they are not used for access control
and are not supposed to be changed after logging in.

I just realized I forgot to include code that allows jailed root to use
setloginclass(2).  I'll update the patch later today.

--
If you cut off my head, what would I say?  Me and my head, or me and my body?