PERFORCE change 166666 for review

Edward Tomasz Napierala trasz at FreeBSD.org
Tue Jul 28 07:09:48 UTC 2009


http://perforce.freebsd.org/chv.cgi?CH=166666

Change 166666 by trasz at trasz_victim on 2009/07/28 07:09:32

	Add setlogin(2), so that login(1) (and other programs using
	setusercontext(3)) can inform the kernel about login class,
	which is required for HRL rules with 'class' subject to work.
	'id -c' may be used to display the current login class.

Affected files ...

.. //depot/projects/soc2009/trasz_limits/include/unistd.h#4 edit
.. //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 edit
.. //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 edit
.. //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/conf/files#13 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#1 add
.. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 edit
.. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 edit
.. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 edit

Differences ...

==== //depot/projects/soc2009/trasz_limits/include/unistd.h#4 (text+ko) ====

@@ -503,6 +503,7 @@
 char	*fflagstostr(u_long);
 int	 getdomainname(char *, int);
 int	 getgrouplist(const char *, gid_t, gid_t *, int *);
+int	 getloginclass(char *, size_t);
 mode_t	 getmode(const void *, mode_t);
 int	 getosreldate(void);
 int	 getpeereid(int, uid_t *, gid_t *);
@@ -562,6 +563,7 @@
 #define	_SETKEY_DECLARED
 #endif
 int	 setlogin(const char *);
+int	 setloginclass(const char *);
 void	*setmode(const char *);
 void	 setproctitle(const char *_fmt, ...) __printf0like(1, 2);
 int	 setresgid(gid_t, gid_t, gid_t);

==== //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 (text) ====

@@ -341,6 +341,7 @@
 	fexecve;
 	fstatat;
 	futimesat;
+	getloginclass;
 	jail_get;
 	jail_set;
 	jail_remove;
@@ -354,6 +355,7 @@
 	readlinkat;
 	renameat;
 	setfib;
+	setloginclass;
 	shmctl;
 	symlinkat;
 	unlinkat;

==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 (text+ko) ====

@@ -49,7 +49,8 @@
 #define LOGIN_SETENV		0x0080		/* set user environment */
 #define LOGIN_SETMAC		0x0100		/* set user default MAC label */
 #define LOGIN_SETCPUMASK	0x0200		/* set user cpumask */
-#define LOGIN_SETALL		0x03ff		/* set everything */
+#define LOGIN_SETLOGINCLASS	0x0400		/* set login class in the kernel */
+#define LOGIN_SETALL		0x07ff		/* set everything */
 
 #define BI_AUTH		"authorize"		/* accepted authentication */
 #define BI_REJECT	"reject"		/* rejected authentication */
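Review bot: Widening `LOGIN_SETALL` to `0x07ff` means every program that passes `LOGIN_SETALL` to setusercontext(3) will attempt setloginclass() once rebuilt, including callers that run without privilege. This change also adds `PRIV_PROC_SETLOGINCLASS` in sys/sys/priv.h, which suggests the call is privileged, so those callers would presumably log an error on every invocation. Say so on the new flag, e.g. `/* set login class in the kernel; requires privilege */`. Unprivileged callers may need to pass `LOGIN_SETALL & ~LOGIN_SETLOGINCLASS`.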

==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 (text+ko) ====

@@ -512,6 +512,18 @@
 	return (-1);
     }
 
+    if (lc != NULL && lc->lc_class != NULL) {
+    /* Inform the kernel about current login class */
+        if ((flags & LOGIN_SETLOGINCLASS) &&
+	    setloginclass(lc->lc_class) != 0) {
+	    syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
+#ifdef notyet
+	    login_close(llc);
+	    return (-1);
+#endif
+        }
+    }
+
     mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0;
     mymask = setlogincontext(lc, pwd, mymask, flags);
     login_close(llc);
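Review bot: A failed setloginclass() is only logged here, because the `login_close(llc); return (-1);` path is compiled out under `#ifdef notyet`, so the caller continues with whatever login class the process already had. For HRL rules keyed on 'class', a session can then be accounted to the wrong class while the function carries on as if nothing had failed. Either drop the `#ifdef notyet`/`#endif` pair so the failure is returned, or state in the comment why it is tolerated for now, e.g. `/* Inform the kernel about the login class; failure is non-fatal until <condition>. */`. The comment on the line after the outer `if` is also indented one level short of the block it describes. The enclosing function starts and ends outside this hunk.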

==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 (text+ko) ====

@@ -2,8 +2,8 @@
  * System call prototypes.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_proto.h,v 1.106 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz 
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp 
  */
 
 #ifndef _FREEBSD32_SYSPROTO_H_
@@ -453,6 +453,13 @@
 	char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
 	char buf_l_[PADL_(struct shmid_ds32 *)]; struct shmid_ds32 * buf; char buf_r_[PADR_(struct shmid_ds32 *)];
 };
+struct hrl_args {
+	char op_l_[PADL_(int)]; int op; char op_r_[PADR_(int)];
+	char inbufp_l_[PADL_(const void)]; const void inbufp; char inbufp_r_[PADR_(const void)];
+	char inbuflen_l_[PADL_(size_t *)]; size_t * inbuflen; char inbuflen_r_[PADR_(size_t *)];
+	char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)];
+	char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)];
+};
 int	freebsd32_wait4(struct thread *, struct freebsd32_wait4_args *);
 int	freebsd32_recvmsg(struct thread *, struct freebsd32_recvmsg_args *);
 int	freebsd32_sendmsg(struct thread *, struct freebsd32_sendmsg_args *);
@@ -536,6 +543,7 @@
 int	freebsd32_semctl(struct thread *, struct freebsd32_semctl_args *);
 int	freebsd32_msgctl(struct thread *, struct freebsd32_msgctl_args *);
 int	freebsd32_shmctl(struct thread *, struct freebsd32_shmctl_args *);
+int	hrl(struct thread *, struct hrl_args *);
 
 #ifdef COMPAT_43
 
@@ -814,6 +822,7 @@
 #define	FREEBSD32_SYS_AUE_freebsd32_semctl	AUE_SEMCTL
 #define	FREEBSD32_SYS_AUE_freebsd32_msgctl	AUE_MSGCTL
 #define	FREEBSD32_SYS_AUE_freebsd32_shmctl	AUE_SHMCTL
+#define	FREEBSD32_SYS_AUE_hrl	AUE_NULL
 
 #undef PAD_
 #undef PADL_

==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 (text+ko) ====

@@ -2,8 +2,8 @@
  * System call numbers.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscall.h,v 1.105 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz 
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp 
  */
 
 #define	FREEBSD32_SYS_syscall	0
@@ -382,4 +382,7 @@
 #define	FREEBSD32_SYS_freebsd32_msgctl	511
 #define	FREEBSD32_SYS_freebsd32_shmctl	512
 #define	FREEBSD32_SYS_lpathconf	513
-#define	FREEBSD32_SYS_MAXSYSCALL	514
+#define	FREEBSD32_SYS_hrl	514
+#define	FREEBSD32_SYS_getloginclass	515
+#define	FREEBSD32_SYS_setloginclass	516
+#define	FREEBSD32_SYS_MAXSYSCALL	517

==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 (text+ko) ====

@@ -2,8 +2,8 @@
  * System call names.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscalls.c,v 1.96 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz 
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp 
  */
 
 const char *freebsd32_syscallnames[] = {
@@ -521,4 +521,7 @@
 	"freebsd32_msgctl",			/* 511 = freebsd32_msgctl */
 	"freebsd32_shmctl",			/* 512 = freebsd32_shmctl */
 	"lpathconf",			/* 513 = lpathconf */
+	"hrl",			/* 514 = hrl */
+	"getloginclass",			/* 515 = getloginclass */
+	"setloginclass",			/* 516 = setloginclass */
 };

==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 (text+ko) ====

@@ -2,8 +2,8 @@
  * System call switch table.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_sysent.c,v 1.107 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz 
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp 
  */
 
 #include "opt_compat.h"
@@ -558,4 +558,7 @@
 	{ AS(freebsd32_msgctl_args), (sy_call_t *)freebsd32_msgctl, AUE_MSGCTL, NULL, 0, 0, 0 },	/* 511 = freebsd32_msgctl */
 	{ AS(freebsd32_shmctl_args), (sy_call_t *)freebsd32_shmctl, AUE_SHMCTL, NULL, 0, 0, 0 },	/* 512 = freebsd32_shmctl */
 	{ AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 },	/* 513 = lpathconf */
+	{ AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 },	/* 514 = hrl */
+	{ AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 },	/* 515 = getloginclass */
+	{ AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 },	/* 516 = setloginclass */
 };

==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 (text+ko) ====

@@ -902,3 +902,6 @@
 				    struct shmid_ds32 *buf); }
 513	AUE_LPATHCONF	NOPROTO	{ int lpathconf(char *path, int name); }
 514	AUE_NULL	STD	{ int hrl(int op, const void inbufp, size_t *inbuflen, void *outbufp, size_t outbuflen); }
+515	AUE_NULL	NOPROTO	{ int getloginclass(char *namebuf, size_t \
+				    namelen); }
+516	AUE_NULL	NOPROTO	{ int setloginclass(const char *namebuf); }
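Review bot: The context entry for 514 in this compat table reads `const void inbufp, size_t *inbuflen`, while sys/kern/syscalls.master in the same change has `const void *inbufp, size_t inbuflen`. The regenerated freebsd32_proto.h in this change picks that up as `const void inbufp;` and `size_t * inbuflen;` in `struct hrl_args`, which is not a valid member type and disagrees with the native argument layout. Since this hunk edits the adjacent lines, correct line 514 to match the native prototype and regenerate the freebsd32 files.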

==== //depot/projects/soc2009/trasz_limits/sys/conf/files#13 (text+ko) ====

@@ -1958,6 +1958,7 @@
 kern/kern_lock.c		standard
 kern/kern_lockf.c		standard
 kern/kern_lockstat.c		optional kdtrace_hooks
+kern/kern_loginclass.c		standard
 kern/kern_malloc.c		standard
 kern/kern_mbuf.c		standard
 kern/kern_mib.c			standard

==== //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 (text+ko) ====

@@ -549,4 +549,6 @@
 	{ AS(shmctl_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 },	/* 512 = shmctl */
 	{ AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 },	/* 513 = lpathconf */
 	{ AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 },	/* 514 = hrl */
+	{ AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 },	/* 515 = getloginclass */
+	{ AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 },	/* 516 = setloginclass */
 };

==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 (text+ko) ====

@@ -522,4 +522,6 @@
 	"shmctl",			/* 512 = shmctl */
 	"lpathconf",			/* 513 = lpathconf */
 	"hrl",			/* 514 = hrl */
+	"getloginclass",			/* 515 = getloginclass */
+	"setloginclass",			/* 516 = setloginclass */
 };

==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 (text+ko) ====

@@ -912,5 +912,8 @@
 				    struct shmid_ds *buf); }
 513	AUE_LPATHCONF	STD	{ int lpathconf(char *path, int name); }
 514	AUE_NULL	STD	{ int hrl(int op, const void *inbufp, size_t inbuflen, void *outbufp, size_t outbuflen); }
+515	AUE_NULL	STD	{ int getloginclass(char *namebuf, size_t \
+				    namelen); }
+516	AUE_NULL	STD	{ int setloginclass(const char *namebuf); }
 ; Please copy any additions and changes to the following compatability tables:
 ; sys/compat/freebsd32/syscalls.master
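Review bot: Both new entries use `AUE_NULL`, so setloginclass(2) will produce no audit record even though it changes the subject that 'class' resource rules apply to, and the change adds `PRIV_PROC_SETLOGINCLASS` for it. setlogin(2) is audited as `AUE_SETLOGIN`; a dedicated event for setloginclass would make class changes visible in the audit trail. If that is deferred, a `; XXX: needs an audit event` comment above line 516 would record the gap. The same applies to the 516 entry in sys/compat/freebsd32/syscalls.master.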

==== //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 (text+ko) ====

@@ -3083,6 +3083,21 @@
 		*n_args = 5;
 		break;
 	}
+	/* getloginclass */
+	case 515: {
+		struct getloginclass_args *p = params;
+		uarg[0] = (intptr_t) p->namebuf; /* char * */
+		uarg[1] = p->namelen; /* size_t */
+		*n_args = 2;
+		break;
+	}
+	/* setloginclass */
+	case 516: {
+		struct setloginclass_args *p = params;
+		uarg[0] = (intptr_t) p->namebuf; /* const char * */
+		*n_args = 1;
+		break;
+	}
 	default:
 		*n_args = 0;
 		break;
@@ -8187,6 +8202,29 @@
 			break;
 		};
 		break;
+	/* getloginclass */
+	case 515:
+		switch(ndx) {
+		case 0:
+			p = "char *";
+			break;
+		case 1:
+			p = "size_t";
+			break;
+		default:
+			break;
+		};
+		break;
+	/* setloginclass */
+	case 516:
+		switch(ndx) {
+		case 0:
+			p = "const char *";
+			break;
+		default:
+			break;
+		};
+		break;
 	default:
 		break;
 	};

==== //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 (text+ko) ====

@@ -115,9 +115,9 @@
 };
 
 /*
- * 'hrl_limit' is used to link a subject with rules that apply
- * to it.  This way we don't have to search the whole HRL rules
- * tree to enforce the limits.
+ * 'hrl_limit' connects rule with every subject it's related to.
+ * For example, rule 'user:X:openfiles:deny=N/process' is linked
+ * with uidinfo for user X, and to each process of that user.
  */
 struct hrl_limit {
 	LIST_ENTRY(hrl_limit)	hl_next;

==== //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 (text+ko) ====

@@ -156,6 +156,7 @@
 #define	PRIV_PROC_LIMIT		160	/* Exceed user process limit. */
 #define	PRIV_PROC_SETLOGIN	161	/* Can call setlogin. */
 #define	PRIV_PROC_SETRLIMIT	162	/* Can raise resources limits. */
+#define	PRIV_PROC_SETLOGINCLASS	163	/* Can call setloginclass(2). */
 
 /* System V IPC privileges.
  */
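Review bot: sys/kern/kern_jail.c is not among the affected files, so `PRIV_PROC_SETLOGINCLASS` is presumably not added to the privileges granted inside a jail. If setloginclass(2) checks this privilege (kern_loginclass.c is added by the change but its contents are not shown), login(1) inside a jail would fail the call. Decide explicitly whether jailed root may set the login class and record it in the comment, e.g. `/* Can call setloginclass(2); not granted in jails. */`.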

==== //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 (text+ko) ====

@@ -171,6 +171,7 @@
 struct kdtrace_proc;
 struct kdtrace_thread;
 struct cpuset;
+struct loginclass;
 
 /*
  * Kernel runnable context (thread).
@@ -531,6 +532,7 @@
 	rlim_t		p_cpulimit;	/* (c) Current CPU limit in seconds. */
 	signed char	p_nice;		/* (c) Process "nice" value. */
 	int		p_fibnum;	/* in this routing domain XXX MRT */
+	struct loginclass	*p_loginclass;	/* (c) login class */
 /* End area that is copied on creation. */
 #define	p_endcopy	p_xstat
 
@@ -876,6 +878,8 @@
 struct thread	*thread_find(struct proc *p, lwpid_t tid);
 void	thr_exit1(void);
 
+struct loginclass *loginclass_find(const char *name);
+
 #endif	/* _KERNEL */
 
 #endif	/* !_SYS_PROC_H_ */
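Review bot: `loginclass_find()` is declared with no statement of who owns the returned `struct loginclass`, and the new `p_loginclass` pointer (second hunk) sits inside the area that is copied on process creation. If login classes are ever freed or reference-counted, the copied pointer in the child needs its own reference, and no fork-path file appears in the affected-files list. Add a comment on the prototype describing the lifetime, e.g. `/* Returned loginclass is never freed. */`, or naming the reference the caller must release, whichever kern_loginclass.c actually implements.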

==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 (text+ko) ====

@@ -429,4 +429,6 @@
 #define	SYS_shmctl	512
 #define	SYS_lpathconf	513
 #define	SYS_hrl	514
-#define	SYS_MAXSYSCALL	515
+#define	SYS_getloginclass	515
+#define	SYS_setloginclass	516
+#define	SYS_MAXSYSCALL	517

==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 (text+ko) ====

@@ -377,4 +377,6 @@
 	msgctl.o \
 	shmctl.o \
 	lpathconf.o \
-	hrl.o
+	hrl.o \
+	getloginclass.o \
+	setloginclass.o

==== //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 (text+ko) ====

@@ -1648,6 +1648,13 @@
 	char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)];
 	char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)];
 };
+struct getloginclass_args {
+	char namebuf_l_[PADL_(char *)]; char * namebuf; char namebuf_r_[PADR_(char *)];
+	char namelen_l_[PADL_(size_t)]; size_t namelen; char namelen_r_[PADR_(size_t)];
+};
+struct setloginclass_args {
+	char namebuf_l_[PADL_(const char *)]; const char * namebuf; char namebuf_r_[PADR_(const char *)];
+};
 int	nosys(struct thread *, struct nosys_args *);
 void	sys_exit(struct thread *, struct sys_exit_args *);
 int	fork(struct thread *, struct fork_args *);
@@ -2007,6 +2014,8 @@
 int	shmctl(struct thread *, struct shmctl_args *);
 int	lpathconf(struct thread *, struct lpathconf_args *);
 int	hrl(struct thread *, struct hrl_args *);
+int	getloginclass(struct thread *, struct getloginclass_args *);
+int	setloginclass(struct thread *, struct setloginclass_args *);
 
 #ifdef COMPAT_43
 
@@ -2680,6 +2689,8 @@
 #define	SYS_AUE_shmctl	AUE_SHMCTL
 #define	SYS_AUE_lpathconf	AUE_LPATHCONF
 #define	SYS_AUE_hrl	AUE_NULL
+#define	SYS_AUE_getloginclass	AUE_NULL
+#define	SYS_AUE_setloginclass	AUE_NULL
 
 #undef PAD_
 #undef PADL_

==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 (text+ko) ====

@@ -55,6 +55,8 @@
 .Fl P
 .Op Ar user
 .Nm
+.Fl c
+.Nm
 .Fl g Op Fl nr
 .Op Ar user
 .Nm
@@ -93,6 +95,8 @@
 Ignored for compatibility with other
 .Nm
 implementations.
+.It Fl c
+Display current login class.
 .It Fl g
 Display the effective group ID as a number.
 .It Fl n

==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 (text+ko) ====

@@ -78,11 +78,13 @@
 	struct group *gr;
 	struct passwd *pw;
 	int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag;
-	int Aflag;
+	int Aflag, cflag;
+	int error;
 	const char *myname;
+	char loginclass[MAXLOGNAME];
 
 	Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0;
-	Aflag = 0;
+	Aflag = cflag = 0;
 
 	myname = strrchr(argv[0], '/');
 	myname = (myname != NULL) ? myname + 1 : argv[0];
@@ -96,7 +98,7 @@
 	}
 
 	while ((ch = getopt(argc, argv,
-	    (isgroups || iswhoami) ? "" : "APGMagnpru")) != -1)
+	    (isgroups || iswhoami) ? "" : "APGMacgnpru")) != -1)
 		switch(ch) {
 #ifdef USE_BSM_AUDIT
 		case 'A':
@@ -114,6 +116,9 @@
 			break;
 		case 'a':
 			break;
+		case 'c':
+			cflag = 1;
+			break;
 		case 'g':
 			gflag = 1;
 			break;
@@ -162,6 +167,14 @@
 	}
 #endif
 
+	if (cflag) {
+		error = getloginclass(loginclass, sizeof(loginclass));
+		if (error)
+			err(1, "loginclass");
+		(void)printf("%s\n", loginclass);
+		exit(0);
+	}
+
 	if (gflag) {
 		id = pw ? pw->pw_gid : rflag ? getgid() : getegid();
 		if (nflag && (gr = getgrgid(id)))
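Review bot: The buffer passed to getloginclass() is `char loginclass[MAXLOGNAME]` (declared in the first hunk), which is the limit for login names rather than login class names. If class names can be longer, the call would presumably fail or truncate depending on how the kernel treats a short buffer; a dedicated length constant shared with the kernel would remove that coupling. `err(1, "loginclass")` would read better as `err(1, "getloginclass")` so the failing call is identifiable. main() starts and ends outside these hunks, so whether `-c` is rejected when combined with other flags or a user operand cannot be seen here.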

