git: 76fb5c23dcca - releng/15.0 - setcred(): Fix RACCT resource accounting on credentials change

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Colin Percival <cperciva_at_FreeBSD.org>
Date: Thu, 06 Nov 2025 23:11:56 UTC

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=76fb5c23dcca4696d3682bec2dd0e60d81c6db1e

commit 76fb5c23dcca4696d3682bec2dd0e60d81c6db1e
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-10-29 17:07:59 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-06 23:11:10 +0000

    setcred(): Fix RACCT resource accounting on credentials change
    
    When credentials are changed, we need to adjust the sum of resources
    associated to the initial and new process' user IDs (and old and new
    login classes and jails, but setcred() does not change them) for them to
    stay consistent.
    
    Approved by:    re (cperciva)
    PR:             290352
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D53457
    
    (cherry picked from commit 2be5127c4a31bacac9b4158395bfa844f6033626)
    (cherry picked from commit 2e76660cb71dc113a4f4e0eb05eb190d7fc99e7f)
---
 sys/kern/kern_prot.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index df725cfebd97..3c145851b683 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -696,7 +696,7 @@ kern_setcred(struct thread *const td, const u_int flags,
 	gid_t *groups = NULL;
 	gid_t smallgroups[CRED_SMALLGROUPS_NB];
 	int error;
-	bool cred_set;
+	bool cred_set = false;
 
 	/* Bail out on unrecognized flags. */
 	if (flags & ~SETCREDF_MASK)
@@ -839,17 +839,32 @@ kern_setcred(struct thread *const td, const u_int flags,
 	if (cred_set) {
 		setsugid(p);
 		to_free_cred = old_cred;
+#ifdef RACCT
+		racct_proc_ucred_changed(p, old_cred, new_cred);
+#endif
+#ifdef RCTL
+		crhold(new_cred);
+#endif
 		MPASS(error == 0);
 	} else
 		error = EAGAIN;
 
 unlock_finish:
 	PROC_UNLOCK(p);
+
 	/*
 	 * Part 3: After releasing the process lock, we perform cleanups and
 	 * finishing operations.
 	 */
 
+#ifdef RCTL
+	if (cred_set) {
+		rctl_proc_ucred_changed(p, new_cred);
+		/* Paired with the crhold() just above. */
+		crfree(new_cred);
+	}
+#endif
+
 #ifdef MAC
 	if (mac_set_proc_data != NULL)
 		mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);