Subject: Re: setrlimit seems to have changed: breaks pkgsrc/net/tor
To: None <tech-kern@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: current-users
Date: 01/09/2007 20:11:45
hi,
if there are no objections I'll commit the attached patch.
-e.
Index: share/examples/secmodel/secmodel_example.c
===================================================================
RCS file: /usr/cvs/src/share/examples/secmodel/secmodel_example.c,v
retrieving revision 1.12
diff -u -p -r1.12 secmodel_example.c
--- share/examples/secmodel/secmodel_example.c 5 Jan 2007 13:23:22 -0000 1.12
+++ share/examples/secmodel/secmodel_example.c 8 Jan 2007 06:04:03 -0000
@@ -229,17 +229,8 @@ secmodel_example_process_cb(kauth_cred_t
case KAUTH_PROCESS_CANSYSTRACE:
case KAUTH_PROCESS_CANPTRACE:
case KAUTH_PROCESS_CORENAME:
- break;
- case KAUTH_PROCESS_RESOURCE:
- switch((u_long)arg0) {
- case KAUTH_REQ_PROCESS_RESOURCE_NICE:
- case KAUTH_REQ_PROCESS_RESOURCE_RLIMIT:
- default:
- result = KAUTH_RESULT_DEFER;
- break;
- }
- break;
-
+ case KAUTH_PROCESS_NICE:
+ case KAUTH_PROCESS_RLIMIT:
case KAUTH_PROCESS_SETID:
case KAUTH_PROCESS_STOPFLAG:
default:
Index: share/man/man9/kauth.9
===================================================================
RCS file: /usr/cvs/src/share/man/man9/kauth.9,v
retrieving revision 1.46
diff -u -p -r1.46 kauth.9
--- share/man/man9/kauth.9 9 Jan 2007 12:49:36 -0000 1.46
+++ share/man/man9/kauth.9 8 Jan 2007 06:03:34 -0000
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 2, 2007
+.Dd January 9, 2007
.Dt KAUTH 9
.Os
.Sh NAME
@@ -376,27 +376,24 @@ can be changed.
.Pp
.Ar arg1
is the new corename.
-.It Dv KAUTH_PROCESS_RESOURCE
-Groups authorization requests related to resource management.
-.Ar arg0
-indicates the sub-action, and can be one of the following:
-.Bl -tag
-.It Dv KAUTH_REQ_PROCESS_RESOURCE_NICE
+.It Dv KAUTH_PROCESS_NICE
Checks whether the
.Em nice
value of
.Ar p
can be changed to
-.Ar arg2 .
-.It Dv KAUTH_REQ_PROCESS_RESOURCE_RLIMIT
+.Ar arg1 .
+.It Dv KAUTH_PROCESS_RLIMIT
Checks whether the
.Em rlimit
value for
-.Ar arg3
+.Ar arg2
in
.Ar p
can be set to
-.Ar arg2 .
+.Ar arg1 .
+.Ar arg3
+is the process requesting the change.
.El
.It Dv KAUTH_PROCESS_SETID
Check if changing the user- or group-ids, groups, or login-name for
Index: sys/sys/kauth.h
===================================================================
RCS file: /usr/cvs/src/sys/sys/kauth.h,v
retrieving revision 1.32
diff -u -p -r1.32 kauth.h
--- sys/sys/kauth.h 9 Jan 2007 12:49:37 -0000 1.32
+++ sys/sys/kauth.h 8 Jan 2007 05:56:15 -0000
@@ -126,7 +126,8 @@ enum {
KAUTH_PROCESS_CANSIGNAL,
KAUTH_PROCESS_CANSYSTRACE,
KAUTH_PROCESS_CORENAME,
- KAUTH_PROCESS_RESOURCE,
+ KAUTH_PROCESS_NICE,
+ KAUTH_PROCESS_RLIMIT,
KAUTH_PROCESS_SETID,
KAUTH_PROCESS_STOPFLAG
};
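Review bot: Replacing `KAUTH_PROCESS_RESOURCE` with two enumerators in the middle of this enum renumbers `KAUTH_PROCESS_SETID` and `KAUTH_PROCESS_STOPFLAG`, and the kern_resource.c hunks also move the request arguments to different slots (`limp` from arg2 to arg1, `which` from arg3 to arg2). Because every argument is an untyped pointer, a process-scope listener binary built against the old header would still load and would silently evaluate the wrong action or the wrong argument. If listeners can be built separately from the kernel, this change should come with a kernel version bump so stale ones are rejected. A one-line comment above the enum, `/* Values are part of the kauth listener interface; bump the kernel version when renumbering. */`, would record that. The enum's opening lines are outside the hunk.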
@@ -138,9 +139,7 @@ enum kauth_process_req {
KAUTH_REQ_PROCESS_CANPROCFS_CTL=1,
KAUTH_REQ_PROCESS_CANPROCFS_READ,
KAUTH_REQ_PROCESS_CANPROCFS_RW,
- KAUTH_REQ_PROCESS_CANPROCFS_WRITE,
- KAUTH_REQ_PROCESS_RESOURCE_NICE,
- KAUTH_REQ_PROCESS_RESOURCE_RLIMIT
+ KAUTH_REQ_PROCESS_CANPROCFS_WRITE
};
/*
Index: sys/kern/kern_resource.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/kern_resource.c,v
retrieving revision 1.111
diff -u -p -r1.111 kern_resource.c
--- sys/kern/kern_resource.c 14 Dec 2006 11:45:08 -0000 1.111
+++ sys/kern/kern_resource.c 8 Jan 2007 05:58:57 -0000
@@ -202,8 +202,8 @@ donice(struct lwp *l, struct proc *chgp,
if (n < PRIO_MIN)
n = PRIO_MIN;
n += NZERO;
- if (kauth_authorize_process(cred, KAUTH_PROCESS_RESOURCE, chgp,
- (void *)KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_ARG(n), NULL))
+ if (kauth_authorize_process(cred, KAUTH_PROCESS_NICE, chgp,
+ KAUTH_ARG(n), NULL, NULL) != 0)
return (EACCES);
chgp->p_nice = n;
SCHED_LOCK(s);
@@ -256,11 +256,10 @@ dosetrlimit(struct lwp *l, struct proc *
*/
return (EINVAL);
}
- error = kauth_authorize_process(l->l_cred, KAUTH_PROCESS_RESOURCE,
- p, KAUTH_ARG(KAUTH_REQ_PROCESS_RESOURCE_RLIMIT), limp,
- KAUTH_ARG(which));
+ error = kauth_authorize_process(l->l_cred, KAUTH_PROCESS_RLIMIT, p,
+ limp, KAUTH_ARG(which), l->l_proc);
if (error)
- return (error);
+ return (error);
if (p->p_limit->p_refcnt > 1 &&
(p->p_limit->p_lflags & PL_SHAREMOD) == 0) {
Index: sys/secmodel/bsd44/secmodel_bsd44_suser.c
===================================================================
RCS file: /usr/cvs/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c,v
retrieving revision 1.31
diff -u -p -r1.31 secmodel_bsd44_suser.c
--- sys/secmodel/bsd44/secmodel_bsd44_suser.c 9 Jan 2007 16:19:27 -0000 1.31
+++ sys/secmodel/bsd44/secmodel_bsd44_suser.c 8 Jan 2007 06:25:31 -0000
@@ -485,55 +485,45 @@ secmodel_bsd44_suser_process_cb(kauth_cr
break;
- case KAUTH_PROCESS_RESOURCE:
- switch ((u_long)arg1) {
- case KAUTH_REQ_PROCESS_RESOURCE_NICE:
- if (isroot) {
- result = KAUTH_RESULT_ALLOW;
- break;
- }
-
- if (kauth_cred_geteuid(cred) !=
- kauth_cred_geteuid(p->p_cred) &&
- kauth_cred_getuid(cred) !=
- kauth_cred_geteuid(p->p_cred)) {
- result = KAUTH_RESULT_DENY;
- break;
- }
-
- if ((u_long)arg2 >= p->p_nice)
- result = KAUTH_RESULT_ALLOW;
-
+ case KAUTH_PROCESS_NICE:
+ if (isroot) {
+ result = KAUTH_RESULT_ALLOW;
break;
+ }
- case KAUTH_REQ_PROCESS_RESOURCE_RLIMIT: {
- struct rlimit *new_rlimit;
- u_long which;
+ if (kauth_cred_geteuid(cred) != kauth_cred_geteuid(p->p_cred) &&
+ kauth_cred_getuid(cred) != kauth_cred_geteuid(p->p_cred)) {
+ result = KAUTH_RESULT_DENY;
+ break;
+ }
- if (isroot) {
- result = KAUTH_RESULT_ALLOW;
- break;
- }
+ if ((u_char)(u_long)arg1 >= p->p_nice)
+ result = KAUTH_RESULT_ALLOW;
- if (proc_uidmatch(cred, p->p_cred) != 0) {
- result = KAUTH_RESULT_DENY;
- break;
- }
+ break;
- new_rlimit = arg2;
- which = (u_long)arg3;
+ case KAUTH_PROCESS_RLIMIT: {
+ struct rlimit *new_rlimit;
+ u_long which;
- if (new_rlimit->rlim_max <=
- p->p_rlimit[which].rlim_max)
- result = KAUTH_RESULT_ALLOW;
+ if (isroot) {
+ result = KAUTH_RESULT_ALLOW;
break;
- }
+ }
- default:
- result = KAUTH_RESULT_DEFER;
+ if (p != arg3 && proc_uidmatch(cred, p->p_cred) != 0) {
+ result = KAUTH_RESULT_DENY;
break;
}
+
+ new_rlimit = arg1;
+ which = (u_long)arg2;
+
+ if (new_rlimit->rlim_max <= p->p_rlimit[which].rlim_max)
+ result = KAUTH_RESULT_ALLOW;
+
break;
+ }
case KAUTH_PROCESS_SETID:
if (isroot)
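Review bot: In the `KAUTH_PROCESS_RLIMIT` case the new test `p != arg3` skips the uid match whenever the target is the requesting process, and nothing at that line explains why this is safe. I would add `/* A process may change its own limits regardless of uid match; the rlim_max comparison below still applies. */` so a later edit does not widen the exemption. The same case indexes `p->p_rlimit[which]` with a value taken straight from `arg2`; the caller in kern_resource.c appears to validate it before the call, but that check is outside the visible hunk, so `KASSERT(which < RLIM_NLIMITS);` after the assignment would make the listener's assumption explicit. In the `KAUTH_PROCESS_NICE` case the cast `(u_char)(u_long)arg1` truncates, which is only correct because the caller clamps the value first. secmodel_bsd44_suser_process_cb starts and ends outside the hunk.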