Add rctl. It's used by racct to take user-configurable actions based

on the set of rules it maintains and the current resource usage.  It also
privides userland API to manage that ruleset.

Sponsored by:	The FreeBSD Foundation
Reviewed by:	kib (earlier version)

9 files changed, 2070 insertions, 1 deletions

diff --git a/sys/compat/freebsd32/syscalls.master b/sys/compat/freebsd32/syscalls.master
index 31a67b6..8a4cadf 100644
--- a/sys/compat/freebsd32/syscalls.master
+++ b/sys/compat/freebsd32/syscalls.master
@@ -965,3 +965,18 @@
 523	AUE_NULL	NOPROTO	{ int getloginclass(char *namebuf, \
 				    size_t namelen); }
 524	AUE_NULL	NOPROTO	{ int setloginclass(const char *namebuf); }
+525	AUE_NULL	NOPROTO	{ int rctl_get_racct(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+526	AUE_NULL	NOPROTO	{ int rctl_get_rules(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+527	AUE_NULL	NOPROTO	{ int rctl_get_limits(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+528	AUE_NULL	NOPROTO	{ int rctl_add_rule(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+529	AUE_NULL	NOPROTO	{ int rctl_remove_rule(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index d5fb648..9d99a92 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -2933,6 +2933,9 @@ options 	AAC_DEBUG	# Debugging levels:
 # Resource Accounting
 options 	RACCT
 
+# Resource Limits
+options 	RCTL
+
 # Yet more undocumented options for linting.
 # BKTR_ALLOC_PAGES has no effect except to cause warnings, and
 # BROOKTREE_ALLOC_PAGES hasn't actually been superseded by it, since the
diff --git a/sys/conf/files b/sys/conf/files
index 1cf8ff1..7b2a5d5 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -2226,6 +2226,7 @@ kern/kern_priv.c		standard
 kern/kern_proc.c		standard
 kern/kern_prot.c		standard
 kern/kern_racct.c		standard
+kern/kern_rctl.c		standard
 kern/kern_resource.c		standard
 kern/kern_rmlock.c		standard
 kern/kern_rwlock.c		standard
diff --git a/sys/conf/options b/sys/conf/options
index 56dbd34..4ede826 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -876,6 +876,9 @@ IPOIB_CM	opt_ofed.h
 # Resource Accounting
 RACCT		opt_global.h
 
+# Resource Limits
+RCTL		opt_global.h
+
 # At least one of the AR71XX ubiquiti boards has a Redboot configuration
 # that "lies" about the amount of RAM it has. Until a cleaner method is
 # defined, this option will suffice in overriding what Redboot says.
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 6f72feb..22b97e8 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/racct.h>
+#include <sys/rctl.h>
 #include <sys/sx.h>
 #include <sys/sysent.h>
 #include <sys/namei.h>
@@ -2532,6 +2533,9 @@ prison_deref(struct prison *pr, int flags)
 		if (pr->pr_cpuset != NULL)
 			cpuset_rel(pr->pr_cpuset);
 		osd_jail_exit(pr);
+#ifdef RCTL
+		rctl_racct_release(pr->pr_racct);
+#endif
 		racct_destroy(&pr->pr_racct);
 		free(pr, M_PRISON);
 
diff --git a/sys/kern/kern_rctl.c b/sys/kern/kern_rctl.c
new file mode 100644
index 0000000..890183d
--- /dev/null
+++ b/sys/kern/kern_rctl.c
@@ -0,0 +1,1850 @@
+/*-
+ * Copyright (c) 2010 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Edward Tomasz Napierala under sponsorship
+ * from the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/bus.h>
+#include <sys/malloc.h>
+#include <sys/queue.h>
+#include <sys/refcount.h>
+#include <sys/jail.h>
+#include <sys/kernel.h>
+#include <sys/limits.h>
+#include <sys/loginclass.h>
+#include <sys/priv.h>
+#include <sys/proc.h>
+#include <sys/racct.h>
+#include <sys/rctl.h>
+#include <sys/resourcevar.h>
+#include <sys/sx.h>
+#include <sys/sysent.h>
+#include <sys/sysproto.h>
+#include <sys/systm.h>
+#include <sys/types.h>
+#include <sys/eventhandler.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/rwlock.h>
+#include <sys/sbuf.h>
+#include <sys/taskqueue.h>
+#include <sys/tree.h>
+#include <vm/uma.h>
+
+#ifdef RCTL
+#ifndef RACCT
+#error "The RCTL option requires the RACCT option"
+#endif
+
+FEATURE(rctl, "Resource Limits");
+
+#define	HRF_DEFAULT		0
+#define	HRF_DONT_INHERIT	1
+#define	HRF_DONT_ACCUMULATE	2
+
+/* Default buffer size for rctl_get_rules(2). */
+#define	RCTL_DEFAULT_BUFSIZE	4096
+#define	RCTL_LOG_BUFSIZE	128
+
+/*
+ * 'rctl_rule_link' connects a rule with every racct it's related to.
+ * For example, rule 'user:X:openfiles:deny=N/process' is linked
+ * with uidinfo for user X, and to each process of that user.
+ */
+struct rctl_rule_link {
+	LIST_ENTRY(rctl_rule_link)	rrl_next;
+	struct rctl_rule		*rrl_rule;
+	int				rrl_exceeded;
+};
+
+struct dict {
+	const char	*d_name;
+	int		d_value;
+};
+
+static struct dict subjectnames[] = {
+	{ "process", RCTL_SUBJECT_TYPE_PROCESS },
+	{ "user", RCTL_SUBJECT_TYPE_USER },
+	{ "loginclass", RCTL_SUBJECT_TYPE_LOGINCLASS },
+	{ "jail", RCTL_SUBJECT_TYPE_JAIL },
+	{ NULL, -1 }};
+
+static struct dict resourcenames[] = {
+	{ "cpu", RACCT_CPU },
+	{ "fsize", RACCT_FSIZE },
+	{ "data", RACCT_DATA },
+	{ "stack", RACCT_STACK },
+	{ "core", RACCT_CORE },
+	{ "rss", RACCT_RSS },
+	{ "memlock", RACCT_MEMLOCK },
+	{ "nproc", RACCT_NPROC },
+	{ "nofile", RACCT_NOFILE },
+	{ "sbsize", RACCT_SBSIZE },
+	{ "vmem", RACCT_VMEM },
+	{ "npts", RACCT_NPTS },
+	{ "swap", RACCT_SWAP },
+	{ "nthr", RACCT_NTHR },
+	{ "msgqqueued", RACCT_MSGQQUEUED },
+	{ "msgqsize", RACCT_MSGQSIZE },
+	{ "nmsgq", RACCT_NMSGQ },
+	{ "nsem", RACCT_NSEM },
+	{ "nsemop", RACCT_NSEMOP },
+	{ "nshm", RACCT_NSHM },
+	{ "shmsize", RACCT_SHMSIZE },
+	{ "wallclock", RACCT_WALLCLOCK },
+	{ NULL, -1 }};
+
+static struct dict actionnames[] = {
+	{ "sighup", RCTL_ACTION_SIGHUP },
+	{ "sigint", RCTL_ACTION_SIGINT },
+	{ "sigquit", RCTL_ACTION_SIGQUIT },
+	{ "sigill", RCTL_ACTION_SIGILL },
+	{ "sigtrap", RCTL_ACTION_SIGTRAP },
+	{ "sigabrt", RCTL_ACTION_SIGABRT },
+	{ "sigemt", RCTL_ACTION_SIGEMT },
+	{ "sigfpe", RCTL_ACTION_SIGFPE },
+	{ "sigkill", RCTL_ACTION_SIGKILL },
+	{ "sigbus", RCTL_ACTION_SIGBUS },
+	{ "sigsegv", RCTL_ACTION_SIGSEGV },
+	{ "sigsys", RCTL_ACTION_SIGSYS },
+	{ "sigpipe", RCTL_ACTION_SIGPIPE },
+	{ "sigalrm", RCTL_ACTION_SIGALRM },
+	{ "sigterm", RCTL_ACTION_SIGTERM },
+	{ "sigurg", RCTL_ACTION_SIGURG },
+	{ "sigstop", RCTL_ACTION_SIGSTOP },
+	{ "sigtstp", RCTL_ACTION_SIGTSTP },
+	{ "sigchld", RCTL_ACTION_SIGCHLD },
+	{ "sigttin", RCTL_ACTION_SIGTTIN },
+	{ "sigttou", RCTL_ACTION_SIGTTOU },
+	{ "sigio", RCTL_ACTION_SIGIO },
+	{ "sigxcpu", RCTL_ACTION_SIGXCPU },
+	{ "sigxfsz", RCTL_ACTION_SIGXFSZ },
+	{ "sigvtalrm", RCTL_ACTION_SIGVTALRM },
+	{ "sigprof", RCTL_ACTION_SIGPROF },
+	{ "sigwinch", RCTL_ACTION_SIGWINCH },
+	{ "siginfo", RCTL_ACTION_SIGINFO },
+	{ "sigusr1", RCTL_ACTION_SIGUSR1 },
+	{ "sigusr2", RCTL_ACTION_SIGUSR2 },
+	{ "sigthr", RCTL_ACTION_SIGTHR },
+	{ "deny", RCTL_ACTION_DENY },
+	{ "log", RCTL_ACTION_LOG },
+	{ "devctl", RCTL_ACTION_DEVCTL },
+	{ NULL, -1 }};
+
+static void rctl_init(void);
+SYSINIT(rctl, SI_SUB_RACCT, SI_ORDER_FIRST, rctl_init, NULL);
+
+static uma_zone_t rctl_rule_link_zone;
+static uma_zone_t rctl_rule_zone;
+static struct rwlock rctl_lock;
+RW_SYSINIT(rctl_lock, &rctl_lock, "RCTL lock");
+
+static int rctl_rule_fully_specified(const struct rctl_rule *rule);
+static void rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule);
+
+MALLOC_DEFINE(M_RCTL, "rctl", "Resource Limits");
+
+static const char *
+rctl_subject_type_name(int subject)
+{
+	int i;
+
+	for (i = 0; subjectnames[i].d_name != NULL; i++) {
+		if (subjectnames[i].d_value == subject)
+			return (subjectnames[i].d_name);
+	}
+
+	panic("rctl_subject_type_name: unknown subject type %d", subject);
+}
+
+static const char *
+rctl_action_name(int action)
+{
+	int i;
+
+	for (i = 0; actionnames[i].d_name != NULL; i++) {
+		if (actionnames[i].d_value == action)
+			return (actionnames[i].d_name);
+	}
+
+	panic("rctl_action_name: unknown action %d", action);
+}
+
+const char *
+rctl_resource_name(int resource)
+{
+	int i;
+
+	for (i = 0; resourcenames[i].d_name != NULL; i++) {
+		if (resourcenames[i].d_value == resource)
+			return (resourcenames[i].d_name);
+	}
+
+	panic("rctl_resource_name: unknown resource %d", resource);
+}
+
+/*
+ * Return the amount of resource that can be allocated by 'p' before
+ * hitting 'rule'.
+ */
+static int64_t
+rctl_available_resource(const struct proc *p, const struct rctl_rule *rule)
+{
+	int resource;
+	int64_t available = INT64_MAX;
+	struct ucred *cred = p->p_ucred;
+
+	rw_assert(&rctl_lock, RA_LOCKED);
+
+	resource = rule->rr_resource;
+	switch (rule->rr_per) {
+	case RCTL_SUBJECT_TYPE_PROCESS:
+		available = rule->rr_amount -
+		    p->p_racct->r_resources[resource];
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		available = rule->rr_amount -
+		    cred->cr_ruidinfo->ui_racct->r_resources[resource];
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		available = rule->rr_amount -
+		    cred->cr_loginclass->lc_racct->r_resources[resource];
+		break;
+	case RCTL_SUBJECT_TYPE_JAIL:
+		available = rule->rr_amount -
+		    cred->cr_prison->pr_racct->r_resources[resource];
+		break;
+	default:
+		panic("rctl_compute_available: unknown per %d",
+		    rule->rr_per);
+	}
+
+	return (available);
+}
+
+/*
+ * Return non-zero if allocating 'amount' by proc 'p' would exceed
+ * resource limit specified by 'rule'.
+ */
+static int
+rctl_would_exceed(const struct proc *p, const struct rctl_rule *rule,
+    int64_t amount)
+{
+	int64_t available;
+
+	rw_assert(&rctl_lock, RA_LOCKED);
+
+	available = rctl_available_resource(p, rule);
+	if (available >= amount)
+		return (0);
+
+	return (1);
+}
+
+/*
+ * Check whether the proc 'p' can allocate 'amount' of 'resource' in addition
+ * to what it keeps allocated now.  Returns non-zero if the allocation should
+ * be denied, 0 otherwise.
+ */
+int
+rctl_enforce(struct proc *p, int resource, uint64_t amount)
+{
+	struct rctl_rule *rule;
+	struct rctl_rule_link *link;
+	struct sbuf sb;
+	int should_deny = 0;
+	char *buf;
+	static int curtime = 0;
+	static struct timeval lasttime;
+
+	rw_rlock(&rctl_lock);
+
+	/*
+	 * There may be more than one matching rule; go through all of them.
+	 * Denial should be done last, after logging and sending signals.
+	 */
+	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+		rule = link->rrl_rule;
+		if (rule->rr_resource != resource)
+			continue;
+		if (!rctl_would_exceed(p, rule, amount)) {
+			link->rrl_exceeded = 0;
+			continue;
+		}
+
+		switch (rule->rr_action) {
+		case RCTL_ACTION_DENY:
+			should_deny = 1;
+			continue;
+		case RCTL_ACTION_LOG:
+			/*
+			 * If rrl_exceeded != 0, it means we've already
+			 * logged a warning for this process.
+			 */
+			if (link->rrl_exceeded != 0)
+				continue;
+
+			if (!ppsratecheck(&lasttime, &curtime, 10))
+				continue;
+
+			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
+			if (buf == NULL) {
+				printf("rctl_enforce: out of memory\n");
+				continue;
+			}
+			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
+			rctl_rule_to_sbuf(&sb, rule);
+			sbuf_finish(&sb);
+			printf("rctl: rule \"%s\" matched by pid %d "
+			    "(%s), uid %d, jail %s\n", sbuf_data(&sb),
+			    p->p_pid, p->p_comm, p->p_ucred->cr_uid,
+			    p->p_ucred->cr_prison->pr_name);
+			sbuf_delete(&sb);
+			free(buf, M_RCTL);
+			link->rrl_exceeded = 1;
+			continue;
+		case RCTL_ACTION_DEVCTL:
+			if (link->rrl_exceeded != 0)
+				continue;
+
+			buf = malloc(RCTL_LOG_BUFSIZE, M_RCTL, M_NOWAIT);
+			if (buf == NULL) {
+				printf("rctl_enforce: out of memory\n");
+				continue;
+			}
+			sbuf_new(&sb, buf, RCTL_LOG_BUFSIZE, SBUF_FIXEDLEN);
+			sbuf_printf(&sb, "rule=");
+			rctl_rule_to_sbuf(&sb, rule);
+			sbuf_printf(&sb, " pid=%d ruid=%d jail=%s",
+			    p->p_pid, p->p_ucred->cr_ruid,
+			    p->p_ucred->cr_prison->pr_name);
+			sbuf_finish(&sb);
+			devctl_notify_f("RCTL", "rule", "matched",
+			    sbuf_data(&sb), M_NOWAIT);
+			sbuf_delete(&sb);
+			free(buf, M_RCTL);
+			link->rrl_exceeded = 1;
+			continue;
+		default:
+			if (link->rrl_exceeded != 0)
+				continue;
+
+			KASSERT(rule->rr_action > 0 &&
+			    rule->rr_action <= RCTL_ACTION_SIGNAL_MAX,
+			    ("rctl_enforce: unknown action %d",
+			     rule->rr_action));
+
+			/*
+			 * We're using the fact that RCTL_ACTION_SIG* values
+			 * are equal to their counterparts from sys/signal.h.
+			 */
+			psignal(p, rule->rr_action);
+			link->rrl_exceeded = 1;
+			continue;
+		}
+	}
+
+	rw_runlock(&rctl_lock);
+
+	if (should_deny) {
+		/*
+		 * Return fake error code; the caller should change it
+		 * into one proper for the situation - EFSIZ, ENOMEM etc.
+		 */
+		return (EDOOFUS);
+	}
+
+	return (0);
+}
+
+uint64_t
+rctl_get_limit(struct proc *p, int resource)
+{
+	struct rctl_rule *rule;
+	struct rctl_rule_link *link;
+	uint64_t amount = UINT64_MAX;
+
+	rw_rlock(&rctl_lock);
+
+	/*
+	 * There may be more than one matching rule; go through all of them.
+	 * Denial should be done last, after logging and sending signals.
+	 */
+	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+		rule = link->rrl_rule;
+		if (rule->rr_resource != resource)
+			continue;
+		if (rule->rr_action != RCTL_ACTION_DENY)
+			continue;
+		if (rule->rr_amount < amount)
+			amount = rule->rr_amount;
+	}
+
+	rw_runlock(&rctl_lock);
+
+	return (amount);
+}
+
+uint64_t
+rctl_get_available(struct proc *p, int resource)
+{
+	struct rctl_rule *rule;
+	struct rctl_rule_link *link;
+	int64_t available, minavailable, allocated;
+
+	minavailable = INT64_MAX;
+
+	rw_rlock(&rctl_lock);
+
+	/*
+	 * There may be more than one matching rule; go through all of them.
+	 * Denial should be done last, after logging and sending signals.
+	 */
+	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+		rule = link->rrl_rule;
+		if (rule->rr_resource != resource)
+			continue;
+		if (rule->rr_action != RCTL_ACTION_DENY)
+			continue;
+		available = rctl_available_resource(p, rule);
+		if (available < minavailable)
+			minavailable = available;
+	}
+
+	rw_runlock(&rctl_lock);
+
+	/*
+	 * XXX: Think about this _hard_.
+	 */
+	allocated = p->p_racct->r_resources[resource];
+	if (minavailable < INT64_MAX - allocated)
+		minavailable += allocated;
+	if (minavailable < 0)
+		minavailable = 0;
+	return (minavailable);
+}
+
+static int
+rctl_rule_matches(const struct rctl_rule *rule, const struct rctl_rule *filter)
+{
+
+	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED) {
+		if (rule->rr_subject_type != filter->rr_subject_type)
+			return (0);
+
+		switch (filter->rr_subject_type) {
+		case RCTL_SUBJECT_TYPE_PROCESS:
+			if (filter->rr_subject.rs_proc != NULL &&
+			    rule->rr_subject.rs_proc !=
+			    filter->rr_subject.rs_proc)
+				return (0);
+			break;
+		case RCTL_SUBJECT_TYPE_USER:
+			if (filter->rr_subject.rs_uip != NULL &&
+			    rule->rr_subject.rs_uip !=
+			    filter->rr_subject.rs_uip)
+				return (0);
+			break;
+		case RCTL_SUBJECT_TYPE_LOGINCLASS:
+			if (filter->rr_subject.hr_loginclass != NULL &&
+			    rule->rr_subject.hr_loginclass !=
+			    filter->rr_subject.hr_loginclass)
+				return (0);
+			break;
+		case RCTL_SUBJECT_TYPE_JAIL:
+			if (filter->rr_subject.rs_prison != NULL &&
+			    rule->rr_subject.rs_prison !=
+			    filter->rr_subject.rs_prison)
+				return (0);
+			break;
+		default:
+			panic("rctl_rule_matches: unknown subject type %d",
+			    filter->rr_subject_type);
+		}
+	}
+
+	if (filter->rr_resource != RACCT_UNDEFINED) {
+		if (rule->rr_resource != filter->rr_resource)
+			return (0);
+	}
+
+	if (filter->rr_action != RCTL_ACTION_UNDEFINED) {
+		if (rule->rr_action != filter->rr_action)
+			return (0);
+	}
+
+	if (filter->rr_amount != RCTL_AMOUNT_UNDEFINED) {
+		if (rule->rr_amount != filter->rr_amount)
+			return (0);
+	}
+
+	if (filter->rr_per != RCTL_SUBJECT_TYPE_UNDEFINED) {
+		if (rule->rr_per != filter->rr_per)
+			return (0);
+	}
+
+	return (1);
+}
+
+static int
+str2value(const char *str, int *value, struct dict *table)
+{
+	int i;
+
+	if (value == NULL)
+		return (EINVAL);
+
+	for (i = 0; table[i].d_name != NULL; i++) {
+		if (strcasecmp(table[i].d_name, str) == 0) {
+			*value =  table[i].d_value;
+			return (0);
+		}
+	}
+
+	return (EINVAL);
+}
+
+static int
+str2id(const char *str, id_t *value)
+{
+	char *end;
+
+	if (str == NULL)
+		return (EINVAL);
+
+	*value = strtoul(str, &end, 10);
+	if ((size_t)(end - str) != strlen(str))
+		return (EINVAL);
+
+	return (0);
+}
+
+static int
+str2int64(const char *str, int64_t *value)
+{
+	char *end;
+
+	if (str == NULL)
+		return (EINVAL);
+
+	*value = strtoul(str, &end, 10);
+	if ((size_t)(end - str) != strlen(str))
+		return (EINVAL);
+
+	return (0);
+}
+
+/*
+ * Connect the rule to the racct, increasing refcount for the rule.
+ */
+static void
+rctl_racct_add_rule(struct racct *racct, struct rctl_rule *rule)
+{
+	struct rctl_rule_link *link;
+
+	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
+
+	rctl_rule_acquire(rule);
+	link = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
+	link->rrl_rule = rule;
+	link->rrl_exceeded = 0;
+
+	rw_wlock(&rctl_lock);
+	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
+	rw_wunlock(&rctl_lock);
+}
+
+static int
+rctl_racct_add_rule_locked(struct racct *racct, struct rctl_rule *rule)
+{
+	struct rctl_rule_link *link;
+
+	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
+	rw_assert(&rctl_lock, RA_WLOCKED);
+
+	link = uma_zalloc(rctl_rule_link_zone, M_NOWAIT);
+	if (link == NULL)
+		return (ENOMEM);
+	rctl_rule_acquire(rule);
+	link->rrl_rule = rule;
+	link->rrl_exceeded = 0;
+
+	LIST_INSERT_HEAD(&racct->r_rule_links, link, rrl_next);
+	return (0);
+}
+
+/*
+ * Remove limits for a rules matching the filter and release
+ * the refcounts for the rules, possibly freeing them.  Returns
+ * the number of limit structures removed.
+ */
+static int
+rctl_racct_remove_rules(struct racct *racct,
+    const struct rctl_rule *filter)
+{
+	int removed = 0;
+	struct rctl_rule_link *link, *linktmp;
+
+	rw_assert(&rctl_lock, RA_WLOCKED);
+
+	LIST_FOREACH_SAFE(link, &racct->r_rule_links, rrl_next, linktmp) {
+		if (!rctl_rule_matches(link->rrl_rule, filter))
+			continue;
+
+		LIST_REMOVE(link, rrl_next);
+		rctl_rule_release(link->rrl_rule);
+		uma_zfree(rctl_rule_link_zone, link);
+		removed++;
+	}
+	return (removed);
+}
+
+static void
+rctl_rule_acquire_subject(struct rctl_rule *rule)
+{
+
+	switch (rule->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_UNDEFINED:
+	case RCTL_SUBJECT_TYPE_PROCESS:
+	case RCTL_SUBJECT_TYPE_JAIL:
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		if (rule->rr_subject.rs_uip != NULL)
+			uihold(rule->rr_subject.rs_uip);
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		if (rule->rr_subject.hr_loginclass != NULL)
+			loginclass_hold(rule->rr_subject.hr_loginclass);
+		break;
+	default:
+		panic("rctl_rule_acquire_subject: unknown subject type %d",
+		    rule->rr_subject_type);
+	}
+}
+
+static void
+rctl_rule_release_subject(struct rctl_rule *rule)
+{
+
+	switch (rule->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_UNDEFINED:
+	case RCTL_SUBJECT_TYPE_PROCESS:
+	case RCTL_SUBJECT_TYPE_JAIL:
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		if (rule->rr_subject.rs_uip != NULL)
+			uifree(rule->rr_subject.rs_uip);
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		if (rule->rr_subject.hr_loginclass != NULL)
+			loginclass_free(rule->rr_subject.hr_loginclass);
+		break;
+	default:
+		panic("rctl_rule_release_subject: unknown subject type %d",
+		    rule->rr_subject_type);
+	}
+}
+
+struct rctl_rule *
+rctl_rule_alloc(int flags)
+{
+	struct rctl_rule *rule;
+
+	rule = uma_zalloc(rctl_rule_zone, flags);
+	if (rule == NULL)
+		return (NULL);
+	rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
+	rule->rr_subject.rs_proc = NULL;
+	rule->rr_subject.rs_uip = NULL;
+	rule->rr_subject.hr_loginclass = NULL;
+	rule->rr_subject.rs_prison = NULL;
+	rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
+	rule->rr_resource = RACCT_UNDEFINED;
+	rule->rr_action = RCTL_ACTION_UNDEFINED;
+	rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
+	refcount_init(&rule->rr_refcount, 1);
+
+	return (rule);
+}
+
+struct rctl_rule *
+rctl_rule_duplicate(const struct rctl_rule *rule, int flags)
+{
+	struct rctl_rule *copy;
+
+	copy = uma_zalloc(rctl_rule_zone, flags);
+	if (copy == NULL)
+		return (NULL);
+	copy->rr_subject_type = rule->rr_subject_type;
+	copy->rr_subject.rs_proc = rule->rr_subject.rs_proc;
+	copy->rr_subject.rs_uip = rule->rr_subject.rs_uip;
+	copy->rr_subject.hr_loginclass = rule->rr_subject.hr_loginclass;
+	copy->rr_subject.rs_prison = rule->rr_subject.rs_prison;
+	copy->rr_per = rule->rr_per;
+	copy->rr_resource = rule->rr_resource;
+	copy->rr_action = rule->rr_action;
+	copy->rr_amount = rule->rr_amount;
+	refcount_init(&copy->rr_refcount, 1);
+	rctl_rule_acquire_subject(copy);
+
+	return (copy);
+}
+
+void
+rctl_rule_acquire(struct rctl_rule *rule)
+{
+
+	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
+
+	refcount_acquire(&rule->rr_refcount);
+}
+
+static void
+rctl_rule_free(void *context, int pending)
+{
+	struct rctl_rule *rule;
+	
+	rule = (struct rctl_rule *)context;
+
+	KASSERT(rule->rr_refcount == 0, ("rule->rr_refcount != 0"));
+	
+	/*
+	 * We don't need locking here; rule is guaranteed to be inaccessible.
+	 */
+	
+	rctl_rule_release_subject(rule);
+	uma_zfree(rctl_rule_zone, rule);
+}
+
+void
+rctl_rule_release(struct rctl_rule *rule)
+{
+
+	KASSERT(rule->rr_refcount > 0, ("rule->rr_refcount <= 0"));
+
+	if (refcount_release(&rule->rr_refcount)) {
+		/*
+		 * rctl_rule_release() is often called when iterating
+		 * over all the uidinfo structures in the system,
+		 * holding uihashtbl_lock.  Since rctl_rule_free()
+		 * might end up calling uifree(), this would lead
+		 * to lock recursion.  Use taskqueue to avoid this.
+		 */
+		TASK_INIT(&rule->rr_task, 0, rctl_rule_free, rule);
+		taskqueue_enqueue(taskqueue_thread, &rule->rr_task);
+	}
+}
+
+static int
+rctl_rule_fully_specified(const struct rctl_rule *rule)
+{
+
+	switch (rule->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_UNDEFINED:
+		return (0);
+	case RCTL_SUBJECT_TYPE_PROCESS:
+		if (rule->rr_subject.rs_proc == NULL)
+			return (0);
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		if (rule->rr_subject.rs_uip == NULL)
+			return (0);
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		if (rule->rr_subject.hr_loginclass == NULL)
+			return (0);
+		break;
+	case RCTL_SUBJECT_TYPE_JAIL:
+		if (rule->rr_subject.rs_prison == NULL)
+			return (0);
+		break;
+	default:
+		panic("rctl_rule_fully_specified: unknown subject type %d",
+		    rule->rr_subject_type);
+	}
+	if (rule->rr_resource == RACCT_UNDEFINED)
+		return (0);
+	if (rule->rr_action == RCTL_ACTION_UNDEFINED)
+		return (0);
+	if (rule->rr_amount == RCTL_AMOUNT_UNDEFINED)
+		return (0);
+	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED)
+		return (0);
+
+	return (1);
+}
+
+static int
+rctl_string_to_rule(char *rulestr, struct rctl_rule **rulep)
+{
+	int error = 0;
+	char *subjectstr, *subject_idstr, *resourcestr, *actionstr,
+	     *amountstr, *perstr;
+	struct rctl_rule *rule;
+	id_t id;
+
+	rule = rctl_rule_alloc(M_WAITOK);
+
+	subjectstr = strsep(&rulestr, ":");
+	subject_idstr = strsep(&rulestr, ":");
+	resourcestr = strsep(&rulestr, ":");
+	actionstr = strsep(&rulestr, "=/");
+	amountstr = strsep(&rulestr, "/");
+	perstr = rulestr;
+
+	if (subjectstr == NULL || subjectstr[0] == '\0')
+		rule->rr_subject_type = RCTL_SUBJECT_TYPE_UNDEFINED;
+	else {
+		error = str2value(subjectstr, &rule->rr_subject_type, subjectnames);
+		if (error != 0)
+			goto out;
+	}
+
+	if (subject_idstr == NULL || subject_idstr[0] == '\0') {
+		rule->rr_subject.rs_proc = NULL;
+		rule->rr_subject.rs_uip = NULL;
+		rule->rr_subject.hr_loginclass = NULL;
+		rule->rr_subject.rs_prison = NULL;
+	} else {
+		switch (rule->rr_subject_type) {
+		case RCTL_SUBJECT_TYPE_UNDEFINED:
+			error = EINVAL;
+			goto out;
+		case RCTL_SUBJECT_TYPE_PROCESS:
+			error = str2id(subject_idstr, &id);
+			if (error != 0)
+				goto out;
+			sx_assert(&allproc_lock, SA_LOCKED);
+			rule->rr_subject.rs_proc = pfind(id);
+			if (rule->rr_subject.rs_proc == NULL) {
+				error = ESRCH;
+				goto out;
+			}
+			PROC_UNLOCK(rule->rr_subject.rs_proc);
+			break;
+		case RCTL_SUBJECT_TYPE_USER:
+			error = str2id(subject_idstr, &id);
+			if (error != 0)
+				goto out;
+			rule->rr_subject.rs_uip = uifind(id);
+			break;
+		case RCTL_SUBJECT_TYPE_LOGINCLASS:
+			rule->rr_subject.hr_loginclass =
+			    loginclass_find(subject_idstr);
+			if (rule->rr_subject.hr_loginclass == NULL) {
+				error = ENAMETOOLONG;
+				goto out;
+			}
+			break;
+		case RCTL_SUBJECT_TYPE_JAIL:
+			rule->rr_subject.rs_prison =
+			    prison_find_name(&prison0, subject_idstr);
+			if (rule->rr_subject.rs_prison == NULL) {
+				/*
+				 * No jail with that name; try with the JID.
+				 */
+				error = str2id(subject_idstr, &id);
+				if (error != 0)
+					goto out;
+				rule->rr_subject.rs_prison = prison_find(id);
+				if (rule->rr_subject.rs_prison == NULL) {
+					error = ESRCH;
+					goto out;
+				}
+			}
+			/* prison_find() returns with mutex held. */
+			mtx_unlock(&rule->rr_subject.rs_prison->pr_mtx);
+			break;
+               default:
+                       panic("rctl_string_to_rule: unknown subject type %d",
+                           rule->rr_subject_type);
+               }
+	}
+
+	if (resourcestr == NULL || resourcestr[0] == '\0')
+		rule->rr_resource = RACCT_UNDEFINED;
+	else {
+		error = str2value(resourcestr, &rule->rr_resource,
+		    resourcenames);
+		if (error != 0)
+			goto out;
+	}
+
+	if (actionstr == NULL || actionstr[0] == '\0')
+		rule->rr_action = RCTL_ACTION_UNDEFINED;
+	else {
+		error = str2value(actionstr, &rule->rr_action, actionnames);
+		if (error != 0)
+			goto out;
+	}
+
+	if (amountstr == NULL || amountstr[0] == '\0')
+		rule->rr_amount = RCTL_AMOUNT_UNDEFINED;
+	else {
+		error = str2int64(amountstr, &rule->rr_amount);
+		if (error != 0)
+			goto out;
+		if (racct_is_in_thousands(rule->rr_resource))
+			rule->rr_amount *= 1000;
+	}
+
+	if (perstr == NULL || perstr[0] == '\0')
+		rule->rr_per = RCTL_SUBJECT_TYPE_UNDEFINED;
+	else {
+		error = str2value(perstr, &rule->rr_per, subjectnames);
+		if (error != 0)
+			goto out;
+	}
+
+out:
+	if (error == 0)
+		*rulep = rule;
+	else
+		rctl_rule_release(rule);
+
+	return (error);
+}
+
+/*
+ * Link a rule with all the subjects it applies to.
+ */
+int
+rctl_rule_add(struct rctl_rule *rule)
+{
+	struct proc *p;
+	struct ucred *cred;
+	struct uidinfo *uip;
+	struct prison *pr;
+	struct loginclass *lc;
+	struct rctl_rule *rule2;
+	int match;
+
+	KASSERT(rctl_rule_fully_specified(rule), ("rule not fully specified"));
+
+	/*
+	 * Some rules just don't make sense.  Note that the one below
+	 * cannot be rewritten using racct_is_deniable(); the RACCT_PCTCPU,
+	 * for example, is not deniable in the racct sense, but the
+	 * limit is enforced in a different way, so "deny" rules for %CPU
+	 * do make sense.
+	 */
+	if (rule->rr_action == RCTL_ACTION_DENY &&
+	    (rule->rr_resource == RACCT_CPU ||
+	    rule->rr_resource == RACCT_WALLCLOCK))
+		return (EOPNOTSUPP);
+
+	if (rule->rr_per == RCTL_SUBJECT_TYPE_PROCESS &&
+	    racct_is_sloppy(rule->rr_resource))
+		return (EOPNOTSUPP);
+
+	/*
+	 * Make sure there are no duplicated rules.  Also, for the "deny"
+	 * rules, remove ones differing only by "amount".
+	 */
+	if (rule->rr_action == RCTL_ACTION_DENY) {
+		rule2 = rctl_rule_duplicate(rule, M_WAITOK);
+		rule2->rr_amount = RCTL_AMOUNT_UNDEFINED;
+		rctl_rule_remove(rule2);
+		rctl_rule_release(rule2);
+	} else
+		rctl_rule_remove(rule);
+
+	switch (rule->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_PROCESS:
+		p = rule->rr_subject.rs_proc;
+		KASSERT(p != NULL, ("rctl_rule_add: NULL proc"));
+		/*
+		 * No resource limits for system processes.
+		 */
+		if (p->p_flag & P_SYSTEM)
+			return (EPERM);
+
+		rctl_racct_add_rule(p->p_racct, rule);
+		/*
+		 * In case of per-process rule, we don't have anything more
+		 * to do.
+		 */
+		return (0);
+
+	case RCTL_SUBJECT_TYPE_USER:
+		uip = rule->rr_subject.rs_uip;
+		KASSERT(uip != NULL, ("rctl_rule_add: NULL uip"));
+		rctl_racct_add_rule(uip->ui_racct, rule);
+		break;
+
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		lc = rule->rr_subject.hr_loginclass;
+		KASSERT(lc != NULL, ("rctl_rule_add: NULL loginclass"));
+		rctl_racct_add_rule(lc->lc_racct, rule);
+		break;
+
+	case RCTL_SUBJECT_TYPE_JAIL:
+		pr = rule->rr_subject.rs_prison;
+		KASSERT(pr != NULL, ("rctl_rule_add: NULL pr"));
+		rctl_racct_add_rule(pr->pr_racct, rule);
+		break;
+
+	default:
+		panic("rctl_rule_add: unknown subject type %d",
+		    rule->rr_subject_type);
+	}
+
+	/*
+	 * Now go through all the processes and add the new rule to the ones
+	 * it applies to.
+	 */
+	sx_assert(&allproc_lock, SA_LOCKED);
+	FOREACH_PROC_IN_SYSTEM(p) {
+		if (p->p_flag & P_SYSTEM)
+			continue;
+		cred = p->p_ucred;
+		switch (rule->rr_subject_type) {
+		case RCTL_SUBJECT_TYPE_USER:
+			if (cred->cr_uidinfo == rule->rr_subject.rs_uip ||
+			    cred->cr_ruidinfo == rule->rr_subject.rs_uip)
+				break;
+			continue;
+		case RCTL_SUBJECT_TYPE_LOGINCLASS:
+			if (cred->cr_loginclass == rule->rr_subject.hr_loginclass)
+				break;
+			continue;
+		case RCTL_SUBJECT_TYPE_JAIL:
+			match = 0;
+			for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
+				if (pr == rule->rr_subject.rs_prison) {
+					match = 1;
+					break;
+				}
+			}
+			if (match)
+				break;
+			continue;
+		default:
+			panic("rctl_rule_add: unknown subject type %d",
+			    rule->rr_subject_type);
+		}
+
+		rctl_racct_add_rule(p->p_racct, rule);
+	}
+
+	return (0);
+}
+
+static void
+rctl_rule_remove_callback(struct racct *racct, void *arg2, void *arg3)
+{
+	struct rctl_rule *filter = (struct rctl_rule *)arg2;
+	int found = 0;
+
+	rw_wlock(&rctl_lock);
+	found += rctl_racct_remove_rules(racct, filter);
+	rw_wunlock(&rctl_lock);
+
+	*((int *)arg3) += found;
+}
+
+/*
+ * Remove all rules that match the filter.
+ */
+int
+rctl_rule_remove(struct rctl_rule *filter)
+{
+	int found = 0;
+	struct proc *p;
+
+	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_PROCESS &&
+	    filter->rr_subject.rs_proc != NULL) {
+		p = filter->rr_subject.rs_proc;
+		rw_wlock(&rctl_lock);
+		found = rctl_racct_remove_rules(p->p_racct, filter);
+		rw_wunlock(&rctl_lock);
+		if (found)
+			return (0);
+		return (ESRCH);
+	}
+
+	loginclass_racct_foreach(rctl_rule_remove_callback, filter,
+	    (void *)&found);
+	ui_racct_foreach(rctl_rule_remove_callback, filter,
+	    (void *)&found);
+	prison_racct_foreach(rctl_rule_remove_callback, filter,
+	    (void *)&found);
+
+	sx_assert(&allproc_lock, SA_LOCKED);
+	rw_wlock(&rctl_lock);
+	FOREACH_PROC_IN_SYSTEM(p) {
+		found += rctl_racct_remove_rules(p->p_racct, filter);
+	}
+	rw_wunlock(&rctl_lock);
+
+	if (found)
+		return (0);
+	return (ESRCH);
+}
+
+/*
+ * Appends a rule to the sbuf.
+ */
+static void
+rctl_rule_to_sbuf(struct sbuf *sb, const struct rctl_rule *rule)
+{
+	int64_t amount;
+
+	sbuf_printf(sb, "%s:", rctl_subject_type_name(rule->rr_subject_type));
+
+	switch (rule->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_PROCESS:
+		if (rule->rr_subject.rs_proc == NULL)
+			sbuf_printf(sb, ":");
+		else
+			sbuf_printf(sb, "%d:",
+			    rule->rr_subject.rs_proc->p_pid);
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		if (rule->rr_subject.rs_uip == NULL)
+			sbuf_printf(sb, ":");
+		else
+			sbuf_printf(sb, "%d:",
+			    rule->rr_subject.rs_uip->ui_uid);
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		if (rule->rr_subject.hr_loginclass == NULL)
+			sbuf_printf(sb, ":");
+		else
+			sbuf_printf(sb, "%s:",
+			    rule->rr_subject.hr_loginclass->lc_name);
+		break;
+	case RCTL_SUBJECT_TYPE_JAIL:
+		if (rule->rr_subject.rs_prison == NULL)
+			sbuf_printf(sb, ":");
+		else
+			sbuf_printf(sb, "%s:",
+			    rule->rr_subject.rs_prison->pr_name);
+		break;
+	default:
+		panic("rctl_rule_to_sbuf: unknown subject type %d",
+		    rule->rr_subject_type);
+	}
+
+	amount = rule->rr_amount;
+	if (amount != RCTL_AMOUNT_UNDEFINED &&
+	    racct_is_in_thousands(rule->rr_resource))
+		amount /= 1000;
+
+	sbuf_printf(sb, "%s:%s=%jd",
+	    rctl_resource_name(rule->rr_resource),
+	    rctl_action_name(rule->rr_action),
+	    amount);
+
+	if (rule->rr_per != rule->rr_subject_type)
+		sbuf_printf(sb, "/%s", rctl_subject_type_name(rule->rr_per));
+}
+
+/*
+ * Routine used by RCTL syscalls to read in input string.
+ */
+static int
+rctl_read_inbuf(char **inputstr, const char *inbufp, size_t inbuflen)
+{
+	int error;
+	char *str;
+
+	if (inbuflen <= 0)
+		return (EINVAL);
+
+	str = malloc(inbuflen + 1, M_RCTL, M_WAITOK);
+	error = copyinstr(inbufp, str, inbuflen, NULL);
+	if (error != 0) {
+		free(str, M_RCTL);
+		return (error);
+	}
+
+	*inputstr = str;
+
+	return (0);
+}
+
+/*
+ * Routine used by RCTL syscalls to write out output string.
+ */
+static int
+rctl_write_outbuf(struct sbuf *outputsbuf, char *outbufp, size_t outbuflen)
+{
+	int error;
+
+	if (outputsbuf == NULL)
+		return (0);
+
+	sbuf_finish(outputsbuf);
+	if (outbuflen < sbuf_len(outputsbuf) + 1) {
+		sbuf_delete(outputsbuf);
+		return (ERANGE);
+	}
+	error = copyout(sbuf_data(outputsbuf), outbufp,
+	    sbuf_len(outputsbuf) + 1);
+	sbuf_delete(outputsbuf);
+	return (error);
+}
+
+static struct sbuf *
+rctl_racct_to_sbuf(struct racct *racct, int sloppy)
+{
+	int i;
+	int64_t amount;
+	struct sbuf *sb;
+
+	sb = sbuf_new_auto();
+	for (i = 0; i <= RACCT_MAX; i++) {
+		if (sloppy == 0 && racct_is_sloppy(i))
+			continue;
+		amount = racct->r_resources[i];
+		if (racct_is_in_thousands(i))
+			amount /= 1000;
+		sbuf_printf(sb, "%s=%jd,", rctl_resource_name(i), amount);
+	}
+	sbuf_setpos(sb, sbuf_len(sb) - 1);
+	return (sb);
+}
+
+int
+rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
+{
+	int error;
+	char *inputstr;
+	struct rctl_rule *filter;
+	struct sbuf *outputsbuf = NULL;
+	struct proc *p;
+	struct uidinfo *uip;
+	struct loginclass *lc;
+	struct prison *pr;
+
+	error = priv_check(td, PRIV_RCTL_GET_USAGE);
+	if (error != 0)
+		return (error);
+
+	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
+	if (error != 0)
+		return (error);
+
+	sx_slock(&allproc_lock);
+	sx_slock(&allprison_lock);
+	error = rctl_string_to_rule(inputstr, &filter);
+	free(inputstr, M_RCTL);
+	if (error != 0) {
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (error);
+	}
+
+	switch (filter->rr_subject_type) {
+	case RCTL_SUBJECT_TYPE_PROCESS:
+		p = filter->rr_subject.rs_proc;
+		if (p == NULL) {
+			error = EINVAL;
+			goto out;
+		}
+		if (p->p_flag & P_SYSTEM) {
+			error = EINVAL;
+			goto out;
+		}
+		outputsbuf = rctl_racct_to_sbuf(p->p_racct, 0);
+		break;
+	case RCTL_SUBJECT_TYPE_USER:
+		uip = filter->rr_subject.rs_uip;
+		if (uip == NULL) {
+			error = EINVAL;
+			goto out;
+		}
+		outputsbuf = rctl_racct_to_sbuf(uip->ui_racct, 1);
+		break;
+	case RCTL_SUBJECT_TYPE_LOGINCLASS:
+		lc = filter->rr_subject.hr_loginclass;
+		if (lc == NULL) {
+			error = EINVAL;
+			goto out;
+		}
+		outputsbuf = rctl_racct_to_sbuf(lc->lc_racct, 1);
+		break;
+	case RCTL_SUBJECT_TYPE_JAIL:
+		pr = filter->rr_subject.rs_prison;
+		if (pr == NULL) {
+			error = EINVAL;
+			goto out;
+		}
+		outputsbuf = rctl_racct_to_sbuf(pr->pr_racct, 1);
+		break;
+	default:
+		error = EINVAL;
+	}
+out:
+	rctl_rule_release(filter);
+	sx_sunlock(&allprison_lock);
+	sx_sunlock(&allproc_lock);
+	if (error != 0)
+		return (error);
+
+	error = rctl_write_outbuf(outputsbuf, uap->outbufp, uap->outbuflen);
+
+	return (error);
+}
+
+static void
+rctl_get_rules_callback(struct racct *racct, void *arg2, void *arg3)
+{
+	struct rctl_rule *filter = (struct rctl_rule *)arg2;
+	struct rctl_rule_link *link;
+	struct sbuf *sb = (struct sbuf *)arg3;
+
+	rw_rlock(&rctl_lock);
+	LIST_FOREACH(link, &racct->r_rule_links, rrl_next) {
+		if (!rctl_rule_matches(link->rrl_rule, filter))
+			continue;
+		rctl_rule_to_sbuf(sb, link->rrl_rule);
+		sbuf_printf(sb, ",");
+	}
+	rw_runlock(&rctl_lock);
+}
+
+int
+rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
+{
+	int error;
+	size_t bufsize = RCTL_DEFAULT_BUFSIZE;
+	char *inputstr, *buf;
+	struct sbuf *sb;
+	struct rctl_rule *filter;
+	struct rctl_rule_link *link;
+	struct proc *p;
+
+	error = priv_check(td, PRIV_RCTL_GET_RULES);
+	if (error != 0)
+		return (error);
+
+	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
+	if (error != 0)
+		return (error);
+
+	sx_slock(&allproc_lock);
+	sx_slock(&allprison_lock);
+	error = rctl_string_to_rule(inputstr, &filter);
+	free(inputstr, M_RCTL);
+	if (error != 0) {
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (error);
+	}
+
+again:
+	buf = malloc(bufsize, M_RCTL, M_WAITOK);
+	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
+	KASSERT(sb != NULL, ("sbuf_new failed"));
+
+	sx_assert(&allproc_lock, SA_LOCKED);
+	FOREACH_PROC_IN_SYSTEM(p) {
+		rw_rlock(&rctl_lock);
+		LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+			/*
+			 * Non-process rules will be added to the buffer later.
+			 * Adding them here would result in duplicated output.
+			 */
+			if (link->rrl_rule->rr_subject_type !=
+			    RCTL_SUBJECT_TYPE_PROCESS)
+				continue;
+			if (!rctl_rule_matches(link->rrl_rule, filter))
+				continue;
+			rctl_rule_to_sbuf(sb, link->rrl_rule);
+			sbuf_printf(sb, ",");
+		}
+		rw_runlock(&rctl_lock);
+	}
+
+	loginclass_racct_foreach(rctl_get_rules_callback, filter, sb);
+	ui_racct_foreach(rctl_get_rules_callback, filter, sb);
+	prison_racct_foreach(rctl_get_rules_callback, filter, sb);
+	if (sbuf_error(sb) == ENOMEM) {
+		sbuf_delete(sb);
+		free(buf, M_RCTL);
+		bufsize *= 4;
+		goto again;
+	}
+
+	/*
+	 * Remove trailing ",".
+	 */
+	if (sbuf_len(sb) > 0)
+		sbuf_setpos(sb, sbuf_len(sb) - 1);
+
+	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
+
+	rctl_rule_release(filter);
+	sx_sunlock(&allprison_lock);
+	sx_sunlock(&allproc_lock);
+	free(buf, M_RCTL);
+	return (error);
+}
+
+int
+rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
+{
+	int error;
+	size_t bufsize = RCTL_DEFAULT_BUFSIZE;
+	char *inputstr, *buf;
+	struct sbuf *sb;
+	struct rctl_rule *filter;
+	struct rctl_rule_link *link;
+
+	error = priv_check(td, PRIV_RCTL_GET_LIMITS);
+	if (error != 0)
+		return (error);
+
+	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
+	if (error != 0)
+		return (error);
+
+	sx_slock(&allproc_lock);
+	sx_slock(&allprison_lock);
+	error = rctl_string_to_rule(inputstr, &filter);
+	free(inputstr, M_RCTL);
+	if (error != 0) {
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (error);
+	}
+
+	if (filter->rr_subject_type == RCTL_SUBJECT_TYPE_UNDEFINED) {
+		rctl_rule_release(filter);
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (EINVAL);
+	}
+	if (filter->rr_subject_type != RCTL_SUBJECT_TYPE_PROCESS) {
+		rctl_rule_release(filter);
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (EOPNOTSUPP);
+	}
+	if (filter->rr_subject.rs_proc == NULL) {
+		rctl_rule_release(filter);
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (EINVAL);
+	}
+
+again:
+	buf = malloc(bufsize, M_RCTL, M_WAITOK);
+	sb = sbuf_new(NULL, buf, bufsize, SBUF_FIXEDLEN);
+	KASSERT(sb != NULL, ("sbuf_new failed"));
+
+	rw_rlock(&rctl_lock);
+	LIST_FOREACH(link, &filter->rr_subject.rs_proc->p_racct->r_rule_links,
+	    rrl_next) {
+		rctl_rule_to_sbuf(sb, link->rrl_rule);
+		sbuf_printf(sb, ",");
+	}
+	rw_runlock(&rctl_lock);
+	if (sbuf_error(sb) == ENOMEM) {
+		sbuf_delete(sb);
+		free(buf, M_RCTL);
+		bufsize *= 4;
+		goto again;
+	}
+
+	/*
+	 * Remove trailing ",".
+	 */
+	if (sbuf_len(sb) > 0)
+		sbuf_setpos(sb, sbuf_len(sb) - 1);
+
+	error = rctl_write_outbuf(sb, uap->outbufp, uap->outbuflen);
+	rctl_rule_release(filter);
+	sx_sunlock(&allprison_lock);
+	sx_sunlock(&allproc_lock);
+	free(buf, M_RCTL);
+	return (error);
+}
+
+int
+rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
+{
+	int error;
+	struct rctl_rule *rule;
+	char *inputstr;
+
+	error = priv_check(td, PRIV_RCTL_ADD_RULE);
+	if (error != 0)
+		return (error);
+
+	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
+	if (error != 0)
+		return (error);
+
+	sx_slock(&allproc_lock);
+	sx_slock(&allprison_lock);
+	error = rctl_string_to_rule(inputstr, &rule);
+	free(inputstr, M_RCTL);
+	if (error != 0) {
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (error);
+	}
+	/*
+	 * The 'per' part of a rule is optional.
+	 */
+	if (rule->rr_per == RCTL_SUBJECT_TYPE_UNDEFINED &&
+	    rule->rr_subject_type != RCTL_SUBJECT_TYPE_UNDEFINED)
+		rule->rr_per = rule->rr_subject_type;
+
+	if (!rctl_rule_fully_specified(rule)) {
+		error = EINVAL;
+		goto out;
+	}
+
+	error = rctl_rule_add(rule);
+
+out:
+	rctl_rule_release(rule);
+	sx_sunlock(&allprison_lock);
+	sx_sunlock(&allproc_lock);
+	return (error);
+}
+
+int
+rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
+{
+	int error;
+	struct rctl_rule *filter;
+	char *inputstr;
+
+	error = priv_check(td, PRIV_RCTL_REMOVE_RULE);
+	if (error != 0)
+		return (error);
+
+	error = rctl_read_inbuf(&inputstr, uap->inbufp, uap->inbuflen);
+	if (error != 0)
+		return (error);
+
+	sx_slock(&allproc_lock);
+	sx_slock(&allprison_lock);
+	error = rctl_string_to_rule(inputstr, &filter);
+	free(inputstr, M_RCTL);
+	if (error != 0) {
+		sx_sunlock(&allprison_lock);
+		sx_sunlock(&allproc_lock);
+		return (error);
+	}
+
+	error = rctl_rule_remove(filter);
+	rctl_rule_release(filter);
+	sx_sunlock(&allprison_lock);
+	sx_sunlock(&allproc_lock);
+
+	return (error);
+}
+
+/*
+ * Update RCTL rule list after credential change.
+ */
+void
+rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred)
+{
+	int rulecnt, i;
+	struct rctl_rule_link *link, *newlink;
+	struct uidinfo *newuip;
+	struct loginclass *newlc;
+	struct prison *newpr;
+	LIST_HEAD(, rctl_rule_link) newrules;
+
+	newuip = newcred->cr_ruidinfo;
+	newlc = newcred->cr_loginclass;
+	newpr = newcred->cr_prison;
+	
+	LIST_INIT(&newrules);
+
+again:
+	/*
+	 * First, count the rules that apply to the process with new
+	 * credentials.
+	 */
+	rulecnt = 0;
+	rw_rlock(&rctl_lock);
+	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+		if (link->rrl_rule->rr_subject_type ==
+		    RCTL_SUBJECT_TYPE_PROCESS)
+			rulecnt++;
+	}
+	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next)
+		rulecnt++;
+	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next)
+		rulecnt++;
+	LIST_FOREACH(link, &newpr->pr_racct->r_rule_links, rrl_next)
+		rulecnt++;
+	rw_runlock(&rctl_lock);
+
+	/*
+	 * Create temporary list.  We've dropped the rctl_lock in order
+	 * to use M_WAITOK.
+	 */
+	for (i = 0; i < rulecnt; i++) {
+		newlink = uma_zalloc(rctl_rule_link_zone, M_WAITOK);
+		newlink->rrl_rule = NULL;
+		LIST_INSERT_HEAD(&newrules, newlink, rrl_next);
+	}
+
+	newlink = LIST_FIRST(&newrules);
+
+	/*
+	 * Assign rules to the newly allocated list entries.
+	 */
+	rw_wlock(&rctl_lock);
+	LIST_FOREACH(link, &p->p_racct->r_rule_links, rrl_next) {
+		if (link->rrl_rule->rr_subject_type ==
+		    RCTL_SUBJECT_TYPE_PROCESS) {
+			if (newlink == NULL)
+				goto goaround;
+			rctl_rule_acquire(link->rrl_rule);
+			newlink->rrl_rule = link->rrl_rule;
+			newlink = LIST_NEXT(newlink, rrl_next);
+			rulecnt--;
+		}
+	}
+	
+	LIST_FOREACH(link, &newuip->ui_racct->r_rule_links, rrl_next) {
+		if (newlink == NULL)
+			goto goaround;
+		rctl_rule_acquire(link->rrl_rule);
+		newlink->rrl_rule = link->rrl_rule;
+		newlink = LIST_NEXT(newlink, rrl_next);
+		rulecnt--;
+	}
+
+	LIST_FOREACH(link, &newlc->lc_racct->r_rule_links, rrl_next) {
+		if (newlink == NULL)
+			goto goaround;
+		rctl_rule_acquire(link->rrl_rule);
+		newlink->rrl_rule = link->rrl_rule;
+		newlink = LIST_NEXT(newlink, rrl_next);
+		rulecnt--;
+	}
+
+	LIST_FOREACH(link, &newpr->pr_racct->r_rule_links, rrl_next) {
+		if (newlink == NULL)
+			goto goaround;
+		rctl_rule_acquire(link->rrl_rule);
+		newlink->rrl_rule = link->rrl_rule;
+		newlink = LIST_NEXT(newlink, rrl_next);
+		rulecnt--;
+	}
+
+	if (rulecnt == 0) {
+		/*
+		 * Free the old rule list.
+		 */
+		while (!LIST_EMPTY(&p->p_racct->r_rule_links)) {
+			link = LIST_FIRST(&p->p_racct->r_rule_links);
+			LIST_REMOVE(link, rrl_next);
+			rctl_rule_release(link->rrl_rule);
+			uma_zfree(rctl_rule_link_zone, link);
+		}
+
+		/*
+		 * Replace lists and we're done.
+		 *
+		 * XXX: Is there any way to switch list heads instead
+		 *      of iterating here?
+		 */
+		while (!LIST_EMPTY(&newrules)) {
+			newlink = LIST_FIRST(&newrules);
+			LIST_REMOVE(newlink, rrl_next);
+			LIST_INSERT_HEAD(&p->p_racct->r_rule_links,
+			    newlink, rrl_next);
+		}
+
+		rw_wunlock(&rctl_lock);
+
+		return;
+	}
+
+goaround:
+	rw_wunlock(&rctl_lock);
+
+	/*
+	 * Rule list changed while we were not holding the rctl_lock.
+	 * Free the new list and try again.
+	 */
+	while (!LIST_EMPTY(&newrules)) {
+		newlink = LIST_FIRST(&newrules);
+		LIST_REMOVE(newlink, rrl_next);
+		if (newlink->rrl_rule != NULL)
+			rctl_rule_release(newlink->rrl_rule);
+		uma_zfree(rctl_rule_link_zone, newlink);
+	}
+
+	goto again;
+}
+
+/*
+ * Assign RCTL rules to the newly created process.
+ */
+int
+rctl_proc_fork(struct proc *parent, struct proc *child)
+{
+	int error;
+	struct rctl_rule_link *link;
+	struct rctl_rule *rule;
+
+	LIST_INIT(&child->p_racct->r_rule_links);
+
+	/*
+	 * No limits for kernel processes.
+	 */
+	if (child->p_flag & P_SYSTEM)
+		return (0);
+
+	/*
+	 * Nothing to inherit from P_SYSTEM parents.
+	 */
+	if (parent->p_racct == NULL) {
+		KASSERT(parent->p_flag & P_SYSTEM,
+		    ("non-system process without racct; p = %p", parent));
+		return (0);
+	}
+
+	rw_wlock(&rctl_lock);
+
+	/*
+	 * Go through limits applicable to the parent and assign them
+	 * to the child.  Rules with 'process' subject have to be duplicated
+	 * in order to make their rr_subject point to the new process.
+	 */
+	LIST_FOREACH(link, &parent->p_racct->r_rule_links, rrl_next) {
+		if (link->rrl_rule->rr_subject_type ==
+		    RCTL_SUBJECT_TYPE_PROCESS) {
+			rule = rctl_rule_duplicate(link->rrl_rule, M_NOWAIT);
+			if (rule == NULL)
+				goto fail;
+			KASSERT(rule->rr_subject.rs_proc == parent,
+			    ("rule->rr_subject.rs_proc != parent"));
+			rule->rr_subject.rs_proc = child;
+			error = rctl_racct_add_rule_locked(child->p_racct,
+			    rule);
+			rctl_rule_release(rule);
+			if (error != 0)
+				goto fail;
+		} else {
+			error = rctl_racct_add_rule_locked(child->p_racct,
+			    link->rrl_rule);
+			if (error != 0)
+				goto fail;
+		}
+	}
+
+	rw_wunlock(&rctl_lock);
+	return (0);
+
+fail:
+	while (!LIST_EMPTY(&child->p_racct->r_rule_links)) {
+		link = LIST_FIRST(&child->p_racct->r_rule_links);
+		LIST_REMOVE(link, rrl_next);
+		rctl_rule_release(link->rrl_rule);
+		uma_zfree(rctl_rule_link_zone, link);
+	}
+	rw_wunlock(&rctl_lock);
+	return (EAGAIN);
+}
+
+/*
+ * Release rules attached to the racct.
+ */
+void
+rctl_racct_release(struct racct *racct)
+{
+	struct rctl_rule_link *link;
+
+	rw_wlock(&rctl_lock);
+	while (!LIST_EMPTY(&racct->r_rule_links)) {
+		link = LIST_FIRST(&racct->r_rule_links);
+		LIST_REMOVE(link, rrl_next);
+		rctl_rule_release(link->rrl_rule);
+		uma_zfree(rctl_rule_link_zone, link);
+	}
+	rw_wunlock(&rctl_lock);
+}
+
+static void
+rctl_init(void)
+{
+
+	rctl_rule_link_zone = uma_zcreate("rctl_rule_link",
+	    sizeof(struct rctl_rule_link), NULL, NULL, NULL, NULL,
+	    UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+	rctl_rule_zone = uma_zcreate("rctl_rule", sizeof(struct rctl_rule),
+	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+}
+
+#else /* !RCTL */
+
+int
+rctl_get_racct(struct thread *td, struct rctl_get_racct_args *uap)
+{
+	
+	return (ENOSYS);
+}
+
+int
+rctl_get_rules(struct thread *td, struct rctl_get_rules_args *uap)
+{
+	
+	return (ENOSYS);
+}
+
+int
+rctl_get_limits(struct thread *td, struct rctl_get_limits_args *uap)
+{
+	
+	return (ENOSYS);
+}
+
+int
+rctl_add_rule(struct thread *td, struct rctl_add_rule_args *uap)
+{
+	
+	return (ENOSYS);
+}
+
+int
+rctl_remove_rule(struct thread *td, struct rctl_remove_rule_args *uap)
+{
+	
+	return (ENOSYS);
+}
+
+#endif /* !RCTL */
diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master
index b204254..e209731 100644
--- a/sys/kern/syscalls.master
+++ b/sys/kern/syscalls.master
@@ -929,5 +929,20 @@
 523	AUE_NULL	STD	{ int getloginclass(char *namebuf, \
 				    size_t namelen); }
 524	AUE_NULL	STD	{ int setloginclass(const char *namebuf); }
+525	AUE_NULL	STD	{ int rctl_get_racct(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+526	AUE_NULL	STD	{ int rctl_get_rules(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+527	AUE_NULL	STD	{ int rctl_get_limits(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+528	AUE_NULL	STD	{ int rctl_add_rule(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
+529	AUE_NULL	STD	{ int rctl_remove_rule(const void *inbufp, \
+				    size_t inbuflen, void *outbufp, \
+				    size_t outbuflen); }
 ; Please copy any additions and changes to the following compatability tables:
 ; sys/compat/freebsd32/syscalls.master
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 5383d58..be92639 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -484,9 +484,18 @@
 #define	PRIV_AFS_DAEMON		661	/* Can become the AFS daemon. */
 
 /*
+ * Resource Limits privileges.
+ */
+#define	PRIV_RCTL_GET_RULES	670
+#define	PRIV_RCTL_ADD_RULE	671
+#define	PRIV_RCTL_REMOVE_RULE	672
+#define	PRIV_RCTL_GET_USAGE	673
+#define	PRIV_RCTL_GET_LIMITS	674
+
+/*
  * Track end of privilege list.
  */
-#define	_PRIV_HIGHEST		662
+#define	_PRIV_HIGHEST		675
 
 /*
  * Validate that a named privilege is known by the privilege system.  Invalid
diff --git a/sys/sys/rctl.h b/sys/sys/rctl.h
new file mode 100644
index 0000000..36ee234
--- /dev/null
+++ b/sys/sys/rctl.h
@@ -0,0 +1,169 @@
+/*-
+ * Copyright (c) 2010 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Edward Tomasz Napierala under sponsorship
+ * from the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Resource Limits.
+ */
+
+#ifndef _RCTL_H_
+#define	_RCTL_H_
+
+#include <sys/cdefs.h>
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <sys/_task.h>
+
+struct proc;
+struct uidinfo;
+struct loginclass;
+struct prison;
+struct ucred;
+struct rctl_rule_link;
+
+#ifdef _KERNEL
+
+/*
+ * Rules describe an action to be taken when conditions defined
+ * in the rule are met.  There is no global list of rules; instead,
+ * rules are linked to by the racct structures for all the subjects
+ * they apply to - for example, a rule of type "user" is linked to the
+ * appropriate struct uidinfo, and to all the processes of that user.
+ *
+ * 'rr_refcount' is equal to the number of rctl_rule_link structures
+ * pointing to the rule.
+ *
+ * This structure must never change after being added, via rctl_rule_link
+ * structures, to subjects.  In order to change a rule, add a new rule
+ * and remove the previous one.
+ */
+struct rctl_rule {
+	int		rr_subject_type;
+	union {
+		struct proc	*rs_proc;
+		struct uidinfo	*rs_uip;
+		struct loginclass *hr_loginclass;
+		struct prison	*rs_prison;
+	} rr_subject;
+	int		rr_per;
+	int		rr_resource;
+	int		rr_action;
+	int64_t		rr_amount;
+	u_int		rr_refcount;
+	struct task	rr_task;
+};
+
+/*
+ * Allowed values for rr_subject_type and rr_per fields.
+ */
+#define	RCTL_SUBJECT_TYPE_UNDEFINED	-1
+#define	RCTL_SUBJECT_TYPE_PROCESS	0x0000
+#define	RCTL_SUBJECT_TYPE_USER		0x0001
+#define	RCTL_SUBJECT_TYPE_LOGINCLASS	0x0003
+#define	RCTL_SUBJECT_TYPE_JAIL		0x0004
+#define	RCTL_SUBJECT_TYPE_MAX		RCTL_SUBJECT_TYPE_JAIL
+
+/*
+ * Allowed values for rr_action field.
+ */
+#define	RCTL_ACTION_UNDEFINED		-1
+#define	RCTL_ACTION_SIGHUP		SIGHUP
+#define	RCTL_ACTION_SIGINT		SIGINT
+#define	RCTL_ACTION_SIGQUIT		SIGQUIT
+#define	RCTL_ACTION_SIGILL		SIGILL
+#define	RCTL_ACTION_SIGTRAP		SIGTRAP
+#define	RCTL_ACTION_SIGABRT		SIGABRT
+#define	RCTL_ACTION_SIGEMT		SIGEMT
+#define	RCTL_ACTION_SIGFPE		SIGFPE
+#define	RCTL_ACTION_SIGKILL		SIGKILL
+#define	RCTL_ACTION_SIGBUS		SIGBUS
+#define	RCTL_ACTION_SIGSEGV		SIGSEGV
+#define	RCTL_ACTION_SIGSYS		SIGSYS
+#define	RCTL_ACTION_SIGPIPE		SIGPIPE
+#define	RCTL_ACTION_SIGALRM		SIGALRM
+#define	RCTL_ACTION_SIGTERM		SIGTERM
+#define	RCTL_ACTION_SIGURG		SIGURG
+#define	RCTL_ACTION_SIGSTOP		SIGSTOP
+#define	RCTL_ACTION_SIGTSTP		SIGTSTP
+#define	RCTL_ACTION_SIGCHLD		SIGCHLD
+#define	RCTL_ACTION_SIGTTIN		SIGTTIN
+#define	RCTL_ACTION_SIGTTOU		SIGTTOU
+#define	RCTL_ACTION_SIGIO		SIGIO
+#define	RCTL_ACTION_SIGXCPU		SIGXCPU
+#define	RCTL_ACTION_SIGXFSZ		SIGXFSZ
+#define	RCTL_ACTION_SIGVTALRM		SIGVTALRM
+#define	RCTL_ACTION_SIGPROF		SIGPROF
+#define	RCTL_ACTION_SIGWINCH		SIGWINCH
+#define	RCTL_ACTION_SIGINFO		SIGINFO
+#define	RCTL_ACTION_SIGUSR1		SIGUSR1
+#define	RCTL_ACTION_SIGUSR2		SIGUSR2
+#define	RCTL_ACTION_SIGTHR		SIGTHR
+#define	RCTL_ACTION_SIGNAL_MAX		RCTL_ACTION_SIGTHR
+#define	RCTL_ACTION_DENY		(RCTL_ACTION_SIGNAL_MAX + 1)
+#define	RCTL_ACTION_LOG			(RCTL_ACTION_SIGNAL_MAX + 2)
+#define	RCTL_ACTION_DEVCTL		(RCTL_ACTION_SIGNAL_MAX + 3)
+#define	RCTL_ACTION_MAX			RCTL_ACTION_DEVCTL
+
+#define	RCTL_AMOUNT_UNDEFINED		-1
+
+struct rctl_rule *rctl_rule_alloc(int flags);
+struct rctl_rule *rctl_rule_duplicate(const struct rctl_rule *rule, int flags);
+void	rctl_rule_acquire(struct rctl_rule *rule);
+void	rctl_rule_release(struct rctl_rule *rule);
+int	rctl_rule_add(struct rctl_rule *rule);
+int	rctl_rule_remove(struct rctl_rule *filter);
+int	rctl_enforce(struct proc *p, int resource, uint64_t amount);
+uint64_t rctl_get_limit(struct proc *p, int resource);
+uint64_t rctl_get_available(struct proc *p, int resource);
+const char *rctl_resource_name(int resource);
+void	rctl_proc_ucred_changed(struct proc *p, struct ucred *newcred);
+int	rctl_proc_fork(struct proc *parent, struct proc *child);
+void	rctl_racct_release(struct racct *racct);
+#else /* !_KERNEL */
+
+/*
+ * Syscall interface.
+ */
+__BEGIN_DECLS
+int	rctl_get_racct(const char *inbufp, size_t inbuflen, char *outbufp,
+	    size_t outbuflen);
+int	rctl_get_rules(const char *inbufp, size_t inbuflen, char *outbufp,
+	    size_t outbuflen);
+int	rctl_get_limits(const char *inbufp, size_t inbuflen, char *outbufp,
+	    size_t outbuflen);
+int	rctl_add_rule(const char *inbufp, size_t inbuflen, char *outbufp,
+	    size_t outbuflen);
+int	rctl_remove_rule(const char *inbufp, size_t inbuflen, char *outbufp,
+	    size_t outbuflen);
+__END_DECLS
+
+#endif /* !_KERNEL */
+
+#endif /* !_RCTL_H_ */