author | silby <silby@FreeBSD.org> | 2002-02-19 03:15:28 +0000 |
---|---|---|
committer | silby <silby@FreeBSD.org> | 2002-02-19 03:15:28 +0000 |
commit | e561ca6dce9bfce4a370c4046c20f4332d55fe5c (patch) | |
tree | 44883e81ed61ee6f1cc358fe804a3d3fe41470db | |
parent | 53507926a42033a398cb6f8e44dd99d68aafab0f (diff) | |
A few misc forkbomb defenses:

- Leave 10 processes for root-only use, the previous
  value of 1 was insufficient to run ps ax | more.
- Remove the printing of "proc: table full". When the table
  really is full, this would flood the screen/logs, making
  the problem tougher to deal with.
- Force any process trying to fork beyond its user's maximum
  number of processes to sleep for .5 seconds before returning
  failure. This turns 2000 rampaging fork monsters into 2000
  harmlessly snoozing fork monsters.

Reviewed by: dillon, peter
MFC after: 1 week

-rw-r--r-- | sys/kern/kern_fork.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index c7cbf28..d791302 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -93,6 +93,8 @@ struct fork_args { }; #endif +int forksleep; /* Place for fork1() to sleep on. */ + static void init_fork_list(void *data __unused) { @@ -297,8 +299,8 @@ fork1(td, flags, procp) * processes, maxproc is the limit. */ uid = p1->p_ucred->cr_ruid; - if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) { - tablefull("proc"); + if ((nprocs >= maxproc - 10 && uid != 0) || nprocs >= maxproc) { + tsleep(&forksleep, PUSER, "fork", hz / 2); return (EAGAIN); } /* @@ -318,6 +320,7 @@ fork1(td, flags, procp) * Back out the process count */ nprocs--; + tsleep(&forksleep, PUSER, "fork", hz / 2); return (EAGAIN); } |
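
Review bot: `forksleep` in the first hunk (@@ -93,6 +93,8) is declared as a plain global `int`, but the only uses in this patch are the two `tsleep(&forksleep, ...)` calls in fork1() in the same file. `static int forksleep;` would keep the wait channel out of the global namespace. Nothing in the patch calls wakeup() on it, so the comment could also state that it is a timeout-only sleep channel.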
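
Review bot: in the fork1() hunk at @@ -297,8 +299,8 the new `tsleep()` sits in a branch that also covers `nprocs >= maxproc`, so a uid 0 process hitting a completely full table is delayed by `hz / 2` too, while the commit message describes the sleep only for a process exceeding its user's maximum. If that delay is intended, the commit message and the comment above the check should say so. The bare `10` in `maxproc - 10` would be easier to find and tune as a named constant, and with `tablefull("proc")` removed this branch no longer reports the condition anywhere; a rate-limited message would keep the diagnostic without flooding the logs.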
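
Review bot: the `tsleep()` added after `nprocs--` in the last hunk (@@ -318,6 +320,7) passes `PUSER` without `PCATCH`, so the half-second sleep is not interruptible by signals and a process that an administrator is trying to kill still sits out the full `hz / 2` before it returns. Consider `PUSER | PCATCH` if the snoozing processes should be killable immediately. The call is also an exact copy of the one in the previous hunk; a small helper or a shared failure label would keep the delay and priority in one place.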