diff options
author | pjd <pjd@FreeBSD.org> | 2006-06-27 11:28:50 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2006-06-27 11:28:50 +0000 |
commit | 03a43a81a398b4794bc398cdd2b28a16da2002ed (patch) | |
tree | dfc8129b8b0894f165b0f2763940cc5c38374160 /sys/kern/kern_fork.c | |
parent | e05c27b796fec1493f0c77cdbbef89739d5fe907 (diff) | |
download | FreeBSD-src-03a43a81a398b4794bc398cdd2b28a16da2002ed.zip FreeBSD-src-03a43a81a398b4794bc398cdd2b28a16da2002ed.tar.gz |
- Use suser_cred(9) instead of checking cr_ruid directly.
- For privileged processes safe two mutex operations.
We may want to consider if this is good idea to use SUSER_ALLOWJAIL here,
but for now I didn't wanted to change the original behaviour.
Reviewed by: rwatson
Diffstat (limited to 'sys/kern/kern_fork.c')
-rw-r--r-- | sys/kern/kern_fork.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index c6724b7..3b2de92 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -197,7 +197,6 @@ fork1(td, flags, pages, procp) struct proc **procp; { struct proc *p1, *p2, *pptr; - uid_t uid; struct proc *newproc; int ok, trypid; static int curfail, pidchecked = 0; @@ -308,7 +307,6 @@ fork1(td, flags, pages, procp) * processes, maxproc is the limit. */ sx_xlock(&allproc_lock); - uid = td->td_ucred->cr_ruid; if ((nprocs >= maxproc - 10 && suser_cred(td->td_ucred, SUSER_RUID) != 0) || nprocs >= maxproc) { @@ -320,10 +318,15 @@ fork1(td, flags, pages, procp) * Increment the count of procs running with this uid. Don't allow * a nonprivileged user to exceed their current limit. */ - PROC_LOCK(p1); - ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, - (uid != 0) ? lim_cur(p1, RLIMIT_NPROC) : 0); - PROC_UNLOCK(p1); + error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL); + if (error == 0) + ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); + else { + PROC_LOCK(p1); + ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, + lim_cur(p1, RLIMIT_NPROC)); + PROC_UNLOCK(p1); + } if (!ok) { error = EAGAIN; goto fail; @@ -752,7 +755,7 @@ fail: sx_sunlock(&proctree_lock); if (ppsratecheck(&lastfail, &curfail, 1)) printf("maxproc limit exceeded by uid %i, please see tuning(7) and login.conf(5).\n", - uid); + td->td_ucred->cr_ruid); sx_xunlock(&allproc_lock); #ifdef MAC mac_destroy_proc(newproc); |