authorjhb <jhb@FreeBSD.org>2013-09-19 18:53:42 +0000
committerjhb <jhb@FreeBSD.org>2013-09-19 18:53:42 +0000
commitd3ef75b6c79e9e6d642efa9c32a96524d7a5a5b7 (patch)
tree56c7a97f082d488a8b917c2d2d52956076373329 /usr.bin
parent8ecfe4666e7be9cea4cf6c3ef929de2e8d286f41 (diff)
Extend the support for exempting processes from being killed when swap is
exhausted. - Add a new protect(1) command that can be used to set or revoke protection from arbitrary processes. Similar to ktrace it can apply a change to all existing descendants of a process as well as future descendants. - Add a new procctl(2) system call that provides a generic interface for control operations on processes (as opposed to the debugger-specific operations provided by ptrace(2)). procctl(2) uses a combination of idtype_t and an id to identify the set of processes on which to operate similar to wait6(). - Add a PROC_SPROTECT control operation to manage the protection status of a set of processes. MADV_PROTECT still works for backwards compatibility. - Add a p_flag2 to struct proc (and a corresponding ki_flag2 to kinfo_proc) the first bit of which is used to track if P_PROTECT should be inherited by new child processes. Reviewed by: kib, jilles (earlier version) Approved by: re (delphij) MFC after: 1 month
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/Makefile1
-rw-r--r--usr.bin/kdump/kdump.c12
-rw-r--r--usr.bin/kdump/mksubr2
-rw-r--r--usr.bin/protect/Makefile6
-rw-r--r--usr.bin/protect/protect.189
-rw-r--r--usr.bin/protect/protect.c122
-rw-r--r--usr.bin/truss/syscall.h2
-rw-r--r--usr.bin/truss/syscalls.c10
8 files changed, 243 insertions, 1 deletions
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
index 8f4d920..65187c5 100644
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -132,6 +132,7 @@ SUBDIR= alias \
printenv \
printf \
procstat \
+ protect \
rctl \
renice \
rev \
diff --git a/usr.bin/kdump/kdump.c b/usr.bin/kdump/kdump.c
index c49b45b..e3e6927 100644
--- a/usr.bin/kdump/kdump.c
+++ b/usr.bin/kdump/kdump.c
@@ -1161,6 +1161,18 @@ ktrsyscall(struct ktr_syscall *ktr, u_int flags)
ip++;
narg--;
break;
+ case SYS_procctl:
+ putchar('(');
+ idtypename(*ip, decimal);
+ c = ',';
+ ip++;
+ narg--;
+ print_number(ip, narg, c);
+ putchar(',');
+ procctlcmdname(*ip);
+ ip++;
+ narg--;
+ break;
}
}
while (narg > 0) {
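Review bot: The new `case SYS_procctl:` consumes three arguments (idtype, id, command) without first checking that `narg` is at least 3, so if the argument count comes straight from the trace record, a short or malformed record would make `idtypename(*ip, decimal)` and `procctlcmdname(*ip)` read past the recorded arguments. A guard at the top of the case, such as `if (narg < 3) break;`, would leave such records to the generic printing loop, provided that loop prints the opening `(` itself when the case has not. Whether `narg` is validated earlier cannot be seen here, because ktrsyscall() begins and ends outside the hunk. A one-line comment such as `/* procctl(idtype, id, cmd, data): decode idtype and cmd, leave data to the generic loop */` would also make the argument bookkeeping easier to audit.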
diff --git a/usr.bin/kdump/mksubr b/usr.bin/kdump/mksubr
index 7fd42b7..1859086 100644
--- a/usr.bin/kdump/mksubr
+++ b/usr.bin/kdump/mksubr
@@ -169,6 +169,7 @@ cat <<_EOF_
#include <netinet/in.h>
#include <sys/param.h>
#include <sys/mount.h>
+#include <sys/procctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
#include <sys/reboot.h>
@@ -465,6 +466,7 @@ auto_or_type "mountflagsname" "MNT_[A-Z]+[[:space:]]+0x[0-9]+"
auto_switch_type "msyncflagsname" "MS_[A-Z]+[[:space:]]+0x[0-9]+" "sys/mman.h"
auto_or_type "nfssvcname" "NFSSVC_[A-Z0-9]+[[:space:]]+0x[0-9]+" "nfs/nfssvc.h"
auto_switch_type "prioname" "PRIO_[A-Z]+[[:space:]]+[0-9]" "sys/resource.h"
+auto_switch_type "procctlcmdname" "PROC_[A-Z]+[[:space:]]+[0-9]" "sys/procctl.h"
auto_switch_type "ptraceopname" "PT_[[:alnum:]_]+[[:space:]]+[0-9]+" "sys/ptrace.h"
auto_switch_type "quotactlname" "Q_[A-Z]+[[:space:]]+0x[0-9]+" "ufs/ufs/quota.h"
auto_or_type "rebootoptname" "RB_[A-Z]+[[:space:]]+0x[0-9]+" "sys/reboot.h"
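Review bot: The pattern on the added `procctlcmdname` line, `"PROC_[A-Z]+[[:space:]]+[0-9]"`, only matches command names made of uppercase letters, so a later command in sys/procctl.h whose name contains an underscore or a digit would presumably be left out of the generated switch and show up in kdump output as a bare number. The `ptraceopname` line directly below already uses the wider class; the same form here would be `auto_switch_type "procctlcmdname" "PROC_[[:alnum:]_]+[[:space:]]+[0-9]+" "sys/procctl.h"`. If the pattern is widened, check that it does not also pick up non-command macros from that header.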
diff --git a/usr.bin/protect/Makefile b/usr.bin/protect/Makefile
new file mode 100644
index 0000000..89bbda8
--- /dev/null
+++ b/usr.bin/protect/Makefile
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+PROG= protect
+WARNS?= 6
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1
new file mode 100644
index 0000000..5a494ee
--- /dev/null
+++ b/usr.bin/protect/protect.1
@@ -0,0 +1,89 @@
+.\" Copyright (c) 2013 Advanced Computing Technologies LLC
+.\" Written by: John H. Baldwin <jhb@FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd September 19, 2013
+.Dt PROTECT 1
+.Os
+.Sh NAME
+.Nm protect
+.Nd "protect processes from being killed when swap space is exhausted"
+.Sh SYNOPSIS
+.Nm
+.Op Fl i
+.Ar command
+.Nm
+.Op Fl cdi
+.Fl g Ar pgrp | Fl p Ar pid
+.Sh DESCRIPTION
+The
+.Nm
+command is used to mark processes as protected.
+The kernel does not kill protected processes when swap space is exhausted.
+Note that this protected state is not inherited by child processes by default.
+.Pp
+The options are:
+.Bl -tag -width indent
+.It Fl c
+Remove protection from the specified processes.
+.It Fl d
+Apply the operation to all current children of the specified processes.
+.It Fl i
+Apply the operation to all future children of the specified processes.
+.It Fl g Ar pgrp
+Apply the operation to all processes in the specified process group.
+.It Fl p Ar pid
+Apply the operation to the specified process.
+.It Ar command
+Execute
+.Ar command
+as a protected process.
+.El
+.Pp
+Note that only one of the
+.Fl p
+or
+.Fl g
+flags may be specified when adjusting the state of existing processes.
+.Sh EXIT STATUS
+.Ex -std
+.Sh EXAMPLES
+Mark the Xorg server as protected:
+.Pp
+.Dl "pgrep Xorg | xargs protect -p"
+Protect all ssh sessions and their child processes:
+.Pp
+.Dl "pgrep sshd | xargs protect -dip"
+Remove protection from all current and future processes:
+.Pp
+.Dl "protect -cdi -p 1"
+.Sh SEE ALSO
+.Xr pprotect 2
+.Sh BUGS
+If you protect a runaway process that allocates all memory the system will
+deadlock.
+.Pp
+Inheritance of the protected state is not yet implemented.
diff --git a/usr.bin/protect/protect.c b/usr.bin/protect/protect.c
new file mode 100644
index 0000000..ba15aa6
--- /dev/null
+++ b/usr.bin/protect/protect.c
@@ -0,0 +1,122 @@
+/*-
+ * Copyright (c) 2013 Advanced Computing Technologies LLC
+ * Written by: John H. Baldwin <jhb@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/procctl.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <err.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void
+usage(void)
+{
+
+ fprintf(stderr, "usage: protect [-i] command\n");
+ fprintf(stderr, " protect [-cdi] -g pgrp | -p pid\n");
+ exit(1);
+}
+
+static id_t
+parse_id(char *id)
+{
+ static bool first = true;
+ long value;
+ char *ch;
+
+ if (!first) {
+ warnx("only one -g or -p flag is permitted");
+ usage();
+ }
+ value = strtol(id, &ch, 0);
+ if (*ch != '\0') {
+ warnx("invalid process id");
+ usage();
+ }
+ return (value);
+}
+
+int
+main(int argc, char *argv[])
+{
+ idtype_t idtype;
+ id_t id;
+ int ch, flags;
+ bool descend, inherit, idset;
+
+ idtype = P_PID;
+ id = getpid();
+ flags = PPROT_SET;
+ descend = inherit = idset = false;
+ while ((ch = getopt(argc, argv, "cdig:p:")) != -1)
+ switch (ch) {
+ case 'c':
+ flags = PPROT_CLEAR;
+ break;
+ case 'd':
+ descend = true;
+ break;
+ case 'i':
+ inherit = true;
+ break;
+ case 'g':
+ idtype = P_PGID;
+ id = parse_id(optarg);
+ idset = true;
+ break;
+ case 'p':
+ idtype = P_PID;
+ id = parse_id(optarg);
+ idset = true;
+ break;
+ }
+ argc -= optind;
+ argv += optind;
+
+ if ((idset && argc != 0) || (!idset && (argc == 0 || descend)))
+ usage();
+
+ if (descend)
+ flags |= PPROT_DESCEND;
+ if (inherit)
+ flags |= PPROT_INHERIT;
+ if (procctl(idtype, id, PROC_SPROTECT, &flags) == -1)
+ err(1, "procctl");
+
+ if (argc != 0) {
+ errno = 0;
+ execvp(*argv, argv);
+ err(errno == ENOENT ? 127 : 126, "%s", *argv);
+ }
+ return (0);
+}
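Review bot: In parse_id() the static `first` flag is never set to false, so the "only one -g or -p flag is permitted" check can never fire and a second -g or -p silently overrides the first. The strtol() result is also accepted when the argument is empty, negative or out of range, because only `*ch != '\0'` is tested and errno is not consulted; `protect -p ""` therefore passes id 0 to procctl() rather than being rejected. In main() the getopt switch has no `default:` case, so an unrecognised option is skipped instead of reaching usage(). For a tool that changes which processes the kernel exempts from being killed, the target id and flags should be exactly what the operator typed; the fence shows the changed lines.

```c
static id_t
parse_id(char *id)
{
	/* … unchanged: declarations and the !first check … */
	first = false;
	errno = 0;
	value = strtol(id, &ch, 0);
	if (ch == id || *ch != '\0' || errno == ERANGE || value < 0) {
		warnx("invalid process id");
		usage();
	}
	return (value);
}

		/* … unchanged: main() setup and cases 'c', 'd', 'i', 'g', 'p' … */
		default:
			usage();
		}
```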
diff --git a/usr.bin/truss/syscall.h b/usr.bin/truss/syscall.h
index ce7d2e9..b0d3461 100644
--- a/usr.bin/truss/syscall.h
+++ b/usr.bin/truss/syscall.h
@@ -40,7 +40,7 @@ enum Argtype { None = 1, Hex, Octal, Int, Name, Ptr, Stat, Ioctl, Quad,
Fd_set, Sigaction, Fcntl, Mprot, Mmapflags, Whence, Readlinkres,
Umtx, Sigset, Sigprocmask, Kevent, Sockdomain, Socktype, Open,
Fcntlflag, Rusage, BinString, Shutdown, Resource, Rlimit, Timeval2,
- Pathconf, Rforkflags, ExitStatus, Waitoptions, Idtype };
+ Pathconf, Rforkflags, ExitStatus, Waitoptions, Idtype, Procctl };
#define ARG_MASK 0xff
#define OUT 0x100
diff --git a/usr.bin/truss/syscalls.c b/usr.bin/truss/syscalls.c
index 5369dec..06c2511 100644
--- a/usr.bin/truss/syscalls.c
+++ b/usr.bin/truss/syscalls.c
@@ -41,6 +41,7 @@ static const char rcsid[] =
#include <sys/types.h>
#include <sys/mman.h>
+#include <sys/procctl.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/time.h>
@@ -270,6 +271,8 @@ static struct syscall syscalls[] = {
{ .name = "wait6", .ret_type = 1, .nargs = 6,
.args = { { Idtype, 0 }, { Int, 1 }, { ExitStatus | OUT, 2 },
{ Waitoptions, 3 }, { Rusage | OUT, 4 }, { Ptr, 5 } } },
+ { .name = "procctl", .ret_type = 1, .nargs = 4,
+ .args = { { Idtype, 0 }, { Int, 1 }, { Procctl, 2 }, { Ptr, 3 } } },
{ .name = 0 },
};
@@ -399,6 +402,10 @@ static struct xlat idtype_arg[] = {
X(P_CTID) X(P_CPUID) X(P_PSETID) XEND
};
+static struct xlat procctl_arg[] = {
+ X(PROC_SPROTECT) XEND
+};
+
#undef X
#undef XEND
@@ -1198,6 +1205,9 @@ print_arg(struct syscall_args *sc, unsigned long *args, long retval,
case Idtype:
tmp = strdup(xlookup(idtype_arg, args[sc->offset]));
break;
+ case Procctl:
+ tmp = strdup(xlookup(procctl_arg, args[sc->offset]));
+ break;
default:
errx(1, "Invalid argument type %d\n", sc->type & ARG_MASK);
}