Date: Thu, 6 Nov 2025 23:11:56 GMT From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 76fb5c23dcca - releng/15.0 - setcred(): Fix RACCT resource accounting on credentials change Message-ID: <202511062311.5A6NBulc010548@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/15.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=76fb5c23dcca4696d3682bec2dd0e60d81c6db1e commit 76fb5c23dcca4696d3682bec2dd0e60d81c6db1e Author: Olivier Certner <olce@FreeBSD.org> AuthorDate: 2025-10-29 17:07:59 +0000 Commit: Colin Percival <cperciva@FreeBSD.org> CommitDate: 2025-11-06 23:11:10 +0000 setcred(): Fix RACCT resource accounting on credentials change When credentials are changed, we need to adjust the sum of resources associated to the initial and new process' user IDs (and old and new login classes and jails, but setcred() does not change them) for them to stay consistent. Approved by: re (cperciva) PR: 290352 MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D53457 (cherry picked from commit 2be5127c4a31bacac9b4158395bfa844f6033626) (cherry picked from commit 2e76660cb71dc113a4f4e0eb05eb190d7fc99e7f) --- sys/kern/kern_prot.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index df725cfebd97..3c145851b683 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -696,7 +696,7 @@ kern_setcred(struct thread *const td, const u_int flags, gid_t *groups = NULL; gid_t smallgroups[CRED_SMALLGROUPS_NB]; int error; - bool cred_set; + bool cred_set = false; /* Bail out on unrecognized flags. */ if (flags & ~SETCREDF_MASK) @@ -839,17 +839,32 @@ kern_setcred(struct thread *const td, const u_int flags, if (cred_set) { setsugid(p); to_free_cred = old_cred; +#ifdef RACCT + racct_proc_ucred_changed(p, old_cred, new_cred); +#endif +#ifdef RCTL + crhold(new_cred); +#endif MPASS(error == 0); } else error = EAGAIN; unlock_finish: PROC_UNLOCK(p); + /* * Part 3: After releasing the process lock, we perform cleanups and * finishing operations. */ +#ifdef RCTL + if (cred_set) { + rctl_proc_ucred_changed(p, new_cred); + /* Paired with the crhold() just above. */ + crfree(new_cred); + } +#endif + #ifdef MAC if (mac_set_proc_data != NULL) mac_set_proc_finish(td, proc_label_set, mac_set_proc_data);help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202511062311.5A6NBulc010548>