Index: head/usr.bin/rctl/rctl.8 =================================================================== --- head/usr.bin/rctl/rctl.8 (revision 291446) +++ head/usr.bin/rctl/rctl.8 (revision 291447) @@ -1,289 +1,289 @@ .\"- .\" Copyright (c) 2009 Edward Tomasz Napierala .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE .\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" .\" $FreeBSD$ .\" -.Dd November 5, 2015 +.Dd November 29, 2015 .Dt RCTL 8 .Os .Sh NAME .Nm rctl .Nd display and update resource limits database .Sh SYNOPSIS .Nm .Op Fl h .Op Fl n -.Op Ar filter +.Op Ar filter Ar ... .Nm .Fl a -.Ar rule +.Ar rule Ar ... .Nm .Fl l .Op Fl h .Op Fl n -.Ar filter +.Ar filter Ar ... .Nm .Fl r -.Ar filter +.Ar filter Ar ... .Nm .Fl u .Op Fl h -.Ar filter +.Ar filter Ar ... .Pp .Nm requires the kernel to be compiled with: .Bd -ragged -offset indent .Cd "options RACCT" .Cd "options RCTL" .Ed .Sh DESCRIPTION When called without options, the .Nm command writes currently defined RCTL rules to standard output. .Pp If a .Ar filter argument is specified, only rules matching the filter are displayed. The options are as follows: .Bl -tag -width indent .It Fl a Ar rule Add .Ar rule to the RCTL database. .It Fl l Ar filter Display rules applicable to the process defined by .Ar filter . Note that this is different from showing the rules when called without any options, as it shows not just the rules with subject equal to that of process, but also rules for the user, jail, and login class applicable to the process. .It Fl r Ar filter Remove rules matching .Ar filter from the RCTL database. .It Fl u Ar filter Display resource usage for a subject .Po .Sy process , .Sy user , .Sy loginclass or .Sy jail .Pc matching the .Ar filter . .It Fl h "Human-readable" output. Use unit suffixes: Byte, Kilobyte, Megabyte, Gigabyte, Terabyte and Petabyte. .It Fl n Display user IDs numerically rather than converting them to a user name. .El .Pp Modifying rules affects all currently running and future processes matching the rule. .Sh RULE SYNTAX Syntax for a rule is subject:subject-id:resource:action=amount/per. .Pp .Bl -tag -width "subject-id" -compact -offset indent .It subject defines the kind of entity the rule applies to. It can be either .Sy process , .Sy user , .Sy loginclass , or .Sy jail . .It subject-id identifies the .Em subject . It can be a process ID, user name, numerical user ID, login class name from .Xr login.conf 5 , or jail name. .It resource identifies the resource the rule controls. See the .Sx RESOURCES section below for details. .It action defines what will happen when a process exceeds the allowed .Em amount . See the .Sx ACTIONS section below for details. .It amount defines how much of the resource a process can use before the defined .Em action triggers. Resources which limit bytes may use prefixes from .Xr expand_number 3 . .It per defines what entity the .Em amount gets accounted for. For example, rule "loginclass:users:vmem:deny=100M/process" means that each process of any user belonging to login class "users" may allocate up to 100MB of virtual memory. Rule "loginclass:users:vmem:deny=100M/user" would mean that for each user belonging to the login class "users", the sum of virtual memory allocated by all the processes of that user will not exceed 100MB. Rule "loginclass:users:vmem:deny=100M/loginclass" would mean that the sum of virtual memory allocated by all processes of all users belonging to that login class will not exceed 100MB. .El .Pp A valid rule has all those fields specified, except for .Em per , which defaults to the value of .Em subject . .Pp A filter is a rule for which one of more fields other than .Em per is left empty. For example, a filter that matches every rule could be written as ":::=/", or, in short, ":". A filter that matches all the login classes would be "loginclass:". A filter that matches all defined rules for .Sy maxproc resource would be "::maxproc". .Sh SUBJECTS .Bl -column -offset 3n "pseudoterminals" ".Sy username or numerical User ID" .It Em subject Ta Em subject-id .It Sy process Ta numerical Process ID .It Sy user Ta user name or numerical User ID .It Sy loginclass Ta login class from .Xr login.conf 5 .It Sy jail Ta jail name .El .Sh RESOURCES .Bl -column -offset 3n "pseudoterminals" .It Em resource .It Sy cputime Ta "CPU time, in seconds" .It Sy datasize Ta "data size, in bytes" .It Sy stacksize Ta "stack size, in bytes" .It Sy coredumpsize Ta "core dump size, in bytes" .It Sy memoryuse Ta "resident set size, in bytes" .It Sy memorylocked Ta "locked memory, in bytes" .It Sy maxproc Ta "number of processes" .It Sy openfiles Ta "file descriptor table size" .It Sy vmemoryuse Ta "address space limit, in bytes" .It Sy pseudoterminals Ta "number of PTYs" .It Sy swapuse Ta "swap space that may be reserved or used, in bytes" .It Sy nthr Ta "number of threads" .It Sy msgqqueued Ta "number of queued SysV messages" .It Sy msgqsize Ta "SysV message queue size, in bytes" .It Sy nmsgq Ta "number of SysV message queues" .It Sy nsem Ta "number of SysV semaphores" .It Sy nsemop Ta "number of SysV semaphores modified in a single semop(2) call" .It Sy nshm Ta "number of SysV shared memory segments" .It Sy shmsize Ta "SysV shared memory size, in bytes" .It Sy wallclock Ta "wallclock time, in seconds" .It Sy pcpu Ta "%CPU, in percents of a single CPU core" .El .Sh ACTIONS .Bl -column -offset 3n "pseudoterminals" .It Em action .It Sy deny Ta deny the allocation; not supported for .Sy cputime and .Sy wallclock .It Sy log Ta "log a warning to the console" .It Sy devctl Ta "send notification to" .Xr devd 8 using .Sy system = "RCTL", .Sy subsystem = "rule", .Sy type = "matched" .It sig* e.g. .Sy sigterm ; send a signal to the offending process. See .Xr signal 3 for a list of supported signals .El .Pp Not all actions are supported for all resources. Attempting to add a rule with an action not supported by a given resource will result in error. .Sh LOADER TUNABLES Tunables can be set at the .Xr loader 8 prompt, or .Xr loader.conf 5 . .Bl -tag -width indent .It Va kern.racct.enable: No 1 Enable .Nm . This defaults to 1, unless .Cd "options RACCT_DEFAULT_TO_DISABLED" is set in the kernel configuration file. .El .Sh EXIT STATUS .Ex -std .Sh EXAMPLES Prevent user "joe" from allocating more than 1GB of virtual memory: .Dl Nm Fl a Ar user:joe:vmemoryuse:deny=1g .Pp Remove all RCTL rules: .Dl Nm Fl r Ar \&: .Pp Display resource usage information for jail named "www": .Dl Nm Fl hu Ar jail:www .Pp Display all the rules applicable to process with PID 512: .Dl Nm Fl l Ar process:512 .Pp Display all rules: .Dl Nm .Pp Display all rules matching user "joe": .Dl Nm Ar user:joe .Pp Display all rules matching login classes: .Dl Nm Ar loginclass: .Sh SEE ALSO .Xr rctl.conf 5 .Sh HISTORY The .Nm command appeared in .Fx 9.0 . .Sh AUTHORS .An -nosplit The .Nm was developed by .An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org under sponsorship from the FreeBSD Foundation. .Sh BUGS Limiting .Sy memoryuse may kill the machine due to thrashing. Index: head/usr.bin/rctl/rctl.c =================================================================== --- head/usr.bin/rctl/rctl.c (revision 291446) +++ head/usr.bin/rctl/rctl.c (revision 291447) @@ -1,580 +1,623 @@ /*- * Copyright (c) 2010 The FreeBSD Foundation * All rights reserved. * * This software was developed by Edward Tomasz Napierala under sponsorship * from the FreeBSD Foundation. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include +#include #include #include #include #include #define RCTL_DEFAULT_BUFSIZE 128 * 1024 -static id_t -parse_user(const char *s) +static int +parse_user(const char *s, id_t *uidp) { - id_t id; char *end; struct passwd *pwd; pwd = getpwnam(s); - if (pwd != NULL) - return (pwd->pw_uid); + if (pwd != NULL) { + *uidp = pwd->pw_uid; + return (0); + } - if (!isnumber(s[0])) - errx(1, "uknown user '%s'", s); + if (!isnumber(s[0])) { + warnx("uknown user '%s'", s); + return (1); + } - id = strtod(s, &end); - if ((size_t)(end - s) != strlen(s)) - errx(1, "trailing characters after numerical id"); + *uidp = strtod(s, &end); + if ((size_t)(end - s) != strlen(s)) { + warnx("trailing characters after numerical id"); + return (1); + } - return (id); + return (0); } -static id_t -parse_group(const char *s) +static int +parse_group(const char *s, id_t *gidp) { - id_t id; char *end; struct group *grp; grp = getgrnam(s); - if (grp != NULL) - return (grp->gr_gid); + if (grp != NULL) { + *gidp = grp->gr_gid; + return (0); + } - if (!isnumber(s[0])) - errx(1, "uknown group '%s'", s); + if (!isnumber(s[0])) { + warnx("uknown group '%s'", s); + return (1); + } - id = strtod(s, &end); - if ((size_t)(end - s) != strlen(s)) - errx(1, "trailing characters after numerical id"); + *gidp = strtod(s, &end); + if ((size_t)(end - s) != strlen(s)) { + warnx("trailing characters after numerical id"); + return (1); + } - return (id); + return (0); } /* - * This routine replaces user/group name with numeric id. + * Replace human-readable number with its expanded form. */ static char * -resolve_ids(char *rule) -{ - id_t id; - const char *subject, *textid, *rest; - char *resolved; - - subject = strsep(&rule, ":"); - textid = strsep(&rule, ":"); - if (textid == NULL) - errx(1, "error in rule specification -- no subject"); - if (rule != NULL) - rest = rule; - else - rest = ""; - - if (strcasecmp(subject, "u") == 0) - subject = "user"; - else if (strcasecmp(subject, "g") == 0) - subject = "group"; - else if (strcasecmp(subject, "p") == 0) - subject = "process"; - else if (strcasecmp(subject, "l") == 0 || - strcasecmp(subject, "c") == 0 || - strcasecmp(subject, "class") == 0) - subject = "loginclass"; - else if (strcasecmp(subject, "j") == 0) - subject = "jail"; - - if (strcasecmp(subject, "user") == 0 && strlen(textid) > 0) { - id = parse_user(textid); - asprintf(&resolved, "%s:%d:%s", subject, (int)id, rest); - } else if (strcasecmp(subject, "group") == 0 && strlen(textid) > 0) { - id = parse_group(textid); - asprintf(&resolved, "%s:%d:%s", subject, (int)id, rest); - } else - asprintf(&resolved, "%s:%s:%s", subject, textid, rest); - - if (resolved == NULL) - err(1, "asprintf"); - - return (resolved); -} - -/* - * This routine replaces "human-readable" number with its expanded form. - */ -static char * expand_amount(char *rule) { uint64_t num; const char *subject, *subject_id, *resource, *action, *amount, *per; char *copy, *expanded; copy = strdup(rule); - if (copy == NULL) - err(1, "strdup"); + if (copy == NULL) { + warn("strdup"); + return (NULL); + } subject = strsep(©, ":"); subject_id = strsep(©, ":"); resource = strsep(©, ":"); action = strsep(©, "=/"); amount = strsep(©, "/"); per = copy; if (amount == NULL || strlen(amount) == 0) { free(copy); return (rule); } assert(subject != NULL); assert(subject_id != NULL); assert(resource != NULL); assert(action != NULL); - if (expand_number(amount, &num)) - err(1, "expand_number"); + if (expand_number(amount, &num)) { + warnx("invalid numeric value '%s'", amount); + free(copy); + return (NULL); + } if (per == NULL) asprintf(&expanded, "%s:%s:%s:%s=%ju", subject, subject_id, resource, action, (uintmax_t)num); else asprintf(&expanded, "%s:%s:%s:%s=%ju/%s", subject, subject_id, resource, action, (uintmax_t)num, per); - if (expanded == NULL) - err(1, "asprintf"); + if (expanded == NULL) { + warn("asprintf"); + free(copy); + return (NULL); + } return (expanded); } + static char * +expand_rule(char *rule, bool resolve_ids) +{ + id_t id; + const char *subject, *textid, *rest; + char *resolved; + int error; + + subject = strsep(&rule, ":"); + textid = strsep(&rule, ":"); + if (textid == NULL) { + warnx("error in rule specification -- no subject"); + return (NULL); + } + if (rule != NULL) + rest = rule; + else + rest = ""; + + if (strcasecmp(subject, "u") == 0) + subject = "user"; + else if (strcasecmp(subject, "g") == 0) + subject = "group"; + else if (strcasecmp(subject, "p") == 0) + subject = "process"; + else if (strcasecmp(subject, "l") == 0 || + strcasecmp(subject, "c") == 0 || + strcasecmp(subject, "class") == 0) + subject = "loginclass"; + else if (strcasecmp(subject, "j") == 0) + subject = "jail"; + + if (resolve_ids && + strcasecmp(subject, "user") == 0 && strlen(textid) > 0) { + error = parse_user(textid, &id); + if (error != 0) + return (NULL); + asprintf(&resolved, "%s:%d:%s", subject, (int)id, rest); + } else if (resolve_ids && + strcasecmp(subject, "group") == 0 && strlen(textid) > 0) { + error = parse_group(textid, &id); + if (error != 0) + return (NULL); + asprintf(&resolved, "%s:%d:%s", subject, (int)id, rest); + } else { + asprintf(&resolved, "%s:%s:%s", subject, textid, rest); + } + + if (resolved == NULL) { + warn("asprintf"); + return (NULL); + } + + return (expand_amount(resolved)); +} + +static char * humanize_ids(char *rule) { id_t id; struct passwd *pwd; struct group *grp; const char *subject, *textid, *rest; char *end, *humanized; subject = strsep(&rule, ":"); textid = strsep(&rule, ":"); if (textid == NULL) errx(1, "rule passed from the kernel didn't contain subject"); if (rule != NULL) rest = rule; else rest = ""; /* Replace numerical user and group ids with names. */ if (strcasecmp(subject, "user") == 0) { id = strtod(textid, &end); if ((size_t)(end - textid) != strlen(textid)) errx(1, "malformed uid '%s'", textid); pwd = getpwuid(id); if (pwd != NULL) textid = pwd->pw_name; } else if (strcasecmp(subject, "group") == 0) { id = strtod(textid, &end); if ((size_t)(end - textid) != strlen(textid)) errx(1, "malformed gid '%s'", textid); grp = getgrgid(id); if (grp != NULL) textid = grp->gr_name; } asprintf(&humanized, "%s:%s:%s", subject, textid, rest); if (humanized == NULL) err(1, "asprintf"); return (humanized); } static int str2int64(const char *str, int64_t *value) { char *end; if (str == NULL) return (EINVAL); *value = strtoul(str, &end, 10); if ((size_t)(end - str) != strlen(str)) return (EINVAL); return (0); } static char * humanize_amount(char *rule) { int64_t num; const char *subject, *subject_id, *resource, *action, *amount, *per; char *copy, *humanized, buf[6]; copy = strdup(rule); if (copy == NULL) err(1, "strdup"); subject = strsep(©, ":"); subject_id = strsep(©, ":"); resource = strsep(©, ":"); action = strsep(©, "=/"); amount = strsep(©, "/"); per = copy; if (amount == NULL || strlen(amount) == 0 || str2int64(amount, &num) != 0) { free(copy); return (rule); } assert(subject != NULL); assert(subject_id != NULL); assert(resource != NULL); assert(action != NULL); if (humanize_number(buf, sizeof(buf), num, "", HN_AUTOSCALE, HN_DECIMAL | HN_NOSPACE) == -1) err(1, "humanize_number"); if (per == NULL) asprintf(&humanized, "%s:%s:%s:%s=%s", subject, subject_id, resource, action, buf); else asprintf(&humanized, "%s:%s:%s:%s=%s/%s", subject, subject_id, resource, action, buf, per); if (humanized == NULL) err(1, "asprintf"); return (humanized); } /* * Print rules, one per line. */ static void print_rules(char *rules, int hflag, int nflag) { char *rule; while ((rule = strsep(&rules, ",")) != NULL) { if (rule[0] == '\0') break; /* XXX */ if (nflag == 0) rule = humanize_ids(rule); if (hflag) rule = humanize_amount(rule); printf("%s\n", rule); } } static void enosys(void) { int error, racct_enable; size_t racct_enable_len; racct_enable_len = sizeof(racct_enable); error = sysctlbyname("kern.racct.enable", &racct_enable, &racct_enable_len, NULL, 0); if (error != 0) { if (errno == ENOENT) errx(1, "RACCT/RCTL support not present in kernel; see rctl(8) for details"); err(1, "sysctlbyname"); } if (racct_enable == 0) errx(1, "RACCT/RCTL present, but disabled; enable using kern.racct.enable=1 tunable"); } -static void -add_rule(char *rule) +static int +add_rule(const char *rule) { int error; error = rctl_add_rule(rule, strlen(rule) + 1, NULL, 0); if (error != 0) { if (errno == ENOSYS) enosys(); - err(1, "rctl_add_rule"); + warn("rctl_add_rule"); } - free(rule); + + return (error); } -static void -show_limits(char *filter, int hflag, int nflag) +static int +show_limits(const char *filter, int hflag, int nflag) { int error; char *outbuf = NULL; size_t outbuflen = RCTL_DEFAULT_BUFSIZE / 4; do { outbuflen *= 4; outbuf = realloc(outbuf, outbuflen); if (outbuf == NULL) err(1, "realloc"); error = rctl_get_limits(filter, strlen(filter) + 1, outbuf, outbuflen); if (error && errno != ERANGE) { if (errno == ENOSYS) enosys(); - err(1, "rctl_get_limits"); + warn("rctl_get_limits"); } } while (error && errno == ERANGE); print_rules(outbuf, hflag, nflag); - free(filter); free(outbuf); + + return (error); } -static void -remove_rule(char *filter) +static int +remove_rule(const char *filter) { int error; error = rctl_remove_rule(filter, strlen(filter) + 1, NULL, 0); if (error != 0) { if (errno == ENOSYS) enosys(); - err(1, "rctl_remove_rule"); + warn("rctl_remove_rule"); } - free(filter); + + return (error); } static char * humanize_usage_amount(char *usage) { int64_t num; const char *resource, *amount; char *copy, *humanized, buf[6]; copy = strdup(usage); if (copy == NULL) err(1, "strdup"); resource = strsep(©, "="); amount = copy; assert(resource != NULL); assert(amount != NULL); if (str2int64(amount, &num) != 0 || humanize_number(buf, sizeof(buf), num, "", HN_AUTOSCALE, HN_DECIMAL | HN_NOSPACE) == -1) { free(copy); return (usage); } asprintf(&humanized, "%s=%s", resource, buf); if (humanized == NULL) err(1, "asprintf"); return (humanized); } /* * Query the kernel about a resource usage and print it out. */ -static void -show_usage(char *filter, int hflag) +static int +show_usage(const char *filter, int hflag) { int error; char *outbuf = NULL, *tmp; size_t outbuflen = RCTL_DEFAULT_BUFSIZE / 4; do { outbuflen *= 4; outbuf = realloc(outbuf, outbuflen); if (outbuf == NULL) err(1, "realloc"); error = rctl_get_racct(filter, strlen(filter) + 1, outbuf, outbuflen); if (error && errno != ERANGE) { if (errno == ENOSYS) enosys(); - err(1, "rctl_get_racct"); + warn("rctl_get_racct"); } } while (error && errno == ERANGE); while ((tmp = strsep(&outbuf, ",")) != NULL) { if (tmp[0] == '\0') break; /* XXX */ if (hflag) tmp = humanize_usage_amount(tmp); printf("%s\n", tmp); } - free(filter); free(outbuf); + + return (error); } /* * Query the kernel about resource limit rules and print them out. */ -static void -show_rules(char *filter, int hflag, int nflag) +static int +show_rules(const char *filter, int hflag, int nflag) { int error; char *outbuf = NULL; size_t filterlen, outbuflen = RCTL_DEFAULT_BUFSIZE / 4; if (filter != NULL) filterlen = strlen(filter) + 1; else filterlen = 0; do { outbuflen *= 4; outbuf = realloc(outbuf, outbuflen); if (outbuf == NULL) err(1, "realloc"); error = rctl_get_rules(filter, filterlen, outbuf, outbuflen); if (error && errno != ERANGE) { if (errno == ENOSYS) enosys(); - err(1, "rctl_get_rules"); + warn("rctl_get_rules"); } } while (error && errno == ERANGE); print_rules(outbuf, hflag, nflag); free(outbuf); + + return (error); } static void usage(void) { fprintf(stderr, "usage: rctl [ -h ] [-a rule | -l filter | -r filter " "| -u filter | filter]\n"); exit(1); } int main(int argc __unused, char **argv __unused) { int ch, aflag = 0, hflag = 0, nflag = 0, lflag = 0, rflag = 0, uflag = 0; char *rule = NULL; + int i, cumulated_error; - while ((ch = getopt(argc, argv, "a:hl:nr:u:")) != -1) { + while ((ch = getopt(argc, argv, "ahlnru")) != -1) { switch (ch) { case 'a': aflag = 1; - rule = strdup(optarg); break; case 'h': hflag = 1; break; case 'l': lflag = 1; - rule = strdup(optarg); break; case 'n': nflag = 1; break; case 'r': rflag = 1; - rule = strdup(optarg); break; case 'u': uflag = 1; - rule = strdup(optarg); break; case '?': default: usage(); } } argc -= optind; argv += optind; + + if (aflag + lflag + rflag + uflag > 1) + errx(1, "at most one of -a, -l, -r, or -u may be specified"); - if (argc > 1) - usage(); - - if (rule == NULL) { - if (argc == 1) - rule = strdup(argv[0]); - else + if (argc == 0) { + if (aflag + lflag + rflag + uflag == 0) { rule = strdup("::"); + show_rules(rule, hflag, nflag); + + return (0); + } + + usage(); } - if (aflag + lflag + rflag + uflag + argc > 1) - errx(1, "only one flag or argument may be specified " - "at the same time"); + cumulated_error = 0; - rule = resolve_ids(rule); - rule = expand_amount(rule); + for (i = 0; i < argc; i++) { + rule = argv[i]; - if (aflag) { - add_rule(rule); - return (0); - } + /* + * Skip resolving if passed -n _and_ -a. Ignore -n otherwise, + * so we can still do "rctl -n u:root" and see the rules without + * resolving the UID. + */ + if (aflag != 0 && nflag != 0) + rule = expand_rule(rule, false); + else + rule = expand_rule(rule, true); - if (lflag) { - show_limits(rule, hflag, nflag); - return (0); - } + if (rule == NULL) { + cumulated_error++; + continue; + } - if (rflag) { - remove_rule(rule); - return (0); - } + if (aflag) { + cumulated_error += add_rule(rule); + } else if (lflag) { + cumulated_error += show_limits(rule, hflag, nflag); + } else if (rflag) { + cumulated_error += remove_rule(rule); + } else if (uflag) { + cumulated_error += show_usage(rule, hflag); + } else { + cumulated_error += show_rules(rule, hflag, nflag); + } - if (uflag) { - show_usage(rule, hflag); - return (0); + free(rule); } - show_rules(rule, hflag, nflag); - return (0); + return (cumulated_error); }