# # Copyright (c) 1999, 2008, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2014 Racktop Systems. # # # Project.pm provides the bootstrap for the Sun::Solaris::Project module, and # also functions for reading, validating and writing out project(4) format # files. # ################################################################################ require 5.0010; use strict; use warnings; use locale; use Errno; use Fcntl; use File::Basename; use POSIX qw(locale_h limits_h); package Sun::Solaris::Project; our $VERSION = '1.9'; use XSLoader; XSLoader::load(__PACKAGE__, $VERSION); our (@EXPORT_OK, %EXPORT_TAGS); my @constants = qw(MAXPROJID PROJNAME_MAX PROJF_PATH PROJECT_BUFSZ SETPROJ_ERR_TASK SETPROJ_ERR_POOL); my @syscalls = qw(getprojid); my @libcalls = qw(setproject activeprojects getprojent setprojent endprojent getprojbyname getprojbyid getdefaultproj fgetprojent inproj getprojidbyname); my @private = qw(projf_read projf_write projf_validate projent_parse projent_parse_name projent_validate_unique_name projent_parse_projid projent_validate_unique_id projent_parse_comment projent_parse_users projent_parse_groups projent_parse_attributes projent_validate projent_validate_projid projent_values_equal projent_values2string); @EXPORT_OK = (@constants, @syscalls, @libcalls, @private); %EXPORT_TAGS = (CONSTANTS => \@constants, SYSCALLS => \@syscalls, LIBCALLS => \@libcalls, PRIVATE => \@private, ALL => \@EXPORT_OK); use base qw(Exporter); use Sun::Solaris::Utils qw(gettext); # # Set up default rules for validating rctls. # These rules are not global-flag specific, but instead # are the total set of allowable values on all rctls. # use Config; our $MaxNum = &RCTL_MAX_VALUE; our %RctlRules; my %rules; our %SigNo; my $j; my $name; foreach $name (split(' ', $Config{sig_name})) { $SigNo{$name} = $j; $j++; } %rules = ( 'privs' => [ qw(basic privileged priv) ], 'actions' => [ qw(none deny sig) ], 'signals' => [ qw(ABRT XRES HUP STOP TERM KILL XFSZ XCPU), $SigNo{'ABRT'}, $SigNo{'XRES'}, $SigNo{'HUP'}, $SigNo{'STOP'}, $SigNo{'TERM'}, $SigNo{'KILL'}, $SigNo{'XFSZ'}, $SigNo{'XCPU'} ], 'max' => $MaxNum ); $RctlRules{'__DEFAULT__'} = \%rules; # # projf_combine_errors(errorA, errorlistB) # # Concatenates a single error with a list of errors. Each error in the new # list will have a status matching the status of errorA. # # Example: # # projf_combine_errors( # [ 5, "Error on line %d, 10 ], # [ [ 3, "Invalid Value %s", "foo" ], # [ 6, "Duplicate Value %s", "bar" ] # ]); # # would return the list ref: # # [ [ 5, "Error on line %d: Invalid Value %s", 10, "foo" ], # [ 5, "Error on line %d: Duplicate Value %s", 10, "bar" ] # ] # # This function is used when a fuction wants to add more information to # a list of errors returned by another function. # sub projf_combine_errors { my ($error1, $errorlist) = @_; my $error2; my $newerror; my @newerrorlist; my ($err1, $fmt1, @args1); my ($err2, $fmt2, @args2); ($err1, $fmt1, @args1) = @$error1; foreach $error2 (@$errorlist) { ($err2, $fmt2, @args2) = @$error2; $newerror = [ $err1, $fmt1 . ', ' . $fmt2, @args1, @args2]; push(@newerrorlist, $newerror); } return (\@newerrorlist); } # # projf_read(filename, flags) # # Reads and parses a project(4) file, and returns a list of projent hashes. # # Inputs: # filename - file to read # flags - hash ref of flags # # If flags contains key "validate", the project file entries will also be # validated for run-time correctness If so, the flags ref is forwarded to # projf_validate(). # # Return Value: # # Returns a ref to a list of projent hashes. See projent_parse() for a # description of a projent hash. # sub projf_read { my ($fh, $flags) = @_; my @projents; my $projent; my $linenum = 0; my ($projname, $projid, $comment, $users, $groups, $attributes); my ($ret, $ref); my @errs; my ($line, $origline, $next, @projf); while (defined($line = <$fh>)) { $linenum++; $origline = $line; # Remove any line continuations and trailing newline. $line =~ s/\\\n//g; chomp($line); if (length($line) > (&PROJECT_BUFSZ - 2)) { push(@errs, [5, gettext('Parse error on line %d, line too long'), $linenum]); } ($ret, $ref) = projent_parse($line, {}); if ($ret != 0) { $ref = projf_combine_errors( [5, gettext('Parse error on line %d'), $linenum], $ref); push(@errs, @$ref); next; } $projent = $ref; # # Cache original line to save original format if it is # not changed. # $projent->{'line'} = $origline; $projent->{'modified'} = 'false'; $projent->{'linenum'} = $linenum; push(@projents, $projent); } if (defined($flags->{'validate'}) && ($flags->{'validate'} eq 'true')) { ($ret, $ref) = projf_validate(\@projents, $flags); if ($ret != 0) { push(@errs, @$ref); } } if (@errs) { return (1, \@errs); } else { return (0, \@projents); } } # # projf_write(filehandle, projent list) # # Write a list of projent hashes to a file handle. # projent's with key "modified" => false will be # written using the "line" key. projent's with # key "modified" => "true" will be written by # constructing a new line based on their "name" # "projid", "comment", "userlist", "grouplist" # and "attributelist" keys. # sub projf_write { my ($fh, $projents) = @_; my $projent; my $string; foreach $projent (@$projents) { if ($projent->{'modified'} eq 'false') { $string = $projent->{'line'}; } else { $string = projent_2string($projent) . "\n"; } print $fh "$string"; } } # # projent_parse(line) # # Functions for parsing the project file lines into projent hashes. # # Returns a number and a ref, one of: # # (0, ref to projent hash) # (non-zero, ref to list of errors) # # Flag can be: # allowspaces: allow spaces between user and group names. # allowunits : allow units (K, M, etc), on rctl values. # # A projent hash contains the keys: # # "name" - string name of project # "projid" - numeric id of project # "comment" - comment string # "users" - , seperated user list string # "userlist" - list ref to list of user name strings # "groups" - , seperated group list string # "grouplist" - list ref to liset of group name strings # "attributes" - ; seperated attribute list string # "attributelist" - list ref to list of attribute refs # (see projent_parse_attributes() for attribute ref) # sub projent_parse { my ($line, $flags) = @_; my $projent = {}; my ($ret, $ref); my @errs; my ($projname, $projid, $comment, $users, $groups, $attributes); # # Split fields of project line. split() is not used because # we must enforce that there are 6 fields. # ($projname, $projid, $comment, $users, $groups, $attributes) = $line =~ /^([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)$/; # If there is not a complete match, nothing will be defined; if (!defined($projname)) { push(@errs, [5, gettext( 'Incorrect number of fields. Should have 5 ":"\'s.')]); # Get as many fields as we can. ($projname, $projid, $comment, $users, $groups, $attributes) = split(/:/, $line); } if (defined($projname)) { $projent->{'name'} = $projname; ($ret, $ref) = projent_parse_name($projname); if ($ret != 0) { push(@errs, @$ref); } } if (defined($projid)) { $projent->{'projid'} = $projid; ($ret, $ref) = projent_parse_projid($projid); if ($ret != 0) { push(@errs, @$ref); } } if (defined($comment)) { $projent->{'comment'} = $comment; ($ret, $ref) = projent_parse_comment($comment); if ($ret != 0) { push(@errs, @$ref); } } if (defined($users)) { $projent->{'users'} = $users; ($ret, $ref) = projent_parse_users($users, $flags); if ($ret != 0) { push(@errs, @$ref); } else { $projent->{'userlist'} = $ref; } } if (defined($groups)) { $projent->{'groups'} = $groups; ($ret, $ref) = projent_parse_groups($groups, $flags); if ($ret != 0) { push(@errs, @$ref); } else { $projent->{'grouplist'} = $ref; } } if (defined($attributes)) { $projent->{'attributes'} = $attributes; ($ret, $ref) = projent_parse_attributes($attributes, $flags); if ($ret != 0) { push(@errs, @$ref); } else { $projent->{'attributelist'} = $ref; } } if (@errs) { return (1, \@errs); } else { return (0, $projent); } } # # Project name syntax checking. # sub projent_parse_name { my @err; my ($projname) = @_; if (!($projname =~ /^[[:alpha:]][[:alnum:]_.-]*$/)) { push(@err, ([3, gettext( 'Invalid project name "%s", contains invalid characters'), $projname])); return (1, \@err); } if (length($projname) > &PROJNAME_MAX) { push(@err, ([3, gettext( 'Invalid project name "%s", name too long'), $projname])); return (1, \@err); } return (0, $projname); } # # Projid syntax checking. # sub projent_parse_projid { my @err; my ($projid) = @_; # verify projid is a positive number, and less than UID_MAX if (!($projid =~ /^\d+$/)) { push(@err, [3, gettext('Invalid projid "%s"'), $projid]); return (1, \@err); } elsif ($projid > POSIX::INT_MAX) { push(@err, [3, gettext('Invalid projid "%s": must be <= '. POSIX::INT_MAX), $projid]); return (1, \@err); } else { return (0, $projid); } } # # Project comment syntax checking. # sub projent_parse_comment { my ($comment) = @_; # no restrictions on comments return (0, $comment); } # # projent_parse_users(string, flags) # # Parses "," seperated list of users, and returns list ref to a list of # user names. If flags contains key "allowspaces", then spaces are # allowed between user names and ","'s. # sub projent_parse_users { my ($users, $flags) = @_; my @err; my $user; my $pattern; my @userlist; if (exists($flags->{'allowspaces'})) { $pattern = '\s*,\s*'; } else { $pattern = ','; } @userlist = split(/$pattern/, $users); # Return empty list if there are no users. if (!(@userlist)) { return (0, \@userlist); } # Verify each user name is the correct format for a valid user name. foreach $user (@userlist) { # Allow for wildcards. if ($user eq '*' || $user eq '!*') { next; } # Allow for ! operator, usernames must begin with alpha-num, # and contain alpha-num, '_', digits, '.', or '-'. if (!($user =~ /^!?[[:alpha:]][[:alnum:]_.-]*$/)) { push(@err, [3, gettext('Invalid user name "%s"'), $user]); next; } } if (@err) { return (1,\ @err); } else { return (0, \@userlist); } } # # projent_parse_groups(string, flags) # # Parses "," seperated list of groups, and returns list ref to a list of # groups names. If flags contains key "allowspaces", then spaces are # allowed between group names and ","'s. # sub projent_parse_groups { my ($groups, $flags) = @_; my @err; my $group; my $pattern; my @grouplist; if (exists($flags->{'allowspaces'})) { $pattern = '\s*,\s*'; } else { $pattern = ','; } @grouplist = split(/$pattern/, $groups); # Return empty list if there are no groups. if (!(@grouplist)) { return (0, \@grouplist); } # Verify each group is the correct format for a valid group name. foreach $group (@grouplist) { # Allow for wildcards. if ($group eq '*' || $group eq '!*') { next; } # Allow for ! operator, groupnames can contain only alpha # characters and digits. if (!($group =~ /^!?[[:alnum:]]+$/)) { push(@err, [3, gettext('Invalid group name "%s"'), $group]); next; } } if (@err) { return (1,\ @err); } else { return (0, \@grouplist); } } # # projent_tokenize_attribute_values(values) # # Values is the right hand side of a name=values attribute/values pair. # This function splits the values string into a list of tokens. Tokens are # valid string values and the characters ( ) , # sub projent_tokenize_attribute_values { # # This seperates the attribute string into higher level tokens # for parsing. # my $prev; my $cur; my $next; my $token; my @tokens; my @newtokens; my @err; # Seperate tokens delimited by "(", ")", and ",". @tokens = split(/([,()])/, $_[0], -1); # Get rid of blanks @newtokens = grep($_ ne '', @tokens); foreach $token (@newtokens) { if (!($token =~ /^[(),]$/ || $token =~ /^[[:alnum:]_.\/=+-]*$/)) { push(@err, [3, gettext( 'Invalid Character at or near "%s"'), $token]); } } if (@err) { return (1, \@err); } else { return (0, \@newtokens); } } # # projent_parse_attribute_values(values) # # Values is the right hand side of a name=values attribute/values pair. # This function parses the values string into a list of values. Each value # can be either a scalar value, or a ref to another list of values. # A ref to the list of values is returned. # sub projent_parse_attribute_values { # # For some reason attribute values can be lists of values and # sublists, which are scoped using ()'s. All values and sublists # are delimited by ","'s. Empty values are lists are permitted. # This function returns a reference to a list of values, each of # which can be a scalar value, or a reference to a sublist. Sublists # can contain both scalar values and references to furthur sublists. # my ($values) = @_; my $tokens; my @usedtokens; my $token; my $prev = ''; my $parendepth = 0; my @valuestack; my @err; my ($ret, $ref); my $line; push (@valuestack, []); ($ret, $ref) = projent_tokenize_attribute_values($values); if ($ret != 0) { return ($ret, $ref); } $tokens = $ref; foreach $token (@$tokens) { push(@usedtokens, $token); if ($token eq ',') { if ($prev eq ',' || $prev eq '(' || $prev eq '') { push(@{$valuestack[$#valuestack]}, ''); } $prev = ','; next; } if ($token eq '(') { if (!($prev eq '(' || $prev eq ',' || $prev eq '')) { $line = join('', @usedtokens); push(@err, [3, gettext( '"%s" <- "(" unexpected'), $line]); return (1, \@err); } $parendepth++; my $arrayref = []; push(@{$valuestack[$#valuestack]}, $arrayref); push(@valuestack, $arrayref); $prev = '('; next; } if ($token eq ')') { if ($parendepth <= 0) { $line = join('', @usedtokens); push(@err, [3, gettext( '"%s" <- ")" unexpected'), $line]); return (1, \@err); } if ($prev eq ',' || $prev eq '(') { push(@{$valuestack[$#valuestack]}, ''); } $parendepth--; pop @valuestack; $prev = ')'; next; } if (!($prev eq ',' || $prev eq '(' || $prev eq '')) { $line = join('', @usedtokens); push(@err, [3, gettext( '"%s" <- "%s" unexpected'), $line, $token]); return (1, \@err); } push(@{$valuestack[$#valuestack]}, $token); $prev = $token; next; } if ($parendepth != 0) { push(@err, [3, gettext( '"%s" <- ")" missing'), $values]); return (1, \@err); } if ($prev eq ',' || $prev eq '') { push(@{$valuestack[$#valuestack]}, ''); } return (0, $valuestack[0]); } # # projent_parse_attribute("name=values", $flags) # # $flags is a hash ref. # Valid flags keys: # 'allowunits' - allows numeric values to be scaled on certain attributes # # Returns a hash ref with keys: # # "name" - name of attribute # "values" - ref to list of values. # Each value can be a scalar value, or a ref to # a sub-list of values. # sub projent_parse_attribute { my ($string, $flags) = @_; my $attribute = {}; my ($name, $stock, $values); my ($ret, $ref); my @err; my $scale; my $num; my $modifier; my $unit; my $tuple; my $rules; my $rctlmax; my $rctlflags; # pattern for matching stock symbols. my $stockp = '[[:upper:]]{1,5}(?:.[[:upper:]]{1,5})?,'; # Match attribute with no value. ($name, $stock) = $string =~ /^(($stockp)?[[:alpha:]][[:alnum:]_.-]*)$/; if ($name) { $attribute->{'name'} = $name; return (0, $attribute); } # Match attribute with value list. ($name, $stock, $values) = $string =~ /^(($stockp)?[[:alpha:]][[:alnum:]_.-]*)=(.*)$/; if ($name) { $attribute->{'name'} = $name; if (!defined($values)) { $values = ''; } ($ret, $ref) = projent_parse_attribute_values($values); if ($ret != 0) { $ref = projf_combine_errors( [3, gettext('Invalid value on attribute "%s"'), $name], $ref); push(@err, @$ref); return ($ret, \@err) } # Scale attributes than can be scaled. if (exists($flags->{"allowunits"})) { if ($name eq 'rcap.max-rss' && defined($ref->[0]) && !ref($ref->[0])) { $scale = 'bytes'; ($num, $modifier, $unit) = projent_val2num($ref->[0], $scale); if (!defined($num)) { if (defined($unit)) { push(@err, [3, gettext( 'rcap.max-rss has invalid '. 'unit "%s"'), $unit]); } else { push(@err, [3, gettext( 'rcap.max-rss has invalid '. 'value "%s"'), $ref->[0]]); } } elsif ($num eq "OVERFLOW") { push(@err, [3, gettext( 'rcap.max-rss value '. '"%s" exceeds maximum value "%s"'), $ref->[0], $MaxNum]); } else { $ref->[0] = $num; } } # Check hashed cache of rctl rules. $rules = $RctlRules{$name}; if (!defined($rules)) { # # See if this is an resource control name, if so # cache rules. # ($rctlmax, $rctlflags) = rctl_get_info($name); if (defined($rctlmax)) { $rules = proj_getrctlrules( $rctlmax, $rctlflags); if (defined($rules)) { $RctlRules{$name} = $rules; } else { $RctlRules{$name} = "NOT AN RCTL"; } } } # Scale values if this is an rctl. if (defined ($rules) && ref($rules)) { $flags->{'type'} = $rules->{'type'}; foreach $tuple (@$ref) { # Skip if tuple this is not a list. if (!ref($tuple)) { next; } # Skip if second element is not scalar. if (!defined($tuple->[1]) || ref($tuple->[1])) { next; } ($num, $modifier, $unit) = projent_val2num($tuple->[1], $flags->{'type'}); if (!defined($num)) { if (defined($unit)) { push(@err, [3, gettext( 'rctl %s has '. 'invalid unit '. '"%s"'),$name, $unit]); } else { push(@err, [3, gettext( 'rctl %s has '. 'invalid value '. '"%s"'), $name, $tuple->[1]]); } } elsif ($num eq "OVERFLOW") { push(@err, [3, gettext( 'rctl %s value "%s" '. 'exceeds maximum value "%s"'), $name, $tuple->[1], $MaxNum]); } else { $tuple->[1] = $num; } } } } $attribute->{'values'} = $ref; if (@err) { return (1, \@err); } else { return (0, $attribute); } } else { # Attribute did not match name[=value,value...] push(@err, [3, gettext('Invalid attribute "%s"'), $string]); return (1, \@err); } } # # projent_parse_attributes("; seperated list of name=values pairs"); # # Returns a list of attribute references, as returned by # projent_parse_attribute(). # sub projent_parse_attributes { my ($attributes, $flags) = @_; my @attributelist; my @attributestrings; my $attributestring; my $attribute; my ($ret, $ref); my @errs; # Split up attributes by ";"'s. @attributestrings = split(/;/, $attributes); # If no attributes, return empty list. if (!@attributestrings) { return (0, \@attributelist); } foreach $attributestring (@attributestrings) { ($ret, $ref) = projent_parse_attribute($attributestring, $flags); if ($ret != 0) { push(@errs, @$ref); } else { push(@attributelist, $ref); } } if (@errs) { return (1, \@errs); } else { return (0, \@attributelist); } } # # projent_values_equal(list A, list B) # # Given two references to lists of attribute values (as returned by # projent_parse_attribute_values()), returns 1 if they are identical # lists or 0 if they are not. # # XXX sub projent_values_equal; sub projent_values_equal { my ($x, $y) = @_; my $itema; my $itemb; my $index = 0; if (ref($x) && ref($y)) { if (scalar(@$x) != scalar(@$y)) { return (0); } else { foreach $itema (@$x) { $itemb = $y->[$index++]; if (!projent_values_equal($itema, $itemb)) { return (0); } } return (1); } } elsif ((!ref($x) && (!ref($y)))) { return ($x eq $y); } else { return (0); } } # # Converts a list of values to a , seperated string, enclosing sublists # in ()'s. # sub projent_values2string { my ($values) = @_; my $string; my $value; my @valuelist; if (!defined($values)) { return (''); } if (!ref($values)) { return ($values); } foreach $value (@$values) { if (ref($value)) { push(@valuelist, '(' . projent_values2string($value) . ')'); } else { push(@valuelist, $value); } } $string = join(',', @valuelist) ; if (!defined($string)) { $string = ''; } return ($string); } # # Converts a ref to an attribute hash with keys "name", and "values" to # a string in the form "name=value,value...". # sub projent_attribute2string { my ($attribute) = @_; my $string; $string = $attribute->{'name'}; if (ref($attribute->{'values'}) && @{$attribute->{'values'}}) { $string = $string . '=' . projent_values2string(($attribute->{'values'})); } return ($string); } # # Converts a ref to a projent hash (as returned by projent_parse()) to # a project(4) database entry line. # sub projent_2string { my ($projent) = @_; my @attributestrings; my $attribute; foreach $attribute (@{$projent->{'attributelist'}}) { push(@attributestrings, projent_attribute2string($attribute)); } return (join(':', ($projent->{'name'}, $projent->{'projid'}, $projent->{'comment'}, join(',', @{$projent->{'userlist'}}), join(',', @{$projent->{'grouplist'}}), join(';', @attributestrings)))); } # # projf_validate(ref to list of projents hashes, flags) # # For each projent hash ref in the list, checks that users, groups, and pools # exists, and that known attributes are valid. Attributes matching rctl names # are verified to have valid values given that rctl's global flags and max # value. # # Valid flag keys: # # "res" - allow reserved project ids 0-99 # "dup" - allow duplicate project ids # sub projf_validate { my ($projents, $flags) = @_; my $projent; my $ret; my $ref; my @err; my %idhash; my %namehash; my %seenids; my %seennames; # check for unique project names foreach $projent (@$projents) { my @lineerr; $seennames{$projent->{'name'}}++; $seenids{$projent->{'projid'}}++; if ($seennames{$projent->{'name'}} > 1) { push(@lineerr, [4, gettext( 'Duplicate project name "%s"'), $projent->{'name'}]); } if (!defined($flags->{'dup'})) { if ($seenids{$projent->{'projid'}} > 1) { push(@lineerr, [4, gettext( 'Duplicate projid "%s"'), $projent->{'projid'}]); } } ($ret, $ref) = projent_validate($projent, $flags); if ($ret != 0) { push(@lineerr, @$ref); } if (@lineerr) { $ref = projf_combine_errors([5, gettext( 'Validation error on line %d'), $projent->{'linenum'}], \@lineerr); push(@err, @$ref); } } if (@err) { return (1, \@err); } else { return (0, $projents); } } # # projent_validate_unique_id( # ref to projent hash, ref to list of projent hashes) # # Verifies that projid of the projent hash only exists once in the list of # projent hashes. # sub projent_validate_unique_id { my ($projent, $projf, $idhash) = @_; my @err; my $ret = 0; my $projid = $projent->{'projid'}; if (scalar(grep($_->{'projid'} eq $projid, @$projf)) > 1) { $ret = 1; push(@err, [4, gettext('Duplicate projid "%s"'), $projid]); } return ($ret, \@err); } # # projent_validate_unique_id( # ref to projent hash, ref to list of projent hashes) # # Verifies that project name of the projent hash only exists once in the list # of projent hashes. # # If the seconds argument is a hash ref, it is treated # sub projent_validate_unique_name { my ($projent, $projf, $namehash) = @_; my $ret = 0; my @err; my $pname = $projent->{'name'}; if (scalar(grep($_->{'name'} eq $pname, @$projf)) > 1) { $ret = 1; push(@err, [9, gettext('Duplicate project name "%s"'), $pname]); } return ($ret, \@err); } # # projent_validate(ref to projents hash, flags) # # Checks that users, groups, and pools exists, and that known attributes # are valid. Attributes matching rctl names are verified to have valid # values given that rctl's global flags and max value. # # Valid flag keys: # # "allowspaces" - user and group list are allowed to contain whitespace # "res" - allow reserved project ids 0-99 # sub projent_validate { my ($projent, $flags) = @_; my $ret = 0; my $ref; my @err; ($ret, $ref) = projent_validate_name($projent->{'name'}, $flags); if ($ret != 0) { push(@err, @$ref); } ($ret, $ref) = projent_validate_projid($projent->{'projid'}, $flags); if ($ret != 0) { push(@err, @$ref); } ($ret, $ref) = projent_validate_comment($projent->{'comment'}, $flags); if ($ret != 0) { push(@err, @$ref); } ($ret, $ref) = projent_validate_users($projent->{'userlist'}, $flags); if ($ret != 0) { push(@err, @$ref); } ($ret, $ref) = projent_validate_groups($projent->{'grouplist'}, $flags); if ($ret != 0) { push(@err, @$ref); } ($ret, $ref) = projent_validate_attributes( $projent->{'attributelist'}, $flags); if ($ret != 0) { push(@err, @$ref); } my $string = projent_2string($projent); if (length($string) > (&PROJECT_BUFSZ - 2)) { push(@err, [3, gettext('projent line too long')]); } if (@err) { return (1, \@err); } else { return (0, $projent); } } # # projent_validate_name(name, flags) # # does nothing, as any parse-able project name is valid # sub projent_validate_name { my ($name, $flags) = @_; my @err; return (0, \@err); } # # projent_validate_projid(projid, flags) # # Validates that projid is within the valid range of numbers. # Valid flag keys: # "res" - allow reserved projid's 0-99 # sub projent_validate_projid { my ($projid, $flags) = @_; my @err; my $ret = 0; my $minprojid; if (defined($flags->{'res'})) { $minprojid = 0; } else { $minprojid = 100; } if ($projid < $minprojid) { $ret = 1; push(@err, [3, gettext('Invalid projid "%s": '. 'must be >= 100'), $projid]); } return ($ret, \@err); } # # projent_validate_comment(name, flags) # # Does nothing, as any parse-able comment is valid. # sub projent_validate_comment { my ($comment, $flags) = @_; my @err; return (0, \@err); } # # projent_validate_users(ref to list of user names, flags) # # Verifies that each username is either a valid glob, such # as * or !*, or is an existing user. flags is unused. # Also validates that there are no duplicates. # sub projent_validate_users { my ($users, $flags) = @_; my @err; my $ret = 0; my $user; my $username; foreach $user (@$users) { if ($user eq '*' || $user eq '!*') { next; } $username = $user; $username =~ s/^!//; if (!defined(getpwnam($username))) { $ret = 1; push(@err, [6, gettext('User "%s" does not exist'), $username]); } } my %seen; my @dups = grep($seen{$_}++ == 1, @$users); if (@dups) { $ret = 1; push(@err, [3, gettext('Duplicate user names "%s"'), join(',', @dups)]); } return ($ret, \@err) } # # projent_validate_groups(ref to list of group names, flags) # # Verifies that each groupname is either a valid glob, such # as * or !*, or is an existing group. flags is unused. # Also validates that there are no duplicates. # sub projent_validate_groups { my ($groups, $flags) = @_; my @err; my $ret = 0; my $group; my $groupname; foreach $group (@$groups) { if ($group eq '*' || $group eq '!*') { next; } $groupname = $group; $groupname =~ s/^!//; if (!defined(getgrnam($groupname))) { $ret = 1; push(@err, [6, gettext('Group "%s" does not exist'), $groupname]); } } my %seen; my @dups = grep($seen{$_}++ == 1, @$groups); if (@dups) { $ret = 1; push(@err, [3, gettext('Duplicate group names "%s"'), join(',', @dups)]); } return ($ret, \@err) } # # projent_validate_attribute(attribute hash ref, flags) # # Verifies that if the attribute's name is a known attribute or # resource control, that it contains a valid value. # flags is unused. # sub projent_validate_attribute { my ($attribute, $flags) = @_; my $name = $attribute->{'name'}; my $values = $attribute->{'values'}; my $value; my @errs; my $ret = 0; my $result; my $ref; if (defined($values)) { $value = $values->[0]; } if ($name eq 'task.final') { if (defined($values)) { $ret = 1; push(@errs, [3, gettext( 'task.final should not have value')]); } # Need to rcap.max-rss needs to be a number } elsif ($name eq 'rcap.max-rss') { if (!defined($values)) { $ret = 1; push(@errs, [3, gettext( 'rcap.max-rss missing value')]); } elsif (scalar(@$values) != 1) { $ret = 1; push(@errs, [3, gettext( 'rcap.max-rss should have single value')]); } if (!defined($value) || ref($value)) { $ret = 1; push(@errs, [3, gettext( 'rcap.max-rss has invalid value "%s"'), projent_values2string($values)]);; } elsif ($value !~ /^\d+$/) { $ret = 1; push(@errs, [3, gettext( 'rcap.max-rss is not an integer value: "%s"'), projent_values2string($values)]);; } elsif ($value > $MaxNum) { $ret = 1; push(@errs, [3, gettext( 'rcap.max-rss too large')]); } } elsif ($name eq 'project.pool') { if (!defined($values)) { $ret = 1; push(@errs, [3, gettext( 'project.pool missing value')]); } elsif (scalar(@$values) != 1) { $ret = 1; push(@errs, [3, gettext( 'project.pool should have single value')]); } elsif (!defined($value) || ref($value)) { $ret = 1; push(@errs, [3, gettext( 'project.pool has invalid value "%s'), projent_values2string($values)]);; } elsif (!($value =~ /^[[:alpha:]][[:alnum:]_.-]*$/)) { $ret = 1; push(@errs, [3, gettext( 'project.pool: invalid pool name "%s"'), $value]); # Pool must exist. } elsif (pool_exists($value) != 0) { $ret = 1; push(@errs, [6, gettext( 'project.pool: pools not enabled or pool does '. 'not exist: "%s"'), $value]); } } else { my $rctlmax; my $rctlflags; my $rules; # # See if rctl rules exist for this attribute. If so, it # is an rctl and is checked for valid values. # # check hashed cache of rctl rules. $rules = $RctlRules{$name}; if (!defined($rules)) { # # See if this is an resource control name, if so # cache rules. # ($rctlmax, $rctlflags) = rctl_get_info($name); if (defined($rctlmax)) { $rules = proj_getrctlrules( $rctlmax, $rctlflags); if (defined($rules)) { $RctlRules{$name} = $rules; } else { $RctlRules{$name} = "NOT AN RCTL"; } } } # If rules are defined, this is a resource control. if (defined($rules) && ref($rules)) { ($result, $ref) = projent_validate_rctl($attribute, $flags); if ($result != 0) { $ret = 1; push(@errs, @$ref); } } } return ($ret, \@errs); } # # projent_validate_attributes(ref to attribute list, flags) # # Validates all attributes in list of attribute references using # projent_validate_attribute. flags is unused. # flags is unused. # sub projent_validate_attributes { my ($attributes, $flags) = @_; my @err; my $ret = 0; my $result = 0; my $ref; my $attribute; foreach $attribute (@$attributes) { ($ret, $ref) = projent_validate_attribute($attribute, $flags); if ($ret != 0) { $result = $ret; push(@err, @$ref); } } my %seen; my @dups = grep($seen{$_}++ == 1, map { $_->{'name'} } @$attributes); if (@dups) { $result = 1; push(@err, [3, gettext('Duplicate attributes "%s"'), join(',', @dups)]); } return ($result, \@err); } # # projent_getrctlrules(max value, global flags) # # given an rctls max value and global flags, returns a ref to a hash # of rctl rules that is used by projent_validate_rctl to validate an # rctl's values. # sub proj_getrctlrules { my ($max, $flags) = @_; my $signals; my $rctl; $rctl = {}; $signals = [ qw(ABRT XRES HUP STOP TERM KILL), $SigNo{'ABRT'}, $SigNo{'XRES'}, $SigNo{'HUP'}, $SigNo{'STOP'}, $SigNo{'TERM'}, $SigNo{'KILL'} ]; $rctl->{'max'} = $max; if ($flags & &RCTL_GLOBAL_BYTES) { $rctl->{'type'} = 'bytes'; } elsif ($flags & &RCTL_GLOBAL_SECONDS) { $rctl->{'type'} = 'seconds'; } elsif ($flags & &RCTL_GLOBAL_COUNT) { $rctl->{'type'} = 'count'; } else { $rctl->{'type'} = 'unknown'; } if ($flags & &RCTL_GLOBAL_NOBASIC) { $rctl->{'privs'} = ['privileged', 'priv']; } else { $rctl->{'privs'} = ['basic', 'privileged', 'priv']; } if ($flags & &RCTL_GLOBAL_DENY_ALWAYS) { $rctl->{'actions'} = ['deny']; } elsif ($flags & &RCTL_GLOBAL_DENY_NEVER) { $rctl->{'actions'} = ['none']; } else { $rctl->{'actions'} = ['none', 'deny']; } if ($flags & &RCTL_GLOBAL_SIGNAL_NEVER) { $rctl->{'signals'} = []; } else { push(@{$rctl->{'actions'}}, 'sig'); if ($flags & &RCTL_GLOBAL_CPU_TIME) { push(@$signals, 'XCPU', '30'); } if ($flags & &RCTL_GLOBAL_FILE_SIZE) { push(@$signals, 'XFSZ', '31'); } $rctl->{'signals'} = $signals; } return ($rctl); } # # projent_val2num(scaled value, "seconds" | "count" | "bytes") # # converts an integer or scaled value to an integer value. # returns (integer value, modifier character, unit character. # # On failure, integer value is undefined. If the original # scaled value is a plain integer, modifier character and # unit character will be undefined. # sub projent_val2num { my ($val, $type) = @_; my %scaleM = ( k => 1000, m => 1000000, g => 1000000000, t => 1000000000000, p => 1000000000000000, e => 1000000000000000000); my %scaleB = ( k => 1024, m => 1048576, g => 1073741824, t => 1099511627776, p => 1125899906842624, e => 1152921504606846976); my $scale; my $base; my ($num, $modifier, $unit); my $mul; my $string; my $i; my $undefined; my $exp_unit; ($num, $modifier, $unit) = $val =~ /^(\d+(?:\.\d+)?)(?i:([kmgtpe])?([bs])?)$/; # No numeric match. if (!defined($num)) { return ($undefined, $undefined, $undefined); } # Decimal number with no scaling modifier. if (!defined($modifier) && $num =~ /^\d+\.\d+/) { return ($undefined, $undefined, $undefined); } if ($type eq 'bytes') { $exp_unit = 'b'; $scale = \%scaleB; } elsif ($type eq 'seconds') { $exp_unit = 's'; $scale = \%scaleM; } else { $scale = \%scaleM; } if (defined($unit)) { $unit = lc($unit); } # So not succeed if unit is incorrect. if (!defined($exp_unit) && defined($unit)) { return ($undefined, $modifier, $unit); } if (defined($unit) && $unit ne $exp_unit) { return ($undefined, $modifier, $unit); } if (defined($modifier)) { $modifier = lc($modifier); $mul = $scale->{$modifier}; $num = $num * $mul; } # check for integer overflow. if ($num > $MaxNum) { return ("OVERFLOW", $modifier, $unit); } # # Trim numbers that are decimal equivalent to the maximum value # to the maximum integer value. # if ($num == $MaxNum) { $num = $MaxNum;; } elsif ($num < $MaxNum) { # convert any decimal numbers to an integer $num = int($num); } return ($num, $modifier, $unit); } # # projent_validate_rctl(ref to rctl attribute hash, flags) # # verifies that the given rctl hash with keys "name" and # "values" contains valid values for the given name. # flags is unused. # sub projent_validate_rctl { my ($rctl, $flags) = @_; my $allrules; my $rules; my $name; my $values; my $value; my $valuestring; my $ret = 0; my @err; my $priv; my $val; my @actions; my $action; my $signal; my $sigstring; # Full signal string on right hand of signal=SIGXXX. my $signame; # Signal number or XXX part of SIGXXX. my $siglist; my $nonecount; my $denycount; my $sigcount; $name = $rctl->{'name'}; $values = $rctl->{'values'}; # # Get the default rules for all rctls, and the specific rules for # this rctl. # $allrules = $RctlRules{'__DEFAULT__'}; $rules = $RctlRules{$name}; if (!defined($rules) || !ref($rules)) { $rules = $allrules; } # Allow for no rctl values on rctl. if (!defined($values)) { return (0, \@err); } # If values exist, make sure it is a list. if (!ref($values)) { push(@err, [3, gettext( 'rctl "%s" missing value'), $name]); return (1, \@err); } foreach $value (@$values) { # Each value should be a list. if (!ref($value)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" value "%s" should be in ()\'s'), $name, $value]); next; } ($priv, $val, @actions) = @$value; if (!@actions) { $ret = 1; $valuestring = projent_values2string([$value]); push(@err, [3, gettext( 'rctl "%s" value missing action "%s"'), $name, $valuestring]); } if (!defined($priv)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" value missing privilege "%s"'), $name, $valuestring]); } elsif (ref($priv)) { $ret = 1; $valuestring = projent_values2string([$priv]); push(@err, [3, gettext( 'rctl "%s" invalid privilege "%s"'), $name, $valuestring]); } else { if (!(grep /^$priv$/, @{$allrules->{'privs'}})) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" unknown privilege "%s"'), $name, $priv]); } elsif (!(grep /^$priv$/, @{$rules->{'privs'}})) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" privilege not allowed '. '"%s"'), $name, $priv]); } } if (!defined($val)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" missing value'), $name]); } elsif (ref($val)) { $ret = 1; $valuestring = projent_values2string([$val]); push(@err, [3, gettext( 'rctl "%s" invalid value "%s"'), $name, $valuestring]); } else { if ($val !~ /^\d+$/) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" value "%s" is not '. 'an integer'), $name, $val]); } elsif ($val > $rules->{'max'}) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" value "%s" exceeds '. 'system limit'), $name, $val]); } } $nonecount = 0; $denycount = 0; $sigcount = 0; foreach $action (@actions) { if (ref($action)) { $ret = 1; $valuestring = projent_values2string([$action]); push(@err, [3, gettext( 'rctl "%s" invalid action "%s"'), $name, $valuestring]); next; } if ($action =~ /^sig(nal)?(=.*)?$/) { $signal = $action; $action = 'sig'; } if (!(grep /^$action$/, @{$allrules->{'actions'}})) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" unknown action "%s"'), $name, $action]); next; } elsif (!(grep /^$action$/, @{$rules->{'actions'}})) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" action not allowed "%s"'), $name, $action]); next; } if ($action eq 'none') { if ($nonecount >= 1) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" duplicate action '. 'none'), $name]); } $nonecount++; next; } if ($action eq 'deny') { if ($denycount >= 1) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" duplicate action '. 'deny'), $name]); } $denycount++; next; } # action must be signal if ($sigcount >= 1) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" duplicate action sig'), $name]); } $sigcount++; # # Make sure signal is correct format, one of: # sig=## # signal=## # sig=SIGXXX # signal=SIGXXX # sig=XXX # signal=SIGXXX # ($sigstring) = $signal =~ /^ (?:signal|sig)= (\d+| (?:SIG)?[[:upper:]]+(?:[+-][123])? ) $/x; if (!defined($sigstring)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" invalid signal "%s"'), $name, $signal]); next; } $signame = $sigstring; $signame =~ s/SIG//; # Make sure specific signal is allowed. $siglist = $allrules->{'signals'}; if (!(grep /^$signame$/, @$siglist)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" invalid signal "%s"'), $name, $signal]); next; } $siglist = $rules->{'signals'}; if (!(grep /^$signame$/, @$siglist)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" signal not allowed "%s"'), $name, $signal]); next; } } if ($nonecount && ($denycount || $sigcount)) { $ret = 1; push(@err, [3, gettext( 'rctl "%s" action "none" specified with '. 'other actions'), $name]); } } if (@err) { return ($ret, \@err); } else { return ($ret, \@err); } } 1;