Project classification semantics

Project classification semantics are used to classify and assign projects.

On every call to the exec(), initp(), setuid(), and setgid() subroutines, the process is reclassified using the project assignment rules to determine whether the current project assignment should be changed. If no project assignment rule is loaded, or if a rule cannot be successfully applied, then the current project identifier continues to be used.

The default project system identifier is zero (0). It is applied to the base system processes before accounting is enabled and it may be used to signify general system overhead. After it is assigned, a project is inherited from the parent process to the child process using the fork() kernel service and creatp() kernel service.

The use of the application filter varies between the initp() kernel service and the exec() subroutine. In the former, the command name of the kernel process that is being started is used to perform the classification. The command name is visible through the ps command. In the latter, classification is performed by comparing the FID (inode + device number) of the executable with the FID of the fully qualified path name that is specified by the policy. Only FIDs that can be computed at policy load time are accommodated.

If a process is classified through a rule that explicitly names an application, then that project identifier should be applied to the process and its children, because the intent is to label a block of work. This implies that subsequent exec(), setgid(), and setuid() subroutines in the process, as well as its children, do not perform project reclassification. Internally, these processes are identified with a sticky bit that indicates they were classified through a rule that explicitly named an application. The sticky bit is visible through the ps -P command.

The following is an example of the output after you run the ps -P command. The asterisk (*) preceding the dev project indicates it has a sticky bit attached to it:

UID    GID    PID    TTY    TIME    PROJECT    SUBPROJ    CMD
0      0      16922  pts/1  0:00    *dev       0          ps
0      0      19206  pts/1  0:00    *dev       0          acctras
0      0      22286  pts/1  0:00    *dev       0          ksh 

When you load a new policy file, all of the processes in the system are reclassified, except those with a sticky bit. Processes with a sticky bit cannot be changed.

When a different project identifier is assigned to a process, a process accounting record is written to the acct file, so that the use of resources by a project may be accurately reported. Whenever this occurs, the accounting statistics for the process are reset to zero.
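
The rules above, collected into a small Python model as an added example (it is not AIX code and not part of the original documentation). The rule shape (a match on uid, gid or fid paired with a project number), first-match ordering, the project numbers and the (device, inode) pairs are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass
class Proc:
    pid: int
    uid: int = 0
    gid: int = 0
    fid: tuple = (0, 0)      # (device, inode) of the running executable
    project: int = 0         # default system project identifier
    sticky: bool = False     # shown as '*' by ps -P
    cpu: int = 0             # stand-in for the accounting statistics

class Model:                 # rules: list of (match, project); match names uid, gid, fid
    def __init__(self):
        self.rules, self.acct, self.procs = [], [], [Proc(1)]

    def classify(self, p):
        if p.sticky:                          # sticky processes are never reclassified
            return
        for match, project in self.rules:     # assumption: first matching rule wins
            if all(getattr(p, k) == v for k, v in match.items()):
                if project != p.project:      # change: write record, reset statistics
                    self.acct.append((p.pid, p.project, p.cpu))
                    p.project, p.cpu = project, 0
                p.sticky = "fid" in match     # rule explicitly named an application
                return

    def fork(self, parent):                   # child inherits project and sticky bit
        self.procs.append(replace(parent, pid=len(self.procs) + 1, cpu=0))
        return self.procs[-1]

    def event(self, p, **change):             # exec: fid=, setuid: uid=, setgid: gid=
        vars(p).update(change)
        self.classify(p)

    def load_policy(self, rules):             # reclassifies every non-sticky process
        self.rules = rules
        for p in self.procs:
            self.classify(p)

def demo(app=(10, 4242)):                     # constructed (device, inode) pair
    m = Model()
    m.load_policy([({"fid": app}, 100), ({"uid": 500}, 200)])
    sh = m.fork(m.procs[0])
    m.event(sh, uid=500)                      # setuid: project 0 -> 200
    m.event(sh, fid=app)                      # exec of named app: 200 -> 100, sticky
    kid = m.fork(sh)
    m.event(kid, fid=(10, 77), uid=0)         # child exec/setuid: stays 100
    m.load_policy([({}, 300)])                # new policy: only non-sticky procs move
    return m
```

After demo(), process 1 has moved to project 300 while processes 2 and 3 remain in project 100 with the sticky bit set, and m.acct holds one record for each project change.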