Re: [PATCH] c/r: [signal 2/3] checkpoint/restart of rlimit

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Oren Laadan <orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: [PATCH] c/r: [signal 2/3] checkpoint/restart of rlimit
Date: Fri, 24 Jul 2009 09:22:35 -0500	[thread overview]
Message-ID: <20090724142235.GB6910@us.ibm.com> (raw)
In-Reply-To: <4A6910E5.4010605-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>

Quoting Oren Laadan (orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org):
> 
> 
> Serge E. Hallyn wrote:
> > Quoting Oren Laadan (orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org):
> >> This patch adds checkpoint and restart of rlimit information
> >> that is part of shared signal_struct.
> > 
> > ...
> > 
> >>  static int restore_signal(struct ckpt_ctx *ctx)
> >>  {
> >>  	struct ckpt_hdr_signal *h;
> >> +	struct rlimit rlim;
> >> +	int i, ret;
> >>
> >>  	h = ckpt_read_obj_type(ctx, sizeof(*h), CKPT_HDR_SIGNAL);
> >>  	if (IS_ERR(h))
> >>  		return PTR_ERR(h);
> >>
> >> -	/* fill in later */
> >> -
> >> +	/* rlimit */
> >> +	for (i = 0; i < RLIM_NLIMITS; i++) {
> >> +		rlim.rlim_cur = h->rlim[i].rlim_cur;
> >> +		rlim.rlim_max = h->rlim[i].rlim_max;
> >> +		ret = do_setrlimit(i, &rlim);
> > 
> > ...
> >> +int do_setrlimit(unsigned int resource, struct rlimit *new_rlim)
> >>  {
> >> -	struct rlimit new_rlim, *old_rlim;
> >> +	struct rlimit *old_rlim;
> >>  	int retval;
> >>
> >> -	if (resource >= RLIM_NLIMITS)
> >> -		return -EINVAL;
> >> -	if (copy_from_user(&new_rlim, rlim, sizeof(*rlim)))
> >> -		return -EFAULT;
> >> -	if (new_rlim.rlim_cur > new_rlim.rlim_max)
> >> -		return -EINVAL;
> >>  	old_rlim = current->signal->rlim + resource;
> >> -	if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
> >> +	if ((new_rlim->rlim_max > old_rlim->rlim_max) &&
> >>  	    !capable(CAP_SYS_RESOURCE))
> >>  		return -EPERM;
> >> -	if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > sysctl_nr_open)
> >> +	if (resource == RLIMIT_NOFILE && new_rlim->rlim_max > sysctl_nr_open)
> >>  		return -EPERM;
> >>
> >> -	retval = security_task_setrlimit(resource, &new_rlim);
> >> +	retval = security_task_setrlimit(resource, new_rlim);
> >>  	if (retval)
> >>  		return retval;
> >>
> >> -	if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
> >> +	if (resource == RLIMIT_CPU && new_rlim->rlim_cur == 0) {
> >>  		/*
> >>  		 * The caller is asking for an immediate RLIMIT_CPU
> >>  		 * expiry.  But we use the zero value to mean "it was
> >>  		 * never set".  So let's cheat and make it one second
> >>  		 * instead
> >>  		 */
> >> -		new_rlim.rlim_cur = 1;
> >> +		new_rlim->rlim_cur = 1;
> >>  	}
> >>
> >>  	task_lock(current->group_leader);
> >> -	*old_rlim = new_rlim;
> >> +	*old_rlim = *new_rlim;
> >>  	task_unlock(current->group_leader);
> >>
> >>  	if (resource != RLIMIT_CPU)
> >> @@ -1189,14 +1183,27 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
> >>  	 * very long-standing error, and fixing it now risks breakage of
> >>  	 * applications, so we live with it
> >>  	 */
> >> -	if (new_rlim.rlim_cur == RLIM_INFINITY)
> >> +	if (new_rlim->rlim_cur == RLIM_INFINITY)
> >>  		goto out;
> >>
> >> -	update_rlimit_cpu(new_rlim.rlim_cur);
> >> +	update_rlimit_cpu(new_rlim->rlim_cur);
> >>  out:
> >>  	return 0;
> >>  }
> >>
> >> +SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
> >> +{
> >> +	struct rlimit new_rlim;
> >> +
> >> +	if (resource >= RLIM_NLIMITS)
> >> +		return -EINVAL;
> >> +	if (copy_from_user(&new_rlim, rlim, sizeof(*rlim)))
> >> +		return -EFAULT;
> >> +	if (new_rlim.rlim_cur > new_rlim.rlim_max)
> >> +		return -EINVAL;
> > 
> > Should the above check go into do_setrlimit()?  No sense trusting
> > the data sent to sys_checkpoint() any more than the data sent to
> > sys_setrlimit().
> 
> You are very correct.
> 
> I wonder though: moving the first check will change the order of
> input sanitizing, which will change the syscall behavior on bad
> input. E.g, setrlimit(4096, NULL) used to return EINVAL but now
> will return EFAULT.
> 
> Not that I really care that much, but I've seen a similar case
> that confused LTP scripts into seeing the "wrong" error from a
> syscall and failing a test.

Heh, I could be wrong, but when you mess up 2 ways, I don't think the kernel
needs to guarantee which one you'll be warned about :)  Of course there are
cases where that is well-defined (i.e. DAC-before-MAC).  Maybe we should ask at
linux-api?

Putting the same check before both callers of do_setrlimit() isn't *that*
bad, and I suppose we can put a comment above do_setrlimit() saying that
that any new callers need to do that check themselves...

-serge

next prev parent reply	other threads:[~2009-07-24 14:22 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-07-23 14:48 [PATCH] c/r: [signal 1/3] blocked and template for shared signals Oren Laadan
     [not found] ` <1248360514-20710-1-git-send-email-orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-23 14:48   ` [PATCH] c/r: [signal 2/3] checkpoint/restart of rlimit Oren Laadan
     [not found]     ` <1248360514-20710-2-git-send-email-orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-23 22:28       ` Serge E. Hallyn
     [not found]         ` <20090723222825.GA23596-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-24  1:39           ` Oren Laadan
     [not found]             ` <4A6910E5.4010605-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-24 14:22               ` Serge E. Hallyn [this message]
     [not found]                 ` <20090724142235.GB6910-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-24 17:11                   ` Oren Laadan
2009-07-24 20:04               ` Matt Helsley
2009-07-23 14:48   ` [PATCH] c/r: [signal 3/3] pending signals (private, shared) Oren Laadan
     [not found]     ` <1248360514-20710-3-git-send-email-orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-24 12:36       ` Louis Rilling
     [not found]         ` <20090724123629.GH11101-Hu8+6S1rdjywhHL9vcZdMVaTQe2KTcn/@public.gmane.org>
2009-07-24 12:59           ` Oren Laadan
2009-07-24 13:13       ` Louis Rilling

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090724142235.GB6910@us.ibm.com \
    --to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=orenl-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.