From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44254) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a706n-0003I2-Fn for qemu-devel@nongnu.org; Thu, 10 Dec 2015 07:14:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1a706l-0003pX-Ff for qemu-devel@nongnu.org; Thu, 10 Dec 2015 07:14:05 -0500 Received: from e06smtp06.uk.ibm.com ([195.75.94.102]:43627) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a706l-0003ot-6m for qemu-devel@nongnu.org; Thu, 10 Dec 2015 07:14:03 -0500 Received: from localhost by e06smtp06.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 10 Dec 2015 12:14:02 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (d06relay10.portsmouth.uk.ibm.com [9.149.109.195]) by d06dlp03.portsmouth.uk.ibm.com (Postfix) with ESMTP id C0F391B08067 for ; Thu, 10 Dec 2015 12:14:29 +0000 (GMT) Received: from d06av06.portsmouth.uk.ibm.com (d06av06.portsmouth.uk.ibm.com [9.149.37.217]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id tBACE0u046727254 for ; Thu, 10 Dec 2015 12:14:00 GMT Received: from d06av06.portsmouth.uk.ibm.com (localhost [127.0.0.1]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id tBACDxdi025569 for ; Thu, 10 Dec 2015 05:13:59 -0700 From: Janosch Frank Date: Thu, 10 Dec 2015 13:13:02 +0100 Message-Id: <1449749584-23214-33-git-send-email-frankja@linux.vnet.ibm.com> In-Reply-To: <1449749584-23214-1-git-send-email-frankja@linux.vnet.ibm.com> References: <1449749584-23214-1-git-send-email-frankja@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 32/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: cornelia.huck@de.ibm.com, frankja@linux.vnet.ibm.com Setting the hard limit as a unprivileged user either returns an error when it is higher than the current one or irreversibly sets it lower. Therefore we leave the hardlimit untouched as long as we don't need to raise it as this needs CAP_SYS_RESOURCE. This gives admins the possibility to run the script as an unprivileged user to increase security. --- scripts/kvm/kvm_stat | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat index ee4cf31..616ecb4 100755 --- a/scripts/kvm/kvm_stat +++ b/scripts/kvm/kvm_stat @@ -413,11 +413,19 @@ class TracepointProvider(object): # The constant is needed as a buffer for python libs, std # streams and other files that the script opens. - rlimit = len(cpus) * len(self._fields) + 50 + newlim = len(cpus) * len(self._fields) + 50 try: - resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit)) + softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE) + + if hardlim < newlim: + # Now we need CAP_SYS_RESOURCE, to increase the hard limit. + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim)) + else: + # Raising the soft limit is sufficient. + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim)) + except ValueError: - sys.exit("NOFILE rlimit could not be raised to {0}".format(rlimit)) + sys.exit("NOFILE rlimit could not be raised to {0}".format(newlim)) for cpu in cpus: group = Group() -- 2.3.0