[Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Janosch Frank <frankja@linux.vnet.ibm.com>
To: pbonzini@redhat.com
Cc: frankja@linux.vnet.ibm.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users
Date: Mon, 11 Jan 2016 16:18:01 +0100	[thread overview]
Message-ID: <1452525484-32309-32-git-send-email-frankja@linux.vnet.ibm.com> (raw)
In-Reply-To: <1452525484-32309-1-git-send-email-frankja@linux.vnet.ibm.com>

Setting the hard limit as a unprivileged user either returns an error
when it is higher than the current one or irreversibly sets it lower.

Therefore we leave the hardlimit untouched as long as we don't need to
raise it as this needs CAP_SYS_RESOURCE.

This gives admins the possibility to run the script as an unprivileged
user to increase security.

Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
---
 scripts/kvm/kvm_stat | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
index e71fbef..bab831d 100755
--- a/scripts/kvm/kvm_stat
+++ b/scripts/kvm/kvm_stat
@@ -434,11 +434,19 @@ class TracepointProvider(object):
 
         # The constant is needed as a buffer for python libs, std
         # streams and other files that the script opens.
-        rlimit = len(cpus) * len(self._fields) + 50
+        newlim = len(cpus) * len(self._fields) + 50
         try:
-            resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit))
+            softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE)
+
+            if hardlim < newlim:
+                # Now we need CAP_SYS_RESOURCE, to increase the hard limit.
+                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim))
+            else:
+                # Raising the soft limit is sufficient.
+                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))
+
         except ValueError:
-            sys.exit("NOFILE rlimit could not be raised to {0}".format(rlimit))
+            sys.exit("NOFILE rlimit could not be raised to {0}".format(newlim))
 
         for cpu in cpus:
             group = Group()
-- 
2.3.0

next prev parent reply	other threads:[~2016-01-11 15:19 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-11 15:17 [Qemu-devel] [PATCH v2 00/34] kvm_stat: Cleanup and fixup Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 01/34] scripts/kvm/kvm_stat: Cleanup of multiple imports Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 02/34] scripts/kvm/kvm_stat: Replaced os.listdir with os.walk Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 03/34] scripts/kvm/kvm_stat: Make constants uppercase Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 04/34] scripts/kvm/kvm_stat: Removed unneeded PERF constants Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 05/34] scripts/kvm/kvm_stat: Mark globals in functions Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 06/34] scripts/kvm/kvm_stat: Invert dictionaries Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 07/34] scripts/kvm/kvm_stat: Cleanup of path variables Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 08/34] scripts/kvm/kvm_stat: Improve debugfs access checking Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 09/34] scripts/kvm/kvm_stat: Introduce main function Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 10/34] scripts/kvm/kvm_stat: Fix spaces around keyword assignments Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 11/34] scripts/kvm/kvm_stat: Rename variables that redefine globals Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 12/34] scripts/kvm/kvm_stat: Moved DebugfsProvider Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 13/34] scripts/kvm/kvm_stat: Fixup syscall error reporting Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 14/34] scripts/kvm/kvm_stat: Set sensible no. files rlimit Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 15/34] scripts/kvm/kvm_stat: Cleanup of platform detection Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 16/34] scripts/kvm/kvm_stat: Make cpu detection a function Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 17/34] scripts/kvm/kvm_stat: Rename _perf_event_open Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 18/34] scripts/kvm/kvm_stat: Introduce properties for providers Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 19/34] scripts/kvm/kvm_stat: Cleanup of TracepointProvider Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 20/34] scripts/kvm/kvm_stat: Cleanup cpu list retrieval Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 21/34] scripts/kvm/kvm_stat: Encapsulate filters variable Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 22/34] scripts/kvm/kvm_stat: Cleanup of Stats class Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 23/34] scripts/kvm/kvm_stat: Cleanup of Groups class Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 24/34] scripts/kvm/kvm_stat: Cleanup of Event class Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 25/34] scripts/kvm/kvm_stat: Group arch specific data Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 26/34] scripts/kvm/kvm_stat: Remove unneeded X86_EXIT_REASONS Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 27/34] scripts/kvm/kvm_stat: Make tui function a class Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 28/34] scripts/kvm/kvm_stat: Fix output formatting Janosch Frank
2016-01-11 15:17 ` [Qemu-devel] [PATCH v2 29/34] scripts/kvm/kvm_stat: Cleanup and pre-init perf_event_attr Janosch Frank
2016-01-11 15:18 ` [Qemu-devel] [PATCH v2 30/34] scripts/kvm/kvm_stat: Read event values as u64 Janosch Frank
2016-01-11 15:18 ` Janosch Frank [this message]
2016-01-20 11:03   ` [Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users Paolo Bonzini
2016-01-11 15:18 ` [Qemu-devel] [PATCH v2 32/34] scripts/kvm/kvm_stat: Fixup filtering Janosch Frank
2016-01-11 15:18 ` [Qemu-devel] [PATCH v2 33/34] scripts/kvm/kvm_stat: Add interactive filtering Janosch Frank
2016-01-11 15:18 ` [Qemu-devel] [PATCH v2 34/34] scripts/kvm/kvm_stat: Add optparse description Janosch Frank
2016-01-20 11:08 ` [Qemu-devel] [PATCH v2 00/34] kvm_stat: Cleanup and fixup Paolo Bonzini

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e71fbef dfblob:bab831d )
 OR (
bs:"[Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1452525484-32309-32-git-send-email-frankja@linux.vnet.ibm.com \
    --to=frankja@linux.vnet.ibm.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).