Re: [Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for u
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users
Date: Wed, 20 Jan 2016 12:03:16 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
On 11/01/2016 16:18, Janosch Frank wrote:
> Setting the hard limit as an unprivileged user either returns an error
> when it is higher than the current one or irreversibly sets it lower.
>
> Therefore we leave the hardlimit untouched as long as we don't need to
> raise it as this needs CAP_SYS_RESOURCE.
>
> This gives admins the possibility to run the script as an unprivileged
> user to increase security.
debugfs is usually privileged---but anyway, why not.
Paolo
> Signed-off-by: Janosch Frank <address@hidden>
> ---
> scripts/kvm/kvm_stat | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
> index e71fbef..bab831d 100755
> --- a/scripts/kvm/kvm_stat
> +++ b/scripts/kvm/kvm_stat
> @@ -434,11 +434,19 @@ class TracepointProvider(object):
>
> # The constant is needed as a buffer for python libs, std
> # streams and other files that the script opens.
> - rlimit = len(cpus) * len(self._fields) + 50
> + newlim = len(cpus) * len(self._fields) + 50
> try:
> - resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit))
> + softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE)
> +
> + if hardlim < newlim:
> + # Now we need CAP_SYS_RESOURCE, to increase the hard limit.
> + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim))
> + else:
> + # Raising the soft limit is sufficient.
> + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))
> +
> except ValueError:
> - sys.exit("NOFILE rlimit could not be raised to
> {0}".format(rlimit))
> + sys.exit("NOFILE rlimit could not be raised to
> {0}".format(newlim))
>
> for cpu in cpus:
> group = Group()
>
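Review bot: In the else branch, setrlimit(RLIMIT_NOFILE, (newlim, hardlim)) runs unconditionally, so when the current soft limit is already above newlim the call lowers it rather than raising it, and softlim_ is fetched by getrlimit but never used. Consider skipping the call when the soft limit is already at least newlim, which also gives the variable a purpose and lets the trailing underscore go. In the hardlim < newlim branch, an unprivileged run fails because CAP_SYS_RESOURCE is missing, as the added comment says; the sys.exit message could state that the hard limit is too low and the capability is required, so an admin who runs the script unprivileged knows what to change.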