tools/dm_depriv: Add first cut RLIMITs

author George Dunlap <george.dunlap@citrix.com>

Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)

committer George Dunlap <george.dunlap@citrix.com>

Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)
author George Dunlap <george.dunlap@citrix.com>
Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)
committer George Dunlap <george.dunlap@citrix.com>
Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)
diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md

index 65754ba6eecf17771c8a019949dfc753ba3092b7..067cf2476277d079dadc8e6d80b4810552f93966 100644 (file)
--- a/docs/designs/qemu-deprivilege.md
+++ b/docs/designs/qemu-deprivilege.md
@@ -103,12 +103,6 @@ call:
  
  [qemu-namespaces]: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg04723.html
  
-# Restrictions / improvements still to do
-
-This lists potential restrictions still to do.  It is meant to be
-listed in order of ease of implementation, with low-hanging fruit
-first.
-
  ### Basic RLIMITs
  
  '''Description''': A number of limits on the resources that a given
@@ -135,6 +129,12 @@ are specified; this does not apply to QEMU running as a Xen DM.
  
  '''Tested''': Not tested
  
+# Restrictions / improvements still to do
+
+This lists potential restrictions still to do.  It is meant to be
+listed in order of ease of implementation, with low-hanging fruit
+first.
+
  ### Further RLIMITs
  
  RLIMIT_AS limits the total amount of memory; but this includes the
diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c

index c7a345f4bb7a2217b54248ae4e3f98a8edea1fa6..921051c0e63db16653ed65c340372f72141467f1 100644 (file)
--- a/tools/libxl/libxl_linux.c
+++ b/tools/libxl/libxl_linux.c
@@ -12,11 +12,12 @@
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU Lesser General Public License for more details.
   */
- 
+
  #include "libxl_osdeps.h" /* must come before any other headers */
  
+#include <sys/resource.h>
  #include "libxl_internal.h"
- 
+
  int libxl__try_phy_backend(mode_t st_mode)
  {
      if (S_ISBLK(st_mode) || S_ISREG(st_mode)) {
@@ -307,9 +308,31 @@ int libxl__pci_topology_init(libxl__gc *gc,
      return err;
  }
  
+static struct {
+    int resource;
+    rlim_t limit;
+} rlimits[] = {
+#define RLIMIT_ENTRY(r, l) \
+    { .resource = r, .limit = l }
+    /* Big enough for log files, not big enough for a DoS */
+    RLIMIT_ENTRY(RLIMIT_FSIZE,    256*1024),
+
+    /* Shouldn't need any of these */
+    RLIMIT_ENTRY(RLIMIT_NPROC,    0),
+    RLIMIT_ENTRY(RLIMIT_CORE,     0),
+    RLIMIT_ENTRY(RLIMIT_MSGQUEUE, 0),
+    RLIMIT_ENTRY(RLIMIT_LOCKS,    0),
+    RLIMIT_ENTRY(RLIMIT_MEMLOCK,  0),
+
+    /* End-of-list marker */
+    RLIMIT_ENTRY(RLIMIT_NLIMITS,  0),
+#undef RLIMIT_ENTRY
+};
+
  int libxl__local_dm_preexec_restrict(libxl__gc *gc)
  {
      int r;
+    unsigned i;
  
      /* Unshare mount and IPC namespaces.  These are unused by QEMU. */
      r = unshare(CLONE_NEWNS | CLONE_NEWIPC);
@@ -318,6 +341,21 @@ int libxl__local_dm_preexec_restrict(libxl__gc *gc)
          return ERROR_FAIL;
      }
  
+    /* Set various "easy" rlimits */
+    for (i = 0; rlimits[i].resource != RLIMIT_NLIMITS; i++) {
+        struct rlimit rlim;
+
+        rlim.rlim_cur = rlim.rlim_max = rlimits[i].limit;
+
+        r = setrlimit(rlimits[i].resource, &rlim);
+        if (r < 0) {
+            LOGE(ERROR, "Setting rlimit %d to %llu failed\n",
+                                  rlimits[i].resource,
+                                  (unsigned long long)rlimits[i].limit);
+            return ERROR_FAIL;
+        }
+    }
+
      return 0;
  }
author	George Dunlap <george.dunlap@citrix.com>
	Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)
committer	George Dunlap <george.dunlap@citrix.com>
	Tue, 6 Nov 2018 15:41:25 +0000 (15:41 +0000)
docs/designs/qemu-deprivilege.md		patch \| blob \| blame \| history
tools/libxl/libxl_linux.c		patch \| blob \| blame \| history