Re: setrlimit failure on aarch64 (was: Interesting failure on aarch64)
Werner Koch via Gnupg-users wrote:
> On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said:
>
>> On x86_64 this succeeds, but when I tried building on aarch64, that step
> [...]
>> gpg: Fatal: can't disable core dumps: Operation not permitted
>
> setrlimit returns an unexpected error code:
>
> if (getrlimit (RLIMIT_CORE, ))
> limit.rlim_max = 0;
> limit.rlim_cur = 0;
> if( !setrlimit (RLIMIT_CORE, ) )
> return 0;
> if( errno != EINVAL && errno != ENOSYS )
> log_fatal (_("can't disable core dumps: %s\n"), strerror(errno) );
>
> This is the first time I see a report that EPERM is returned.
The getrlimit call also fails, according to strace:
getrlimit(RLIMIT_CORE, 0xeb2acf88) = -1 EPERM (Operation not permitted)
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = -1 EPERM (Operation not
permitted)
I don't have access to an aarch64 host running RHEL 7
directly, so my only testing is via the mock command from an
aarch74 Fedora 31 host.
Mock can use two styles of container, an old-style chroot or
new-style systemd-nspawn. Using chroot succeeds, while
systemd-nspawn fails.
I tested with CAP_SYS_RESOURCE added to the capability list
in the systemd-nspawn call, without success. From my
reading, that should work (thought shouldn't be needed as
we're not trying to raise the limit).
So it seems like a bug either in systemd-nspawn or a lower
level component like glibc or the kernel with RHEL 7 on
aarch64, as you suggested.
--
Todd
signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
setrlimit failure on aarch64 (was: Interesting failure on aarch64)
On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said:
> On x86_64 this succeeds, but when I tried building on aarch64, that step
[...]
> gpg: Fatal: can't disable core dumps: Operation not permitted
setrlimit returns an unexpected error code:
if (getrlimit (RLIMIT_CORE, ))
limit.rlim_max = 0;
limit.rlim_cur = 0;
if( !setrlimit (RLIMIT_CORE, ) )
return 0;
if( errno != EINVAL && errno != ENOSYS )
log_fatal (_("can't disable core dumps: %s\n"), strerror(errno) );
This is the first time I see a report that EPERM is returned. Disabling
core dumps is an easy and not to invasive security feature. The man gae
for setrlimit mentions this:
EPERM An unprivileged process tried to raise the hard limit; the
CAP_SYS_RESOURCE capability is required to do this.
EPERM The caller tried to increase the hard RLIMIT_NOFILE
limit above the maximum defined by
/proc/sys/fs/nr_open (see proc(5))
We are not increasing the limit so we should not see this error. For
the linux specific prlimit, which we do not use, there is an additional
erro code reason:
EPERM (prlimit()) The calling process did not have permission to
set limits for the process specified by pid.
Next step would be look into glibc and then into aarch64 kernel specific
implementation details of setrlimit.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
