common/Seccomp.cpp | 105 ++++++++++++++++++----------------------------------- 1 file changed, 37 insertions(+), 68 deletions(-)
New commits: commit b656cc160073893bc6c1d4898b9943e538e2a411 Author: Aron Budea <aron.bu...@collabora.com> Date: Tue Nov 14 18:26:33 2017 +0100 rlimits: Friendlier and more precise logging of numbers Unlimited settings were logged as huge numbers. In two cases settings were logged via LOG_SYS (and as errors) instead of LOG_INF. Change-Id: I1da493c0126ecf9d2382956ac1e60e57988696ee Reviewed-on: https://gerrit.libreoffice.org/44731 Reviewed-by: Jan Holesovsky <ke...@collabora.com> Tested-by: Jan Holesovsky <ke...@collabora.com> (cherry picked from commit f6ec965dffdab41df9fb58d58661026b5fd406f0) Reviewed-on: https://gerrit.libreoffice.org/45174 Reviewed-by: Aron Budea <aron.bu...@collabora.com> Tested-by: Aron Budea <aron.bu...@collabora.com> diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp index 09a53cdc..e49c4d5e 100644 --- a/common/Seccomp.cpp +++ b/common/Seccomp.cpp @@ -228,91 +228,60 @@ bool lockdown(Type type) namespace Rlimit { +void setRLimit(rlim_t confLim, int resource, const std::string &resourceText, const std::string &unitText) +{ + rlim_t lim = confLim; + if (lim <= 0) + lim = RLIM_INFINITY; + const std::string limTextWithUnit((lim == RLIM_INFINITY) ? "unlimited" : std::to_string(lim) + " " + unitText); + if (resource != RLIMIT_FSIZE && resource != RLIMIT_NOFILE) + { + /* FIXME Currently the RLIMIT_FSIZE handling is non-ideal, and can + * lead to crashes of the kit processes due to not handling signal + * 25 gracefully. Let's disable for now before there's a more + * concrete plan. + * Similar issues with RLIMIT_NOFILE + */ + rlimit rlim = { lim, lim }; + if (setrlimit(resource, &rlim) != 0) + LOG_SYS("Failed to set " << resourceText << " to " << limTextWithUnit << "."); + if (getrlimit(resource, &rlim) == 0) + { + const std::string setLimTextWithUnit((rlim.rlim_max == RLIM_INFINITY) ? "unlimited" : std::to_string(rlim.rlim_max) + " " + unitText); + LOG_INF(resourceText << " is " << setLimTextWithUnit << " after setting it to " << limTextWithUnit << "."); + } + else + LOG_SYS("Failed to get " << resourceText << "."); + } + else + LOG_INF("Ignored setting " << resourceText << " to " << limTextWithUnit << "."); +} + bool handleSetrlimitCommand(const std::vector<std::string>& tokens) { if (tokens.size() == 3 && tokens[0] == "setconfig") { if (tokens[1] == "limit_virt_mem_mb") { - rlim_t lim = std::stoi(tokens[2]) * 1024 * 1024; - if (lim <= 0) - lim = RLIM_INFINITY; - - rlimit rlim = { lim, lim }; - if (setrlimit(RLIMIT_AS, &rlim) != 0) - LOG_SYS("Failed to set RLIMIT_AS to " << lim << " bytes."); - - if (getrlimit(RLIMIT_AS, &rlim) == 0) - LOG_INF("RLIMIT_AS is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes."); - else - LOG_SYS("Failed to get RLIMIT_AS."); - - return true; + setRLimit(std::stoi(tokens[2]) * 1024 * 1024, RLIMIT_AS, "RLIMIT_AS", "bytes"); } else if (tokens[1] == "limit_stack_mem_kb") { - rlim_t lim = std::stoi(tokens[2]) * 1024; - if (lim <= 0) - lim = RLIM_INFINITY; - - rlimit rlim = { lim, lim }; - if (setrlimit(RLIMIT_STACK, &rlim) != 0) - LOG_SYS("Failed to set RLIMIT_STACK to " << lim << " bytes."); - - if (getrlimit(RLIMIT_STACK, &rlim) == 0) - LOG_INF("RLIMIT_STACK is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes."); - else - LOG_SYS("Failed to get RLIMIT_STACK."); - - return true; + setRLimit(std::stoi(tokens[2]) * 1024, RLIMIT_STACK, "RLIMIT_STACK", "bytes"); } else if (tokens[1] == "limit_file_size_mb") { - rlim_t lim = std::stoi(tokens[2]) * 1024 * 1024; - if (lim <= 0) - lim = RLIM_INFINITY; - - /* FIXME Currently the RLIMIT_FSIZE handling is non-ideal, and can - * lead to crashes of the kit processes due to not handling signal - * 25 gracefully. Let's disable for now before there's a more - * concrete plan. - rlimit rlim = { lim, lim }; - if (setrlimit(RLIMIT_FSIZE, &rlim) != 0) - LOG_SYS("Failed to set RLIMIT_FSIZE to " << lim << " bytes."); - - if (getrlimit(RLIMIT_FSIZE, &rlim) == 0) - LOG_INF("RLIMIT_FSIZE is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes."); - else - LOG_SYS("Failed to get RLIMIT_FSIZE."); - */ - LOG_SYS("Ignored setting RLIMIT_FSIZE to " << lim << " bytes."); - - return true; + setRLimit(std::stoi(tokens[2]) * 1024 * 1024, RLIMIT_FSIZE, "RLIMIT_FSIZE", "bytes"); } else if (tokens[1] == "limit_num_open_files") { - rlim_t lim = std::stoi(tokens[2]); - if (lim <= 0) - lim = RLIM_INFINITY; - - /* FIXME Currently the RLIMIT_ is non-ideal, and can lead to - * problems. Let's disable for now before there's a more - * concrete plan. - rlimit rlim = { lim, lim }; - if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) - LOG_SYS("Failed to set RLIMIT_NOFILE to " << lim << " files."); - - if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) - LOG_INF("RLIMIT_NOFILE is " << rlim.rlim_max << " files after setting it to " << lim << " files."); - else - LOG_SYS("Failed to get RLIMIT_NOFILE."); - */ - LOG_SYS("Ignored setting RLIMIT_NOFILE to " << lim << " files."); - - return true; + setRLimit(std::stoi(tokens[2]), RLIMIT_NOFILE, "RLIMIT_NOFILE", "files"); } - } + else + return false; + return true; + } return false; } _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits