On 11/01/2016 16:18, Janosch Frank wrote:
> Setting the hard limit as an unprivileged user either returns an error
> when it is higher than the current one or irreversibly sets it lower.
>
> Therefore we leave the hardlimit untouched as long as we don't need to
> raise it as this needs CAP_SYS_RESOURCE.
>
> This gives admins the possibility to run the script as an unprivileged
> user to increase security.
debugfs is usually privileged---but anyway, why not. Paolo > Signed-off-by: Janosch Frank <fran...@linux.vnet.ibm.com> > --- > scripts/kvm/kvm_stat | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat > index e71fbef..bab831d 100755 > --- a/scripts/kvm/kvm_stat > +++ b/scripts/kvm/kvm_stat > @@ -434,11 +434,19 @@ class TracepointProvider(object): > > # The constant is needed as a buffer for python libs, std > # streams and other files that the script opens. > - rlimit = len(cpus) * len(self._fields) + 50 > + newlim = len(cpus) * len(self._fields) + 50 > try: > - resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit)) > + softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE) > + > + if hardlim < newlim: > + # Now we need CAP_SYS_RESOURCE, to increase the hard limit. > + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim)) > + else: > + # Raising the soft limit is sufficient. > + resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim)) > + > except ValueError: > - sys.exit("NOFILE rlimit could not be raised to > {0}".format(rlimit)) > + sys.exit("NOFILE rlimit could not be raised to > {0}".format(newlim)) > > for cpu in cpus: > group = Group() >
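Review bot: In the new `if hardlim < newlim:` / `else:` block, `softlim_` is read from `getrlimit` but never used, so the `else` branch sets the soft limit to `newlim` even when the current soft limit is already higher, which lowers it. Consider skipping `setrlimit` entirely when the soft limit already covers `newlim`, and only otherwise calling `resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))`. The comparison also does not account for an unlimited hard limit: if `getrlimit` returns `resource.RLIM_INFINITY` for `hardlim` and that value compares lower than `newlim` (it is -1 in CPython on Linux), the first branch runs and replaces the unlimited hard limit with `newlim`, which is the irreversible lowering the commit message sets out to avoid. An explicit `hardlim != resource.RLIM_INFINITY` check in the condition would cover that case. A short comment on why the hard limit is preserved in the `else` branch would also help the next reader, since the rationale currently lives only in the commit message.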