Re: [Qemu-devel] [PATCH v2 31/34] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users

[Paolo Bonzini]

On 11/01/2016 16:18, Janosch Frank wrote:
> Setting the hard limit as a unprivileged user either returns an error
> when it is higher than the current one or irreversibly sets it lower.
> 
> Therefore we leave the hardlimit untouched as long as we don't need to
> raise it as this needs CAP_SYS_RESOURCE.
> 
> This gives admins the possibility to run the script as an unprivileged
> user to increase security.

debugfs is usually privileged---but anyway, why not.

Paolo

> Signed-off-by: Janosch Frank <address@hidden>
> ---
>  scripts/kvm/kvm_stat | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
> index e71fbef..bab831d 100755
> --- a/scripts/kvm/kvm_stat
> +++ b/scripts/kvm/kvm_stat
> @@ -434,11 +434,19 @@ class TracepointProvider(object):
>  
>          # The constant is needed as a buffer for python libs, std
>          # streams and other files that the script opens.
> -        rlimit = len(cpus) * len(self._fields) + 50
> +        newlim = len(cpus) * len(self._fields) + 50
>          try:
> -            resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit))
> +            softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE)
> +
> +            if hardlim < newlim:
> +                # Now we need CAP_SYS_RESOURCE, to increase the hard limit.
> +                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim))
> +            else:
> +                # Raising the soft limit is sufficient.
> +                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))
> +
>          except ValueError:
> -            sys.exit("NOFILE rlimit could not be raised to 
> {0}".format(rlimit))
> +            sys.exit("NOFILE rlimit could not be raised to 
> {0}".format(newlim))
>  
>          for cpu in cpus:
>              group = Group()
>