| |
@@ -1,149 +0,0 @@
|
| |
- changeset 12288:1064b906ca68
|
| |
-
|
| |
- Ignore a failure to restore the RLIMIT_CORE resource limit.
|
| |
- Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
|
| |
- if we set the limit to zero, even for root. This is not a problem
|
| |
- outside the container.
|
| |
- author Todd C. Miller <Todd.Miller@sudo.ws>
|
| |
- date Sat, 14 Mar 2020 11:13:55 -0600
|
| |
- parents 72ca06a294b4
|
| |
- children 40629e6fd692
|
| |
- files src/limits.c
|
| |
- diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]
|
| |
- line wrap: on
|
| |
- line diff
|
| |
-
|
| |
- --- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600
|
| |
- +++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600
|
| |
- @@ -114,13 +114,21 @@
|
| |
-
|
| |
- if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
|
| |
- sudo_warn("getrlimit(RLIMIT_CORE)");
|
| |
- + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
|
| |
- + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
|
| |
- if (setrlimit(RLIMIT_CORE, &rl) == -1)
|
| |
- sudo_warn("setrlimit(RLIMIT_CORE)");
|
| |
- #ifdef __linux__
|
| |
- /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
|
| |
- - if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
|
| |
- + if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
|
| |
- dumpflag = 0;
|
| |
- - (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
|
| |
- + }
|
| |
- + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
|
| |
- + }
|
| |
- #endif /* __linux__ */
|
| |
- coredump_disabled = true;
|
| |
-
|
| |
- @@ -136,10 +144,20 @@
|
| |
- debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
|
| |
-
|
| |
- if (coredump_disabled) {
|
| |
- - if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
|
| |
- - sudo_warn("setrlimit(RLIMIT_CORE)");
|
| |
- + /*
|
| |
- + * Linux containers don't allow RLIMIT_CORE to be set back to
|
| |
- + * RLIM_INFINITY if we set the limit to zero, even for root.
|
| |
- + */
|
| |
- + if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(RLIMIT_CORE, [%lld, %lld])",
|
| |
- + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
|
| |
- + }
|
| |
- #ifdef __linux__
|
| |
- - (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
|
| |
- + if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
|
| |
- + }
|
| |
- #endif /* __linux__ */
|
| |
- }
|
| |
- debug_return;
|
| |
- @@ -162,8 +180,14 @@
|
| |
-
|
| |
- if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
|
| |
- sudo_warn("getrlimit(RLIMIT_NPROC)");
|
| |
- + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
|
| |
- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
|
| |
- if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
|
| |
- rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
|
| |
- + sudo_debug_printf(SUDO_DEBUG_INFO,
|
| |
- + "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
|
| |
- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
|
| |
- + (long long)rl.rlim_cur, (long long)rl.rlim_max);
|
| |
- if (setrlimit(RLIMIT_NPROC, &rl) != 0)
|
| |
- sudo_warn("setrlimit(RLIMIT_NPROC)");
|
| |
- }
|
| |
- @@ -180,8 +204,11 @@
|
| |
- #ifdef __linux__
|
| |
- debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
|
| |
-
|
| |
- - if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
|
| |
- - sudo_warn("setrlimit(RLIMIT_NPROC)");
|
| |
- + if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
|
| |
- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
|
| |
- + }
|
| |
-
|
| |
- debug_return;
|
| |
- #endif /* __linux__ */
|
| |
- @@ -203,6 +230,11 @@
|
| |
- struct saved_limit *lim = &saved_limits[idx];
|
| |
- if (getrlimit(lim->resource, &lim->oldlimit) == -1)
|
| |
- continue;
|
| |
- + sudo_debug_printf(SUDO_DEBUG_INFO,
|
| |
- + "getrlimit(lim->name) -> [%lld, %lld]",
|
| |
- + (long long)lim->oldlimit.rlim_cur,
|
| |
- + (long long)lim->oldlimit.rlim_max);
|
| |
- +
|
| |
- lim->saved = true;
|
| |
- if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
|
| |
- /* Don't reduce the soft resource limit. */
|
| |
- @@ -217,13 +249,28 @@
|
| |
- lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
|
| |
- }
|
| |
- if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
|
| |
- - if (lim->fallback != NULL)
|
| |
- - rc = setrlimit(lim->resource, lim->fallback);
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(%s, [%lld, %lld])", lim->name,
|
| |
- + (long long)lim->newlimit.rlim_cur,
|
| |
- + (long long)lim->newlimit.rlim_max);
|
| |
- + if (lim->fallback != NULL) {
|
| |
- + if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(%s, [%lld, %lld])", lim->name,
|
| |
- + (long long)lim->fallback->rlim_cur,
|
| |
- + (long long)lim->fallback->rlim_max);
|
| |
- + }
|
| |
- + }
|
| |
- if (rc == -1) {
|
| |
- /* Try setting new rlim_cur to old rlim_max. */
|
| |
- lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
|
| |
- lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
|
| |
- - rc = setrlimit(lim->resource, &lim->newlimit);
|
| |
- + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(%s, [%lld, %lld])", lim->name,
|
| |
- + (long long)lim->newlimit.rlim_cur,
|
| |
- + (long long)lim->newlimit.rlim_max);
|
| |
- + }
|
| |
- }
|
| |
- if (rc == -1)
|
| |
- sudo_warn("setrlimit(%s)", lim->name);
|
| |
- @@ -254,6 +301,10 @@
|
| |
- if (rc != -1 || errno != EINVAL)
|
| |
- break;
|
| |
-
|
| |
- + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
| |
- + "setrlimit(%s, [%lld, %lld])", lim->name,
|
| |
- + (long long)rl.rlim_cur, (long long)rl.rlim_max);
|
| |
- +
|
| |
- /*
|
| |
- * Soft limit could be lower than current resource usage.
|
| |
- * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.
|
| |
Resolves: rhbz#1848788
- fix rpmlint warnings
Resolves: rhbz#1817139