[Xen-changelog] [xen staging] tools/dm_depriv: Add first cut RLIMITs
commit ce2f42605888f18f63ff9fe0d45dd69ae83045bb
Author: George Dunlap <george.dunlap@xxxxxxxxxx>
AuthorDate: Tue Nov 6 15:41:25 2018 +0000
Commit: George Dunlap <george.dunlap@xxxxxxxxxx>
CommitDate: Tue Nov 6 15:41:25 2018 +0000

    tools/dm_depriv: Add first cut RLIMITs

    Limit the ability of a potentially compromised QEMU to consume system
    resources.

    Key limits:
    - RLIMIT_FSIZE (file size): 256KiB
    - RLIMIT_NPROC (after uid changes to a unique uid)

    Probably unnecessary limits but why not:
    - RLIMIT_CORE: 0
    - RLIMIT_MSGQUEUE: 0
    - RLIMIT_LOCKS: 0
    - RLIMIT_MEMLOCK: 0

    NB that we do not yet set RLIMIT_AS (total virtual memory) or
    RLIMIT_NOFILES (number of open files), since these require more care
    and/or more coordination with QEMU to implement.

    Suggested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    ---
    Changes since v4:
    - Put global headers before local headers (sugg by Paul)
    - Move #undef inside the braces (sugg by Paul)

    Changes since v3:
    - Align RLIMIT_ENTRY list for easier reading
    - Fix wrong format string specifier
    - Get rid of some trailing whitespace

    Changes since v2:
    - Use a macro to define rlimit entries
    - Use RLIMIT_NLIMITS as an end-of-list marker, rather than -1
    - Various style clean-ups

    CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
---
 docs/designs/qemu-deprivilege.md | 12 ++++++------
 tools/libxl/libxl_linux.c        | 42 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md
index 65754ba6ee..067cf24762 100644
--- a/docs/designs/qemu-deprivilege.md
+++ b/docs/designs/qemu-deprivilege.md
@@ -103,12 +103,6 @@ call: [qemu-namespaces]: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg04723.html -# Restrictions / improvements still to do - -This lists potential restrictions still to do. It is meant to be -listed in order of ease of implementation, with low-hanging fruit -first. - ### Basic RLIMITs '''Description''': A number of limits on the resources that a given @@ -135,6 +129,12 @@ are specified; this does not apply to QEMU running as a Xen DM. '''Tested''': Not tested +# Restrictions / improvements still to do + +This lists potential restrictions still to do. It is meant to be +listed in order of ease of implementation, with low-hanging fruit +first. + ### Further RLIMITs RLIMIT_AS limits the total amount of memory; but this includes the diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c index c7a345f4bb..921051c0e6 100644 --- a/tools/libxl/libxl_linux.c +++ b/tools/libxl/libxl_linux.c @@ -12,11 +12,12 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. */ - + #include "libxl_osdeps.h" /* must come before any other headers */ +#include <sys/resource.h> #include "libxl_internal.h" - + int libxl__try_phy_backend(mode_t st_mode) { if (S_ISBLK(st_mode) || S_ISREG(st_mode)) { 
@@ -307,9 +308,31 @@ int libxl__pci_topology_init(libxl__gc *gc, return err; } +static struct { + int resource; + rlim_t limit; +} rlimits[] = { +#define RLIMIT_ENTRY(r, l) \ + { .resource = r, .limit = l } + /* Big enough for log files, not big enough for a DoS */ + RLIMIT_ENTRY(RLIMIT_FSIZE, 256*1024), + + /* Shouldn't need any of these */ + RLIMIT_ENTRY(RLIMIT_NPROC, 0), + RLIMIT_ENTRY(RLIMIT_CORE, 0), + RLIMIT_ENTRY(RLIMIT_MSGQUEUE, 0), + RLIMIT_ENTRY(RLIMIT_LOCKS, 0), + RLIMIT_ENTRY(RLIMIT_MEMLOCK, 0), + + /* End-of-list marker */ + RLIMIT_ENTRY(RLIMIT_NLIMITS, 0), +#undef RLIMIT_ENTRY +}; + int libxl__local_dm_preexec_restrict(libxl__gc *gc) { int r; + unsigned i; /* Unshare mount and IPC namespaces. These are unused by QEMU. */ r = unshare(CLONE_NEWNS | CLONE_NEWIPC); @@ -318,6 +341,21 @@ int libxl__local_dm_preexec_restrict(libxl__gc *gc) return ERROR_FAIL; } + /* Set various "easy" rlimits */ + for (i = 0; rlimits[i].resource != RLIMIT_NLIMITS; i++) { + struct rlimit rlim; + + rlim.rlim_cur = rlim.rlim_max = rlimits[i].limit; + + r = setrlimit(rlimits[i].resource, &rlim); + if (r < 0) { + LOGE(ERROR, "Setting rlimit %d to %llu failed\n", + rlimits[i].resource, + (unsigned long long)rlimits[i].limit); + return ERROR_FAIL; + } + } + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#staging _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
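Review bot: In the second docs hunk (@@ -135,6 +129,12 @@), the "'''Tested''': Not tested" line stays attached to the "### Basic RLIMITs" section even though that section now sits above the re-inserted "# Restrictions / improvements still to do" heading, i.e. in the implemented part of the document; it should be updated to say how the new limits were exercised (or at least that they are implemented by this commit), otherwise the design document describes a shipped restriction as untested.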
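Review bot: The rlimits[] table in the @@ -307,9 +308,31 @@ hunk is never written after initialisation, so it should be "static const struct { ... } rlimits[]"; the RLIMIT_ENTRY macro could also stringify the resource ("{ .resource = r, .limit = l, .name = #r }") so the error path can report "RLIMIT_FSIZE" instead of a bare number via %d. Separately, RLIMIT_NPROC is set to 0 in this pre-exec hook while the commit message says it is intended to bite "after uid changes to a unique uid"; since the uid change is not performed here, a comment should record the assumption that no fork and no uid switch happens between this point and the execve, because on Linux a setuid() performed under a zero NPROC limit flags the process and a following execve() fails with EAGAIN.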
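Review bot: In the @@ -318,6 +341,21 @@ hunk the LOGE message ends in "\n" although libxl's LOG* macros already terminate each message, so the newline should be dropped. Also, because RLIMIT_FSIZE is lowered to 256KiB here with rlim_cur == rlim_max, both any file the child still writes before exec and QEMU's own log will hit EFBIG/SIGXFSZ past that size and cannot raise the limit back; the "Big enough for log files, not big enough for a DoS" comment should spell out that the QEMU log is expected to stay under 256KiB, or the log should be made to tolerate the failure.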