[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] tools/dm_depriv: Add first cut RLIMITs



commit ce2f42605888f18f63ff9fe0d45dd69ae83045bb
Author:     George Dunlap <george.dunlap@xxxxxxxxxx>
AuthorDate: Tue Nov 6 15:41:25 2018 +0000
Commit:     George Dunlap <george.dunlap@xxxxxxxxxx>
CommitDate: Tue Nov 6 15:41:25 2018 +0000

    tools/dm_depriv: Add first cut RLIMITs
    
    Limit the ability of a potentially compromised QEMU to consume system
    resources.  Key limits:
     - RLIMIT_FSIZE (file size): 256KiB
     - RLIMIT_NPROC (after uid changes to a unique uid)
    
    Probably unnecessary limits but why not:
     - RLIMIT_CORE: 0
     - RLIMIT_MSGQUEUE: 0
     - RLIMIT_LOCKS: 0
     - RLIMIT_MEMLOCK: 0
    
    NB that we do not yet set RLIMIT_AS (total virtual memory) or
    RLIMIT_NOFILES (number of open files), since these require more care
    and/or more coordination with QEMU to implement.
    
    Suggested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    ---
    Changes since v4:
    - Put global headers before local headers (sugg by Paul)
    - Move #undif inside the braces (sugg by Paul)
    
    Changes since v3:
    - Align RLIMIT_ENTRY list for easier reading
    - Fix wrong format string specifier
    - Get rid of some trailing whitespace
    
    Changes since v2:
    - Use a macro to define rlimit entries
    - Use RLIMIT_NLIMITS as an end-of-list marker, rather than -1
    - Various style clean-ups
    
    CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
---
 docs/designs/qemu-deprivilege.md | 12 ++++++------
 tools/libxl/libxl_linux.c        | 42 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md
index 65754ba6ee..067cf24762 100644
--- a/docs/designs/qemu-deprivilege.md
+++ b/docs/designs/qemu-deprivilege.md
@@ -103,12 +103,6 @@ call:
 
 [qemu-namespaces]: 
https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg04723.html
 
-# Restrictions / improvements still to do
-
-This lists potential restrictions still to do.  It is meant to be
-listed in order of ease of implementation, with low-hanging fruit
-first.
-
 ### Basic RLIMITs
 
 '''Description''': A number of limits on the resources that a given
@@ -135,6 +129,12 @@ are specified; this does not apply to QEMU running as a 
Xen DM.
 
 '''Tested''': Not tested
 
+# Restrictions / improvements still to do
+
+This lists potential restrictions still to do.  It is meant to be
+listed in order of ease of implementation, with low-hanging fruit
+first.
+
 ### Further RLIMITs
 
 RLIMIT_AS limits the total amount of memory; but this includes the
diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c
index c7a345f4bb..921051c0e6 100644
--- a/tools/libxl/libxl_linux.c
+++ b/tools/libxl/libxl_linux.c
@@ -12,11 +12,12 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Lesser General Public License for more details.
  */
- 
+
 #include "libxl_osdeps.h" /* must come before any other headers */
 
+#include <sys/resource.h>
 #include "libxl_internal.h"
- 
+
 int libxl__try_phy_backend(mode_t st_mode)
 {
     if (S_ISBLK(st_mode) || S_ISREG(st_mode)) {
@@ -307,9 +308,31 @@ int libxl__pci_topology_init(libxl__gc *gc,
     return err;
 }
 
+static struct {
+    int resource;
+    rlim_t limit;
+} rlimits[] = {
+#define RLIMIT_ENTRY(r, l) \
+    { .resource = r, .limit = l }
+    /* Big enough for log files, not big enough for a DoS */
+    RLIMIT_ENTRY(RLIMIT_FSIZE,    256*1024),
+
+    /* Shouldn't need any of these */
+    RLIMIT_ENTRY(RLIMIT_NPROC,    0),
+    RLIMIT_ENTRY(RLIMIT_CORE,     0),
+    RLIMIT_ENTRY(RLIMIT_MSGQUEUE, 0),
+    RLIMIT_ENTRY(RLIMIT_LOCKS,    0),
+    RLIMIT_ENTRY(RLIMIT_MEMLOCK,  0),
+
+    /* End-of-list marker */
+    RLIMIT_ENTRY(RLIMIT_NLIMITS,  0),
+#undef RLIMIT_ENTRY
+};
+
 int libxl__local_dm_preexec_restrict(libxl__gc *gc)
 {
     int r;
+    unsigned i;
 
     /* Unshare mount and IPC namespaces.  These are unused by QEMU. */
     r = unshare(CLONE_NEWNS | CLONE_NEWIPC);
@@ -318,6 +341,21 @@ int libxl__local_dm_preexec_restrict(libxl__gc *gc)
         return ERROR_FAIL;
     }
 
+    /* Set various "easy" rlimits */
+    for (i = 0; rlimits[i].resource != RLIMIT_NLIMITS; i++) {
+        struct rlimit rlim;
+
+        rlim.rlim_cur = rlim.rlim_max = rlimits[i].limit;
+
+        r = setrlimit(rlimits[i].resource, &rlim);
+        if (r < 0) {
+            LOGE(ERROR, "Setting rlimit %d to %llu failed\n",
+                                  rlimits[i].resource,
+                                  (unsigned long long)rlimits[i].limit);
+            return ERROR_FAIL;
+        }
+    }
+
     return 0;
 }
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.