On 10/26/2018 03:02 PM, Ian Jackson wrote: > George Dunlap writes ("[PATCH 4/5] tools/dm_depriv: Add first cut RLIMITs"): >> Limit the ability of a potentially compromised QEMU to consume system >> resources. Key limits: >> - RLIMIT_FSIZE (file size): 256KiB >> - RLIMIT_NPROC (after uid changes to a unique uid) > > Thanks. > >> +static struct { >> + int resource; >> + rlim_t limit; >> +} rlimits[] = { >> +#define RLIMIT_ENTRY(r, l) \ >> + { .resource = r, .limit = l } >> + /* Big enough for log files, not big enough for a DoS */ >> + RLIMIT_ENTRY(RLIMIT_FSIZE, 256*1024), >> + >> + /* Shouldn't need any of these */ >> + RLIMIT_ENTRY(RLIMIT_NPROC, 0), >> + RLIMIT_ENTRY(RLIMIT_CORE, 0), >> + RLIMIT_ENTRY(RLIMIT_MSGQUEUE, 0), >> + RLIMIT_ENTRY(RLIMIT_LOCKS, 0), >> + RLIMIT_ENTRY(RLIMIT_MEMLOCK, 0), > > I would have justified the values so this looked more tabular.
Sure. > >> + /* Set various "easy" rlimits */ >> + for (i = 0; rlimits[i].resource != RLIMIT_NLIMITS; i++) { >> + struct rlimit rlim; >> + >> + rlim.rlim_cur = rlim.rlim_max = rlimits[i].limit; >> + >> + r = setrlimit(rlimits[i].resource, &rlim); >> + if (r < 0) { >> + LOGE(ERROR, "Setting rlimit %d to %lld failed\n", >> + rlimits[i].resource, >> + (unsigned long long)rlimits[i].limit); > > I think you mean %llu not %lld. With that last point changed, > > Acked-by: Ian Jackson <ian.jack...@eu.citrix.com> Thanks. -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel