summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJanosch Frank <frankja@linux.vnet.ibm.com>2016-01-11 16:18:01 +0100
committerPaolo Bonzini <pbonzini@redhat.com>2016-01-26 15:58:13 +0100
commit1cd55f9dc7debdad0d54f4fad8617527433b4c4b (patch)
treece50477c78671051c3dc317bd404befb5739dc8b
parentd8e44802f8ae320a454644fb010ef06f3ac8fb06 (diff)
downloadqemu-1cd55f9dc7debdad0d54f4fad8617527433b4c4b.zip
scripts/kvm/kvm_stat: Fix rlimit for unprivileged users
Setting the hard limit as a unprivileged user either returns an error when it is higher than the current one or irreversibly sets it lower. Therefore we leave the hardlimit untouched as long as we don't need to raise it as this needs CAP_SYS_RESOURCE. This gives admins the possibility to run the script as an unprivileged user to increase security. Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com> Message-Id: <1452525484-32309-32-git-send-email-frankja@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rwxr-xr-xscripts/kvm/kvm_stat14
1 files changed, 11 insertions, 3 deletions
diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
index 611f82ad2a..2a1842e33e 100755
--- a/scripts/kvm/kvm_stat
+++ b/scripts/kvm/kvm_stat
@@ -434,11 +434,19 @@ class TracepointProvider(object):
# The constant is needed as a buffer for python libs, std
# streams and other files that the script opens.
- rlimit = len(cpus) * len(self._fields) + 50
+ newlim = len(cpus) * len(self._fields) + 50
try:
- resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit))
+ softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE)
+
+ if hardlim < newlim:
+ # Now we need CAP_SYS_RESOURCE, to increase the hard limit.
+ resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim))
+ else:
+ # Raising the soft limit is sufficient.
+ resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))
+
except ValueError:
- sys.exit("NOFILE rlimit could not be raised to {0}".format(rlimit))
+ sys.exit("NOFILE rlimit could not be raised to {0}".format(newlim))
for cpu in cpus:
group = Group()