[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit
|
From: |
Dr. David Alan Gilbert (git) |
|
Subject: |
[PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit |
|
Date: |
Thu, 24 Oct 2019 12:27:15 +0100 |
From: Stefan Hajnoczi <address@hidden>
virtiofsd can exceed the default open file descriptor limit easily on
most systems. Take advantage of the fact that it runs as root to set up
the maximum open file descriptor limit allowed on the system (the
nr_open sysctl).
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
contrib/virtiofsd/passthrough_ll.c | 34 ++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/contrib/virtiofsd/passthrough_ll.c
b/contrib/virtiofsd/passthrough_ll.c
index fe46b25fb6..25f7ad854a 100644
--- a/contrib/virtiofsd/passthrough_ll.c
+++ b/contrib/virtiofsd/passthrough_ll.c
@@ -53,9 +53,11 @@
#include <sys/xattr.h>
#include <sys/capability.h>
#include <sys/mount.h>
+#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <glib.h>
#include "passthrough_helpers.h"
#include "seccomp.h"
@@ -2110,6 +2112,36 @@ static void setup_sandbox(struct lo_data *lo)
setup_seccomp();
}
+/* Raise the maximum number of open file descriptors to the system limit */
+static void setup_nofile_rlimit(void)
+{
+ gchar *nr_open = NULL;
+ struct rlimit rlim;
+ long long max;
+
+ if (!g_file_get_contents("/proc/sys/fs/nr_open", &nr_open, NULL, NULL))
{
+ fuse_log(FUSE_LOG_ERR, "unable to read /proc/sys/fs/nr_open\n");
+ exit(1);
+ }
+
+ errno = 0;
+ max = strtoll(nr_open, NULL, 0);
+ if (errno) {
+ fuse_log(FUSE_LOG_ERR, "strtoll(%s): %m\n", nr_open);
+ exit(1);
+ }
+
+ rlim.rlim_cur = max;
+ rlim.rlim_max = max;
+
+ if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
+ fuse_log(FUSE_LOG_ERR, "setrlimit(RLIMIT_NOFILE): %m\n");
+ exit(1);
+ }
+
+ g_free(nr_open);
+}
+
int main(int argc, char *argv[])
{
struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
@@ -2125,6 +2157,8 @@ int main(int argc, char *argv[])
/* Don't mask creation mode, kernel already did that */
umask(0);
+ setup_nofile_rlimit();
+
pthread_mutex_init(&lo.mutex, NULL);
lo.root.next = lo.root.prev = &lo.root;
lo.root.fd = -1;
--
2.23.0
- [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops, (continued)
- [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup(), Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir(), Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 16/25] virtiofsd: sandbox mount namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 17/25] virtiofsd: move to an empty network namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 18/25] virtiofsd: move to a new pid namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 19/25] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit,
Dr. David Alan Gilbert (git) <=
- [PATCH 23/25] virtiofsd: add security guide document, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 24/25] virtiofsd: add --syslog command-line option, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 25/25] virtiofsd: print log only when priority is high enough, Dr. David Alan Gilbert (git), 2019/10/24