author | George Dunlap <george.dunlap@citrix.com> | 2018-11-06 15:41:25 +0000 |
---|---|---|
committer | George Dunlap <george.dunlap@citrix.com> | 2018-11-06 15:41:25 +0000 |
commit | ce2f42605888f18f63ff9fe0d45dd69ae83045bb (patch) | |
tree | a648392eff24f74485a5829c31695a7f10290d82 /docs/designs | |
parent | 371a23e65db5eb3a80a148586aeb551d4d0015f1 (diff) |
tools/dm_depriv: Add first cut RLIMITs
Limit the ability of a potentially compromised QEMU to consume system
resources. Key limits:
- RLIMIT_FSIZE (file size): 256KiB
- RLIMIT_NPROC (after uid changes to a unique uid)
Probably unnecessary limits but why not:
- RLIMIT_CORE: 0
- RLIMIT_MSGQUEUE: 0
- RLIMIT_LOCKS: 0
- RLIMIT_MEMLOCK: 0
NB that we do not yet set RLIMIT_AS (total virtual memory) or
RLIMIT_NOFILES (number of open files), since these require more care
and/or more coordination with QEMU to implement.
Suggested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
Changes since v4:
- Put global headers before local headers (sugg by Paul)
- Move #undef inside the braces (sugg by Paul)
Changes since v3:
- Align RLIMIT_ENTRY list for easier reading
- Fix wrong format string specifier
- Get rid of some trailing whitespace
Changes since v2:
- Use a macro to define rlimit entries
- Use RLIMIT_NLIMITS as an end-of-list marker, rather than -1
- Various style clean-ups
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Anthony Perard <anthony.perard@citrix.com>
Diffstat (limited to 'docs/designs')
-rw-r--r-- | docs/designs/qemu-deprivilege.md | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md index 65754ba6ee..067cf24762 100644 --- a/docs/designs/qemu-deprivilege.md +++ b/docs/designs/qemu-deprivilege.md @@ -103,12 +103,6 @@ call: [qemu-namespaces]: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg04723.html -# Restrictions / improvements still to do - -This lists potential restrictions still to do. It is meant to be -listed in order of ease of implementation, with low-hanging fruit -first. - ### Basic RLIMITs '''Description''': A number of limits on the resources that a given @@ -135,6 +129,12 @@ are specified; this does not apply to QEMU running as a Xen DM. '''Tested''': Not tested +# Restrictions / improvements still to do + +This lists potential restrictions still to do. It is meant to be +listed in order of ease of implementation, with low-hanging fruit +first. + ### Further RLIMITs RLIMIT_AS limits the total amount of memory; but this includes the |
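Review bot: the first hunk (@@ -103,12 +103,6 @@) only removes the "# Restrictions / improvements still to do" header and its intro paragraph above "### Basic RLIMITs"; it does not touch the section body, so the '''Description''' under "### Basic RLIMITs" should be checked against what this series actually sets (RLIMIT_FSIZE 256KiB, RLIMIT_NPROC after the uid change, and RLIMIT_CORE/MSGQUEUE/LOCKS/MEMLOCK at 0 per the commit message) now that the section is presented as implemented rather than as a to-do item.

Review bot: in the second hunk (@@ -135,6 +129,12 @@), the header is re-added directly under the context line "'''Tested''': Not tested", which belongs to the Basic RLIMITs section being promoted out of the to-do list; either update that line with how the limits were exercised, or note that the section is implemented but untested, so readers do not take "Not tested" as the status of the newly re-added to-do list.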