[PATCH] RLIMIT_NPROC enforcement during execve() calls
From: Lorenzo Hernández García-Hierro
Date: Mon Apr 18 2005 - 12:42:19 EST
Enforces the RLIMIT_NPROC limit by adding an additional check for
execve(), as
such limit is checked only during fork() calls.
The patch is also available at:
http://pearls.tuxedo-es.org/patches/security/rlimit_nproc-enforcing-execve.patch
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@xxxxxxx>
---
linux-2.6.11-lorenzo/fs/compat.c | 8 ++++++++
linux-2.6.11-lorenzo/fs/exec.c | 9 +++++++++
2 files changed, 17 insertions(+)
diff -puN fs/exec.c~rlimit_nproc-enforcing-execve fs/exec.c
--- linux-2.6.11/fs/exec.c~rlimit_nproc-enforcing-execve 2005-04-16
16:28:56.000000000 +0200
+++ linux-2.6.11-lorenzo/fs/exec.c 2005-04-16 19:26:47.000000000 +0200
@@ -1140,6 +1140,15 @@ int do_execve(char * filename,
if (IS_ERR(file))
goto out_kfree;
+ /* RLIMIT_NPROC enforcement */
+ if (current->user && (atomic_read(¤t->user->processes) >
+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+ allow_write_access(file);
+ fput(file);
+ return -EAGAIN;
+ }
+
sched_exec();
bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
diff -puN fs/compat.c~rlimit_nproc-enforcing-execve fs/compat.c
--- linux-2.6.11/fs/compat.c~rlimit_nproc-enforcing-execve 2005-04-16
16:28:56.000000000 +0200
+++ linux-2.6.11-lorenzo/fs/compat.c 2005-04-16 19:26:58.000000000 +0200
@@ -1450,6 +1450,14 @@ int compat_do_execve(char * filename,
if (!bprm->mm)
goto out_file;
+ /* RLIMIT_NPROC enforcement */
+ retval = -EAGAIN;
+ if (current->user && (atomic_read(¤t->user->processes) >
+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+ goto out_file;
+ }
+
retval = init_new_context(current, bprm->mm);
if (retval < 0)
goto out_mm;
_
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
Attachment:
signature.asc
Description: This is a digitally signed message part