changeset 12288:1064b906ca68 Ignore a failure to restore the RLIMIT_CORE resource limit. Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root. This is not a problem outside the container. author Todd C. Miller date Sat, 14 Mar 2020 11:13:55 -0600 parents 72ca06a294b4 children 40629e6fd692 files src/limits.c diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] line wrap: on line diff --- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 +++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 @@ -114,13 +114,21 @@ if (getrlimit(RLIMIT_CORE, &corelimit) == -1) sudo_warn("getrlimit(RLIMIT_CORE)"); + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); if (setrlimit(RLIMIT_CORE, &rl) == -1) sudo_warn("setrlimit(RLIMIT_CORE)"); #ifdef __linux__ /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ - if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) + if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); dumpflag = 0; - (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); + } + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); + } #endif /* __linux__ */ coredump_disabled = true; @@ -136,10 +144,20 @@ debug_decl(restore_coredump, SUDO_DEBUG_UTIL); if (coredump_disabled) { - if (setrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); + /* + * Linux containers don't allow RLIMIT_CORE to be set back to + * RLIM_INFINITY if we set the limit to zero, even for root. + */ + if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(RLIMIT_CORE, [%lld, %lld])", + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + } #ifdef __linux__ - (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); + if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); + } #endif /* __linux__ */ } debug_return; @@ -162,8 +180,14 @@ if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) sudo_warn("getrlimit(RLIMIT_NPROC)"); + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); if (setrlimit(RLIMIT_NPROC, &rl) == -1) { rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; + sudo_debug_printf(SUDO_DEBUG_INFO, + "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, + (long long)rl.rlim_cur, (long long)rl.rlim_max); if (setrlimit(RLIMIT_NPROC, &rl) != 0) sudo_warn("setrlimit(RLIMIT_NPROC)"); } @@ -180,8 +204,11 @@ #ifdef __linux__ debug_decl(restore_nproc, SUDO_DEBUG_UTIL); - if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); + if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(RLIMIT_NPROC, [%lld, %lld])", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + } debug_return; #endif /* __linux__ */ @@ -203,6 +230,11 @@ struct saved_limit *lim = &saved_limits[idx]; if (getrlimit(lim->resource, &lim->oldlimit) == -1) continue; + sudo_debug_printf(SUDO_DEBUG_INFO, + "getrlimit(lim->name) -> [%lld, %lld]", + (long long)lim->oldlimit.rlim_cur, + (long long)lim->oldlimit.rlim_max); + lim->saved = true; if (lim->newlimit.rlim_cur != RLIM_INFINITY) { /* Don't reduce the soft resource limit. */ @@ -217,13 +249,28 @@ lim->newlimit.rlim_max = lim->oldlimit.rlim_max; } if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { - if (lim->fallback != NULL) - rc = setrlimit(lim->resource, lim->fallback); + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->newlimit.rlim_cur, + (long long)lim->newlimit.rlim_max); + if (lim->fallback != NULL) { + if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->fallback->rlim_cur, + (long long)lim->fallback->rlim_max); + } + } if (rc == -1) { /* Try setting new rlim_cur to old rlim_max. */ lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - rc = setrlimit(lim->resource, &lim->newlimit); + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->newlimit.rlim_cur, + (long long)lim->newlimit.rlim_max); + } } if (rc == -1) sudo_warn("setrlimit(%s)", lim->name); @@ -254,6 +301,10 @@ if (rc != -1 || errno != EINVAL) break; + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)rl.rlim_cur, (long long)rl.rlim_max); + /* * Soft limit could be lower than current resource usage. * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.