[apparmor] [Branch ~apparmor-dev/apparmor/master] Rev 1770: Update apparmor's handling of rlimits for cpu limit and more natural units

Christian Boltz apparmor at cboltz.de
Sun Aug 14 12:17:43 UTC 2011 

Hello,

Am Samstag, 13. August 2011 schrieb John Johansen:
> On 08/12/2011 02:40 PM, Christian Boltz wrote:
> > Am Donnerstag, 11. August 2011 schrieb noreply at launchpad.net:
> >> revno: 1770
> >> committer: John Johansen<john.johansen at canonical.com>
> >> 
> >>    Update apparmor's handling of rlimits for cpu limit and more
> >> natural units
> > 
> > That looks like I'll have to update apparmor.vim ;-)
> 
> oops, I didn't mean for that one to go in yet, thats what I get for
> being in a rush and not thinking.  Its not a big deal I just meant
> to do a little more work on it and send it out for review first.

;-)

> >>    Allow for rlimit cpu to specified which is now supported by the
> >> kernel.
> >> 
> >>    Previously the rlimit units where limited to K, M, G and would
> >>    fail
> >> 
> >> when KB, MB, GB where used.  Allow for both,
> > 
> > The change for K, M, G is quite obvious - now KB, MB and GB are
> > allowed too in profiles.
> > 
> > Are lowercase k, m, g, kb, mb, gb and mixed case (kB, Mb) also
> > allowed?
> 
> not currently, that is one of the things I meant to ask about in
> review

I tend to say yes because at least kB looks more correct than KB, and 
allowing lowerkase only for k is the last thing I want ;-)

> >> also allow for units on
> >> lengths of time, by specifying "seconds", "minutes", "hours".. or
> > 
> > If I get it right, this only affects the (newly added) "rlimit
> > cpu", right? Can you give me some sample profile lines for "rlimit
> > cpu"?
> 
> set rlimit cpu <= 10,
> set rlimit cpu <= 10s,

Thanks, added on my ToDo list.

> >> any unique subset eg. "s", "sec", "m", "min", "h", "hour" ..
> 
> currently no, that is one of the things that actually should be
> fixed, right now you can do
> 
>    secon, minu, hou
> 
> which are all unnatural

> currently yes, the plan is no, just the common ones should be
> supported
> 
> s, sec, second, seconds

The restriction to common ones sounds like a very good idea ;-)

Maybe even s/m/h/d is enough - people reading apparmor profiles are most 
probably familiar with these abbreviations. OTOH, supporting some longer 
versions (sec, second, seconds) doesn't really hurt - well, except when 
reading the regex in apparmor.vim ;-)

> > Again, are uppercase or mixed-case words allowed? For example
> > Sec
> > secoND
> 
> currently no, the question is do we want to

I'd say no, lowercase is enough (and even correct english).


Regards,

Christian Boltz
-- 
Ein gutes Logo ist wie ein Butler:
Es ist immer da, wird aber nicht bemerkt.
[Ratti]

More information about the AppArmor mailing list