[apparmor] [patch] parser: add rttime rlimit support [v2] (was Re: [patch 13/18] parser: add rttime rlimit support)

Steve Beattie steve at nxnw.org
Fri Jan 17 08:00:08 UTC 2014


On Fri, Jan 17, 2014 at 12:45:27AM +0100, Christian Boltz wrote:
> Am Donnerstag, 16. Januar 2014 schrieb Steve Beattie:
> > This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
> > available since the 2.6.25 kernel, according to the getrlimit(2)
> > man page; see that man page for more details on this rlimit.
> > An acceptance test is also added.
> 
> > Index: b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
> > ===================================================================
> 
> > +profile rlimit {
> > +  set rlimit rttime <= 60minutes,
> > +}
> 
> Does this also need an addition for apparmor.vim.in?

Yes, it does. In the course of reviewing what the correct formatting was for
rttime and other rlimits, I discovered that rttime is measured in
microseconds, not seconds like RLIMIT_CPU. An updated patch that
addresses both issues follows:

Subject: parser: add rttime rlimit support [v2]

This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
available since the 2.6.25 kernel, according to the getrlimit(2)
man page; see that man page for more details on this rlimit.
An acceptance test is also added, as well as an update to the
apparmor.vim input template.

While reviewing to see what made sense in apparmor.vim for the rttime
rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
a keyword for microseconds, but I did for milliseconds. I also don't
accept any unit larger than minutes, as it didn't seem appropriate
(and even minutes felt... gratuitous). I would appreciate feedback
on what keywords would be useful here.

Patch History:
  v1: initial submission
  v2: - add apparmor.vim support for rttime keyword
      - adjust RLIMIT_RTTIME value assignment due to its units being
	microseconds, not seconds, and add milliseconds keyword.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 parser/parser_misc.c                            |    3 +++
 parser/parser_yacc.y                            |   17 +++++++++++++++++
 parser/tst/simple_tests/rlimits/ok_rlimit_18.sd |    7 +++++++
 utils/vim/apparmor.vim.in                       |    3 ++-
 4 files changed, 29 insertions(+), 1 deletion(-)

Index: b/parser/parser_misc.c
===================================================================
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -175,6 +175,9 @@ static struct keyword_table rlimit_table
 #ifdef RLIMIT_RTPRIO
 	{"rtprio",		RLIMIT_RTPRIO},
 #endif
+#ifdef RLIMIT_RTTIME
+	{"rttime",		RLIMIT_RTTIME},
+#endif
 	/* terminate */
 	{NULL, 0}
 };
Index: b/parser/parser_yacc.y
===================================================================
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -754,6 +754,7 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID T
 			value = RLIM_INFINITY;
 		} else {
 			const char *seconds = "seconds";
+			const char *milliseconds = "ms";
 			const char *minutes = "minutes";
 			const char *hours = "hours";
 			const char *days = "days";
@@ -778,6 +779,22 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID T
 				} else {
 					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
 				}
+				break;
+			case RLIMIT_RTTIME:
+				/* RTTIME is measured in microseconds */
+				if (!end || $6 == end || tmp < 0)
+					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+				if (*end == '\0') {
+					value = tmp;
+				} else if (strstr(milliseconds, end) == milliseconds) {
+					value = tmp * 1000;
+				} else if (strstr(seconds, end) == seconds) {
+					value = tmp * 1000 * 1000;
+				} else if (strstr(minutes, end) == minutes) {
+					value = tmp * 1000 * 1000 * 60;
+				} else {
+					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+				}
 				break;
 			case RLIMIT_NOFILE:
 			case RLIMIT_NPROC:
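Review bot: The unit chain tests `ms` before `minutes` with prefix matching (`strstr(milliseconds, end) == milliseconds`), so a bare `m` suffix, which under the same prefix rule presumably means minutes in the RLIMIT_CPU case above this hunk, now silently becomes milliseconds and tightens the limit by a factor of 60,000,000. Testing `minutes` before `milliseconds` removes the ambiguity, since `strstr("minutes", "ms")` does not match and `ms` still reaches its own branch. Separately, `value = tmp * 1000 * 1000 * 60;` has no upper bound on `tmp`; if `tmp` is a `long` (its declaration is above the hunk), the acceptance test's own `60minutes` is 3,600,000,000 µs, which overflows a 32-bit `long`, so a guard such as `if (tmp > LONG_MAX / (1000L * 1000 * 60)) yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);` before the multiplications would reject it explicitly. Note also that the `*end` dereference after the `!end` check relies on yyerror() not returning. The enclosing switch and rule action start outside the hunk.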
Index: b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple realtime time rlimit test
+#=EXRESULT PASS
+
+profile rlimit {
+  set rlimit rttime <= 60minutes,
+}
Index: b/utils/vim/apparmor.vim.in
===================================================================
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
@@ -160,7 +160,8 @@ syn match sdRLimit /\v^\s*set\s+rlimit\s
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
 
 " link rules
 syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/