[apparmor] [patch] parser: add rttime rlimit support [v2] (was Re: [patch 13/18] parser: add rttime rlimit support)
John Johansen
john.johansen at canonical.com
Fri Jan 24 10:25:59 UTC 2014
On 01/17/2014 12:00 AM, Steve Beattie wrote:
> On Fri, Jan 17, 2014 at 12:45:27AM +0100, Christian Boltz wrote:
>> Am Donnerstag, 16. Januar 2014 schrieb Steve Beattie:
>>> This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
>>> available since the 2.6.25 kernel, according to the getrlimit(2)
>>> man page; see that man page for more details on this rlimit.
>>> An acceptance test is also added.
>>
>>> Index: b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
>>> ===================================================================
>>
>>> +profile rlimit {
>>> + set rlimit rttime <= 60minutes,
>>> +}
>>
>> Does this also need an addition for apparmor.vim.in?
>
> Yes, it does. In the course of reviewing what was correct formatting for
> rttime and other rlimits, I discovered that the units for rttime is
> measured in microseconds, not seconds like RLIMIT_CPU. Updated patch
> follows that addresses both issues:
>
> Subject: parser: add rttime rlimit support [v2]
>
> This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
> available since the 2.6.25 kernel, according to the getrlimit(2)
> man page; see that man page for more details on this rlimit.
> An acceptance test is also added, as well as an update to the
> apparmor.vim input template.
>
> While reviewing to see what made sense in apparmor.vim for the rttime
> rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
> seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
> necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
> a keyword for microseconds, but I did for milliseconds. I also don't
> accept any unit larger than minutes, as it didn't seem appropriate
> (and even minutes felt... gratuitous). I would appreciate feedback
> on what keywords would be useful here.
>
> Patch History:
> v1: initial submission
> v2: - add apparmor.vim support for rttime keyword
> - adjust RLIMIT_RTTIME value assignment due to its units being
> microseconds, not seconds, and add milliseconds keyword.
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser_misc.c | 3 +++
> parser/parser_yacc.y | 17 +++++++++++++++++
> parser/tst/simple_tests/rlimits/ok_rlimit_18.sd | 7 +++++++
> utils/vim/apparmor.vim.in | 3 ++-
> 4 files changed, 29 insertions(+), 1 deletion(-)
>
> Index: b/parser/parser_misc.c
> ===================================================================
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -175,6 +175,9 @@ static struct keyword_table rlimit_table
> #ifdef RLIMIT_RTPRIO
> {"rtprio", RLIMIT_RTPRIO},
> #endif
> +#ifdef RLIMIT_RTTIME
> + {"rttime", RLIMIT_RTTIME},
> +#endif
> /* terminate */
> {NULL, 0}
> };
> Index: b/parser/parser_yacc.y
> ===================================================================
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -754,6 +754,7 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID T
> value = RLIM_INFINITY;
> } else {
> const char *seconds = "seconds";
> + const char *milliseconds = "ms";
> const char *minutes = "minutes";
> const char *hours = "hours";
> const char *days = "days";
> @@ -778,6 +779,22 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID T
> } else {
> yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
> }
> + break;
> + case RLIMIT_RTTIME:
> + /* RTTIME is measured in microseconds */
> + if (!end || $6 == end || tmp < 0)
> + yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
> + if (*end == '\0') {
> + value = tmp;
> + } else if (strstr(milliseconds, end) == milliseconds) {
> + value = tmp * 1000;
> + } else if (strstr(seconds, end) == seconds) {
> + value = tmp * 1000 * 1000;
> + } else if (strstr(minutes, end) == minutes) {
> + value = tmp * 1000 * 1000 * 60;
> + } else {
> + yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
> + }
> break;
> case RLIMIT_NOFILE:
> case RLIMIT_NPROC:
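Review bot: The scaling lines `value = tmp * 1000;` through `value = tmp * 1000 * 1000 * 60;` multiply tmp with no upper bound, while the only range check on the new case rejects negative values, so a large count silently overflows before it reaches value; tmp's type is not visible here, but if it is a signed long the overflow is undefined behaviour and on a 32-bit long it already occurs above about 35 minutes. A guard of the form `if (tmp > <max for tmp's type> / (1000 * 1000 * 60)) yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);` before the chain (or scaling in an unsigned 64-bit temporary with the same check) would keep the limit meaningful. The `strstr(keyword, end) == keyword` tests also accept any prefix of the keyword, so `60m` parses as 60 milliseconds because `ms` is tried before `minutes`; either note that in the `/* RTTIME is measured in microseconds */` comment or require the full keyword with `strcmp`. Finally, the invalid-value `yyerror` is not followed by a break, so if yyerror ever returns rather than exiting, the `*end` dereference runs with end possibly NULL — presumably it exits, but the enclosing rule starts and ends outside the hunk.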
> Index: b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple realtime time rlimit test
> +#=EXRESULT PASS
> +
> +profile rlimit {
> + set rlimit rttime <= 60minutes,
> +}
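Review bot: The acceptance test exercises only the `minutes` suffix, so the new `ms` keyword and the bare-microseconds form of the parser change are not covered; a sibling test with `set rlimit rttime <= 500ms,` and one with a bare number would pin both paths. An expected-failure case using a suffix the rttime rule deliberately rejects (such as `hours`) would also lock in the unit restriction described in the patch message.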
> Index: b/utils/vim/apparmor.vim.in
> ===================================================================
> --- a/utils/vim/apparmor.vim.in
> +++ b/utils/vim/apparmor.vim.in
> @@ -160,7 +160,8 @@ syn match sdRLimit /\v^\s*set\s+rlimit\s
> syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
> syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
> syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
> -syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
> +syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
> +syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
>
> " link rules
> syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
>
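Review bot: The new `rttime` highlight pattern accepts only the literal suffixes `(ms|seconds|minutes)?`, whereas the parser change in parser_yacc.y matches any prefix of those keywords, so a profile line such as `set rlimit rttime <= 60sec,` would parse but not be highlighted as an rlimit. If prefix matching in the parser is intended, the vim pattern should mirror it; otherwise the parser should be tightened so the two agree.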
>
>