/dev/kev

tunerlimit

LD_PRELOAD library to control access to setrlimit(2)

Description
tunerlimit is a preload library that allows some fine-tuning of when calls to setrlimit(2) are allowed, and when they are "blocked". This can be useful in situations where, for example, SELinux policies cause programs to fail completely when making trivial or idempotent calls to setrlimit().

I like to run gpg (GnuPG command line utility) in one of my procmail rules, so that when I receive mail that is validly signed I can add a "whitelist" header to the email. When the host that receives mail was upgraded to use SELinux, this was failing because gpg likes to call

    setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0})

This makes perfect sense, since GnuPG doesn't want to accidentally dump any sensitive information to disk in a core dump. Unfortunately, SELinux was configured to forbid such calls from the restricted procmail_t context, giving rise to syslog entries like

    setroubleshoot: SELinux is preventing gpg (procmail_t) "setrlimit" to <Unknown> (procmail_t).

Running ulimit -c from the surrounding shell script confirmed that the current core limit was indeed 0, and that gpg is just being extra cautious by setting the hard limit to 0 as well.

I didn't want to change the policy to allow constrained processes access to setrlimit(), since that might have unintended consequences for constrained processes running as root. So tunerlimit is the solution that addresses these sorts of narrow problems.
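The interposition idea described above, as an added example that is not tunerlimit's own source: a minimal preload shim that filters only idempotent setrlimit() calls and forwards everything else to libc. The `block_errno` and `blocked_calls` knobs, the `res_t` typedef, and the reading of "idempotent" as "both limits already equal the request" are assumptions made for this sketch.

```c
#define _GNU_SOURCE                 /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>
#include <sys/resource.h>

#ifdef __GLIBC__                    /* glibc may type the resource as an enum */
typedef __rlimit_resource_t res_t;
#else
typedef int res_t;
#endif
#ifndef RTLD_NEXT                   /* fallback if feature macros were set earlier */
#define RTLD_NEXT ((void *)-1L)
#endif

typedef int (*setrlimit_fn)(res_t, const struct rlimit *);

/* Hypothetical knobs: 0 reports success for a blocked call, otherwise the
 * errno to fail with (EPERM mirrors the default listed on this page). */
static int block_errno = EPERM;
static unsigned long blocked_calls;

/* Assumption: "idempotent" means both limits already equal the request. */
static int is_idempotent(res_t resource, const struct rlimit *want)
{
    struct rlimit cur;
    return want != NULL && getrlimit(resource, &cur) == 0 &&
           cur.rlim_cur == want->rlim_cur && cur.rlim_max == want->rlim_max;
}

/* Exported with the libc name so the dynamic linker resolves callers to it. */
int setrlimit(res_t resource, const struct rlimit *rlim)
{
    static setrlimit_fn real;

    if (is_idempotent(resource, rlim)) {
        /* No state would change, so never reach the kernel (and SELinux). */
        blocked_calls++;
        if (block_errno == 0)
            return 0;
        errno = block_errno;
        return -1;
    }
    if (real == NULL)
        real = (setrlimit_fn)dlsym(RTLD_NEXT, "setrlimit");
    if (real == NULL) {
        errno = ENOSYS;
        return -1;
    }
    return real(resource, rlim);    /* real changes still go to libc */
}
```

Built with `cc -shared -fPIC -o shim.so shim.c -ldl` (file names are placeholders) and loaded through LD_PRELOAD, the shim sits in front of libc for dynamically linked programs. Because a call is suppressed only when the limits already match, reporting success never leaves a process with a weaker core-dump limit than it requested.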

Downloads

Installation
Standard autoconf process:

    ./configure && make && make install

Usage
    tunerlimit [options] <program> [args...]

Valid options are:

    -v, --version   Display the tunerlimit version
    -h, --help      Display this help
    -d, --debug     Display debug info

  Which type of calls to block:
    -a, --all         Block all calls to setrlimit()
    -i, --idempotent  Block only idempotent calls to setrlimit() (default)

  Which resources to block:
    -r, --resources <list>  List which resources to block, where <list>
                            is a space or comma separated list of names.
                            Valid resource names are:
                              ALL (all resources)
                              NONE (no resources)
                              AS
                              CORE
                              CPU
                              DATA
                              FSIZE
                              LOCKS
                              MEMLOCK
                              MSGQUEUE
                              NICE
                              NOFILE
                              NPROC
                              RSS
                              RTPRIO
                              SIGPENDING
                              STACK

  What to return:
    -s, --success  Return success for blocked calls
    -f, --fail     Return indeterminate failure for blocked calls
    --fail-fault   Return EFAULT failure for blocked calls
    --fail-inval   Return EINVAL failure for blocked calls
    --fail-perm    Return EPERM failure for blocked calls (default)

Examples
  • tunerlimit test-rlimit
  • tunerlimit --all test-rlimit
  • tunerlimit --resources as,core,cpu test-rlimit


Last updated: Monday, 23 February, 2009.
Copyright © 1994-2018, Kevin Pulo, kev at pulo dot com dot au
Public key fingerprint: 94A4 D2B6 85E6 A46A 5330 74F3 199C 4F85 563D C85F