(#1006) Add setrlimit to scoped functions

- `sshd` use the function which impacts our library
criblio · Jun 27, 2022 · a022041 · a022041
1 parent f2fe58c
commit a022041
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/src/fn.c b/src/fn.c
@@ -342,6 +342,7 @@ initFn(void)
     GETADDR(g_fn.opendir, "opendir");
     GETADDR(g_fn.closedir, "closedir");
     GETADDR(g_fn.readdir, "readdir");
+    GETADDR(g_fn.setrlimit, "setrlimit");
 #ifdef __STATX__
     GETADDR(g_fn.statx, "statx");
 #endif

diff --git a/src/fn.h b/src/fn.h
@@ -20,6 +20,7 @@
 #include <unistd.h>
 #include <arpa/nameser.h>
 #include <dirent.h>
+#include <sys/resource.h>
 
 #ifdef __linux__
 #ifndef io_context_t
@@ -248,6 +249,7 @@ typedef struct {
     DIR *(*opendir)(const char *);
     int (*closedir)(DIR *);
     struct dirent *(*readdir)(DIR *);
+    int (*setrlimit)(__rlimit_resource_t, const struct rlimit *);
 #endif // __linux__
 
 #if defined(__linux__) && defined(__STATX__)

diff --git a/src/wrap.c b/src/wrap.c
@@ -373,6 +373,8 @@ findSymbol(struct dl_phdr_info *info, size_t size, void *data)
 
 #endif // __linux__
 
+#define APPSCOPE_NPROC (2U)
+
 /*
  * This would appear to be extraneous. However, the function closedir()
  * is defined using the __nonnull function attribute, which results in
@@ -3564,6 +3566,43 @@ _exit(int status)
 
 #endif // __linux__
 
+EXPORTON int
+setrlimit(__rlimit_resource_t resource, const struct rlimit *rlim)
+{
+    WRAP_CHECK(setrlimit, -1);
+
+    /*
+    * Setting value to 0 prevents file creation, we want to prevent
+    * it regarding the fact that destination path can point to file.
+    */
+    if ((resource == RLIMIT_FSIZE) && ((rlim->rlim_cur == 0) || (rlim->rlim_max == 0))) {
+        scopeLog(CFG_LOG_DEBUG, "setrlimit: RLIMIT_FSIZE with limit=0 prevents file creation - opt out from setrlimit.");
+        return 0;
+    } else if (resource == RLIMIT_NPROC) {
+
+        /*
+        * Increase the request limit on the number of extant thread,
+        * including those managed by the AppScope.
+        */
+        struct rlimit *local_rlimit =(struct rlimit *)rlim;
+
+        /*
+        * The code below prevent overflow with AppScope process limit adjustement:
+        * rlim_t is a unsigned type.
+        */
+        if (local_rlimit->rlim_cur <= (rlim_t)(RLIM_INFINITY - APPSCOPE_NPROC)) {
+            local_rlimit->rlim_cur += APPSCOPE_NPROC;
+        }
+
+        if (local_rlimit->rlim_max <= (rlim_t)(RLIM_INFINITY - APPSCOPE_NPROC)) {
+            local_rlimit->rlim_max += APPSCOPE_NPROC;
+        }
+        return g_fn.setrlimit(resource, (const struct rlimit *)local_rlimit);
+    }
+
+    return g_fn.setrlimit(resource, rlim);
+}
+
 EXPORTON int
 close(int fd)
 {