[Qemu-devel] [PULL 37/49] scripts/kvm/kvm_stat: Fix rlimit for unprivileged users

[Paolo Bonzini]

From: Janosch Frank <address@hidden>

Setting the hard limit as a unprivileged user either returns an error
when it is higher than the current one or irreversibly sets it lower.

Therefore we leave the hardlimit untouched as long as we don't need to
raise it as this needs CAP_SYS_RESOURCE.

This gives admins the possibility to run the script as an unprivileged
user to increase security.

Signed-off-by: Janosch Frank <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 scripts/kvm/kvm_stat | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
index 611f82a..2a1842e 100755
--- a/scripts/kvm/kvm_stat
+++ b/scripts/kvm/kvm_stat
@@ -434,11 +434,19 @@ class TracepointProvider(object):
 
         # The constant is needed as a buffer for python libs, std
         # streams and other files that the script opens.
-        rlimit = len(cpus) * len(self._fields) + 50
+        newlim = len(cpus) * len(self._fields) + 50
         try:
-            resource.setrlimit(resource.RLIMIT_NOFILE, (rlimit, rlimit))
+            softlim_, hardlim = resource.getrlimit(resource.RLIMIT_NOFILE)
+
+            if hardlim < newlim:
+                # Now we need CAP_SYS_RESOURCE, to increase the hard limit.
+                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, newlim))
+            else:
+                # Raising the soft limit is sufficient.
+                resource.setrlimit(resource.RLIMIT_NOFILE, (newlim, hardlim))
+
         except ValueError:
-            sys.exit("NOFILE rlimit could not be raised to {0}".format(rlimit))
+            sys.exit("NOFILE rlimit could not be raised to {0}".format(newlim))
 
         for cpu in cpus:
             group = Group()
-- 
1.8.3.1