Enforces the RLIMIT_NPROC limit by adding an additional check for execve(), as such limit is checked only during fork() calls. The patch is also available at: http://pearls.tuxedo-es.org/patches/security/rlimit_nproc-enforcing-execve.patch Signed-off-by: Lorenzo Hernandez Garcia-Hierro <[email protected]> --- linux-2.6.11-lorenzo/fs/compat.c | 8 ++++++++ linux-2.6.11-lorenzo/fs/exec.c | 9 +++++++++ 2 files changed, 17 insertions(+) diff -puN fs/exec.c~rlimit_nproc-enforcing-execve fs/exec.c --- linux-2.6.11/fs/exec.c~rlimit_nproc-enforcing-execve 2005-04-16 16:28:56.000000000 +0200 +++ linux-2.6.11-lorenzo/fs/exec.c 2005-04-16 19:26:47.000000000 +0200 @@ -1140,6 +1140,15 @@ int do_execve(char * filename, if (IS_ERR(file)) goto out_kfree; + /* RLIMIT_NPROC enforcement */ + if (current->user && (atomic_read(¤t->user->processes) > + current->signal->rlim[RLIMIT_NPROC].rlim_cur) && + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) { + allow_write_access(file); + fput(file); + return -EAGAIN; + } + sched_exec(); bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); diff -puN fs/compat.c~rlimit_nproc-enforcing-execve fs/compat.c --- linux-2.6.11/fs/compat.c~rlimit_nproc-enforcing-execve 2005-04-16 16:28:56.000000000 +0200 +++ linux-2.6.11-lorenzo/fs/compat.c 2005-04-16 19:26:58.000000000 +0200 @@ -1450,6 +1450,14 @@ int compat_do_execve(char * filename, if (!bprm->mm) goto out_file; + /* RLIMIT_NPROC enforcement */ + retval = -EAGAIN; + if (current->user && (atomic_read(¤t->user->processes) > + current->signal->rlim[RLIMIT_NPROC].rlim_cur) && + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) { + goto out_file; + } + retval = init_new_context(current, bprm->mm); if (retval < 0) goto out_mm; _ Cheers, -- Lorenzo Hernández García-Hierro <[email protected]> [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
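Review bot: the fs/exec.c hunk returns -EAGAIN straight out of do_execve() instead of taking the function's existing error path, so the bprm allocated before open_exec() is never freed; the open_exec() failure just above uses `goto out_kfree`, and the new check should do the same (`retval = -EAGAIN; goto out_kfree;` after the allow_write_access()/fput() pair) so that the kfree at that label runs. That also makes the two hunks consistent, since the compat.c version already sets retval and jumps to a label. Worth spelling out in the changelog as well: because current->user->processes already counts the calling process, any process of a user at or over the limit now fails every execve() with EAGAIN, including a shell trying to exec a command to bring the count back down, which is a behaviour change beyond what fork() enforces. The `¤t` in the archived hunks is the archive's rendering of `&current` (the `&curren` entity swallowed part of the expression), not text from the patch.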
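Review bot: in the fs/compat.c hunk the new check sits after bprm->mm has been allocated but jumps to out_file, skipping the mm teardown that out_mm exists for, so every execve() refused under RLIMIT_NPROC leaks the freshly allocated mm; the init_new_context() failure two lines below already uses `goto out_mm`, and the new check should use that label, or better, move up to before the mm allocation to match where the fs/exec.c hunk places its check. Since the condition (current->user, atomic_read(&current->user->processes) against rlim[RLIMIT_NPROC].rlim_cur, with the CAP_SYS_ADMIN/CAP_SYS_RESOURCE exemptions) is duplicated verbatim in both files, a small shared helper would keep the native and compat paths from drifting apart.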