Enforces the RLIMIT_NPROC limit by adding a check to execve(), because
this limit is otherwise checked only during fork() calls.

The patch is also available at:
http://pearls.tuxedo-es.org/patches/security/rlimit_nproc-enforcing-execve.patch

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]>
---

 linux-2.6.11-lorenzo/fs/compat.c |    8 ++++++++
 linux-2.6.11-lorenzo/fs/exec.c   |    9 +++++++++
 2 files changed, 17 insertions(+)

diff -puN fs/exec.c~rlimit_nproc-enforcing-execve fs/exec.c
--- linux-2.6.11/fs/exec.c~rlimit_nproc-enforcing-execve        2005-04-16
16:28:56.000000000 +0200
+++ linux-2.6.11-lorenzo/fs/exec.c      2005-04-16 19:26:47.000000000 +0200
@@ -1140,6 +1140,15 @@ int do_execve(char * filename,
        if (IS_ERR(file))
                goto out_kfree;
 
+       /* RLIMIT_NPROC enforcement */
+       if (current->user && (atomic_read(&current->user->processes) >
+            current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
+           !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+               allow_write_access(file);
+               fput(file);
+               return -EAGAIN;
+       }
+
        sched_exec();
 
        bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
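Review bot: The early `return -EAGAIN;` in the new block leaves do_execve() without passing through the cleanup labels the rest of the function uses (see the `goto out_kfree` two statements above). Whatever `out_kfree` releases, presumably the bprm allocation, then looks to be leaked each time the limit is hit, and an unprivileged process that is over its limit can hit this path repeatedly. Keep the `allow_write_access(file); fput(file);` pair, but finish with `retval = -EAGAIN;` and `goto out_kfree;` instead of returning. The `current->user &&` test also looks redundant if the task always carries a user struct. The function body and the label definitions are outside the hunk, so confirm against the full source.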
diff -puN fs/compat.c~rlimit_nproc-enforcing-execve fs/compat.c
--- linux-2.6.11/fs/compat.c~rlimit_nproc-enforcing-execve      2005-04-16
16:28:56.000000000 +0200
+++ linux-2.6.11-lorenzo/fs/compat.c    2005-04-16 19:26:58.000000000 +0200
@@ -1450,6 +1450,14 @@ int compat_do_execve(char * filename,
        if (!bprm->mm)
                goto out_file;
 
+       /* RLIMIT_NPROC enforcement */
+       retval = -EAGAIN;
+       if (current->user && (atomic_read(&current->user->processes) >
+            current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
+           !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+               goto out_file;
+       }
+
        retval = init_new_context(current, bprm->mm);
        if (retval < 0)
                goto out_mm;
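Review bot: The new check jumps to `out_file`, but it sits after the `if (!bprm->mm) goto out_file;` test, so bprm->mm has already been allocated when it runs. The very next error path uses `goto out_mm`, which suggests `out_file` alone does not drop the mm, so the mm would leak on every rejected exec. Use `goto out_mm;` here, or move the check above the mm allocation. The placement also differs from fs/exec.c, where the same condition runs right after the file is opened. Factoring the duplicated condition into one shared helper would keep the native and compat paths from drifting apart. The label bodies are outside the hunk.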
_

Cheers,
-- 
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
