cgroup: Add option to control the amount of PIDs
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 9 Aug 2022 16:32:26 +0000 (16:32 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 9 Aug 2022 16:32:26 +0000 (16:32 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/libpakfire/cgroup.c
src/libpakfire/include/pakfire/cgroup.h
tests/libpakfire/jail.c

index def656c8b2a8bd3ce111eba3434636b97d98a132..00d7f96e89d94d146dcfeb5f08ce7e4b9bd54ca9 100644 (file)
@@ -697,3 +697,25 @@ int pakfire_cgroup_set_memory_limit(struct pakfire_cgroup* cgroup, size_t mem) {
 
        return r;
 }
+
+// PIDs
+
+int pakfire_cgroup_set_pid_limit(struct pakfire_cgroup* cgroup, size_t limit) {
+       int r;
+
+       // Enable PID controller
+       r = pakfire_cgroup_enable_controllers(cgroup, PAKFIRE_CGROUP_CONTROLLER_PIDS);
+       if (r)
+               return r;
+
+       DEBUG(cgroup->pakfire, "%s: Setting PID limit to %zu\n",
+               pakfire_cgroup_name(cgroup), limit);
+
+       // Set value
+       r = pakfire_cgroup_write(cgroup, "pids.max", "%zu\n", limit);
+       if (r)
+               ERROR(cgroup->pakfire, "%s: Could not set PID limit: %m\n",
+                       pakfire_cgroup_name(cgroup));
+
+       return r;
+}
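Review bot: `pakfire_cgroup_set_pid_limit` writes `limit` verbatim into `pids.max`, so a caller passing 0 gets a cgroup in which no new task can be created, and nothing here can restore the kernel's `max` (unlimited) setting. If 0 is not meant to be a usable limit, reject it before the write using the file's usual error convention, or document it as "block all forks". The function also has no header comment; something like `// Caps the number of tasks (processes and threads) in this cgroup and its descendants; tasks already running are not killed, only further fork()/clone() calls fail` would spell out the contract. Callers relying on this as containment should know the limit only takes effect for processes actually attached to the cgroup.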
index 1d5251afdac8611456b2bff27fafad2541bd18f2..b16aebad75eeace0415762237c68c139f1fb4a6d 100644 (file)
@@ -50,6 +50,9 @@ int pakfire_cgroup_fd(struct pakfire_cgroup* cgroup);
 int pakfire_cgroup_set_guaranteed_memory(struct pakfire_cgroup* cgroup, size_t mem);
 int pakfire_cgroup_set_memory_limit(struct pakfire_cgroup* cgroup, size_t mem);
 
+// PIDs
+int pakfire_cgroup_set_pid_limit(struct pakfire_cgroup* cgroup, size_t limit);
+
 #endif /* PAKFIRE_PRIVATE */
 
 #endif /* PAKFIRE_CGROUP_H */
index b701a6346f8c70126c33cc94a8b89af9eddbe99c..aec50e2c8adf03d1c5afc1bdffbbe26421975053 100644 (file)
@@ -197,6 +197,44 @@ FAIL:
        return r;
 }
 
+static int test_pid_limit(const struct test* t) {
+       struct pakfire_cgroup* cgroup = NULL;
+       struct pakfire_jail* jail = NULL;
+       int r = EXIT_FAILURE;
+
+       const char* argv[] = {
+               "/command", "fork-bomb", NULL,
+       };
+
+       // Create cgroup
+       ASSERT_SUCCESS(pakfire_cgroup_open(&cgroup, t->pakfire, "pakfire-test", 0));
+
+       // Create jail
+       ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire, 0));
+
+       // Connect jail to the cgroup
+       ASSERT_SUCCESS(pakfire_jail_set_cgroup(jail, cgroup));
+
+       // Set a PID limit of 100 processes
+       ASSERT_SUCCESS(pakfire_cgroup_set_pid_limit(cgroup, 100));
+
+       // Try to fork as many processes as possible
+       ASSERT_FAILURE(pakfire_jail_exec(jail, argv, NULL));
+
+       // Success
+       r = EXIT_SUCCESS;
+
+FAIL:
+       if (jail)
+               pakfire_jail_unref(jail);
+       if (cgroup) {
+               pakfire_cgroup_destroy(cgroup);
+               pakfire_cgroup_unref(cgroup);
+       }
+
+       return r;
+}
+
 int main(int argc, const char* argv[]) {
        testsuite_add_test(test_create);
        testsuite_add_test(test_env);
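Review bot: `ASSERT_FAILURE(pakfire_jail_exec(jail, argv, NULL))` in `test_pid_limit` presumably passes on any failing result, so the test would also go green if `/command` were missing or the jail failed to start for an unrelated reason, without `pids.max` ever being reached. To tie the failure to the limit, additionally check that the `max` counter in the cgroup's `pids.events` is non-zero after the exec, or assert the specific exit code the helper returns when fork fails. The fork-heavy helper is contained only by the limit under test, so a comment such as `// Relies on the jail being attached to the cgroup before exec; otherwise the helper runs unbounded on the test host` would make that dependency explicit. `main` continues past the end of this hunk.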
@@ -204,6 +242,7 @@ int main(int argc, const char* argv[]) {
        testsuite_add_test(test_launch_into_cgroup);
        testsuite_add_test(test_nice);
        testsuite_add_test(test_memory_limit);
+       testsuite_add_test(test_pid_limit);
 
        return testsuite_run(argc, argv);
 }