From: Timo Sirainen
Date: Wed, 9 Nov 2011 16:30:27 +0000 (+0200)
Subject: restrict_process_size() API changes.
X-Git-Tag: 2.1.rc1~92
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ebd0c59de5f8240c0dbc58773fe5679391199db;p=thirdparty%2Fdovecot%2Fcore.git

restrict_process_size() API changes.
---

diff --git a/src/lib/restrict-process-size.c b/src/lib/restrict-process-size.c
index 75a11275cf..7a7178b966 100644
--- a/src/lib/restrict-process-size.c
+++ b/src/lib/restrict-process-size.c
@@ -5,48 +5,47 @@
 #include
-void restrict_process_size(unsigned int size ATTR_UNUSED,
- unsigned int max_processes ATTR_UNUSED)
+void restrict_process_size(rlim_t bytes)
 {
-#ifdef HAVE_SETRLIMIT
 struct rlimit rlim;
-#ifdef HAVE_RLIMIT_NPROC
- if (max_processes < INT_MAX) {
- rlim.rlim_max = rlim.rlim_cur = max_processes;
- if (setrlimit(RLIMIT_NPROC, &rlim) < 0)
- i_fatal("setrlimit(RLIMIT_NPROC, %u): %m", size);
+ rlim.rlim_max = rlim.rlim_cur = bytes;
+ if (setrlimit(RLIMIT_DATA, &rlim) < 0) {
+ i_fatal("setrlimit(RLIMIT_DATA, %llu): %m",
+ (unsigned long long)bytes);
 }
-#endif
-
- if (size > 0 && size < INT_MAX/1024/1024) {
- rlim.rlim_max = rlim.rlim_cur = size*1024*1024;
-
- if (setrlimit(RLIMIT_DATA, &rlim) < 0)
- i_fatal("setrlimit(RLIMIT_DATA, %u): %m", size);
 #ifdef HAVE_RLIMIT_AS
- if (setrlimit(RLIMIT_AS, &rlim) < 0)
- i_fatal("setrlimit(RLIMIT_AS, %u): %m", size);
-#endif
+ if (setrlimit(RLIMIT_AS, &rlim) < 0) {
+ i_fatal("setrlimit(RLIMIT_AS, %llu): %m",
+ (unsigned long long)bytes);
 }
-#else
- if (size != 0) {
- i_warning("Can't restrict process size: "
- "setrlimit() not supported by system. "
- "Set the limit to 0 to hide this warning.");
+#endif
+}
+
+void restrict_process_count(rlim_t count ATTR_UNUSED)
+{
+#ifdef HAVE_RLIMIT_NPROC
+ struct rlimit rlim;
+
+ rlim.rlim_max = rlim.rlim_cur = count;
+ if (setrlimit(RLIMIT_NPROC, &rlim) < 0) {
+ i_fatal("setrlimit(RLIMIT_NPROC, %llu): %m",
+ (unsigned long long)count);
 }
 #endif
 }
-void restrict_fd_limit(unsigned int count)
+void restrict_fd_limit(rlim_t count)
 {
 #ifdef HAVE_SETRLIMIT
 struct rlimit rlim;
 rlim.rlim_cur = rlim.rlim_max = count;
- if (setrlimit(RLIMIT_NOFILE, &rlim) < 0)
- i_error("setrlimit(RLIMIT_NOFILE, %u): %m", count);
+ if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
+ i_error("setrlimit(RLIMIT_NOFILE, %llu): %m",
+ (unsigned long long)count);
+ }
 #endif
 }
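Review bot: restrict_process_size() now hands `bytes` to setrlimit() exactly as given, because the removed `size > 0 && size < INT_MAX/1024/1024` test has no replacement; a 0 that the old code skipped now becomes a zero-byte RLIMIT_DATA (and RLIMIT_AS where available). The service-process.c caller in this commit tests for 0 first, but that contract lives only in the callers, so I would state it at the top of the function: `/* bytes is applied verbatim; callers must skip the call when no limit is wanted */`. The function also lost its `#ifdef HAVE_SETRLIMIT` guard while restrict_fd_limit() directly below keeps one, so either both need the guard or neither does.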
@@ -65,3 +64,19 @@ int restrict_get_core_limit(rlim_t *limit_r)
 return -1;
 #endif
 }
+
+int restrict_get_process_limit(rlim_t *limit_r)
+{
+#ifdef HAVE_RLIMIT_NPROC
+ struct rlimit rlim;
+
+ if (getrlimit(RLIMIT_NPROC, &rlim) < 0) {
+ i_error("getrlimit(RLIMIT_NPROC) failed: %m");
+ return -1;
+ }
+ *limit_r = rlim.rlim_cur;
+ return 0;
+#else
+ return -1;
+#endif
+}
diff --git a/src/lib/restrict-process-size.h b/src/lib/restrict-process-size.h
index 1e60a69cfa..d4d71b0e03 100644
--- a/src/lib/restrict-process-size.h
+++ b/src/lib/restrict-process-size.h
@@ -6,13 +6,16 @@
 # include
 #endif
-/* Restrict max. process size. The size is in megabytes, setting it to
- (unsigned int)-1 sets it unlimited. */
-void restrict_process_size(unsigned int size, unsigned int max_processes);
+/* Restrict max. process size. */
+void restrict_process_size(rlim_t bytes);
+/* Restrict max. number of processes. */
+void restrict_process_count(rlim_t count);
 /* Set fd limit to count. */
-void restrict_fd_limit(unsigned int count);
+void restrict_fd_limit(rlim_t count);
 /* Get the core dump size limit. Returns 0 if ok, -1 if lookup failed. */
 int restrict_get_core_limit(rlim_t *limit_r);
+/* Get the process count limit. Returns 0 if ok, -1 if lookup failed. */
+int restrict_get_process_limit(rlim_t *limit_r);
 #endif
diff --git a/src/login-common/main.c b/src/login-common/main.c
index cbedde2f0e..9ec87994a8 100644
--- a/src/login-common/main.c
+++ b/src/login-common/main.c
@@ -291,7 +291,7 @@ static void main_preinit(bool allow_core_dumps)
 static void main_init(const char *login_socket)
 {
 /* make sure we can't fork() */
- restrict_process_size((unsigned int)-1, 1);
+ restrict_process_count(1);
 if (restrict_access_get_current_chroot() == NULL) {
 if (chdir("login") < 0)
diff --git a/src/master/service-process.c b/src/master/service-process.c
index 5131f3beff..41dc31b134 100644
--- a/src/master/service-process.c
+++ b/src/master/service-process.c
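Review bot: restrict_get_process_limit() in restrict-process-size.c returns -1 from its `#else` branch without logging and leaves `*limit_r` unwritten on both failure paths, so a caller cannot tell "RLIMIT_NPROC is not available here" from a failed getrlimit() and must not read the output after -1. On success the stored `rlim.rlim_cur` can be RLIM_INFINITY, which any caller comparing it against a configured process count has to handle. A comment above the function would cover both: `/* On -1 (lookup failed or RLIMIT_NPROC unsupported) *limit_r is untouched; on 0 it may be RLIM_INFINITY. */`.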
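Review bot: In restrict-process-size.h the new comment on restrict_process_size() drops the two facts a caller needs after this signature change: the unit, and how to ask for no limit. The old text gave both (megabytes, `(unsigned int)-1`); the parameter name `bytes` now hints at the unit, but the unlimited value is undocumented and every existing caller had to be converted by hand. I would write `/* Restrict max. process size to the given number of bytes. */` and add the sentinel the authors intend for "unlimited" (presumably RLIM_INFINITY, to be confirmed). The comment on restrict_process_count() could likewise say that it does nothing on platforms without RLIMIT_NPROC.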
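Review bot: In src/login-common/main.c the comment `/* make sure we can't fork() */` promises more than `restrict_process_count(1)` delivers. As added in restrict-process-size.c by this commit, the function body is empty when HAVE_RLIMIT_NPROC is undefined, and on Linux RLIMIT_NPROC is counted per real user ID and is not enforced for a process holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so the limit only takes effect once privileges are dropped; that ordering is outside this hunk. I would reword the comment to `/* best effort: RLIMIT_NPROC=1 stops fork() only for an unprivileged process on platforms that have the limit */` so it is not read as the sole barrier for the pre-auth login process. main_init()'s body continues past the hunk.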
@@ -157,7 +157,7 @@ drop_privileges(struct service *service)
 unsigned int len;
 if (service->vsz_limit != 0)
- restrict_process_size(service->vsz_limit/1024/1024, -1U);
+ restrict_process_size(service->vsz_limit);
 restrict_access_init(&rset);
 rset.uid = service->uid;
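Review bot: `service->vsz_limit` now reaches setrlimit() unscaled and with no range check, and its declared type is not visible in this hunk. If that type is wider than `rlim_t` on some target, the implicit conversion at the call truncates silently and the service runs with a different RLIMIT_DATA/RLIMIT_AS than configured; a value that truncates to something tiny makes the process fail on its first allocations. I would check the range explicitly before the call and record the unit next to it, e.g. `/* vsz_limit is in bytes and is applied verbatim as RLIMIT_DATA/RLIMIT_AS */`. drop_privileges() starts and ends outside the hunk.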