From: Michael Tremer
Date: Tue, 9 Aug 2022 16:32:26 +0000 (+0000)
Subject: cgroup: Add option to control the amount of PIDs
X-Git-Tag: 0.9.28~535
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3b93302a71459454d068da5d894c29e558025bc;p=pakfire.git

cgroup: Add option to control the amount of PIDs

Signed-off-by: Michael Tremer
---
diff --git a/src/libpakfire/cgroup.c b/src/libpakfire/cgroup.c
index def656c8b..00d7f96e8 100644
--- a/src/libpakfire/cgroup.c
+++ b/src/libpakfire/cgroup.c
@@ -697,3 +697,25 @@ int pakfire_cgroup_set_memory_limit(struct pakfire_cgroup* cgroup, size_t mem) {
 return r;
 }
+
+// PIDs
+
+int pakfire_cgroup_set_pid_limit(struct pakfire_cgroup* cgroup, size_t limit) {
+ int r;
+
+ // Enable PID controller
+ r = pakfire_cgroup_enable_controllers(cgroup, PAKFIRE_CGROUP_CONTROLLER_PIDS);
+ if (r)
+ return r;
+
+ DEBUG(cgroup->pakfire, "%s: Setting PID limit to %zu\n",
+ pakfire_cgroup_name(cgroup), limit);
+
+ // Set value
+ r = pakfire_cgroup_write(cgroup, "pids.max", "%zu\n", limit);
+ if (r)
+ ERROR(cgroup->pakfire, "%s: Could not set PID limit: %m\n",
+ pakfire_cgroup_name(cgroup));
+
+ return r;
+}
diff --git a/src/libpakfire/include/pakfire/cgroup.h b/src/libpakfire/include/pakfire/cgroup.h
index 1d5251afd..b16aebad7 100644
--- a/src/libpakfire/include/pakfire/cgroup.h
+++ b/src/libpakfire/include/pakfire/cgroup.h
@@ -50,6 +50,9 @@ int pakfire_cgroup_fd(struct pakfire_cgroup* cgroup);
 int pakfire_cgroup_set_guaranteed_memory(struct pakfire_cgroup* cgroup, size_t mem);
 int pakfire_cgroup_set_memory_limit(struct pakfire_cgroup* cgroup, size_t mem);
+// PIDs
+int pakfire_cgroup_set_pid_limit(struct pakfire_cgroup* cgroup, size_t limit);
+
 #endif /* PAKFIRE_PRIVATE */
 #endif /* PAKFIRE_CGROUP_H */
diff --git a/tests/libpakfire/jail.c b/tests/libpakfire/jail.c
index b701a6346..aec50e2c8 100644
--- a/tests/libpakfire/jail.c
+++ b/tests/libpakfire/jail.c
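Review bot: In src/libpakfire/cgroup.c, `pakfire_cgroup_set_pid_limit()` writes `limit` straight into `pids.max` without saying what the number counts or what 0 means. The kernel counts tasks there (threads as well as processes) and enforces the cap only at fork()/clone(), so processes that are already in the cgroup, or are moved into it later, are not held back by it; 0 is accepted and stops every new task. I would put `// Caps the number of tasks (threads included) in this cgroup and its children; enforced at fork/clone only, so set it before the jail starts` above the function, and either reject 0 or document it. As written there is also no way to lift the limit again, since the kernel expects the literal `max` for that.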
@@ -197,6 +197,44 @@ FAIL:
 return r;
 }
+static int test_pid_limit(const struct test* t) {
+ struct pakfire_cgroup* cgroup = NULL;
+ struct pakfire_jail* jail = NULL;
+ int r = EXIT_FAILURE;
+
+ const char* argv[] = {
+ "/command", "fork-bomb", NULL,
+ };
+
+ // Create cgroup
+ ASSERT_SUCCESS(pakfire_cgroup_open(&cgroup, t->pakfire, "pakfire-test", 0));
+
+ // Create jail
+ ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire, 0));
+
+ // Connect jail to the cgroup
+ ASSERT_SUCCESS(pakfire_jail_set_cgroup(jail, cgroup));
+
+ // Set a PID limit of 100 processes
+ ASSERT_SUCCESS(pakfire_cgroup_set_pid_limit(cgroup, 100));
+
+ // Try to fork as many processes as possible
+ ASSERT_FAILURE(pakfire_jail_exec(jail, argv, NULL));
+
+ // Success
+ r = EXIT_SUCCESS;
+
+FAIL:
+ if (jail)
+ pakfire_jail_unref(jail);
+ if (cgroup) {
+ pakfire_cgroup_destroy(cgroup);
+ pakfire_cgroup_unref(cgroup);
+ }
+
+ return r;
+}
+
 int main(int argc, const char* argv[]) {
 testsuite_add_test(test_create);
 testsuite_add_test(test_env);
@@ -204,6 +242,7 @@ int main(int argc, const char* argv[]) {
 testsuite_add_test(test_launch_into_cgroup);
 testsuite_add_test(test_nice);
 testsuite_add_test(test_memory_limit);
+ testsuite_add_test(test_pid_limit);
 return testsuite_run(argc, argv);
 }
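Review bot: In `test_pid_limit`, `ASSERT_FAILURE(pakfire_jail_exec(jail, argv, NULL))` passes on any non-zero result, so the test also succeeds when `/command fork-bomb` fails for an unrelated reason (helper missing, jail setup error) and then shows nothing about `pids.max`. The test also relies on that single limit to contain a fork bomb on the machine running the suite; if the jail were not actually placed in the cgroup, the run would be unbounded. I would add a second bound before the exec, for example `ASSERT_SUCCESS(pakfire_cgroup_set_memory_limit(cgroup, <limit>));` with a value chosen for the test host, and mark the weak assertion with `// any non-zero exit passes; this does not show the PID limit fired`. The return value of `pakfire_cgroup_destroy()` on the FAIL path is ignored, so a cgroup left behind with surviving tasks would go unnoticed.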