From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 3 May 2018 17:13:27 +0000 (+0200)
Subject: rlimit-util: introduce setrlimit_closest_all()
X-Git-Tag: v239~243^2~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34a5df58da0bdc1a5ff81c563e73216943b1f96f;p=thirdparty%2Fsystemd.git

rlimit-util: introduce setrlimit_closest_all()

This new call applies all configured resource limits in one.
---

diff --git a/src/basic/rlimit-util.c b/src/basic/rlimit-util.c
index 7bae9f0ad0c..dccc4e60e1a 100644
--- a/src/basic/rlimit-util.c
+++ b/src/basic/rlimit-util.c
@@ -42,6 +42,32 @@ int setrlimit_closest(int resource, const struct rlimit *rlim) {
         return 0;
 }
 
+int setrlimit_closest_all(const struct rlimit *const *rlim, int *which_failed) {
+        int i, r;
+
+        assert(rlim);
+
+        /* On failure returns the limit's index that failed in *which_failed, but only if non-NULL */
+
+        for (i = 0; i < _RLIMIT_MAX; i++) {
+                if (!rlim[i])
+                        continue;
+
+                r = setrlimit_closest(i, rlim[i]);
+                if (r < 0) {
+                        if (which_failed)
+                                *which_failed = i;
+
+                        return r;
+                }
+        }
+
+        if (which_failed)
+                *which_failed = -1;
+
+        return 0;
+}
+
 static int rlimit_parse_u64(const char *val, rlim_t *ret) {
         uint64_t u;
         int r;
diff --git a/src/basic/rlimit-util.h b/src/basic/rlimit-util.h
index 067e040c61b..d50fd38c2e2 100644
--- a/src/basic/rlimit-util.h
+++ b/src/basic/rlimit-util.h
@@ -16,6 +16,7 @@ int rlimit_from_string(const char *s) _pure_;
 int rlimit_from_string_harder(const char *s) _pure_;
 
 int setrlimit_closest(int resource, const struct rlimit *rlim);
+int setrlimit_closest_all(const struct rlimit * const *rlim, int *which_failed);
 
 int rlimit_parse_one(int resource, const char *val, rlim_t *ret);
 int rlimit_parse(int resource, const char *val, struct rlimit *ret);
diff --git a/src/core/execute.c b/src/core/execute.c
index 3349bbaccbf..9781b7d9200 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2727,7 +2727,7 @@ static int exec_child(
 #endif
         uid_t uid = UID_INVALID;
         gid_t gid = GID_INVALID;
-        int i, r, ngids = 0;
+        int r, ngids = 0;
         size_t n_fds;
         ExecDirectoryType dt;
         int secure_bits;
@@ -3167,17 +3167,12 @@ static int exec_child(
 
         if (needs_sandboxing) {
                 uint64_t bset;
+                int which_failed;
 
-                for (i = 0; i < _RLIMIT_MAX; i++) {
-
-                        if (!context->rlimit[i])
-                                continue;
-
-                        r = setrlimit_closest(i, context->rlimit[i]);
-                        if (r < 0) {
-                                *exit_status = EXIT_LIMITS;
-                                return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(i));
-                        }
+                r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
+                if (r < 0) {
+                        *exit_status = EXIT_LIMITS;
+                        return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
                 }
 
                 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */