rlimit: avoid performing the test and setting limit if its infinite#2032
rlimit: avoid performing the test and setting limit if its infinite#2032RonFed wants to merge 1 commit into
Conversation
Signed-off-by: Ron Federman <ron@odigos.io>
d6d33b8 to
f8894bb
Compare
|
@RonFed What problem does this solve? This defeats the purpose of the probe. Rlimit being set to infinity doesn't mean the kernel has memcg accounting. |
The main motivation is to avoid |
|
Okay, but your proposed fix still disables the probe, which is not what you'd want under any circumstance. There's also no guarantee that code running in between the probe and the first BPF() syscall doesn't lower rlimit. The import side effect of package Your program should tolerate errors from |
Can you please elaborate on that? As I understand it, the memcg probing is an internal detail which is used to determine whether we need to remove the limit or not - "is the kernel using memcg` is not part of the api of this package - so if we reach the same end conclusion (not raising the limit) without requiring extra capabilities, it sounds ok to me.
This is always correct, no? regardless of the suggested addition?
I see your point, and it is doable - but wouldn't it be nice if the library would identify the situation where |
Internal APIs should also do what they say on the tin, hence my pushback on disabling the probe. It will return a false positive if rlimit is set to infinite already.
My point is that the user can only be 'sure' of an infinite rlimit as soon as they've called RemoveMemlock() explicitly, since that triggers an action on their behalf. There may be other probes that try to fudge rlimit in a similar manner, or something may leave rlimit in an inconsistent state. What you're suggesting introduces an extra possibility for a TOCTOU error. Bail out when infinite, and make RemoveMemlock do nothing, even if something could've lowered the rlimit in the meantime. The import side effect is specifically designed in a way to reduce the likelihood of a false positive probe conclusion. Bailing out when infinite doesn't provide the same guarantees.
Unexpected means we bubble up to the user since we can't conclude anything. EPERM means the probe can't run, so the user will need to decide what to do with the error. If you run in an environment where setrlimit is not permitted, you'll obviously have to tolerate EPERM as well. The library should not make that assumption. All in all, I only see one solution if you want to go to greater lengths to hide the error: another getrlimit() at the start of RemoveMemlock, and returning nil if infinite. That would mean get -> set -> bpf() -> set in init() and get -> set in RemoveMemlock(). I think that's even worse. 🙂 Better to ask for forgiveness than permission, since the latter always incurs TOCTOU risk. |
If the current
rlimitis infinity, raising it will be a no-op, so we can skip the init test and the later potentialrlimitsyscall to raise it to infinity.