upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148)

2020-03-26 18:53:44 +08:00 · 2020-03-26 18:53:44 +08:00 · 72a557140c
parent 5d1ef1f39f
commit 72a557140c
2 changed files with 154 additions and 2 deletions
--- a/sudo-1.9-RLIMIT_CORE.patch
+++ b/sudo-1.9-RLIMIT_CORE.patch
@ -0,0 +1,149 @@
+ changeset 12288:1064b906ca68
+
+Ignore a failure to restore the RLIMIT_CORE resource limit.
+Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
+if we set the limit to zero, even for root.  This is not a problem
+outside the container.
+author 	Todd C. Miller <Todd.Miller@sudo.ws>
+date 	Sat, 14 Mar 2020 11:13:55 -0600
+parents 	72ca06a294b4
+children 	40629e6fd692
+files 	src/limits.c
+diffstat 	1 files changed, 61 insertions(+), 10 deletions(-) [+]
+line wrap: on
+ line diff
+
+--- a/src/limits.c	Thu Mar 12 17:39:56 2020 -0600
+++ b/src/limits.c	Sat Mar 14 11:13:55 2020 -0600
+@@ -114,13 +114,21 @@
+
+     if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
+ 	sudo_warn("getrlimit(RLIMIT_CORE)");
+    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
+	(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
+     if (setrlimit(RLIMIT_CORE, &rl) == -1)
+ 	sudo_warn("setrlimit(RLIMIT_CORE)");
+ #ifdef __linux__
+     /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
+-    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
+    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+	    "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
+ 	dumpflag = 0;
+-    (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
+    }
+    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+	    "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+    }
+ #endif /* __linux__ */
+     coredump_disabled = true;
+
+@@ -136,10 +144,20 @@
+     debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
+
+     if (coredump_disabled) {
+-	if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
+-	    sudo_warn("setrlimit(RLIMIT_CORE)");
+	/*
+	 * Linux containers don't allow RLIMIT_CORE to be set back to
+	 * RLIM_INFINITY if we set the limit to zero, even for root.
+	 */
+	if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+		"setrlimit(RLIMIT_CORE, [%lld, %lld])",
+		(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
+	}
+ #ifdef __linux__
+-	(void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
+	if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+		"prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+	}
+ #endif /* __linux__ */
+     }
+     debug_return;
+@@ -162,8 +180,14 @@
+
+     if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
+ 	sudo_warn("getrlimit(RLIMIT_NPROC)");
+    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
+	(long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
+     if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
+ 	rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
+	sudo_debug_printf(SUDO_DEBUG_INFO,
+	    "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
+	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
+	    (long long)rl.rlim_cur, (long long)rl.rlim_max);
+ 	if (setrlimit(RLIMIT_NPROC, &rl) != 0)
+ 	    sudo_warn("setrlimit(RLIMIT_NPROC)");
+     }
+@@ -180,8 +204,11 @@
+ #ifdef __linux__
+     debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
+
+-    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
+-	sudo_warn("setrlimit(RLIMIT_NPROC)");
+    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+	    "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
+	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
+    }
+
+     debug_return;
+ #endif /* __linux__ */
+@@ -203,6 +230,11 @@
+ 	struct saved_limit *lim = &saved_limits[idx];
+ 	if (getrlimit(lim->resource, &lim->oldlimit) == -1)
+ 	    continue;
+	sudo_debug_printf(SUDO_DEBUG_INFO,
+	    "getrlimit(lim->name) -> [%lld, %lld]",
+	    (long long)lim->oldlimit.rlim_cur,
+	    (long long)lim->oldlimit.rlim_max);
+
+ 	lim->saved = true;
+ 	if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
+ 	    /* Don't reduce the soft resource limit. */
+@@ -217,13 +249,28 @@
+ 		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
+ 	}
+ 	if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
+-	    if (lim->fallback != NULL)
+-		rc = setrlimit(lim->resource, lim->fallback);
+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+		"setrlimit(%s, [%lld, %lld])", lim->name,
+		(long long)lim->newlimit.rlim_cur,
+		(long long)lim->newlimit.rlim_max);
+	    if (lim->fallback != NULL) {
+		if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
+		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+			"setrlimit(%s, [%lld, %lld])", lim->name,
+			(long long)lim->fallback->rlim_cur,
+			(long long)lim->fallback->rlim_max);
+		}
+	    }
+ 	    if (rc == -1) {
+ 		/* Try setting new rlim_cur to old rlim_max. */
+ 		lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
+ 		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
+-		rc = setrlimit(lim->resource, &lim->newlimit);
+		if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
+		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+			"setrlimit(%s, [%lld, %lld])", lim->name,
+			(long long)lim->newlimit.rlim_cur,
+			(long long)lim->newlimit.rlim_max);
+		}
+ 	    }
+ 	    if (rc == -1)
+ 		sudo_warn("setrlimit(%s)", lim->name);
+@@ -254,6 +301,10 @@
+ 		if (rc != -1 || errno != EINVAL)
+ 		    break;
+
+		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+		    "setrlimit(%s, [%lld, %lld])", lim->name,
+		    (long long)rl.rlim_cur, (long long)rl.rlim_max);
+
+ 		/*
+ 		 * Soft limit could be lower than current resource usage.
+ 		 * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.
--- a/sudo.spec
+++ b/sudo.spec
@ -27,6 +27,8 @@ BuildRequires: zlib-devel

 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
+# https://www.sudo.ws/repos/sudo/rev/1064b906ca68
+Patch2: sudo-1.9-RLIMIT_CORE.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -51,6 +53,7 @@ plugins that use %{name}.
 %setup -q -n %{name}-%{upstream_version}

 %patch1 -p1 -b .strip
+%patch2 -p1 -b .orig

 %build
 # Remove bundled copy of zlib
@ -205,6 +208,8 @@ EOF
 * Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
 - update to latest development version 1.9.0b4
 Resolves: rhbz#1816593
+- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
+Resolves: rhbz#1773148

 * Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
 - update to latest development version 1.9.0b1
@ -219,8 +224,6 @@ Resolves: rhbz#1786709
 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
 Resolves: rhbz#1786705
 - fixes CVE-2019-19232
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
-Resolves: rhbz#1773148

 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild