
TUNERLIMIT 0.1
===============

by Kevin Pulo, kev@pulo.com.au
http://www.kev.pulo.com.au/libsysconfcpus/
Copyright (c) 2009
Licensed under the GNU GPL v2 or higher, as per the COPYING file.


DESCRIPTION
-----------

tunerlimit is a preload library that allows some fine-tuning of when calls to
setrlimit(2) are allowed, and when they are "blocked".  This can be useful in
situations where, for example, SELinux policies cause programs to fail
completely when making trivial or idempotent calls to setrlimit().

I like to run gpg (GnuPG command line utility) in one of my procmail rules, so
that when I receive mail that is validly signed I can add a "whitelist" header
to the email.  When the host that receives mail was upgraded to use SELinux,
this was failing because gpg likes to call

    setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0})

This makes perfect sense, since GnuPG doesn't want to accidentally dump any
sensitive information to disk in a core dump.  Unfortunately, SELinux was
configured to forbid such calls from the restricted procmail_t context, giving
rise to syslog entries like

    setroubleshoot: SELinux is preventing gpg (procmail_t) "setrlimit" to <Unknown> (procmail_t).

Running ulimit -c from the surrounding shell script confirmed that the current
core limit was indeed 0, and that gpg is just being extra cautious by
setting the hard limit to 0 as well.

I didn't want to change the policy to allow constrained processes access to
setrlimit(), since that might have unintended consequences for constrained
processes running as root.  So tunerlimit is the solution that addresses these
sorts of narrow problems.


INSTALLATION
------------

Standard autoconf process:  ./configure && make && make install


USAGE
-----

    tunerlimit [options] <program> [args...]

Valid options are:

    -v, --version   Display the tunerlimit version
    -h, --help      Display this help
    -d, --debug     Display debug info

  Which type of calls to block:
    -a, --all         Block all calls to setrlimit()
    -i, --idempotent  Block only idempotent calls to setrlimit() (default)

  Which resources to block:
    -r, --resources <list>  List which resources to block, where <list>
                            is a space or comma separated list of names.
                            Valid resource names are:
                              ALL (all resources)
                              NONE (no resources)
                              AS
                              CORE
                              CPU
                              DATA
                              FSIZE
                              LOCKS
                              MEMLOCK
                              MSGQUEUE
                              NICE
                              NOFILE
                              NPROC
                              RSS
                              RTPRIO
                              SIGPENDING
                              STACK

  What to return:
    -s, --success  Return success for blocked calls
    -f, --fail     Return indeterminate failure for blocked calls
    --fail-fault   Return EFAULT failure for blocked calls
    --fail-inval   Return EINVAL failure for blocked calls
    --fail-perm    Return EPERM failure for blocked calls (default)
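As an added illustration, not tunerlimit's own code, here is the decision logic a setrlimit(2) preload wrapper would apply in the terms of the options above: parse a --resources list into a mask, then decide whether a given call is blocked under --all or --idempotent. The tl_* names are hypothetical, the resource table is only the POSIX subset, and treating a call as idempotent when both the requested soft and hard limits already equal the current ones is this example's reading of the option description.

```c
#define _GNU_SOURCE
#include <string.h>
#include <strings.h>
#include <sys/resource.h>
enum tl_mode { TL_IDEMPOTENT, TL_ALL };   /* --idempotent (default) / --all */

/* Map a --resources name to its RLIMIT_* number, or -1 if unknown.
   Constructed subset: only the POSIX resources are listed here. */
static int tl_resource_id(const char *name)
{
    static const struct { const char *n; int id; } tab[] = {
        {"AS", RLIMIT_AS},       {"CORE", RLIMIT_CORE},   {"CPU", RLIMIT_CPU},
        {"DATA", RLIMIT_DATA},   {"FSIZE", RLIMIT_FSIZE}, {"NOFILE", RLIMIT_NOFILE},
        {"NPROC", RLIMIT_NPROC}, {"STACK", RLIMIT_STACK},
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcasecmp(name, tab[i].n) == 0)
            return tab[i].id;
    return -1;
}

/* Parse a space or comma separated list such as "as,core cpu" into a bitmask
   indexed by RLIMIT_* number.  Returns 0, or -1 on an unknown name. */
static int tl_parse_resources(const char *list, unsigned long *mask)
{
    char buf[256];
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    *mask = 0;
    for (char *tok = strtok(buf, " ,"); tok; tok = strtok(NULL, " ,")) {
        int id;
        if (strcasecmp(tok, "ALL") == 0)         *mask = ~0UL;
        else if (strcasecmp(tok, "NONE") == 0)   *mask = 0;
        else if ((id = tl_resource_id(tok)) < 0) return -1;
        else                                     *mask |= 1UL << id;
    }
    return 0;
}

/* 1 = block the call (the wrapper then returns its --success/--fail-* result),
   0 = pass it through to the real setrlimit().  Assumption: a call is
   idempotent when the requested soft and hard limits equal the current ones. */
static int tl_should_block(int resource, const struct rlimit *req,
                           enum tl_mode mode, unsigned long mask)
{
    struct rlimit cur;
    if (!(mask & (1UL << resource)))    return 0;  /* resource not covered */
    if (mode == TL_ALL)                 return 1;
    if (getrlimit(resource, &cur) != 0) return 0;  /* cannot tell; pass through */
    return cur.rlim_cur == req->rlim_cur && cur.rlim_max == req->rlim_max;
}
```

A real wrapper would export setrlimit(), look up the libc one with dlsym(RTLD_NEXT, "setrlimit"), and call it only when tl_should_block() returns 0.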


EXAMPLES
--------

$ test-rlimit 
...
$ tunerlimit test-rlimit 
...
$ tunerlimit --all test-rlimit 
...
$ tunerlimit --resources as,core,cpu test-rlimit 
...
$ 

Use --debug and/or strace(1) to follow when calls are being allowed and
disallowed.


LIMITATIONS
-----------

- Only dynamically linked binaries are supported: since tunerlimit is a
  preload library, setrlimit() calls made by a statically linked program
  cannot be intercepted.


FEEDBACK
--------

Comments, feature suggestions, bug reports, patches, etc are most
welcome, please send them to Kevin Pulo <kev@pulo.com.au>.


SEE ALSO
--------

setrlimit(2)
strace(1)
