main: bump RLIMIT_NOFILE for the root user substantially

On current kernels BPF_MAP_TYPE_LPM_TRIE bpf maps are charged against RLIMIT_MEMLOCK even for privileged users that have CAP_IPC_LOCK. Given that mlock() generally ignores RLIMIT_MEMLOCK if CAP_IPC_LOCK is set this appears to be an oversight in the kernel. Either way, until that's fixed, let's just bump RLIMIT_MEMLOCK for the root user considerably, as the default is quite limiting, and doesn't permit us to create more than a few TRIE maps.
2024-07-21 10:17:21 +00:00 · 2017-09-21 19:43:07 +02:00 · 2017-09-21 19:43:07 +02:00 · fb3ae275cb
parent c4ad3f43ef
commit fb3ae275cb
1 changed files with 26 additions and 2 deletions
--- a/src/core/main.c
+++ b/src/core/main.c
@ -1205,6 +1205,26 @@ static int bump_rlimit_nofile(struct rlimit *saved_rlimit) {
        return 0;
 }

+static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
+        int r;
+
+        assert(saved_rlimit);
+        assert(getuid() == 0);
+
+        /* BPF_MAP_TYPE_LPM_TRIE bpf maps are charged against RLIMIT_MEMLOCK, even though we have CAP_IPC_LOCK which
+         * should normally disable such checks. We need them to implement IPAccessAllow= and IPAccessDeny=, hence let's
+         * bump the value high enough for the root user. */
+
+        if (getrlimit(RLIMIT_MEMLOCK, saved_rlimit) < 0)
+                return log_warning_errno(errno, "Reading RLIMIT_MEMLOCK failed, ignoring: %m");
+
+        r = setrlimit_closest(RLIMIT_MEMLOCK, &RLIMIT_MAKE_CONST(1024ULL*1024ULL*16ULL));
+        if (r < 0)
+                return log_warning_errno(r, "Setting RLIMIT_MEMLOCK failed, ignoring: %m");
+
+        return 0;
+}
+
 static void test_usr(void) {

        /* Check that /usr is not a separate fs */
@ -1388,7 +1408,7 @@ int main(int argc, char *argv[]) {
        bool queue_default_job = false;
        bool empty_etc = false;
        char *switch_root_dir = NULL, *switch_root_init = NULL;
-        struct rlimit saved_rlimit_nofile = RLIMIT_MAKE_CONST(0);
+        struct rlimit saved_rlimit_nofile = RLIMIT_MAKE_CONST(0), saved_rlimit_memlock = RLIMIT_MAKE_CONST((rlim_t) -1);
        const char *error_message = NULL;

 #ifdef HAVE_SYSV_COMPAT
@ -1815,9 +1835,11 @@ int main(int argc, char *argv[]) {
                        if (prctl(PR_SET_CHILD_SUBREAPER, 1) < 0)
                                log_warning_errno(errno, "Failed to make us a subreaper: %m");

-                if (arg_system)
+                if (arg_system) {
                        /* Bump up RLIMIT_NOFILE for systemd itself */
                        (void) bump_rlimit_nofile(&saved_rlimit_nofile);
+                        (void) bump_rlimit_memlock(&saved_rlimit_memlock);
+                }
        }

        r = manager_new(arg_system ? UNIT_FILE_SYSTEM : UNIT_FILE_USER,
@ -2051,6 +2073,8 @@ finish:
                 * its child processes */
                if (saved_rlimit_nofile.rlim_cur > 0)
                        (void) setrlimit(RLIMIT_NOFILE, &saved_rlimit_nofile);
+                if (saved_rlimit_memlock.rlim_cur != (rlim_t) -1)
+                        (void) setrlimit(RLIMIT_MEMLOCK, &saved_rlimit_memlock);

                if (switch_root_dir) {
                        /* Kill all remaining processes from the