[ssh_x509] poll and OS limits summary

ssh_x509 at roumenpetrov.info
Fri Mar 4 20:24:51 EET 2022


The next patch is almost ready. It will include the following related to poll:
- one optimization (use a "packed" array of poll file descriptors in server_accept_loop()) and
- one enhancement (allow the 64-bit time compatible ppoll system call in secure computing mode) for new kernels on 32-bit systems.

Remarks according to the Open Group specification:
- the number of file descriptors in the poll argument cannot exceed the OPEN_MAX file limit;
- behavior is unexpected if RLIMIT_NOFILE is set to less than the highest currently open file descriptor + 1.

Unfortunately some inherited sandbox implementations set the maximum number of open files limit to zero.
Switching to poll requires the NOFILE limit to be increased.

Let me summarize the current status in PKIX-SSH.

Sandbox implementations capsicum, darwin, rlimit, and seccomp_filter set OS limits. PKIX-SSH release 13.3 unifies management of limits.

Let me review the used limits one by one.

The configure script checks "if setrlimit RLIMIT_FSIZE works". The test requires program execution and so does not work in the cross-compilation case. In PKIX-SSH the script is changed to use a cache variable - ssh_cv_rlimit_fsize_work. The variable could be used to disable limits.
Set to zero if enabled.

The configure script performs the standard check whether the symbol is declared. So the variable name is ac_cv_have_decl_RLIMIT_NPROC.
Set to zero if enabled.


The configuration test "if select works with descriptor rlimit" is related to the issue as the test sets the limit to zero. As a result, on POSIX compatible OSes where select is based on poll the test fails.
To avoid the limitation of this broken test, PKIX-SSH now uses a cache variable.
If needed you could set ssh_cv_select_rlimit_nofile_zero to yes.
Note that if the test passes you could enable the rlimit sandbox. This looks useful on UNIXes where no suitable sandbox exists and now could be activated.
Remark: the switch to poll obsoletes the test and the test will be removed in the future.

The configuration test "if setrlimit(RLIMIT_NOFILE,{0,0}) works" is another one that may prevent use of the rlimit sandbox. The test looks harmless and is expected to pass. Now it is useless, see below.
In PKIX-SSH it is controlled by the cache variable ssh_cv_setrlimit_nofile_zero.

Now the PKIX-SSH configuration script stops defining it for FreeBSD. This is because in all sandboxes the code sets the limit to one and the root reason is not applicable.

Another FreeBSD related point here is the capsicum sandbox. On ancient FreeBSD releases 9/10 ppoll is not enabled in capsicum. So capsicum is excluded for those releases. If needed, rlimit could be activated.

To ensure POSIX conformance the limit is set to one in all sandboxes. This makes the configure test for zero limits useless. Perhaps the test will be changed to test for {1,1}.

Roumen Petrov
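As an added example (not code from the post, nor from PKIX-SSH or its configure script), the following C program shows the interaction between RLIMIT_NOFILE and poll() that the post is about: on Linux, poll() fails with EINVAL when nfds exceeds the soft RLIMIT_NOFILE, so a sandbox that lowers the limit to {0,0} breaks every later poll() call, while a limit of one still allows polling a single descriptor (the {1,1} value the post mentions). The function name poll_with_nofile_limit and the pipe-based setup are my own; only the soft limit is lowered so that it can be restored afterwards. The EINVAL result is Linux behaviour and is assumed here; other systems may not enforce the limit in poll().

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/*
 * Lower the RLIMIT_NOFILE *soft* limit to `lim` (the hard limit is left
 * untouched so the soft limit can be raised back), then poll() `nfds`
 * descriptors of a freshly created pipe with a zero timeout.
 *
 * nfds == 1 polls the read end for POLLIN, nfds == 2 additionally polls the
 * write end for POLLOUT.  Both ends are ready, so a successful poll()
 * reports exactly nfds events.
 *
 * Returns 0 when poll() succeeds with the expected events, the errno that
 * poll() set when it fails (Linux: EINVAL when nfds > soft RLIMIT_NOFILE),
 * or -1 on setup failure / unexpected events.
 */
int poll_with_nofile_limit(rlim_t lim, nfds_t nfds)
{
    int fds[2];
    struct rlimit saved, lowered;
    struct pollfd pfds[2];
    int rc, err = 0;

    if (nfds < 1 || nfds > 2)
        return -1;
    if (pipe(fds) == -1)
        return -1;

    /* one byte in the pipe makes the read end readable without blocking */
    if (write(fds[1], "x", 1) != 1 ||
        getrlimit(RLIMIT_NOFILE, &saved) == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }

    lowered = saved;
    lowered.rlim_cur = lim;             /* soft limit only, rlim_max kept */
    if (setrlimit(RLIMIT_NOFILE, &lowered) == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }

    memset(pfds, 0, sizeof pfds);
    pfds[0].fd = fds[0]; pfds[0].events = POLLIN;
    pfds[1].fd = fds[1]; pfds[1].events = POLLOUT;

    rc = poll(pfds, nfds, 0);
    if (rc == -1)
        err = errno;                    /* e.g. EINVAL: nfds exceeds the limit */
    else if (rc != (int)nfds ||
             !(pfds[0].revents & POLLIN) ||
             (nfds == 2 && !(pfds[1].revents & POLLOUT)))
        err = -1;                       /* poll() "worked" but reported nonsense */

    /* raising the soft limit back up to rlim_max is always permitted */
    (void)setrlimit(RLIMIT_NOFILE, &saved);
    close(fds[0]);
    close(fds[1]);
    return err;
}

/* Stand-alone demonstration: what a {0,0} versus a {1,1} limit does to poll(). */
int main(void)
{
    struct { rlim_t lim; nfds_t nfds; } cases[] = { {0, 1}, {1, 1}, {1, 2} };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = poll_with_nofile_limit(cases[i].lim, cases[i].nfds);
        printf("RLIMIT_NOFILE soft=%lu, poll nfds=%lu -> %s\n",
               (unsigned long)cases[i].lim, (unsigned long)cases[i].nfds,
               r == 0 ? "ok" : r > 0 ? strerror(r) : "unexpected result");
    }
    return 0;
}
```

With the limit at zero even a single descriptor cannot be polled, which is why a sandbox inheriting setrlimit(RLIMIT_NOFILE, {0,0}) cannot coexist with a poll()-based main loop; with the limit at one a single descriptor polls fine and only a second one is refused. Note that the pipe descriptors (3 and 4 here) stay open and usable while the soft limit is 1; the limit constrains new descriptors and the poll() nfds argument, not descriptors that are already open.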
