From 69f0b28f6a434831f7b81fdea656da275b4eb068 Mon Sep 17 00:00:00 2001
From: David King
Date: Wed, 7 Feb 2018 14:37:24 +0000
Subject: [PATCH 1/2] bus: raise fd limits before dropping privs
Startup ordering was changed in #92832 to ensure that SELinux audit messages could be sent. As a side effect, the raising of file descriptor limits was moved to after the dropping of root privileges, resulting in the limit change always failing. Move the raise_file_descriptor_limit() call to ensure that it is called before dropping root privileges.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1529044
[smcv: Call raise_file_descriptor_limit() even if !context->user]
Reviewed-by: Simon McVittie
---
 bus/bus.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/bus/bus.c b/bus/bus.c
index a6f8db47..abb2ea2f 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -738,8 +738,6 @@ process_config_postinit (BusContext *context,
 DBusHashTable *service_context_table;
 DBusList *watched_dirs = NULL;
- raise_file_descriptor_limit (context);
-
 service_context_table = bus_config_parser_steal_service_context_table (parser);
 if (!bus_registry_set_service_context_table (context->registry, service_context_table))
@@ -971,6 +969,11 @@ bus_context_new (const DBusString *config_file,
 !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe)) _dbus_pipe_close (print_pid_pipe, NULL);
+ /* Raise the file descriptor limits before dropping the privileges
+ * required to do so.
+ */
+ raise_file_descriptor_limit (context);
+
 /* Here we change our credentials if required,
 * as soon as we've set up our sockets and pidfile.
 * This must be done before initializing LSMs, so that the netlink
--
2.16.1
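Review bot: The `raise_file_descriptor_limit (context);` call added in the bus_context_new() hunk still gives the caller no indication of whether the limit was actually raised, and the commit message says the previous ordering made it fail every time without anyone noticing. The helper's body is outside this patch, so whether it logs anything is not visible here; if it does not, a warning on failure would make the next ordering regression, or a daemon started without the privilege to raise the limit, show up in the logs instead of as descriptor exhaustion under load. The new comment could also state the constraint as an invariant, e.g. `/* Must stay above the credentials change below: raising the limit needs privileges that are dropped there. */`. bus_context_new() starts and ends outside the hunk, so any early-return paths between this call and the privilege drop cannot be checked from here.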