Bug 2215525

Summary: fapolicyd needs to make sure the FD limit is never reached
Product: Red Hat Enterprise Linux 9 Reporter: Radovan Sroka <rsroka>
Component: fapolicydAssignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.2CC: dapospis, qe-baseos-security, qguo, rmetrich, sgrubb, tnagata
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2181470 Environment:
Last Closed: 2023-06-16 12:03:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2181470    
Bug Blocks:    

Description Radovan Sroka 2023-06-16 11:19:49 UTC 
+++ This bug was initially created as a clone of Bug #2181470 +++

Description of problem:

Since the queue size (q_size) can be set to a large value, it's necessary for fapolicyd to ensure the current soft limit won't be reached, or else some undefined behavior may happen (I didn't check what would be the consequence yet).

By default, fapolicyd service use has a soft limit of 1024:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# cat /proc/1792/limits 
Limit                     Soft Limit           Hard Limit           Units     
[...]
Max open files            1024                 262144               files     
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Potentially, if a customer sets a larger q_size than RHEL's default (640), e.g. uses the default value from manpage (1024), it's possible the limit gets reached.

Version-Release number of selected component (if applicable):

fapolicyd-1.1.3-8.el8_7.1.x86_64

How reproducible:

N/A

--- Additional comment from Steve Grubb on 2023-03-24 16:07:28 UTC ---

NOFILE gets set to infinity: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/daemon/fapolicyd.c#L516

I don't think we have a problem here.

--- Additional comment from Steve Grubb on 2023-03-24 17:20:09 UTC ---

Actually...systemd is the problem. Anyone wanting more can add LimitNOFILE=16383  or whatever they want. I'll add this to the upstream service file. Also looks like systemd prohibits changing priority as well.

--- Additional comment from Takayuki Nagata on 2023-03-27 07:26:20 UTC ---

> Since the queue size (q_size) can be set to a large value, it's necessary for fapolicyd to ensure the current soft limit won't be reached, or else some undefined behavior may happen (I didn't check what would be the consequence yet).

I have just reviewed kernel code, and it appears to me that reading fanotify fd returns -EMFILE when fapolicyd's open files reach the limit. So the fapolicyd cannot get fanotify_event_metadata from the fd, but after closing open files, it will return the fanotify_event_metadata that cannot be returned before.
Comment 1 Radovan Sroka 2023-06-16 12:00:41 UTC 
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774
Comment 2 Radovan Sroka 2023-06-16 12:03:58 UTC 
The bugzilla has been migrated to Jira and is now available in the RHEL ticket, where it will continue its lifecycle.