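# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Control file for the platform_OSLimits client test. It only declares
# metadata and starts the test; the expected value for each limit and sysctl
# is not defined here, so any hardening review has to read the test
# implementation as well (not visible from this file).

AUTHOR = "Chromium OS Team"
NAME = "platform_OSLimits"
PURPOSE = "Verify some kernel settings."
CRITERIA = """
Fail if we find unexpected values for resource limits:
  - Max open files
  - Max processes
or unexpected values for sysctls:
  - fs/file-max
  - fs/leases-enable
  - fs/nr_open
  - kernel/kptr_restrict
  - kernel/ngroups_max
  - kernel/panic
  - kernel/pid_max
  - kernel/randomize_va_space
  - kernel/suid_dumpable
  - kernel/sysrq
  - kernel/threads-max
  - net/ipv4/tcp_syncookies
  - vm/mmap_min_addr
"""
# ATTRIBUTES and SUITE name the same two suites; keep them in sync when the
# suite membership changes.
ATTRIBUTES = "suite:bvt-inline, suite:smoke"
SUITE = "bvt-inline, smoke"
TIME = "SHORT"
TEST_CATEGORY = "Functional"
TEST_CLASS = "platform"
TEST_TYPE = "client"
# NOTE(review): presumably the harness re-runs the job up to this many times
# on failure -- confirm. The values checked are static kernel settings, so a
# run that fails and then passes on retry points at a setting that changed
# underneath the test and deserves a look rather than being treated as flake.
JOB_RETRIES = 2

# Several entries below are exploit-mitigation settings (kptr_restrict,
# randomize_va_space, suid_dumpable, mmap_min_addr, tcp_syncookies); the rest
# are resource ceilings.
# NOTE(review): the fs/nr_open entry says file-max cannot exceed it; upstream
# kernel documentation describes nr_open as the per-process ceiling that
# RLIMIT_NOFILE depends on -- confirm which relation the test enforces.
DOC = """
Verifies various system level limits and settings.

The resources being verified are:
  - Max open files: the maximum number of file descriptors a process can open.
  - Max processes: the maximum number of processes that can be created for
    the real user id of the calling process.

The sysctls being verified are:
  - fs/file-max: maximum number of file handles that the kernel will
    allocate. The default value is usually about 10% of RAM in kilobytes.
  - fs/leases-enable:
    - 0: no leases on files allowed.
    - 1: leases are allowed to be established on a file.
  - fs/nr_open: the maximum number of file handles a process can allocate.
    file-max cannot exceed this value.
  - kernel/kptr_restrict: do not expose kernel addresses to userspace.
  - kernel/ngroups_max: the number of groups a user may belong to.
  - kernel/panic: number of seconds the kernel postpones rebooting when the
    system experiences a kernel panic. 0 disables automatic rebooting.
  - kernel/pid_max: the maximum value of a pid before it wraps.
  - kernel/randomize_va_space:
    - 0: no ASLR for userspace processes.
    - 1: ASLR for stack and mmap (and exec if built PIE).
    - 2: same as above except also randomize brk location.
  - kernel/suid_dumpable:
    - 0: core dump not produced for a process with changed cred.
    - 1: all processes core dump when possible.
    - 2: binary which is not normally dumped is dumped readable by root only.
  - kernel/sysrq: Activates the System Request Key when anything other than 0.
  - kernel/threads-max: Maximum threads on system.
  - net/ipv4/tcp_syncookies: make sure weird inbound TCP flooding is safe.
  - vm/mmap_min_addr: make sure low memory cannot be allocated.
"""

# `job` is not defined in this file; it is presumably injected by the harness
# that executes control files.
job.run_test('platform_OSLimits')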