068d851561
This uses the new 'prlimit' parameter for oslo.concurrency execute method, to set an address space limit of 1GB and CPU time limit of 2 seconds, when running qemu-img.

This is a re-implementation of the previously reverted commit

    commit da217205f53f9a38a573fb151898fbbeae41021d
    Author: Tristan Cacqueray <tdecacqu@redhat.com>
    Date: Wed Aug 5 17:17:04 2015 +0000

        virt: Use preexec_fn to ulimit qemu-img info call

Closes-Bug: #1449062
Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d
8 lines
289 B
YAML
---
security:
  - The qemu-img tool now has resource limits applied
    which prevent it from using more than 1GB of address
    space or more than 2 seconds of CPU time. This provides
    protection against denial of service attacks from
    maliciously crafted or corrupted disk images.
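The limits described in the release note, as an added example that is not part of this commit or of oslo.concurrency: a standard-library sketch for a POSIX host that caps address space and CPU time in a small wrapper process and then execs the tool under those caps. The names `run_limited` and `classify`, and the Python one-liners standing in for qemu-img, are assumptions made for illustration.

```python
import signal
import subprocess
import sys

GIB = 1024 ** 3

# Runs in the child: apply the limits, then exec the real command so the
# limits cover the tool itself and nothing in the parent service.
_WRAPPER = """
import os, resource, sys
def cap(kind, value):
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)  # cannot raise an existing hard limit
    resource.setrlimit(kind, (value, value))
cap(resource.RLIMIT_AS, int(sys.argv[1]))
cap(resource.RLIMIT_CPU, int(sys.argv[2]))
os.execvp(sys.argv[3], sys.argv[3:])
"""

def run_limited(cmd, address_space=1 * GIB, cpu_time=2, timeout=30):
    """Run cmd under RLIMIT_AS (bytes) and RLIMIT_CPU (seconds)."""
    argv = [sys.executable, "-c", _WRAPPER,
            str(address_space), str(cpu_time), *cmd]
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)

def classify(proc):
    """Map the exit status to what the caller should report."""
    # The soft limit delivers SIGXCPU; with soft == hard Linux may send
    # SIGKILL instead, so both are treated as a CPU-limit hit here.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit"
    return "ok" if proc.returncode == 0 else "failed"

if __name__ == "__main__":
    # Constructed stand-ins for a tool parsing a hostile image.
    demos = {
        "benign": "print('ok')",
        "huge allocation": "bytearray(2 * 1024**3)",
        "endless loop": "while True: pass",
    }
    for name, code in demos.items():
        proc = run_limited([sys.executable, "-c", code])
        print(f"{name}: {classify(proc)} (rc={proc.returncode})")
```

A caller should treat both "failed" and "cpu-limit" as a rejected image rather than retrying with looser limits.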