068d851561
This uses the new 'prlimit' parameter for oslo.concurrency execute
method, to set an address space limit of 1GB and CPU time limit
of 2 seconds, when running qemu-img.
This is a re-implementation of the previously reverted commit
commit da217205f5
Author: Tristan Cacqueray <tdecacqu@redhat.com>
Date: Wed Aug 5 17:17:04 2015 +0000
virt: Use preexec_fn to ulimit qemu-img info call
Closes-Bug: #1449062
Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d
8 lines
289 B
YAML
---
security:
  - The qemu-img tool now has resource limits applied
    which prevent it from using more than 1GB of address
    space or more than 2 seconds of CPU time. This provides
    protection against denial of service attacks from
    maliciously crafted or corrupted disk images.
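The effect of the two limits named in the commit message, as an added example that is not code from nova or oslo.concurrency: it applies the same 1GB address-space and 2-second CPU rlimits with the standard library's `resource` module via `preexec_fn` rather than through the `prlimit` parameter. The two Python child commands are constructed stand-ins for a `qemu-img` run on a hostile image, and the helper names are hypothetical.

```python
import resource
import subprocess
import sys

ADDRESS_SPACE_LIMIT = 1024 ** 3  # 1GB of address space, as in the commit message
CPU_TIME_LIMIT = 2               # 2 seconds of CPU time, as in the commit message


def _set_limit(res, wanted):
    # Never ask for more than the hard limit already in force, or setrlimit fails.
    _, hard = resource.getrlimit(res)
    value = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(res, (value, value))


def _apply_limits():
    # Runs in the child between fork() and exec(): only the child is constrained.
    _set_limit(resource.RLIMIT_AS, ADDRESS_SPACE_LIMIT)
    _set_limit(resource.RLIMIT_CPU, CPU_TIME_LIMIT)


def run_limited(argv):
    """Run argv under both limits and return (returncode, stderr text)."""
    proc = subprocess.run(argv, preexec_fn=_apply_limits,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.PIPE, text=True)
    return proc.returncode, proc.stderr


def outcome(returncode, stderr):
    """Classify how the limited child ended."""
    if returncode < 0:
        # The kernel ended the process with a signal (SIGXCPU or SIGKILL).
        return "killed-by-signal"
    if returncode != 0 and "MemoryError" in stderr:
        return "allocation-refused"
    return "ok" if returncode == 0 else "failed"


# Constructed stand-ins for a tool that misbehaves while parsing an image.
MEMORY_HOG = [sys.executable, "-c", "x = bytearray(2 * 1024 ** 3)"]
CPU_HOG = [sys.executable, "-c", "while True: pass"]
WELL_BEHAVED = [sys.executable, "-c", "print('image info')"]

if __name__ == "__main__":
    for name, argv in [("memory", MEMORY_HOG), ("cpu", CPU_HOG),
                       ("normal", WELL_BEHAVED)]:
        print(name, outcome(*run_limited(argv)))
```

A caller should treat both non-"ok" outcomes as a rejected image rather than retrying with larger limits.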