From 9bb81e1ed3e9bca4606d5d002a2efaa5d2726f73 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Fri, 24 Jan 2014 11:06:31 -0800
Subject: [PATCH] parser: add rttime rlimit support

This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME), available since the 2.6.25 kernel, according to the getrlimit(2) man page; see that man page for more details on this rlimit. An acceptance test is also added, as well as an update to the apparmor.vim input template. While reviewing to see what made sense in apparmor.vim for the rttime rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This necessitated not sharing the case switch with RLIMIT_CPU. I didn't add a keyword for microseconds, but I did for milliseconds. I also don't accept any unit larger than minutes, as it didn't seem appropriate (and even minutes felt... gratuitous). I would appreciate feedback on what keywords would be useful here. Patch History: v1: initial submission v2: - add apparmor.vim support for rttime keyword - adjust RLIMIT_TIME value assignment due to its units being microseconds, not seconds, and add milliseconds keyword.
Signed-off-by: Steve Beattie
Acked-by: John Johansen
---
 parser/parser_misc.c | 3 +++
 parser/parser_yacc.y | 17 +++++++++++++++++
 parser/tst/simple_tests/rlimits/ok_rlimit_18.sd | 7 +++++++
 utils/vim/apparmor.vim.in | 3 ++-
 4 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 101ef2a22..2dfb1bb6b 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -174,6 +174,9 @@ static struct keyword_table rlimit_table[] = {
 #endif
 #ifdef RLIMIT_RTPRIO
 {"rtprio", RLIMIT_RTPRIO},
+#endif
+#ifdef RLIMIT_RTTIME
+ {"rttime", RLIMIT_RTTIME},
 #endif
 /* terminate */
 {NULL, 0}
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index f17658c4c..498533d54 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -754,6 +754,7 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE TOK_END_OF_RULE
 value = RLIM_INFINITY;
 } else {
 const char *seconds = "seconds";
+ const char *milliseconds = "ms";
 const char *minutes = "minutes";
 const char *hours = "hours";
 const char *days = "days";
@@ -779,6 +780,22 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE TOK_END_OF_RULE
 yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
 }
 break;
+ case RLIMIT_RTTIME:
+ /* RTTIME is measured in microseconds */
+ if (!end || $6 == end || tmp < 0)
+ yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+ if (*end == '\0') {
+ value = tmp;
+ } else if (strstr(milliseconds, end) == milliseconds) {
+ value = tmp * 1000;
+ } else if (strstr(seconds, end) == seconds) {
+ value = tmp * 1000 * 1000;
+ } else if (strstr(minutes, end) == minutes) {
+ value = tmp * 1000 * 1000 * 60;
+ } else {
+ yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+ }
+ break;
 case RLIMIT_NOFILE:
 case RLIMIT_NPROC:
 case RLIMIT_LOCKS:
diff --git a/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
new file mode 100644
index 000000000..f2747f10d
--- /dev/null
+++ b/parser/tst/simple_tests/rlimits/ok_rlimit_18.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple realtime time rlimit test
+#=EXRESULT PASS
+
+profile rlimit {
+ set rlimit rttime <= 60minutes,
+}
diff --git a/utils/vim/apparmor.vim.in b/utils/vim/apparmor.vim.in
index 00df1c993..f03970f37 100644
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
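Review bot: The unit scaling in the new RLIMIT_RTTIME case, `tmp * 1000`, `tmp * 1000 * 1000` and `tmp * 1000 * 1000 * 60`, is evaluated in the type of tmp before it is stored into value; if tmp is a signed long, as the `tmp < 0` check suggests, then on a 32-bit build the accompanying acceptance test `60minutes` (3,600,000,000 µs) already exceeds LONG_MAX, which is signed overflow, and a wrapped negative converted to an unsigned rlim_t would silently install a far looser limit than the profile author wrote. I would compute a multiplier in rlim_t (the `value = RLIM_INFINITY` context suggests that is value's type) and reject products that do not fit, as sketched below. The `yyerror` call guarding the `!end` case is relied on not to return before `*end` is dereferenced; that matches the surrounding RLIMIT_CPU case, but if yyerror can ever return the check should short-circuit instead. Separately, the prefix match `strstr(milliseconds, end) == milliseconds` accepts a bare `m`, so `10m` is read as 10 ms rather than 10 minutes; that inherits the existing prefix convention but deserves a line in the documentation for the `ms` keyword.
```yacc
case RLIMIT_RTTIME: {
	/* RTTIME is measured in microseconds; scale in rlim_t so the
	 * product cannot overflow a 32-bit long */
	rlim_t scale = 0;
	if (!end || $6 == end || tmp < 0)
		yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
	if (*end == '\0') {
		scale = 1;
	} else if (strstr(milliseconds, end) == milliseconds) {
		scale = 1000;
	} else if (strstr(seconds, end) == seconds) {
		scale = 1000 * 1000;
	} else if (strstr(minutes, end) == minutes) {
		scale = (rlim_t)1000 * 1000 * 60;
	}
	/* scale == 0: unknown unit; also reject a product that would wrap
	 * or collide with the RLIM_INFINITY sentinel */
	if (scale == 0 || (rlim_t)tmp >= RLIM_INFINITY / scale)
		yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
	else
		value = (rlim_t)tmp * scale;
	break;
}
```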
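Review bot: The new acceptance test only exercises the `minutes` suffix, so the `ms` keyword and the bare microsecond form added in parser_yacc.y, and the rejection of units larger than minutes (e.g. `hours`, which the cpu limit accepts), are not covered. I would add sibling ok_ tests for `set rlimit rttime <= 500ms,` and for an unsuffixed value, plus a fail-expected test for `hours`, so the deliberately narrower unit list described in the commit message is pinned by the suite.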
@@ -160,7 +160,8 @@ syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
 " link rules
 syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
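Review bot: The new `rttime` highlight pattern only matches the full unit words `ms`, `seconds` and `minutes`, whereas the parser's `strstr(unit, end) == unit` test accepts any prefix, so `60m` (which the parser reads as milliseconds) or `10sec` parse fine but are not highlighted as a valid rlimit rule. That mirrors the existing `cpu` line above it, so it is a pre-existing limitation rather than a regression, but a comment such as `" NOTE: the parser also accepts prefixes of these unit names (e.g. 'm' is ms)` above the rlimit patterns would save the next reader from chasing the mismatch.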