blob: 99971cee5bfe8727e5e454989b1e1a0ab88b5c45 [file] [log] [blame]
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
AUTHOR = "Chromium OS Team"
NAME = "platform_OSLimits"
PURPOSE = "Verify some kernel settings."
Fail if we find unexpected values for resource limits:
- Max open files
- Max processes
or unexpected values for sysctls:
- fs/file-max
- fs/leases-enable
- fs/nr_open
- kernel/kptr_restrict
- kernel/ngroups_max
- kernel/panic
- kernel/pid_max
- kernel/randomize_va_space
- kernel/suid_dumpable
- kernel/sysrq
- kernel/threads-max
- net/ipv4/tcp_syncookies
- vm/mmap_min_addr
SUITE = "bvt, smoke"
TEST_CATEGORY = "Functional"
TEST_CLASS = "platform"
TEST_TYPE = "client"
DOC = """
Verifies various system level limits and settings.
The resources being verified are:
- Max open files: the maximum number of file descriptors a process can open.
- Max processes: the maximum number of processes that can be created for
the real user id of the calling process.
The sysctls being verified are:
- fs/file-max: maximum number of file handles that the kernel will allocate.
The default value is usually about 10% of RAM in kilobytes.
- fs/leases-enable:
- 0: no leases on files allowed.
- 1: leases are allowed to be established on a file.
- fs/nr_open: the maximum number of file handles a process can allocate.
file-max cannot exceed this value.
- kernel/kptr_restrict: do not expose kernel addresses to userspace.
- kernel/ngroups_max: the number a groups a user may belong to.
- kernel/panic: number of seconds the kernel postpones rebooting when the
system experiences a kernel panic. 0 disables automatic rebooting.
- kernel/pid_max: the maximum value of a pid before it wraps.
- kernel/randomize_va_space:
- 0: no ASLR for userspace processes.
- 1: ASLR for stack and mmap (and exec if built PIE).
- 2: same as above except also randomize brk location.
- kernel/suid_dumpable:
- 0: core dump not produced for a process with changed cred.
- 1: all processes core dump when possible.
- 2: binary which is not normally dumped is dumped ro by root.
- kernel/sysrq: Activates the System Request Key when anything other than 0.
- kernel/threads-max: Maximum threads on system.
- net/ipv4/tcp_syncookies: make sure weird inbound TCP flooding is safe.
- vm/mmap_min_addr: make sure low memory cannot be allocated.