mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-12 13:30:15 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
pipewire/src/modules/module-rt/20-pw-defaults.conf.in
Niklāvs Koļesņikovs 5e0bfa0beb
RLIMITs: add support for generating limits.d files 
This commit implements generating /etc/security/limits.d/20-pw-defaults.conf and
/etc/security/limits.d/25-pw-rlimits.conf files. The numbering is arbitrary and
may very well warrant being in the reverse order, however `man 5 limits.conf`
does not appear to specify the parsing order or even say exactly how multiples
matches will resolve, so the value can be adjusted later, if required.

The actual limit values, the match rule and even whether each file is to be
installed can be changed via the build system before compilation. Likewise
the files can be modified or (re)moved during distro package building phase.

The 20-pw-defaults.conf should only be installed on legacy systems lacking both
a modern kernel and up to date systemd, because all it does is set the current
Linux default. Accordingly its not installed by default.

Signed-off-by: Niklāvs Koļesņikovs <89q1r14hd@relay.firefox.com>
2023-02-14 17:37:59 +02:00

20 lines
1.1 KiB
Text
Raw Blame History

# This file was installed by PipeWire project for buffer locking to always work
# Required to memlock audio buffers for all client types
#
# This will match all PAM users i.e. those going through the login procedure but
# it should not get applied to system daemons, since they are run bypassing PAM.
#
# While at first glance this might appear very relevant, in fact abusing this
# can at most allow for either more rapid OOM or enhance malicious system memory
# thrashing while evading systemd-oomd limits that are based on the requirement
# that swap utilization must be high before issues arise. As such it's perfectly
# reasonable to just set a limit where each client can lock a few megabytes with
# nearly no impact on regular systems. Meanwhile malicious attackers can OOM
# just as they could. And instead tooling for OOM and resource abuse should be
# improved, if such denial of service attacks are a serious consideration at all.
#
# Starting with Linux 5.16 or systemd v253 the default is 8192 which is plenty
# good enough and this file should not be installed on such systems.
#
* - memlock @PAM_MEMLOCK@
Reference in a new issue View git blame Copy permalink