author Chirantan Ekbote <chirantan@chromium.org> 2019-11-27 17:38:54 +0900
committer Commit Bot <commit-bot@chromium.org> 2019-11-28 03:05:57 +0000
commit 1a5fe95471e4d75ce31eb8884becdedb52376451
tree 4c9763b6fc0c308f898bc0f9143f9f10fd7df48d /src/linux.rs
parent 4cc280bcff161e08a44c83fbd5384e324b8c3585
linux.rs: Set open file limits for all devices
The virtio-fs device opens a lot of fds and needs to have a pretty high
open file limit.  In order for this to be successful on Chrome OS, the
parent process (concierge) also needs to have a very high open file
limit.  This unfortunately has the side-effect of raising the open file
limit for _all_ crosvm devices.

Deal with this by setting the open file limit back down to a reasonable
value (1024) for all devices that use `create_base_minijail`.  This was
the value of the open file limit for concierge before the increase.

BUG=b:142344095
TEST=Check /proc/<pid>/limits for various crosvm device processes and
     see that they have the proper value for "Max open files".

Change-Id: I87e3fe62fe22e68bff5ba5b60d85d39060a111dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1939527
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
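
The TEST= step above, automated as an added example (not part of this commit or of crosvm): it parses the text of /proc/<pid>/limits and checks that both the soft and hard "Max open files" values are 1024. The type and function names and the two sample inputs are constructed for illustration.

```rust
use std::fs;

/// Soft and hard "Max open files" values; `None` means "unlimited".
#[derive(Debug, PartialEq)]
pub struct NoFile {
    pub soft: Option<u64>,
    pub hard: Option<u64>,
}

// One column of the row: a number or the literal word "unlimited".
fn parse_value(tok: &str) -> Option<Option<u64>> {
    if tok == "unlimited" { Some(None) } else { tok.parse::<u64>().ok().map(Some) }
}

/// Find the "Max open files" row in the text of /proc/<pid>/limits.
/// The row name contains spaces, so match it as a prefix before splitting.
pub fn parse_nofile(limits: &str) -> Option<NoFile> {
    let rest = limits.lines().find_map(|l| l.strip_prefix("Max open files"))?;
    let mut cols = rest.split_whitespace();
    Some(NoFile { soft: parse_value(cols.next()?)?, hard: parse_value(cols.next()?)? })
}

/// True only when both the soft and the hard limit equal `expected`.
pub fn is_capped(limits: &str, expected: u64) -> bool {
    parse_nofile(limits) == Some(NoFile { soft: Some(expected), hard: Some(expected) })
}

// Constructed sample: a device process after this change.
pub const JAILED: &str = "\
Limit                     Soft Limit           Hard Limit           Units\n\
Max cpu time              unlimited            unlimited            seconds\n\
Max open files            1024                 1024                 files\n";

// Constructed sample: a process that inherited a raised limit (value is made up).
pub const INHERITED: &str = "\
Limit                     Soft Limit           Hard Limit           Units\n\
Max open files            1048576              1048576              files\n";

fn main() {
    // Usage: pass the pids of the device processes to check.
    for pid in std::env::args().skip(1) {
        match fs::read_to_string(format!("/proc/{}/limits", pid)) {
            Ok(text) => println!("{}: capped at 1024 = {}", pid, is_capped(&text, 1024)),
            Err(e) => eprintln!("{}: {}", pid, e),
        }
    }
}
```
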
Diffstat (limited to 'src/linux.rs')
-rw-r--r-- src/linux.rs 3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/linux.rs b/src/linux.rs
index c0344b1..a3df995 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -314,6 +314,9 @@ fn create_base_minijail(
     j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?;
     // Run in an empty network namespace.
     j.namespace_net();
+    // Most devices don't need to open many fds.
+    j.set_rlimit(libc::RLIMIT_NOFILE, 1024, 1024)
+        .map_err(Error::SettingMaxOpenFiles)?;
     // Apply the block device seccomp policy.
     j.no_new_privs();
     // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
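
Review bot: The added `j.set_rlimit(libc::RLIMIT_NOFILE, 1024, 1024)` call fixes the hard limit as well as the soft limit, so any device built on `create_base_minijail` cannot raise it again from inside the jail without privilege, yet the comment only says "most devices" and does not say how the exceptions are handled. Please name the device(s) that need more fds in the comment and state where they get their higher limit (an override after this call, or a jail that does not go through this function), since the commit message says virtio-fs depends on a high limit. It would also help to lift 1024 into a named constant with a one-line note that it matches the previous concierge limit, so the value and its rationale live in one place.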