author | netblue30 <netblue30@protonmail.com> | 2022-05-20 08:08:34 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-05-20 08:08:34 -0400 |
commit | 7c5fcbf3d17d771f1420264b4fc5c43ade38e726 (patch) | |
tree | ed90ec0fb7417a61aab50ddc08d8357133c43d64 | |
parent | onionshare-gui.profile: fix breakage (diff) | |
--oom (#5122)
-rw-r--r-- | README.md | 12 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
5 files changed, 34 insertions, 4 deletions
@@ -221,6 +221,18 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
221 | $ firejail --private --tab | 221 | $ firejail --private --tab |
222 | ``` | 222 | ``` |
223 | 223 | ||
224 | ### Kernel OutOfMemory-killer | ||
225 | ````` | ||
226 | --oom=value | ||
227 | Configure kernel's OutOfMemory-killer score for this sandbox. | ||
228 | The acceptable score values are between 0 and 1000 for regular | ||
229 | users, and -1000 to 1000 for root. For more information on OOM | ||
230 | kernel feature see man choom. | ||
231 | |||
232 | Example: | ||
233 | $ firejail --oom=300 firefox | ||
234 | ````` | ||
235 | |||
224 | ### Profile Statistics | 236 | ### Profile Statistics |
225 | 237 | ||
226 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 238 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
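--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -922,4 +922,7 @@ void selinux_relabel_path(const char *path, const char *inside_path);
 // ids.c
 void run_ids(int argc, char **argv);
 
+// oom.c
+void oom_set(const char *oom_string);
+
 #endif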
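--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1031,10 +1031,6 @@ int main(int argc, char **argv, char **envp) {
 
 // sanity check for arguments
 for (i = 0; i < argc; i++) {
-// if (*argv[i] == 0) { // see #4395 - bug reported by Debian
-// fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i);
-// exit(1);
-// }
 if (strlen(argv[i]) >= MAX_ARG_LEN) {
 fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
 exit(1);
@@ -1280,6 +1276,10 @@ int main(int argc, char **argv, char **envp) {
 if (checkcfg(CFG_FORCE_NONEWPRIVS))
 arg_nonewprivs = 1;
 
+// check oom
+if ((i = check_arg(argc, argv, "--oom=", 0)) != 0)
+oom_set(argv[i] + 6);
+
 // parse arguments
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
@@ -2719,6 +2719,9 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--appimage") == 0) {
 // already handled
 }
+else if (strncmp(argv[i], "--oom=", 6) == 0) {
+// already handled
+}
 else if (strcmp(argv[i], "--shell=none") == 0) {
 arg_shell_none = 1;
 if (cfg.shell) {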
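Review bot: In the `// check oom` hunk, `oom_set(argv[i] + 6)` forwards the raw text after `--oom=` with no check at the call site, and oom.c is not part of this diff, so the parsing and the documented limits (0 to 1000 for regular users, -1000 to 1000 for root) cannot be confirmed from this page. Since firejail is normally installed setuid root, oom_set should choose the permitted range from the real uid rather than the effective one, and should reject an empty or non-numeric value such as `--oom=` instead of falling back to a default score. The call also depends on check_arg returning the index of the matching argument rather than a found flag; check_arg is not visible here, so that is worth confirming. I would expand the comment to `// check oom early; oom_set() is expected to validate the score and apply the non-root 0..1000 limit`. main() begins and ends outside these hunks.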
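--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -173,6 +173,7 @@ static char *usage_str =
 " --novideo - disable video devices.\n"
 " --nou2f - disable U2F devices.\n"
 " --nowhitelist=filename - disable whitelist for file or directory.\n"
+" --oom=value - configure OutOfMemory killer for the sandbox\n"
 #ifdef HAVE_OUTPUT
 " --output=logfile - stdout logging and log rotation.\n"
 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"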
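--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1783,6 +1783,17 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
 
+.TP
+\fB\-\-oom=value
+Configure kernel's OutOfMemory-killer score for this sandbox. The acceptable score values are between 0 and 1000
+for regular users, and -1000 to 1000 for root. For more information on OOM kernel feature see \fBman choom\fR.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-oom=300 firefox
+
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile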