merge --rlimit-as

9 files changed, 29 insertions, 4 deletions

diff --git a/README b/README
index 15c7ae69e..7c4309b8f 100644
--- a/README
+++ b/README
@@ -123,6 +123,8 @@ chiraag-nataraj (https://github.com/chiraag-nataraj)
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
         - evolution profile fix
+Clayton Williams (https://github.com/gosre)
+        - addition of RLIMIT_AS
 curiosity-seeker (https://github.com/curiosity-seeker)
         - tightening unbound and dnscrypt-proxy profiles
         - correct and tighten QuiteRss profile
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 458bba6f6..584d0c293 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -71,7 +71,7 @@ int arg_rlimit_nofile = 0;			// rlimit nofile
 int arg_rlimit_nproc = 0;                       // rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
-int arg_rlimit_as = 0;                                  // rlimit as
+int arg_rlimit_as = 0;                          // rlimit as
 int arg_nogroups = 0;                           // disable supplementary groups
 int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
@@ -1271,6 +1271,11 @@ int main(int argc, char **argv) {
                         sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending);
                         arg_rlimit_sigpending = 1;
                 }
+                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
+                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
+                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        arg_rlimit_as = 1;
+                }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
                         arg_ipc = 1;
                 else if (strncmp(argv[i], "--cpu=", 6) == 0)
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index ec5fb3791..e5720a22b 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -78,7 +78,7 @@ void set_rlimits(void) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-        if (setrlimit(RLIMIT_AS, &rl) == -1)
+                if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
                         printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 28b5cc8a4..f3b3aace5 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -169,6 +169,8 @@ void usage(void) {
         printf("    --quiet - turn off Firejail's output.\n");
         printf("    --read-only=filename - set directory or file read-only..\n");
         printf("    --read-write=filename - set directory or file read-write.\n");
+        printf("    --rlimit-as=number - set the maximum size of the process's virtual memory\n");
+        printf("\t(address space) in bytes.\n");
         printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
         printf("\tby a process.\n");
         printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5825d3427..185420ba4 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -382,6 +382,9 @@ place the sandbox in an existing control group.
 Examples:
 
 .TP
+\fBrlimit-as 123456789012
+Set he maximum size of the process's virtual memory to 123456789012 bytes.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 54a332e7f..7ba09ba8a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1540,6 +1540,10 @@ $ firejail --read-only=~/test --read-write=~/test/a
 
 
 .TP
+\fB\-\-rlimit-as=number
+Set the maximum size of the process's virtual memory (address space) in bytes.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index a9e54a405..43d6a3ee0 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -27,6 +27,10 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
+        "Max address space         123456789012         123456789012"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
         "Max pending signals       200                  200"
 }
 after 100
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index ecbe2a3b7..38cdc3eea 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -5,7 +5,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -27,10 +27,14 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max pending signals       200                  200"
+        "Max address space         123456789012         123456789012"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
+        "Max pending signals       200                  200"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
         "home"
 }
 after 100
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index 88fc9ff31..a57471604 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -2,3 +2,4 @@
 rlimit-nproc 1000
         rlimit-nofile   500
 rlimit-sigpending       200
+rlimit-as 123456789012