diff options
| author |  Clayton Williams <worldofclayton@gmail.com> | 2017-10-13 06:55:39 -0400 |
|---|---|---|
| committer | Clayton Williams <worldofclayton@gmail.com> | 2017-10-13 06:55:39 -0400 |
| commit | caefb79291a37d45072c8957ab37b7e7578cf1ac (patch) | |
| tree | 70ea092936061374e22b016fe82ab5c18f84ac74 /src | |
| parent | relnotes and testing (diff) | |
| download | firejail-caefb79291a37d45072c8957ab37b7e7578cf1ac.tar.gz firejail-caefb79291a37d45072c8957ab37b7e7578cf1ac.tar.zst firejail-caefb79291a37d45072c8957ab37b7e7578cf1ac.zip | |
RLIMIT_AS
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/main.c | 1 | ||||
| -rw-r--r-- | src/firejail/profile.c | 5 | ||||
| -rw-r--r-- | src/firejail/rlimit.c | 12 |
4 files changed, 20 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index bea195f36..b9eb68fb0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -249,6 +249,7 @@ typedef struct config_t { | |||
| 249 | long long unsigned rlimit_nproc; | 249 | long long unsigned rlimit_nproc; |
| 250 | long long unsigned rlimit_fsize; | 250 | long long unsigned rlimit_fsize; |
| 251 | long long unsigned rlimit_sigpending; | 251 | long long unsigned rlimit_sigpending; |
| 252 | long long unsigned rlimit_as; | ||
| 252 | 253 | ||
| 253 | // cpu affinity, nice and control groups | 254 | // cpu affinity, nice and control groups |
| 254 | uint32_t cpus; | 255 | uint32_t cpus; |
| @@ -324,6 +325,7 @@ extern int arg_rlimit_nofile; // rlimit nofile | |||
| 324 | extern int arg_rlimit_nproc; // rlimit nproc | 325 | extern int arg_rlimit_nproc; // rlimit nproc |
| 325 | extern int arg_rlimit_fsize; // rlimit fsize | 326 | extern int arg_rlimit_fsize; // rlimit fsize |
| 326 | extern int arg_rlimit_sigpending;// rlimit sigpending | 327 | extern int arg_rlimit_sigpending;// rlimit sigpending |
| 328 | extern int arg_rlimit_as; //rlimit as | ||
| 327 | extern int arg_nogroups; // disable supplementary groups | 329 | extern int arg_nogroups; // disable supplementary groups |
| 328 | extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl | 330 | extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl |
| 329 | extern int arg_noroot; // create a new user namespace and disable root user | 331 | extern int arg_noroot; // create a new user namespace and disable root user |
diff --git a/src/firejail/main.c b/src/firejail/main.c index c9edcec29..54cbf1526 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -71,6 +71,7 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
| 71 | int arg_rlimit_nproc = 0; // rlimit nproc | 71 | int arg_rlimit_nproc = 0; // rlimit nproc |
| 72 | int arg_rlimit_fsize = 0; // rlimit fsize | 72 | int arg_rlimit_fsize = 0; // rlimit fsize |
| 73 | int arg_rlimit_sigpending = 0; // rlimit fsize | 73 | int arg_rlimit_sigpending = 0; // rlimit fsize |
| 74 | int arg_rlimit_as = 0; // rlimit as | ||
| 74 | int arg_nogroups = 0; // disable supplementary groups | 75 | int arg_nogroups = 0; // disable supplementary groups |
| 75 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | 76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl |
| 76 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6880bcaa7..789a8b060 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1036,6 +1036,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1036 | sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending); | 1036 | sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending); |
| 1037 | arg_rlimit_sigpending = 1; | 1037 | arg_rlimit_sigpending = 1; |
| 1038 | } | 1038 | } |
| 1039 | else if (strncmp(ptr, "rlimit-as ", 10) == 0) { | ||
| 1040 | check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: "); | ||
| 1041 | sscanf(ptr + 10, "%llu", &cfg.rlimit_as); | ||
| 1042 | arg_rlimit_as = 1; | ||
| 1043 | } | ||
| 1039 | else { | 1044 | else { |
| 1040 | fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); | 1045 | fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); |
| 1041 | exit(1); | 1046 | exit(1); |
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index 99127673e..ec5fb3791 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
| @@ -71,4 +71,16 @@ void set_rlimits(void) { | |||
| 71 | if (arg_debug) | 71 | if (arg_debug) |
| 72 | printf("Config rlimit: maximum number of signals pending %llu\n", cfg.rlimit_sigpending); | 72 | printf("Config rlimit: maximum number of signals pending %llu\n", cfg.rlimit_sigpending); |
| 73 | } | 73 | } |
| 74 | |||
| 75 | if (arg_rlimit_as) { | ||
| 76 | rl.rlim_cur = (rlim_t) cfg.rlimit_as; | ||
| 77 | rl.rlim_max = (rlim_t) cfg.rlimit_as; | ||
| 78 | #ifdef HAVE_GCOV | ||
| 79 | __gcov_dump(); | ||
| 80 | #endif | ||
| 81 | if (setrlimit(RLIMIT_AS, &rl) == -1) | ||
| 82 | errExit("setrlimit"); | ||
| 83 | if (arg_debug) | ||
| 84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); | ||
| 85 | } | ||
| 74 | } | 86 | } |