authorLibravatar netblue30 <netblue30@yahoo.com>2017-03-28 08:44:07 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-03-28 08:44:07 -0400
commit671ba2b8ef43edd74b32267f22f053cb510b2bde (patch)
treef63d1f0849d3a1e067b0b814d122f436559ffe0c /src
parentMerge pull request #1164 from startx2017/master (diff)
fix rlimits - bug #1168
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h10
-rw-r--r--src/firejail/main.c28
-rw-r--r--src/firejail/profile.c28
-rw-r--r--src/firejail/util.c8
4 files changed, 24 insertions, 50 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 75e5feaff..a981c8759 100644
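--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -234,10 +234,10 @@ typedef struct config_t {
  char *protocol; // protocol list
 
  // rlimits
- unsigned rlimit_nofile;
- unsigned rlimit_nproc;
- unsigned rlimit_fsize;
- unsigned rlimit_sigpending;
+ long long unsigned rlimit_nofile;
+ long long unsigned rlimit_nproc;
+ long long unsigned rlimit_fsize;
+ long long unsigned rlimit_sigpending;
 
  // cpu affinity, nice and control groups
  uint32_t cpus;
@@ -462,7 +462,7 @@ int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
-int not_unsigned(const char *str);
+void check_unsigned(const char *str, const char *msg);
 int find_child(pid_t parent, pid_t *child);
 void check_private_dir(void);
 void update_map(char *mapping, char *map_file);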
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 843dc2f3a..216488287 100644
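--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1162,35 +1162,23 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--tracelog") == 0)
  arg_tracelog = 1;
  else if (strncmp(argv[i], "--rlimit-nofile=", 16) == 0) {
- if (not_unsigned(argv[i] + 16)) {
- fprintf(stderr, "Error: invalid rlimt nofile\n");
- exit(1);
- }
- sscanf(argv[i] + 16, "%u", &cfg.rlimit_nofile);
+ check_unsigned(argv[i] + 16, "Error: invalid rlimit");
+ sscanf(argv[i] + 16, "%llu", &cfg.rlimit_nofile);
  arg_rlimit_nofile = 1;
  }
  else if (strncmp(argv[i], "--rlimit-nproc=", 15) == 0) {
- if (not_unsigned(argv[i] + 15)) {
- fprintf(stderr, "Error: invalid rlimt nproc\n");
- exit(1);
- }
- sscanf(argv[i] + 15, "%u", &cfg.rlimit_nproc);
+ check_unsigned(argv[i] + 15, "Error: invalid rlimit");
+ sscanf(argv[i] + 15, "%llu", &cfg.rlimit_nproc);
  arg_rlimit_nproc = 1;
  }
  else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
- if (not_unsigned(argv[i] + 15)) {
- fprintf(stderr, "Error: invalid rlimt fsize\n");
- exit(1);
- }
- sscanf(argv[i] + 15, "%u", &cfg.rlimit_fsize);
+ check_unsigned(argv[i] + 15, "Error: invalid rlimit");
+ sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
  arg_rlimit_fsize = 1;
  }
  else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
- if (not_unsigned(argv[i] + 20)) {
- fprintf(stderr, "Error: invalid rlimt sigpending\n");
- exit(1);
- }
- sscanf(argv[i] + 20, "%u", &cfg.rlimit_sigpending);
+ check_unsigned(argv[i] + 20, "Error: invalid rlimit");
+ sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending);
  arg_rlimit_sigpending = 1;
  }
  else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)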
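Review bot: The four `sscanf(..., "%llu", ...)` calls in this option chain ignore the return value, and the C standard leaves the result undefined when the digit string does not fit in `unsigned long long`, so an over-long `--rlimit-*` value is accepted with whatever the C library happens to store. check_unsigned() only verifies that the characters are digits, not that the number is in range. Parsing with `errno = 0; cfg.rlimit_nofile = strtoull(argv[i] + 16, &end, 10);` and rejecting `errno == ERANGE || end == argv[i] + 16` would make the limit that gets applied the one the user asked for; the same pattern recurs in the profile.c section. main() starts and ends outside this hunk.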
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 993acf2aa..8f98fd397 100644
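--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -875,38 +875,26 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  if (strncmp(ptr, "rlimit", 6) == 0) {
  if (strncmp(ptr, "rlimit-nofile ", 14) == 0) {
  ptr += 14;
- if (not_unsigned(ptr)) {
- fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
- exit(1);
- }
- sscanf(ptr, "%u", &cfg.rlimit_nofile);
+ check_unsigned(ptr + 14, "Error: invalid rlimit in profile file: ");
+ sscanf(ptr, "%llu", &cfg.rlimit_nofile);
  arg_rlimit_nofile = 1;
  }
  else if (strncmp(ptr, "rlimit-nproc ", 13) == 0) {
  ptr += 13;
- if (not_unsigned(ptr)) {
- fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
- exit(1);
- }
- sscanf(ptr, "%u", &cfg.rlimit_nproc);
+ check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
+ sscanf(ptr, "%llu", &cfg.rlimit_nproc);
  arg_rlimit_nproc = 1;
  }
  else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
  ptr += 13;
- if (not_unsigned(ptr)) {
- fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
- exit(1);
- }
- sscanf(ptr, "%u", &cfg.rlimit_fsize);
+ check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
+ sscanf(ptr, "%llu", &cfg.rlimit_fsize);
  arg_rlimit_fsize = 1;
  }
  else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
  ptr += 18;
- if (not_unsigned(ptr)) {
- fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
- exit(1);
- }
- sscanf(ptr, "%u", &cfg.rlimit_sigpending);
+ check_unsigned(ptr + 18, "Error: invalid rlimit in profile file: ");
+ sscanf(ptr, "%llu", &cfg.rlimit_sigpending);
  arg_rlimit_sigpending = 1;
  }
  else {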
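Review bot: Each branch advances `ptr` past the keyword and then still passes `ptr + 14` (`+ 13`, `+ 18` in the others) to check_unsigned(), so the digit check starts that many bytes beyond the value, possibly past the string's terminator, while `sscanf(ptr, ...)` parses text that was never validated. The call should be `check_unsigned(ptr, "Error: invalid rlimit in profile file: ");` in all four branches. The new message also drops the `lineno` that the removed fprintf reported, which makes a malformed profile line harder to locate. profile_check_line() continues outside this hunk.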
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 9b9308670..93eabec65 100644
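--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -419,20 +419,18 @@ char *split_comma(char *str) {
 }
 
 
-int not_unsigned(const char *str) {
+void check_unsigned(const char *str, const char *msg) {
  EUID_ASSERT();
 
  int rv = 0;
  const char *ptr = str;
  while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') {
  if (!isdigit(*ptr)) {
- rv = 1;
- break;
+ fprintf(stderr, "%s %s\n", msg, str);
+ exit(1);
  }
  ptr++;
  }
-
- return rv;
 }
 
 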
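Review bot: check_unsigned() accepts an empty value, because the loop body never runs when `*str` is `'\0'`, a space or a tab, so `--rlimit-nofile=` passes the check and the caller's sscanf then stores nothing while the option flag is still set. Testing the first character before the loop, `if (!isdigit((unsigned char)*str)) { fprintf(stderr, "%s %s\n", msg, str); exit(1); }`, rejects that case. The existing `isdigit(*ptr)` should take `(unsigned char)*ptr` as well, since passing a negative `char` to the ctype functions is undefined, and `int rv = 0;` is now unused and can be removed.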