5 files changed, 47 insertions, 8 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1da70fd54..87a42fc8b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -486,6 +486,7 @@ int macro_id(const char *name);
 // util.c
+long long unsigned parse_arg_size(char * str);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 31694558d..2dfa19ec2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1488,8 +1488,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        if ( cfg.rlimit_fsize == 0 ) {
+                                perror("Error: given rlimit-size is invalid. use only non-negative numbers and k,m,g suffix for size");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1498,8 +1501,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        if ( cfg.rlimit_as == 0 ) {
+                                perror("Error: given rlimit-as is invalid. use only non-negative numbers and k,m,g suffix for size");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 38e94c074..e7e7bdfc2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1492,8 +1492,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        if ( cfg.rlimit_fsize == 0 ) {
+                                perror("Error: invalid rlimit-fsize in profile file. use only non-negative numbers and k,m,g suffix for size");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1502,8 +1505,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        if ( cfg.rlimit_as == 0 ){
+                                perror("Error: invalid rlimit-as size in profile file. use only non-negative numbers and k,m,g suffix for size");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index b15b719b7..05c5f26d8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -31,6 +31,9 @@
 #include <sys/wait.h>
 #include <limits.h>
+#include <string.h>
+#include <ctype.h>
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -46,6 +49,27 @@
 #define EMPTY_STRING ("")
+long long unsigned parse_arg_size (char * str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str,"%llu",&result);
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix)) {
+                if ( suffix == 'k' ) { 
+                        result *= 1024;
+                } else if ( suffix == 'm' ) { 
+                        result *= 1024*1024;
+                } else if ( suffix == 'g' ) { 
+                        result *= 1024*1024*1024;
+                } else {
+                        return 0;
+                }
+        }
+        return result;
+}
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
        va_list args;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f4a549b05..9308eecf4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+you can use kilobyte(k),megabyte(m) and gigabyte(g) for size suffix. ( they works on base 1024 )
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+you can use kilobyte(k),megabyte(m) and gigabyte(g) for size suffix. ( they works on base 1024 )
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.