-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/environment/rlimit-profile.exp | 4 | ||||
-rwxr-xr-x | test/environment/rlimit.exp | 8 | ||||
-rw-r--r-- | test/environment/rlimit.profile | 1 |
9 files changed, 29 insertions, 4 deletions
@@ -123,6 +123,8 @@ chiraag-nataraj (https://github.com/chiraag-nataraj) | |||
123 | Christian Stadelmann (https://github.com/genodeftest) | 123 | Christian Stadelmann (https://github.com/genodeftest) |
124 | - profile fixes | 124 | - profile fixes |
125 | - evolution profile fix | 125 | - evolution profile fix |
126 | Clayton Williams (https://github.com/gosre) | ||
127 | - addition of RLIMIT_AS | ||
126 | curiosity-seeker (https://github.com/curiosity-seeker) | 128 | curiosity-seeker (https://github.com/curiosity-seeker) |
127 | - tightening unbound and dnscrypt-proxy profiles | 129 | - tightening unbound and dnscrypt-proxy profiles |
128 | - correct and tighten QuiteRss profile | 130 | - correct and tighten QuiteRss profile |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 458bba6f6..584d0c293 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -71,7 +71,7 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
71 | int arg_rlimit_nproc = 0; // rlimit nproc | 71 | int arg_rlimit_nproc = 0; // rlimit nproc |
72 | int arg_rlimit_fsize = 0; // rlimit fsize | 72 | int arg_rlimit_fsize = 0; // rlimit fsize |
73 | int arg_rlimit_sigpending = 0; // rlimit fsize | 73 | int arg_rlimit_sigpending = 0; // rlimit fsize |
74 | int arg_rlimit_as = 0; // rlimit as | 74 | int arg_rlimit_as = 0; // rlimit as |
75 | int arg_nogroups = 0; // disable supplementary groups | 75 | int arg_nogroups = 0; // disable supplementary groups |
76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | 76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl |
77 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
@@ -1271,6 +1271,11 @@ int main(int argc, char **argv) { | |||
1271 | sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending); | 1271 | sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending); |
1272 | arg_rlimit_sigpending = 1; | 1272 | arg_rlimit_sigpending = 1; |
1273 | } | 1273 | } |
1274 | else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) { | ||
1275 | check_unsigned(argv[i] + 12, "Error: invalid rlimit"); | ||
1276 | sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as); | ||
1277 | arg_rlimit_as = 1; | ||
1278 | } | ||
1274 | else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) | 1279 | else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) |
1275 | arg_ipc = 1; | 1280 | arg_ipc = 1; |
1276 | else if (strncmp(argv[i], "--cpu=", 6) == 0) | 1281 | else if (strncmp(argv[i], "--cpu=", 6) == 0) |
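Review bot: The new `--rlimit-as=` branch passes the digit string to `sscanf("%llu")` without checking its return value, and under C11 7.21.6.2 an input too large for `unsigned long long` makes that conversion undefined behaviour; `check_unsigned` on the preceding line presumably rejects non-digit text (its body is not in the hunk) but cannot bound the magnitude. A `strtoull` with an `errno == ERANGE` test pins the accepted range and removes the unchecked-conversion path, as in the fence below (it needs `<errno.h>` and `<stdlib.h>` in scope; main.c's includes are outside the hunk). The literal `12` in both `strncmp` and `argv[i] + 12` duplicates `strlen("--rlimit-as=")`; `sizeof("--rlimit-as=") - 1` keeps the two in step. The sibling `--rlimit-sigpending=` branch just above shares the sscanf pattern, and the new-side declaration `int arg_rlimit_sigpending = 0; // rlimit fsize` in the first hunk carries a copy-pasted comment that should read `// rlimit sigpending`. `main` continues outside the hunk.
```c
else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
	check_unsigned(argv[i] + 12, "Error: invalid rlimit");
	errno = 0;
	char *end = NULL;
	cfg.rlimit_as = strtoull(argv[i] + 12, &end, 10);
	/* reject overflow, an empty value, and trailing garbage explicitly */
	if (errno == ERANGE || end == argv[i] + 12 || *end != '\0') {
		fprintf(stderr, "Error: invalid rlimit\n");
		exit(1);
	}
	arg_rlimit_as = 1;
}
// … unchanged: remaining option branches …
```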
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index ec5fb3791..e5720a22b 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -78,7 +78,7 @@ void set_rlimits(void) { | |||
78 | #ifdef HAVE_GCOV | 78 | #ifdef HAVE_GCOV |
79 | __gcov_dump(); | 79 | __gcov_dump(); |
80 | #endif | 80 | #endif |
81 | if (setrlimit(RLIMIT_AS, &rl) == -1) | 81 | if (setrlimit(RLIMIT_AS, &rl) == -1) |
82 | errExit("setrlimit"); | 82 | errExit("setrlimit"); |
83 | if (arg_debug) | 83 | if (arg_debug) |
84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); | 84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); |
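--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -169,6 +169,8 @@ void usage(void) {
 printf(" --quiet - turn off Firejail's output.\n");
 printf(" --read-only=filename - set directory or file read-only..\n");
 printf(" --read-write=filename - set directory or file read-write.\n");
+printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n");
+printf("\t(address space) in bytes.\n");
 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
 printf("\tby a process.\n");
 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");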
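--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -382,6 +382,9 @@ place the sandbox in an existing control group.
 Examples:
 
 .TP
+\fBrlimit-as 123456789012
+Set he maximum size of the process's virtual memory to 123456789012 bytes.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP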
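--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1540,6 +1540,10 @@ $ firejail --read-only=~/test --read-write=~/test/a
 
 
 .TP
+\fB\-\-rlimit-as=number
+Set the maximum size of the process's virtual memory (address space) in bytes.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP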
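--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -27,6 +27,10 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 1.4\n";exit}
+"Max address space 123456789012 123456789012"
+}
+expect {
+timeout {puts "TESTING ERROR 1.5\n";exit}
 "Max pending signals 200 200"
 }
 after 100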
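--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -5,7 +5,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
@@ -27,10 +27,14 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 1.4\n";exit}
-"Max pending signals 200 200"
+"Max address space 123456789012 123456789012"
 }
 expect {
 timeout {puts "TESTING ERROR 1.5\n";exit}
+"Max pending signals 200 200"
+}
+expect {
+timeout {puts "TESTING ERROR 1.6\n";exit}
 "home"
 }
 after 100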
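--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -2,3 +2,4 @@
 rlimit-nproc 1000
 rlimit-nofile 500
 rlimit-sigpending 200
+rlimit-as 123456789012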