diff options
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 12 |
4 files changed, 20 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e64bde857..e10a5d346 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -249,6 +249,7 @@ typedef struct config_t { | |||
249 | long long unsigned rlimit_nproc; | 249 | long long unsigned rlimit_nproc; |
250 | long long unsigned rlimit_fsize; | 250 | long long unsigned rlimit_fsize; |
251 | long long unsigned rlimit_sigpending; | 251 | long long unsigned rlimit_sigpending; |
252 | long long unsigned rlimit_as; | ||
252 | 253 | ||
253 | // cpu affinity, nice and control groups | 254 | // cpu affinity, nice and control groups |
254 | uint32_t cpus; | 255 | uint32_t cpus; |
@@ -324,6 +325,7 @@ extern int arg_rlimit_nofile; // rlimit nofile | |||
324 | extern int arg_rlimit_nproc; // rlimit nproc | 325 | extern int arg_rlimit_nproc; // rlimit nproc |
325 | extern int arg_rlimit_fsize; // rlimit fsize | 326 | extern int arg_rlimit_fsize; // rlimit fsize |
326 | extern int arg_rlimit_sigpending;// rlimit sigpending | 327 | extern int arg_rlimit_sigpending;// rlimit sigpending |
328 | extern int arg_rlimit_as; //rlimit as | ||
327 | extern int arg_nogroups; // disable supplementary groups | 329 | extern int arg_nogroups; // disable supplementary groups |
328 | extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl | 330 | extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl |
329 | extern int arg_noroot; // create a new user namespace and disable root user | 331 | extern int arg_noroot; // create a new user namespace and disable root user |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f963d203..458bba6f6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -71,6 +71,7 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
71 | int arg_rlimit_nproc = 0; // rlimit nproc | 71 | int arg_rlimit_nproc = 0; // rlimit nproc |
72 | int arg_rlimit_fsize = 0; // rlimit fsize | 72 | int arg_rlimit_fsize = 0; // rlimit fsize |
73 | int arg_rlimit_sigpending = 0; // rlimit fsize | 73 | int arg_rlimit_sigpending = 0; // rlimit fsize |
74 | int arg_rlimit_as = 0; // rlimit as | ||
74 | int arg_nogroups = 0; // disable supplementary groups | 75 | int arg_nogroups = 0; // disable supplementary groups |
75 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | 76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl |
76 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8aabac6fa..a1c94579c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1036,6 +1036,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1036 | sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending); | 1036 | sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending); |
1037 | arg_rlimit_sigpending = 1; | 1037 | arg_rlimit_sigpending = 1; |
1038 | } | 1038 | } |
1039 | else if (strncmp(ptr, "rlimit-as ", 10) == 0) { | ||
1040 | check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: "); | ||
1041 | sscanf(ptr + 10, "%llu", &cfg.rlimit_as); | ||
1042 | arg_rlimit_as = 1; | ||
1043 | } | ||
1039 | else { | 1044 | else { |
1040 | fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); | 1045 | fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); |
1041 | exit(1); | 1046 | exit(1); |
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index 99127673e..ec5fb3791 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -71,4 +71,16 @@ void set_rlimits(void) { | |||
71 | if (arg_debug) | 71 | if (arg_debug) |
72 | printf("Config rlimit: maximum number of signals pending %llu\n", cfg.rlimit_sigpending); | 72 | printf("Config rlimit: maximum number of signals pending %llu\n", cfg.rlimit_sigpending); |
73 | } | 73 | } |
74 | |||
75 | if (arg_rlimit_as) { | ||
76 | rl.rlim_cur = (rlim_t) cfg.rlimit_as; | ||
77 | rl.rlim_max = (rlim_t) cfg.rlimit_as; | ||
78 | #ifdef HAVE_GCOV | ||
79 | __gcov_dump(); | ||
80 | #endif | ||
81 | if (setrlimit(RLIMIT_AS, &rl) == -1) | ||
82 | errExit("setrlimit"); | ||
83 | if (arg_debug) | ||
84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); | ||
85 | } | ||
74 | } | 86 | } |