-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 12 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 |
7 files changed, 38 insertions, 0 deletions
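--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -249,6 +249,7 @@ typedef struct config_t {
 char *protocol; // protocol list
 
 // rlimits
+long long unsigned rlimit_cpu;
 long long unsigned rlimit_nofile;
 long long unsigned rlimit_nproc;
 long long unsigned rlimit_fsize;
@@ -324,6 +325,7 @@ extern char *arg_caps_list; // optional caps list
 
 extern int arg_trace; // syscall tracing support
 extern int arg_tracelog; // blacklist tracing support
+extern int arg_rlimit_cpu; // rlimit cpu
 extern int arg_rlimit_nofile; // rlimit nofile
 extern int arg_rlimit_nproc; // rlimit nproc
 extern int arg_rlimit_fsize; // rlimit fsize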
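--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -67,6 +67,7 @@ char *arg_caps_list = NULL; // optional caps list
 
 int arg_trace = 0; // syscall tracing support
 int arg_tracelog = 0; // blacklist tracing support
+int arg_rlimit_cpu = 0; // rlimit max cpu time
 int arg_rlimit_nofile = 0; // rlimit nofile
 int arg_rlimit_nproc = 0; // rlimit nproc
 int arg_rlimit_fsize = 0; // rlimit fsize
@@ -1259,6 +1260,11 @@ int main(int argc, char **argv) {
 arg_trace = 1;
 else if (strcmp(argv[i], "--tracelog") == 0)
 arg_tracelog = 1;
+else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
+check_unsigned(argv[i] + 13, "Error: invalid rlimit");
+sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
+arg_rlimit_cpu = 1;
+}
 else if (strncmp(argv[i], "--rlimit-nofile=", 16) == 0) {
 check_unsigned(argv[i] + 16, "Error: invalid rlimit");
 sscanf(argv[i] + 16, "%llu", &cfg.rlimit_nofile);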
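Review bot: The `sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu)` call in the new `--rlimit-cpu=` branch discards its return value and has no way to report overflow, so an over-long digit string yields an unspecified limit while `arg_rlimit_cpu` is still set. check_unsigned is not visible here; if it only checks that the characters are digits, parse with `errno = 0; cfg.rlimit_cpu = strtoull(argv[i] + 13, &end, 10);` and exit on `errno == ERANGE || *end != '\0'`. The `rlimit-cpu ` branch added to profile_check_line in profile.c has the same pattern. main continues outside the hunk.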
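--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1022,6 +1022,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 sscanf(ptr + 14, "%llu", &cfg.rlimit_nofile);
 arg_rlimit_nofile = 1;
 }
+else if (strncmp(ptr, "rlimit-cpu ", 11) == 0) {
+check_unsigned(ptr + 11, "Error: invalid rlimit in profile file: ");
+sscanf(ptr + 11, "%llu", &cfg.rlimit_cpu);
+arg_rlimit_cpu = 1;
+}
 else if (strncmp(ptr, "rlimit-nproc ", 13) == 0) {
 check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
 sscanf(ptr + 13, "%llu", &cfg.rlimit_nproc);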
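--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -24,6 +24,18 @@
 void set_rlimits(void) {
 // resource limits
 struct rlimit rl;
+if (arg_rlimit_cpu) {
+rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
+rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
+#ifdef HAVE_GCOV
+__gcov_dump();
+#endif
+if (setrlimit(RLIMIT_CPU, &rl) == -1)
+errExit("setrlimit");
+if (arg_debug)
+printf("Config rlimit: max cpu time %llu\n", cfg.rlimit_cpu);
+}
+
 if (arg_rlimit_nofile) {
 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;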
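Review bot: The cast `(rlim_t) cfg.rlimit_cpu` in the new `arg_rlimit_cpu` block narrows the parsed `unsigned long long` without a range check, so on a build where rlim_t is narrower the enforced limit can differ from the requested one, and a value equal to `RLIM_INFINITY` removes the cap instead of setting it. Rejecting such values before the assignment would keep the limit meaningful, e.g. `if (cfg.rlimit_cpu >= RLIM_INFINITY) { fprintf(stderr, "Error: invalid rlimit\n"); exit(1); }`. A comment noting that Linux treats a soft RLIMIT_CPU of 0 as one second would also help readers of `--rlimit-cpu=0`. The existing nofile block below uses the same cast, and set_rlimits continues outside the hunk.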
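--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -172,6 +172,7 @@ void usage(void) {
 printf(" --read-write=filename - set directory or file read-write.\n");
 printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n");
 printf("\t(address space) in bytes.\n");
+printf(" --rlimit-cpu=number - set the maximum CPU time in seconds.\n");
 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
 printf("\tby a process.\n");
 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");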
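--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -385,6 +385,9 @@ Examples:
 \fBrlimit-as 123456789012
 Set he maximum size of the process's virtual memory to 123456789012 bytes.
 .TP
+\fBrlimit-cpu 123
+Set he maximum CPU time in seconds.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP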
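--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1547,6 +1547,15 @@ $ firejail --read-only=~/test --read-write=~/test/a
 Set the maximum size of the process's virtual memory (address space) in bytes.
 
 .TP
+\fB\-\-rlimit-cpu=number
+Set the maximum limit, in seconds, for the amount of CPU time each
+sandboxed process can consume. When the limit is reached, the processes are killed.
+
+The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
+the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
+track of CPU seconds for each process independently.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP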