9 files changed, 71 insertions, 9 deletions

diff --git a/README b/README
index 15c7ae69e..7c4309b8f 100644
--- a/README
+++ b/README
@@ -123,6 +123,8 @@ chiraag-nataraj (https://github.com/chiraag-nataraj)
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
         - evolution profile fix
+Clayton Williams (https://github.com/gosre)
+        - addition of RLIMIT_AS
 curiosity-seeker (https://github.com/curiosity-seeker)
         - tightening unbound and dnscrypt-proxy profiles
         - correct and tighten QuiteRss profile
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 458bba6f6..584d0c293 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -71,7 +71,7 @@ int arg_rlimit_nofile = 0;			// rlimit nofile
 int arg_rlimit_nproc = 0;                       // rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
-int arg_rlimit_as = 0;                                  // rlimit as
+int arg_rlimit_as = 0;                          // rlimit as
 int arg_nogroups = 0;                           // disable supplementary groups
 int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
@@ -1271,6 +1271,11 @@ int main(int argc, char **argv) {
                         sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending);
                         arg_rlimit_sigpending = 1;
                 }
+                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
+                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
+                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        arg_rlimit_as = 1;
+                }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
                         arg_ipc = 1;
                 else if (strncmp(argv[i], "--cpu=", 6) == 0)
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index ec5fb3791..e5720a22b 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -78,7 +78,7 @@ void set_rlimits(void) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-        if (setrlimit(RLIMIT_AS, &rl) == -1)
+                if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
                         printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 28b5cc8a4..f3b3aace5 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -169,6 +169,8 @@ void usage(void) {
         printf("    --quiet - turn off Firejail's output.\n");
         printf("    --read-only=filename - set directory or file read-only..\n");
         printf("    --read-write=filename - set directory or file read-write.\n");
+        printf("    --rlimit-as=number - set the maximum size of the process's virtual memory\n");
+        printf("\t(address space) in bytes.\n");
         printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
         printf("\tby a process.\n");
         printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5825d3427..185420ba4 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -382,6 +382,9 @@ place the sandbox in an existing control group.
 Examples:
 
 .TP
+\fBrlimit-as 123456789012
+Set he maximum size of the process's virtual memory to 123456789012 bytes.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 20f2b7f8c..7ba09ba8a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -140,7 +140,7 @@ Example:
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
 \fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file.
+Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1009,7 +1009,7 @@ Example:
 $ firejail \-\-nodvd
 .TP
 \fB\-\-noexec=dirname_or_filename
-Remount directory or file noexec, nodev and nosuid.
+Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1275,7 +1275,8 @@ $ firejail \-\-private-home=.mozilla firefox
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed.
+All modifications are discarded when the sandbox is closed. File globbing is supported,
+see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1505,7 +1506,7 @@ Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more detail
 Turn off Firejail's output.
 .TP
 \fB\-\-read-only=dirname_or_filename
-Set directory or file read-only.
+Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1526,7 +1527,8 @@ $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
 \fB\-\-read-write=dirname_or_filename
 Set directory or file read-write. Only files or directories belonging to the current user are allowed for
-this operation. Example:
+this operation. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Example:
 .br
 
 .br
@@ -1538,6 +1540,10 @@ $ firejail --read-only=~/test --read-write=~/test/a
 
 
 .TP
+\fB\-\-rlimit-as=number
+Set the maximum size of the process's virtual memory (address space) in bytes.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1833,6 +1839,7 @@ $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
 Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -2234,6 +2241,40 @@ $ firejail --tree
 
 We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.
 
+.SH FILE GLOBBING
+.TP
+Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:
+.br
+
+.br
+- '?' matches any character
+.br
+- '*' matches any string
+.br
+- '[' denotes a range of characters
+.br
+.TP
+The gobing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
+.br
+
+.br
+.TP
+The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs.
+.br
+
+.br
+.TP
+Examples:
+.br
+
+.br
+$ firejail --private-bin=sh,bash,python*
+.br
+$ firejail --blacklist=~/dir[1234]
+.br
+$ firejail --read-only=~/dir[1-4]
+.br
+
 .SH APPARMOR
 .TP
 AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index a9e54a405..43d6a3ee0 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -27,6 +27,10 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
+        "Max address space         123456789012         123456789012"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
         "Max pending signals       200                  200"
 }
 after 100
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index ecbe2a3b7..38cdc3eea 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -5,7 +5,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -27,10 +27,14 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max pending signals       200                  200"
+        "Max address space         123456789012         123456789012"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
+        "Max pending signals       200                  200"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
         "home"
 }
 after 100
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index 88fc9ff31..a57471604 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -2,3 +2,4 @@
 rlimit-nproc 1000
         rlimit-nofile   500
 rlimit-sigpending       200
+rlimit-as 123456789012