From 5ee09312da788ebd91184c2be0591da32fbf8e41 Mon Sep 17 00:00:00 2001 From: startx2017 Date: Sun, 15 Oct 2017 09:00:31 -0400 Subject: merge --rlimit-as --- src/firejail/main.c | 7 ++++++- src/firejail/rlimit.c | 2 +- src/firejail/usage.c | 2 ++ src/man/firejail-profile.txt | 3 +++ src/man/firejail.txt | 4 ++++ 5 files changed, 16 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/firejail/main.c b/src/firejail/main.c index 458bba6f6..584d0c293 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -71,7 +71,7 @@ int arg_rlimit_nofile = 0; // rlimit nofile int arg_rlimit_nproc = 0; // rlimit nproc int arg_rlimit_fsize = 0; // rlimit fsize int arg_rlimit_sigpending = 0; // rlimit fsize -int arg_rlimit_as = 0; // rlimit as +int arg_rlimit_as = 0; // rlimit as int arg_nogroups = 0; // disable supplementary groups int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl int arg_noroot = 0; // create a new user namespace and disable root user @@ -1271,6 +1271,11 @@ int main(int argc, char **argv) { sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending); arg_rlimit_sigpending = 1; } + else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) { + check_unsigned(argv[i] + 12, "Error: invalid rlimit"); + sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as); + arg_rlimit_as = 1; + } else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) arg_ipc = 1; else if (strncmp(argv[i], "--cpu=", 6) == 0) diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index ec5fb3791..e5720a22b 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c @@ -78,7 +78,7 @@ void set_rlimits(void) { #ifdef HAVE_GCOV __gcov_dump(); #endif - if (setrlimit(RLIMIT_AS, &rl) == -1) + if (setrlimit(RLIMIT_AS, &rl) == -1) errExit("setrlimit"); if (arg_debug) printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 28b5cc8a4..f3b3aace5 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -169,6 +169,8 @@ void usage(void) { printf(" --quiet - turn off Firejail's output.\n"); printf(" --read-only=filename - set directory or file read-only..\n"); printf(" --read-write=filename - set directory or file read-write.\n"); + printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n"); + printf("\t(address space) in bytes.\n"); printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); printf("\tby a process.\n"); printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5825d3427..185420ba4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -381,6 +381,9 @@ place the sandbox in an existing control group. Examples: +.TP +\fBrlimit-as 123456789012 +Set he maximum size of the process's virtual memory to 123456789012 bytes. .TP \fBrlimit-fsize 1024 Set the maximum file size that can be created by a process to 1024 bytes. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 54a332e7f..7ba09ba8a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1539,6 +1539,10 @@ $ touch ~/test/a $ firejail --read-only=~/test --read-write=~/test/a +.TP +\fB\-\-rlimit-as=number +Set the maximum size of the process's virtual memory (address space) in bytes. + .TP \fB\-\-rlimit-fsize=number Set the maximum file size that can be created by a process. -- cgit v1.2.3-54-g00ecf