Make all soft resource limits into hard limits
rocallahan committed Sep 29, 2017
1 parent c856934 commit 9770d61
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions platform/linux/namespace.rs
Expand Up @@ -247,6 +247,23 @@ unsafe fn handle_error<T>(result: io::Result<T>, pipe: RawFd) -> T {
}
}

/// Make all soft limits hard limits so the sandboxed child cannot increase them.
fn harden_limits() -> io::Result<()> {
for resource in 0..libc::RLIMIT_NLIMITS {
let mut limit = libc::rlimit { rlim_cur: 0, rlim_max: 0 };
if unsafe { libc::getrlimit(resource, &mut limit as *mut libc::rlimit) } != 0 {
return Err(io::Error::last_os_error());
}
if limit.rlim_cur != libc::RLIM_INFINITY && limit.rlim.max != limit.rlim.cur {
limit.rlim_max = limit.rlim_cur;
if unsafe { libc::setrlimit(resource, &limit as *const libc::rlimit) } != 0 {
return Err(io::Error::last_os_error());
}
}
}
Ok(())
}

/// Spawns a child process in a new namespace.
///
/// This function is quite tricky. Hic sunt dracones!
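Review bot: The condition `limit.rlim_cur != libc::RLIM_INFINITY && limit.rlim.max != limit.rlim.cur` reads fields `rlim.max` and `rlim.cur`, but the struct initialised a few lines above has `rlim_max` and `rlim_cur`, so as shown in the hunk this does not compile; it should read `limit.rlim_cur != libc::RLIM_INFINITY && limit.rlim_max != limit.rlim_cur`. The `RLIM_INFINITY` guard is also redundant, because setrlimit rejects a soft limit above the hard limit, so an infinite soft limit already implies an equal hard limit and the second comparison alone decides. The doc comment could state the security intent and ordering constraint, e.g. `/// Must run in the child before any sandbox step that needs a raised limit; lowering a hard limit is irreversible for an unprivileged process.`, plus an `# Errors` line noting that the first failing getrlimit/setrlimit errno is returned while earlier resources stay hardened.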
Expand Down Expand Up @@ -290,6 +307,8 @@ pub fn start(profile: &Profile, command: &mut Command) -> io::Result<Process> {
}
};
if forked == 0 {
handle_error(harden_limits(), pipe_fds[1]);

handle_error(command.inner.before_sandbox(&[pipe_fds[1]]), pipe_fds[1]);
// Set up our user and PID namespaces. The PID namespace won't actually come into
// effect until the next fork(), because PIDs are immutable.
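Review bot: `handle_error(harden_limits(), pipe_fds[1]);` runs before `before_sandbox`, so presumably every later step in the child, including `before_sandbox` and the namespace setup that follows, executes with hard limits frozen at the current soft values; any setup that needs to raise a limit (for example RLIMIT_NOFILE for extra descriptors) must happen before this line or it will fail with EPERM. If that ordering is intended, a short comment would make it explicit: `// Freeze limits first: nothing after this point can raise a hard limit.` The body of `start` begins and ends outside the hunk.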
