Remove superfluous set_rlimit_as(RLIM64_INFINITY)

Address space limit is set to infinite by default.

PiperOrigin-RevId: 513755637
Change-Id: I42e79b21bc9b0f4b52e461994fef2ed104752957

sandboxed_api/sandbox.cc

@@ -188,9 +188,7 @@ absl::Status Sandbox::Init() {
       .limits()
       // Disable time limits.
       ->set_walltime_limit(absl::ZeroDuration())
-      .set_rlimit_cpu(RLIM64_INFINITY)
-      // Needed by the Scudo Allocator, and by various *SAN options.
-      .set_rlimit_as(RLIM64_INFINITY);
+      .set_rlimit_cpu(RLIM64_INFINITY);
 
   // Modify the executor, e.g. by setting custom limits and IPC.
   ModifyExecutor(executor.get());

sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc

@@ -113,12 +113,9 @@ int main(int argc, char* argv[]) {
       // of enabling sandboxing on its own).
       ->set_enable_sandbox_before_exec(false)
       .limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes.
-      ->set_rlimit_as(RLIM64_INFINITY)
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // these many bytes to the file-system.
-      .set_rlimit_fsize(1024)
+      ->set_rlimit_fsize(1024)
       .set_rlimit_cpu(60)  // The CPU time limit in seconds.
       .set_walltime_limit(absl::Seconds(5));
 

sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc

@@ -65,15 +65,10 @@ static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {
   // Set limits as usual.
   executor
       ->limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes. Here, it's 1GiB.
-      ->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY
-                                                : 1ULL << 30  // 1GiB
-                      )
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // these many bytes to the file-system (including logs in prod, which
       // write to files STDOUT and STDERR).
-      .set_rlimit_fsize(1024 /* bytes */)
+      ->set_rlimit_fsize(1024 /* bytes */)
       // The CPU time limit.
       .set_rlimit_cpu(10 /* CPU-seconds */)
       .set_walltime_limit(absl::Seconds(5));

sandboxed_api/sandbox2/examples/network/network_sandbox.cc

@@ -199,12 +199,9 @@ int main(int argc, char* argv[]) {
 
   executor
       ->limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes.
-      ->set_rlimit_as(RLIM64_INFINITY)
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // these many bytes to the file-system.
-      .set_rlimit_fsize(10000)
+      ->set_rlimit_fsize(10000)
       .set_rlimit_cpu(100)  // The CPU time limit in seconds
       .set_walltime_limit(absl::Seconds(100));
 

sandboxed_api/sandbox2/examples/network_proxy/networkproxy_sandbox.cc

@@ -152,12 +152,9 @@ int main(int argc, char* argv[]) {
       .set_cwd("/");
   executor
       ->limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes.
-      ->set_rlimit_as(RLIM64_INFINITY)
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // these many bytes to the file-system.
-      .set_rlimit_fsize(10000)
+      ->set_rlimit_fsize(10000)
       // The CPU time limit in seconds.
       .set_rlimit_cpu(100)
       .set_walltime_limit(absl::Seconds(100));

sandboxed_api/sandbox2/examples/static/static_sandbox.cc

@@ -145,12 +145,9 @@ int main(int argc, char* argv[]) {
       // Note: 'true' is the default setting for this class.
       ->set_enable_sandbox_before_exec(true)
       .limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes.
-      ->set_rlimit_as(RLIM64_INFINITY)
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // these many bytes to the file-system.
-      .set_rlimit_fsize(1024 * 1024)
+      ->set_rlimit_fsize(1024 * 1024)
       // The CPU time limit.
       .set_rlimit_cpu(60)
       .set_walltime_limit(absl::Seconds(30));

sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc

@@ -144,12 +144,9 @@ int main(int argc, char* argv[]) {
 
   executor
       ->limits()
-      // Remove restrictions on the size of address-space of sandboxed
-      // processes.
-      ->set_rlimit_as(RLIM64_INFINITY)
       // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
       // this to the file-system.
-      .set_rlimit_fsize(
+      ->set_rlimit_fsize(
           absl::GetFlag(FLAGS_sandbox2tool_file_size_creation_limit))
       // An arbitrary, but empirically safe value.
       .set_rlimit_nofile(1024U)

sandboxed_api/sandbox2/policybuilder_test.cc

@@ -172,9 +172,6 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
   }
 
   auto executor = std::make_unique<sandbox2::Executor>(args[0], args);
-  if constexpr (sapi::sanitizers::IsAny()) {
-    executor->limits()->set_rlimit_as(RLIM64_INFINITY);
-  }
   int fd1 = executor->ipc()->ReceiveFd(STDOUT_FILENO);
   sandbox2::Sandbox2 s2(std::move(executor), builder.BuildOrDie());
 

sandboxed_api/sandbox2/stack_trace.cc

@@ -175,10 +175,7 @@ absl::StatusOr<std::vector<std::string>> StackTracePeer::LaunchLibunwindSandbox(
   // non-public constructor.
   auto executor = absl::WrapUnique(new Executor(pid));
 
-  executor->limits()
-      ->set_rlimit_as(RLIM64_INFINITY)
-      .set_rlimit_cpu(10)
-      .set_walltime_limit(absl::Seconds(5));
+  executor->limits()->set_rlimit_cpu(10).set_walltime_limit(absl::Seconds(5));
 
   // Temporary directory used to provide files from /proc to the unwind sandbox.
   char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX";