Remove superfluous set_rlimit_as(RLIM64_INFINITY)
Address space limit is set to infinite by default. PiperOrigin-RevId: 513755637 Change-Id: I42e79b21bc9b0f4b52e461994fef2ed104752957
This commit is contained in:
parent
cd945565f5
commit
6827dc0059
|
@ -188,9 +188,7 @@ absl::Status Sandbox::Init() {
|
||||||
.limits()
|
.limits()
|
||||||
// Disable time limits.
|
// Disable time limits.
|
||||||
->set_walltime_limit(absl::ZeroDuration())
|
->set_walltime_limit(absl::ZeroDuration())
|
||||||
.set_rlimit_cpu(RLIM64_INFINITY)
|
.set_rlimit_cpu(RLIM64_INFINITY);
|
||||||
// Needed by the Scudo Allocator, and by various *SAN options.
|
|
||||||
.set_rlimit_as(RLIM64_INFINITY);
|
|
||||||
|
|
||||||
// Modify the executor, e.g. by setting custom limits and IPC.
|
// Modify the executor, e.g. by setting custom limits and IPC.
|
||||||
ModifyExecutor(executor.get());
|
ModifyExecutor(executor.get());
|
||||||
|
|
|
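Review bot: The deleted comment `// Needed by the Scudo Allocator, and by various *SAN options.` was the only place in this limits chain explaining why the sandboxee needs an unlimited address space, and with the call gone nothing in Sandbox::Init records that sanitizer and Scudo builds now depend on the limits default staying unlimited. A one-line comment where the call was, e.g. `// RLIMIT_AS is left at its (unlimited) default, which Scudo and *SAN builds require.`, keeps that dependency visible for anyone who later tightens the default. The same rationale comment is dropped without replacement in the main() hunks at -113, -199, -152, -145 and -144 and in the PolicyBuilderTest::Run hunk; the same note applies there. Sandbox::Init starts before this hunk and continues after it.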
@ -113,12 +113,9 @@ int main(int argc, char* argv[]) {
|
||||||
// of enabling sandboxing on its own).
|
// of enabling sandboxing on its own).
|
||||||
->set_enable_sandbox_before_exec(false)
|
->set_enable_sandbox_before_exec(false)
|
||||||
.limits()
|
.limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes.
|
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// these many bytes to the file-system.
|
// these many bytes to the file-system.
|
||||||
.set_rlimit_fsize(1024)
|
->set_rlimit_fsize(1024)
|
||||||
.set_rlimit_cpu(60) // The CPU time limit in seconds.
|
.set_rlimit_cpu(60) // The CPU time limit in seconds.
|
||||||
.set_walltime_limit(absl::Seconds(5));
|
.set_walltime_limit(absl::Seconds(5));
|
||||||
|
|
||||||
|
|
|
@ -65,15 +65,10 @@ static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {
|
||||||
// Set limits as usual.
|
// Set limits as usual.
|
||||||
executor
|
executor
|
||||||
->limits()
|
->limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes. Here, it's 1GiB.
|
|
||||||
->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY
|
|
||||||
: 1ULL << 30 // 1GiB
|
|
||||||
)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// these many bytes to the file-system (including logs in prod, which
|
// these many bytes to the file-system (including logs in prod, which
|
||||||
// write to files STDOUT and STDERR).
|
// write to files STDOUT and STDERR).
|
||||||
.set_rlimit_fsize(1024 /* bytes */)
|
->set_rlimit_fsize(1024 /* bytes */)
|
||||||
// The CPU time limit.
|
// The CPU time limit.
|
||||||
.set_rlimit_cpu(10 /* CPU-seconds */)
|
.set_rlimit_cpu(10 /* CPU-seconds */)
|
||||||
.set_walltime_limit(absl::Seconds(5));
|
.set_walltime_limit(absl::Seconds(5));
|
||||||
|
|
|
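Review bot: The removed `set_rlimit_as` in this hunk was not superfluous: on the old side it capped the sandboxee's address space at 1 GiB (`1ULL << 30`) in non-sanitizer builds and only went to RLIM64_INFINITY under sanitizers, so the new code leaves SandboxIteration's sandboxees with the unlimited default and silently loosens a real resource bound. If the cap is still wanted, restore it ahead of the fsize call as `->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY : 1ULL << 30)` followed by `.set_rlimit_fsize(1024 /* bytes */)`; if dropping it is intended, the commit message should say that this hunk changes behaviour rather than removing a no-op. SandboxIteration starts before this hunk and its body continues after it.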
@ -199,12 +199,9 @@ int main(int argc, char* argv[]) {
|
||||||
|
|
||||||
executor
|
executor
|
||||||
->limits()
|
->limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes.
|
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// these many bytes to the file-system.
|
// these many bytes to the file-system.
|
||||||
.set_rlimit_fsize(10000)
|
->set_rlimit_fsize(10000)
|
||||||
.set_rlimit_cpu(100) // The CPU time limit in seconds
|
.set_rlimit_cpu(100) // The CPU time limit in seconds
|
||||||
.set_walltime_limit(absl::Seconds(100));
|
.set_walltime_limit(absl::Seconds(100));
|
||||||
|
|
||||||
|
|
|
@ -152,12 +152,9 @@ int main(int argc, char* argv[]) {
|
||||||
.set_cwd("/");
|
.set_cwd("/");
|
||||||
executor
|
executor
|
||||||
->limits()
|
->limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes.
|
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// these many bytes to the file-system.
|
// these many bytes to the file-system.
|
||||||
.set_rlimit_fsize(10000)
|
->set_rlimit_fsize(10000)
|
||||||
// The CPU time limit in seconds.
|
// The CPU time limit in seconds.
|
||||||
.set_rlimit_cpu(100)
|
.set_rlimit_cpu(100)
|
||||||
.set_walltime_limit(absl::Seconds(100));
|
.set_walltime_limit(absl::Seconds(100));
|
||||||
|
|
|
@ -145,12 +145,9 @@ int main(int argc, char* argv[]) {
|
||||||
// Note: 'true' is the default setting for this class.
|
// Note: 'true' is the default setting for this class.
|
||||||
->set_enable_sandbox_before_exec(true)
|
->set_enable_sandbox_before_exec(true)
|
||||||
.limits()
|
.limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes.
|
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// these many bytes to the file-system.
|
// these many bytes to the file-system.
|
||||||
.set_rlimit_fsize(1024 * 1024)
|
->set_rlimit_fsize(1024 * 1024)
|
||||||
// The CPU time limit.
|
// The CPU time limit.
|
||||||
.set_rlimit_cpu(60)
|
.set_rlimit_cpu(60)
|
||||||
.set_walltime_limit(absl::Seconds(30));
|
.set_walltime_limit(absl::Seconds(30));
|
||||||
|
|
|
@ -144,12 +144,9 @@ int main(int argc, char* argv[]) {
|
||||||
|
|
||||||
executor
|
executor
|
||||||
->limits()
|
->limits()
|
||||||
// Remove restrictions on the size of address-space of sandboxed
|
|
||||||
// processes.
|
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
|
||||||
// this to the file-system.
|
// this to the file-system.
|
||||||
.set_rlimit_fsize(
|
->set_rlimit_fsize(
|
||||||
absl::GetFlag(FLAGS_sandbox2tool_file_size_creation_limit))
|
absl::GetFlag(FLAGS_sandbox2tool_file_size_creation_limit))
|
||||||
// An arbitrary, but empirically safe value.
|
// An arbitrary, but empirically safe value.
|
||||||
.set_rlimit_nofile(1024U)
|
.set_rlimit_nofile(1024U)
|
||||||
|
|
|
@ -172,9 +172,6 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
|
||||||
}
|
}
|
||||||
|
|
||||||
auto executor = std::make_unique<sandbox2::Executor>(args[0], args);
|
auto executor = std::make_unique<sandbox2::Executor>(args[0], args);
|
||||||
if constexpr (sapi::sanitizers::IsAny()) {
|
|
||||||
executor->limits()->set_rlimit_as(RLIM64_INFINITY);
|
|
||||||
}
|
|
||||||
int fd1 = executor->ipc()->ReceiveFd(STDOUT_FILENO);
|
int fd1 = executor->ipc()->ReceiveFd(STDOUT_FILENO);
|
||||||
sandbox2::Sandbox2 s2(std::move(executor), builder.BuildOrDie());
|
sandbox2::Sandbox2 s2(std::move(executor), builder.BuildOrDie());
|
||||||
|
|
||||||
|
|
|
@ -175,10 +175,7 @@ absl::StatusOr<std::vector<std::string>> StackTracePeer::LaunchLibunwindSandbox(
|
||||||
// non-public constructor.
|
// non-public constructor.
|
||||||
auto executor = absl::WrapUnique(new Executor(pid));
|
auto executor = absl::WrapUnique(new Executor(pid));
|
||||||
|
|
||||||
executor->limits()
|
executor->limits()->set_rlimit_cpu(10).set_walltime_limit(absl::Seconds(5));
|
||||||
->set_rlimit_as(RLIM64_INFINITY)
|
|
||||||
.set_rlimit_cpu(10)
|
|
||||||
.set_walltime_limit(absl::Seconds(5));
|
|
||||||
|
|
||||||
// Temporary directory used to provide files from /proc to the unwind sandbox.
|
// Temporary directory used to provide files from /proc to the unwind sandbox.
|
||||||
char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX";
|
char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX";
|
||||||
|
|