Remove superfluous set_rlimit_as(RLIM64_INFINITY)

The address space limit is set to infinite by default.

PiperOrigin-RevId: 513755637
Change-Id: I42e79b21bc9b0f4b52e461994fef2ed104752957
Wiktor Garbacz 2023-03-03 01:13:44 -08:00 committed by Copybara-Service
parent cd945565f5
commit 6827dc0059
9 changed files with 8 additions and 36 deletions


@ -188,9 +188,7 @@ absl::Status Sandbox::Init() {
.limits() .limits()
// Disable time limits. // Disable time limits.
->set_walltime_limit(absl::ZeroDuration()) ->set_walltime_limit(absl::ZeroDuration())
.set_rlimit_cpu(RLIM64_INFINITY) .set_rlimit_cpu(RLIM64_INFINITY);
// Needed by the Scudo Allocator, and by various *SAN options.
.set_rlimit_as(RLIM64_INFINITY);
// Modify the executor, e.g. by setting custom limits and IPC. // Modify the executor, e.g. by setting custom limits and IPC.
ModifyExecutor(executor.get()); ModifyExecutor(executor.get());
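Review bot: The chain ending at `.set_rlimit_cpu(RLIM64_INFINITY);` now depends on the Limits default for the address-space limit, but the removed line `// Needed by the Scudo Allocator, and by various *SAN options.` was the only record at this call site that Scudo and *SAN builds require an unbounded address space; with it gone, a later change to that default would break them with nothing here to warn the maintainer. Keep the dependency visible in the surviving comment, e.g. `// Disable time limits. The address-space limit is intentionally left at its` / `// default (unlimited, per the Limits defaults): the Scudo allocator and *SAN builds rely on it.` Sandbox::Init continues outside the hunk.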


@ -113,12 +113,9 @@ int main(int argc, char* argv[]) {
// of enabling sandboxing on its own). // of enabling sandboxing on its own).
->set_enable_sandbox_before_exec(false) ->set_enable_sandbox_before_exec(false)
.limits() .limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system. // these many bytes to the file-system.
.set_rlimit_fsize(1024) ->set_rlimit_fsize(1024)
.set_rlimit_cpu(60) // The CPU time limit in seconds. .set_rlimit_cpu(60) // The CPU time limit in seconds.
.set_walltime_limit(absl::Seconds(5)); .set_walltime_limit(absl::Seconds(5));
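Review bot: The limits chain ending at `.set_walltime_limit(absl::Seconds(5));` loses the only comment telling a reader that the sandboxee's address space is unrestricted, and the same applies to the example hunks at `@ -199`, `@ -152`, `@ -145` and `@ -144`; since these examples are what people copy when configuring limits, nothing now signals that `rlimit_as` is deliberately left at its default (unlimited, per the commit description) rather than forgotten. A one-line comment above `->set_rlimit_fsize(1024)` such as `// Address-space limit (rlimit_as) intentionally left at its unlimited default.` would preserve that. main continues outside the hunk.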


@ -65,15 +65,10 @@ static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {
// Set limits as usual. // Set limits as usual.
executor executor
->limits() ->limits()
// Remove restrictions on the size of address-space of sandboxed
// processes. Here, it's 1GiB.
->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY
: 1ULL << 30 // 1GiB
)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system (including logs in prod, which // these many bytes to the file-system (including logs in prod, which
// write to files STDOUT and STDERR). // write to files STDOUT and STDERR).
.set_rlimit_fsize(1024 /* bytes */) ->set_rlimit_fsize(1024 /* bytes */)
// The CPU time limit. // The CPU time limit.
.set_rlimit_cpu(10 /* CPU-seconds */) .set_rlimit_cpu(10 /* CPU-seconds */)
.set_walltime_limit(absl::Seconds(5)); .set_walltime_limit(absl::Seconds(5));
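Review bot: This hunk removes more than a superfluous infinite limit: the deleted `->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY : 1ULL << 30)` capped the sandboxee's address space at 1 GiB in non-sanitizer builds (the removed comment says "Here, it's 1GiB"), and with the default described as unlimited the process now runs with no address-space bound at all, which is a behavior change the commit title does not mention. If only the sanitizer-side infinity was meant to go, keep the non-sanitizer cap in the chain, e.g. `->set_rlimit_as(sapi::sanitizers::IsAny() ? RLIM64_INFINITY : 1ULL << 30)  // 1GiB`; otherwise the commit description should state that this example's 1 GiB limit is dropped on purpose. SandboxIteration begins and continues outside the hunk.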


@ -199,12 +199,9 @@ int main(int argc, char* argv[]) {
executor executor
->limits() ->limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system. // these many bytes to the file-system.
.set_rlimit_fsize(10000) ->set_rlimit_fsize(10000)
.set_rlimit_cpu(100) // The CPU time limit in seconds .set_rlimit_cpu(100) // The CPU time limit in seconds
.set_walltime_limit(absl::Seconds(100)); .set_walltime_limit(absl::Seconds(100));


@ -152,12 +152,9 @@ int main(int argc, char* argv[]) {
.set_cwd("/"); .set_cwd("/");
executor executor
->limits() ->limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system. // these many bytes to the file-system.
.set_rlimit_fsize(10000) ->set_rlimit_fsize(10000)
// The CPU time limit in seconds. // The CPU time limit in seconds.
.set_rlimit_cpu(100) .set_rlimit_cpu(100)
.set_walltime_limit(absl::Seconds(100)); .set_walltime_limit(absl::Seconds(100));


@ -145,12 +145,9 @@ int main(int argc, char* argv[]) {
// Note: 'true' is the default setting for this class. // Note: 'true' is the default setting for this class.
->set_enable_sandbox_before_exec(true) ->set_enable_sandbox_before_exec(true)
.limits() .limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system. // these many bytes to the file-system.
.set_rlimit_fsize(1024 * 1024) ->set_rlimit_fsize(1024 * 1024)
// The CPU time limit. // The CPU time limit.
.set_rlimit_cpu(60) .set_rlimit_cpu(60)
.set_walltime_limit(absl::Seconds(30)); .set_walltime_limit(absl::Seconds(30));


@ -144,12 +144,9 @@ int main(int argc, char* argv[]) {
executor executor
->limits() ->limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than // Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// this to the file-system. // this to the file-system.
.set_rlimit_fsize( ->set_rlimit_fsize(
absl::GetFlag(FLAGS_sandbox2tool_file_size_creation_limit)) absl::GetFlag(FLAGS_sandbox2tool_file_size_creation_limit))
// An arbitrary, but empirically safe value. // An arbitrary, but empirically safe value.
.set_rlimit_nofile(1024U) .set_rlimit_nofile(1024U)


@ -172,9 +172,6 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
} }
auto executor = std::make_unique<sandbox2::Executor>(args[0], args); auto executor = std::make_unique<sandbox2::Executor>(args[0], args);
if constexpr (sapi::sanitizers::IsAny()) {
executor->limits()->set_rlimit_as(RLIM64_INFINITY);
}
int fd1 = executor->ipc()->ReceiveFd(STDOUT_FILENO); int fd1 = executor->ipc()->ReceiveFd(STDOUT_FILENO);
sandbox2::Sandbox2 s2(std::move(executor), builder.BuildOrDie()); sandbox2::Sandbox2 s2(std::move(executor), builder.BuildOrDie());


@ -175,10 +175,7 @@ absl::StatusOr<std::vector<std::string>> StackTracePeer::LaunchLibunwindSandbox(
// non-public constructor. // non-public constructor.
auto executor = absl::WrapUnique(new Executor(pid)); auto executor = absl::WrapUnique(new Executor(pid));
executor->limits() executor->limits()->set_rlimit_cpu(10).set_walltime_limit(absl::Seconds(5));
->set_rlimit_as(RLIM64_INFINITY)
.set_rlimit_cpu(10)
.set_walltime_limit(absl::Seconds(5));
// Temporary directory used to provide files from /proc to the unwind sandbox. // Temporary directory used to provide files from /proc to the unwind sandbox.
char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX"; char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX";