projects / platform / upstream / nsjail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 62879de)
Added rt, memlock & msgq limits
authorEli Zrihen <ezrihen@gmail.com>
Mon, 19 Jul 2021 14:21:34 +0000 (17:21 +0300)
committerEli Zrihen <ezrihen@gmail.com>
Mon, 19 Jul 2021 14:21:34 +0000 (17:21 +0300)
cmdline.cc patch | blob | history
config.cc patch | blob | history
config.proto patch | blob | history
contain.cc patch | blob | history
nsjail.h patch | blob | history

diff --git a/cmdline.cc b/cmdline.cc
index 051619dcef915ae5a6cf55f73fa9fceaa64fa97a..79b1053a0d72ac09c6ad5dbd986baf69ef5d8bbc 100644 (file)
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -109,6 +109,9 @@ struct custom_option custom_opts[] = {
     { { "rlimit_nofile", required_argument, NULL, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
     { { "rlimit_nproc", required_argument, NULL, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
     { { "rlimit_stack", required_argument, NULL, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+    { { "rlimit_mlock", required_argument, NULL, 0x0209 }, "RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+    { { "rlimit_rtpr", required_argument, NULL, 0x0210 }, "RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)" },
+    { { "rlimit_msgq", required_argument, NULL, 0x0211 }, "RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 128)" },
     { { "disable_rlimits", no_argument, NULL, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
     { { "persona_addr_compat_layout", no_argument, NULL, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
     { { "persona_mmap_page_zero", no_argument, NULL, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
@@ -426,6 +429,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->rl_nofile = 32ULL;
        nsjconf->rl_nproc = parseRLimit(RLIMIT_NPROC, "soft", 1);
        nsjconf->rl_stack = parseRLimit(RLIMIT_STACK, "soft", 1);
+       nsjconf->rl_mlock = parseRLimit(RLIMIT_MEMLOCK, "soft", 1);
+       nsjconf->rl_rtpr = 0;
+       nsjconf->rl_msgq = 1024ULL;
        nsjconf->disable_rl = false;
        nsjconf->personality = 0;
        nsjconf->clone_newnet = true;
@@ -578,6 +584,15 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                case 0x0207:
                        nsjconf->rl_stack = parseRLimit(RLIMIT_STACK, optarg, (1024 * 1024));
                        break;
+               case 0x0209:
+                       nsjconf->rl_mlock = parseRLimit(RLIMIT_MEMLOCK, optarg, 1024);
+                       break;
+               case 0x0210:
+                       nsjconf->rl_rtpr = parseRLimit(RLIMIT_RTPRIO, optarg, 1);
+                       break;
+               case 0x0211:
+                       nsjconf->rl_msgq = parseRLimit(RLIMIT_MSGQUEUE, optarg, 1);
+                       break;
                case 0x0208:
                        nsjconf->disable_rl = true;
                        break;
diff --git a/config.cc b/config.cc
index 413f6fc33e794efa1aebe5b6b49a5a0debb99daa..2b84ae45364d2debd42a9c4187497bbcc3009dcd 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -158,6 +158,11 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
        nsjconf->rl_nproc = configRLimit(RLIMIT_NPROC, njc.rlimit_nproc_type(), njc.rlimit_nproc());
        nsjconf->rl_stack = configRLimit(
            RLIMIT_STACK, njc.rlimit_stack_type(), njc.rlimit_stack(), 1024UL * 1024UL);
+       nsjconf->rl_mlock = configRLimit(
+           RLIMIT_MEMLOCK, njc.rlimit_mlock_type(), njc.rlimit_mlock(), 1024UL);
+       nsjconf->rl_rtpr = configRLimit(RLIMIT_RTPRIO, njc.rlimit_rtpr_type(), njc.rlimit_rtpr());
+       nsjconf->rl_msgq = configRLimit(RLIMIT_MSGQUEUE, njc.rlimit_msgq_type(), njc.rlimit_msgq());
+
        nsjconf->disable_rl = njc.disable_rl();
 
        if (njc.persona_addr_compat_layout()) {
diff --git a/config.proto b/config.proto
index 8c55991054c36eada29833f197f6b01cde3064d0..54f2e7024c926b9dc6d2b7e516bd9ac119d7f1e3 100644 (file)
--- a/config.proto
+++ b/config.proto
@@ -157,6 +157,13 @@ message NsJailConfig {
     /* In MiB, use the soft limit value by default */
     optional uint64 rlimit_stack = 40 [default = 8];
     optional RLimit rlimit_stack_type = 41 [default = SOFT];
+    /* In KB, use the soft limit value by default */
+    optional uint64 rlimit_mlock = 88 [default = 64];
+    optional RLimit rlimit_mlock_type = 89 [default = SOFT];
+    optional uint64 rlimit_rtpr =  90 [default = 0];
+    optional RLimit rlimit_rtpr_type = 91 [default = VALUE];
+    optional uint64 rlimit_msgq =  92 [default = 1024];
+    optional RLimit rlimit_msgq_type = 93 [default = VALUE];
 
     /* Disable all rlimits, default to limits set by parent */
     optional bool disable_rl = 84 [default = false];
diff --git a/contain.cc b/contain.cc
index e1c337b9fb7c1896b902e40de2b8380fd850f9a0..db741a5332399550c744584ac418b23451825c1d 100644 (file)
--- a/contain.cc
+++ b/contain.cc
@@ -160,6 +160,21 @@ static bool containSetLimits(nsjconf_t* nsjconf) {
                PLOG_E("setrlimit64(0, RLIMIT_STACK, %" PRIu64 ")", nsjconf->rl_stack);
                return false;
        }
+       rl.rlim_cur = rl.rlim_max = nsjconf->rl_mlock;
+       if (setrlimit64(RLIMIT_MEMLOCK, &rl) == -1) {
+               PLOG_E("setrlimit64(0, RLIMIT_MEMLOCK, %" PRIu64 ")", nsjconf->rl_mlock);
+               return false;
+       }
+       rl.rlim_cur = rl.rlim_max = nsjconf->rl_rtpr;
+       if (setrlimit64(RLIMIT_RTPRIO, &rl) == -1) {
+               PLOG_E("setrlimit64(0, RLIMIT_RTPRIO, %" PRIu64 ")", nsjconf->rl_rtpr);
+               return false;
+       }
+       rl.rlim_cur = rl.rlim_max = nsjconf->rl_msgq;
+       if (setrlimit64(RLIMIT_MSGQUEUE , &rl) == -1) {
+               PLOG_E("setrlimit64(0, RLIMIT_MSGQUEUE , %" PRIu64 ")", nsjconf->rl_msgq);
+               return false;
+       }
        return true;
 }
 
diff --git a/nsjail.h b/nsjail.h
index 7dd588e55ed31d9deee981645a78f733d8cc2e70..589f3509329d97bb51477e2a384600593e245e6a 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -115,6 +115,9 @@ struct nsjconf_t {
        uint64_t rl_nofile;
        uint64_t rl_nproc;
        uint64_t rl_stack;
+       uint64_t rl_mlock;
+       uint64_t rl_rtpr;
+       uint64_t rl_msgq;
        bool disable_rl;
        unsigned long personality;
        bool clone_newnet;
Domain: System / System Framework;