projects / platform / upstream / nsjail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0b1d5ac)
Add flag to disable rlimits
authorJay Lees <jay.lees@me.com>
Mon, 5 Aug 2019 10:25:22 +0000 (03:25 -0700)
committerJay Lees <jay.lees@me.com>
Mon, 5 Aug 2019 10:25:22 +0000 (03:25 -0700)
cmdline.cc patch | blob | history
config.cc patch | blob | history
config.proto patch | blob | history
contain.cc patch | blob | history
nsjail.1 patch | blob | history
nsjail.h patch | blob | history

diff --git a/cmdline.cc b/cmdline.cc
index f1a6d40ee268b94369f0f2efd1727026b8e39c7a..d6f8062ffeabce9318cb6742aab634776e046430 100644 (file)
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -108,6 +108,7 @@ struct custom_option custom_opts[] = {
     { { "rlimit_nofile", required_argument, NULL, 0x0205 }, "RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)" },
     { { "rlimit_nproc", required_argument, NULL, 0x0206 }, "RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
     { { "rlimit_stack", required_argument, NULL, 0x0207 }, "RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')" },
+    { { "disable_rlimits", no_argument, NULL, 0x0208 }, "Disable all rlimits, default to limits set by parent" },
     { { "persona_addr_compat_layout", no_argument, NULL, 0x0301 }, "personality(ADDR_COMPAT_LAYOUT)" },
     { { "persona_mmap_page_zero", no_argument, NULL, 0x0302 }, "personality(MMAP_PAGE_ZERO)" },
     { { "persona_read_implies_exec", no_argument, NULL, 0x0303 }, "personality(READ_IMPLIES_EXEC)" },
@@ -408,6 +409,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->rl_nofile = 32ULL;
        nsjconf->rl_nproc = parseRLimit(RLIMIT_NPROC, "soft", 1);
        nsjconf->rl_stack = parseRLimit(RLIMIT_STACK, "soft", 1);
+       nsjconf->disable_rl = false;
        nsjconf->personality = 0;
        nsjconf->clone_newnet = true;
        nsjconf->clone_newuser = true;
@@ -549,6 +551,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
                case 0x0207:
                        nsjconf->rl_stack = parseRLimit(RLIMIT_STACK, optarg, (1024 * 1024));
                        break;
+               case 0x0208:
+                       nsjconf->disable_rl = true;
+                       break;
                case 0x0301:
                        nsjconf->personality |= ADDR_COMPAT_LAYOUT;
                        break;
diff --git a/config.cc b/config.cc
index 5c6057be7e38c8231a9450a0b3da671b98219207..d7e32df7b814348dbdb0c16c856521c918e74c54 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -160,6 +160,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
        nsjconf->rl_nproc = configRLimit(RLIMIT_NPROC, njc.rlimit_nproc_type(), njc.rlimit_nproc());
        nsjconf->rl_stack = configRLimit(
            RLIMIT_STACK, njc.rlimit_stack_type(), njc.rlimit_stack(), 1024UL * 1024UL);
+       nsjconf->disable_rl = njc.disable_rl();
 
        if (njc.persona_addr_compat_layout()) {
                nsjconf->personality |= ADDR_COMPAT_LAYOUT;
diff --git a/config.proto b/config.proto
index 29b982169f72c2e2f43376ebe5019c3079ae7c11..f8cc01c61a9c6f40026d6ba41b54f6f70726010c 100644 (file)
--- a/config.proto
+++ b/config.proto
@@ -249,4 +249,7 @@ message NsJailConfig {
 
     /* Use cgroup v2 */
     optional bool use_cgroupv2 = 83 [default = false];
+
+    /* Disable all rlimits, default to limits set by parent */
+    optional bool disable_rl = 84 [default = false];
 }
diff --git a/contain.cc b/contain.cc
index 7ef2bb30a5ecc3fd6c22907576ec44a0401bfb76..e1c337b9fb7c1896b902e40de2b8380fd850f9a0 100644 (file)
--- a/contain.cc
+++ b/contain.cc
@@ -120,6 +120,10 @@ static bool containCPU(nsjconf_t* nsjconf) {
 }
 
 static bool containSetLimits(nsjconf_t* nsjconf) {
+       if (nsjconf->disable_rl) {
+               return true;
+       }
+
        struct rlimit64 rl;
        rl.rlim_cur = rl.rlim_max = nsjconf->rl_as;
        if (setrlimit64(RLIMIT_AS, &rl) == -1) {
diff --git a/nsjail.1 b/nsjail.1
index 10ae1e38a83b262308dc2ee87ffccef9328c775c..8f42bcfc9a54b2ba2ea4677f4b593dd4f7ca4228 100644 (file)
--- a/nsjail.1
+++ b/nsjail.1
@@ -136,6 +136,9 @@ RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for th
 \fB\-\-rlimit_stack\fR VALUE
 RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 'soft')
 .TP
+\fB\-\-disable_rlimits\fR
+Disable all rlimits, default to limits set by parent
+.TP
 \fB\-\-persona_addr_compat_layout\fR
 personality(ADDR_COMPAT_LAYOUT)
 .TP
diff --git a/nsjail.h b/nsjail.h
index 1d04aaeb9baf42b7bb37e17de89c3f0c8204af15..68b1253aa9fe0f5b4802c2cf68fc7bb2d17cbbe0 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -104,6 +104,7 @@ struct nsjconf_t {
        uint64_t rl_nofile;
        uint64_t rl_nproc;
        uint64_t rl_stack;
+       bool disable_rl;
        unsigned long personality;
        bool clone_newnet;
        bool clone_newuser;
Domain: System / System Framework;