From 74af1d361c0138c11603c59f7b982d16108fae72 Mon Sep 17 00:00:00 2001 From: Cory McWilliams Date: Sat, 16 Apr 2016 19:04:15 +0000 Subject: [PATCH] After a brief journey through namespaces and cgroups, rlimits seem to be an effective way to enforce most of the assurances I need. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@3205 ed5197a5-7fde-0310-b194-c3ffbd925b24 --- src/main.cpp | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/src/main.cpp b/src/main.cpp index 3f05b48d..36acf763 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -11,11 +11,49 @@ #if !defined (_WIN32) && !defined (__MACH__) #include #include +#include #include #endif v8::Platform* gPlatform = 0; +void shedPrivileges() { +#if !defined (_WIN32) && !defined (__MACH__) + struct rlimit zeroLimit; + zeroLimit.rlim_cur = 0; + zeroLimit.rlim_max = 0; + + // RLIMIT_AS + // RLIMIT_CORE + // RLIMIT_CPU + // RLIMIT_DATA + // RLIMIT_FSIZE + // RLIMIT_RSS + // RLIMIT_RTPRIO + // RLIMIT_RTTIME + // RLIMIT_SIGPENDING + // RLIMIT_STACK + + if (setrlimit(RLIMIT_FSIZE, &zeroLimit) != 0) { + perror("setrlimit(RLIMIT_FSIZE, {0, 0})"); + } + if (setrlimit(RLIMIT_LOCKS, &zeroLimit) != 0) { + perror("setrlimit(RLIMIT_LOCKS, {0, 0})"); + } + if (setrlimit(RLIMIT_MSGQUEUE, &zeroLimit) != 0) { + perror("setrlimit(RLIMIT_MSGQUEUE, {0, 0})"); + } + /* + XXX + if (setrlimit(RLIMIT_NOFILE, &zeroLimit) != 0) { + perror("setrlimit(RLIMIT_NOFILE, {0, 0})"); + } + */ + if (setrlimit(RLIMIT_NPROC, &zeroLimit) != 0) { + perror("setrlimit(RLIMIT_NPROC, {0, 0})"); + } +#endif +} int main(int argc, char* argv[]) { int result = 0; @@ -50,6 +88,7 @@ int main(int argc, char* argv[]) { #endif Task task; task.configureFromStdin(); + shedPrivileges(); task.activate(); task.run(); } else {