diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2017-08-08 13:24:46 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-08-08 13:24:46 +0200 |
| commit | a3c5751de3df4c49b3025ccf5971602b7badb2d3 (patch) | |
| tree | 79f04fbe46abe24456405d9742cc5d5f4000651a /executor/common.h | |
| parent | a48e1ead6170b63721ef12801ca6e6f5dee6aa09 (diff) | |
executor: sandbox with RLIMIT_MEMLOCK
Locking memory is a reasonably legitimate local DoS vector.
E.g. bpf maps allow allocation of large chunks of kernel memory
without RLIMIT_MEMLOCK, which leads to hangups.
Set RLIMIT_MEMLOCK=8MB in executor.
Diffstat (limited to 'executor/common.h')
| -rw-r--r-- | executor/common.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/executor/common.h b/executor/common.h index b087978a5..23cc02bb1 100644 --- a/executor/common.h +++ b/executor/common.h @@ -747,6 +747,8 @@ static void sandbox_common() struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); + rlim.rlim_cur = rlim.rlim_max = 8 << 20; + setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; |