executor: sandbox with RLIMIT_MEMLOCK

Locking memory is a reasonably legitimate local DoS vector. E.g. bpf maps allow allocation of large chunks of kernel memory without RLIMIT_MEMLOCK, which leads to hangups. Set RLIMIT_MEMLOCK=8MB in executor.
author: Dmitry Vyukov <dvyukov@google.com> 2017-08-08 13:24:46 +0200
committer: Dmitry Vyukov <dvyukov@google.com> 2017-08-08 13:24:46 +0200
commit: a3c5751de3df4c49b3025ccf5971602b7badb2d3 (patch)
tree: 79f04fbe46abe24456405d9742cc5d5f4000651a /pkg/csource
parent: a48e1ead6170b63721ef12801ca6e6f5dee6aa09 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/pkg/csource/common.go b/pkg/csource/common.go
index a2fcd6897..fc5fd8782 100644
--- a/pkg/csource/common.go
+++ b/pkg/csource/common.go
@@ -1654,6 +1654,8 @@ static void sandbox_common()
 	struct rlimit rlim;
 	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
 	setrlimit(RLIMIT_AS, &rlim);
+	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+	setrlimit(RLIMIT_MEMLOCK, &rlim);
 	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
 	setrlimit(RLIMIT_FSIZE, &rlim);
 	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
author	Dmitry Vyukov <dvyukov@google.com>	2017-08-08 13:24:46 +0200
committer	Dmitry Vyukov <dvyukov@google.com>	2017-08-08 13:24:46 +0200
commit	a3c5751de3df4c49b3025ccf5971602b7badb2d3 (patch)
tree	79f04fbe46abe24456405d9742cc5d5f4000651a /pkg/csource
parent	a48e1ead6170b63721ef12801ca6e6f5dee6aa09 (diff)