-rw-r--r--executor/common_linux.h26
-rw-r--r--pkg/csource/generated.go22
-rw-r--r--sys/linux/test/ipc5
3 files changed, 51 insertions, 2 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 5528257ac..56d5e15ab 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -902,7 +902,8 @@ static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4, long
#endif
#endif
-#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION || SYZ_SANDBOX_NAMESPACE || SYZ_ENABLE_CGROUPS
+#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION || SYZ_ENABLE_CGROUPS || SYZ_SANDBOX_NONE || \
+ SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
@@ -1557,6 +1558,29 @@ static void sandbox_common()
if (unshare(CLONE_SYSVSEM)) {
debug("unshare(CLONE_SYSVSEM): %d\n", errno);
}
+ // These sysctl's restrict ipc resource usage (by default it's possible
+ // to eat all system memory by creating e.g. lots of large sem sets).
+ // These sysctl's are per-namespace, so we need to set them inside
+ // of the test ipc namespace (after CLONE_NEWIPC).
+ typedef struct {
+ const char* name;
+ const char* value;
+ } sysctl_t;
+ static const sysctl_t sysctls[] = {
+ {"/proc/sys/kernel/shmmax", "16777216"},
+ {"/proc/sys/kernel/shmall", "536870912"},
+ {"/proc/sys/kernel/shmmni", "1024"},
+ {"/proc/sys/kernel/msgmax", "8192"},
+ {"/proc/sys/kernel/msgmni", "1024"},
+ {"/proc/sys/kernel/msgmnb", "1024"},
+ {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+ };
+ unsigned i;
+ for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) {
+ if (!write_file(sysctls[i].name, sysctls[i].value)) {
+ debug("failed to set sysctl %s=%s\n", sysctls[i].name, sysctls[i].value);
+ }
+ }
}
int wait_for_loop(int pid)
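Review bot: `kernel.shmall` is counted in pages, not bytes, so the `"536870912"` entry in `sysctls[]` permits roughly 2 TiB of shared memory with 4 KiB pages and caps nothing that `shmmax` × `shmmni` (16 GiB) has not already capped. If a 512 MiB total was intended, the entry would be `{"/proc/sys/kernel/shmall", "131072"},` for 4 KiB pages; the right figure depends on the target's page size. A failed write is reported only through `debug()`, which presumably prints nothing in non-debug builds, so a run can continue with the default limits and no indication; a one-line comment above the loop stating that the writes are best-effort would make that explicit. `sandbox_common()` begins outside this hunk, so the `CLONE_NEWIPC` call that the new comment relies on is not visible here.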
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 8d6a56c66..01098e336 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -2728,7 +2728,8 @@ static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4, long
#endif
#endif
-#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION || SYZ_SANDBOX_NAMESPACE || SYZ_ENABLE_CGROUPS
+#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION || SYZ_ENABLE_CGROUPS || SYZ_SANDBOX_NONE || \
+ SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
@@ -3365,6 +3366,25 @@ static void sandbox_common()
if (unshare(CLONE_SYSVSEM)) {
debug("unshare(CLONE_SYSVSEM): %d\n", errno);
}
+ typedef struct {
+ const char* name;
+ const char* value;
+ } sysctl_t;
+ static const sysctl_t sysctls[] = {
+ {"/proc/sys/kernel/shmmax", "16777216"},
+ {"/proc/sys/kernel/shmall", "536870912"},
+ {"/proc/sys/kernel/shmmni", "1024"},
+ {"/proc/sys/kernel/msgmax", "8192"},
+ {"/proc/sys/kernel/msgmni", "1024"},
+ {"/proc/sys/kernel/msgmnb", "1024"},
+ {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
+ };
+ unsigned i;
+ for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) {
+ if (!write_file(sysctls[i].name, sysctls[i].value)) {
+ debug("failed to set sysctl %s=%s\n", sysctls[i].name, sysctls[i].value);
+ }
+ }
}
int wait_for_loop(int pid)
diff --git a/sys/linux/test/ipc b/sys/linux/test/ipc
new file mode 100644
index 000000000..64d46355b
--- /dev/null
+++ b/sys/linux/test/ipc
@@ -0,0 +1,5 @@
+# Large sem sets must be prohibited in the main ipc namespace.
+
+semget$private(0x0, 0x4000, 0x0) # EINVAL
+unshare(0x8000000)
+semget$private(0x0, 0x4000, 0x0)
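Review bot: The last two lines show that the limits do not follow a program into a new ipc namespace, but the file's only comment does not say so. After `unshare(0x8000000)` the same `semget$private` call carries no error annotation, so it is expected to succeed. A second comment would record that, e.g. `# A fresh ipc namespace (CLONE_NEWIPC = 0x8000000) starts with default limits, so the same call succeeds.` Because the sysctls written in `sandbox_common()` are per-namespace, memory used by ipc objects created after such an unshare presumably has to be bounded by another mechanism (for example a memory cgroup), which would be worth noting next to the sysctl table.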