From a3c5751de3df4c49b3025ccf5971602b7badb2d3 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 8 Aug 2017 13:24:46 +0200
Subject: executor: sandbox with RLIMIT_MEMLOCK
Locking memory is a reasonably legitimate local DoS vector. E.g. bpf maps allow allocation of large chunks of kernel memory without RLIMIT_MEMLOCK, which leads to hangups. Set RLIMIT_MEMLOCK=8MB in executor.
---
 executor/common.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'executor/common.h')
diff --git a/executor/common.h b/executor/common.h
index b087978a5..23cc02bb1 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -747,6 +747,8 @@ static void sandbox_common()
 struct rlimit rlim;
 rlim.rlim_cur = rlim.rlim_max = 128 << 20;
 setrlimit(RLIMIT_AS, &rlim);
+ rlim.rlim_cur = rlim.rlim_max = 8 << 20;
+ setrlimit(RLIMIT_MEMLOCK, &rlim);
 rlim.rlim_cur = rlim.rlim_max = 1 << 20;
 setrlimit(RLIMIT_FSIZE, &rlim);
 rlim.rlim_cur = rlim.rlim_max = 1 << 20;
--
cgit mrf-deployment
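Review bot: The added `setrlimit(RLIMIT_MEMLOCK, &rlim);` discards its return value, so if the call fails the sandbox continues without the limit and nothing records that. The neighbouring calls follow the same pattern, but since this limit is the mitigation the commit relies on, a check such as `if (setrlimit(RLIMIT_MEMLOCK, &rlim) != 0) { /* report through the executor's usual error path */ }` would make a fail-open sandbox visible. A short comment above the assignment would also help, e.g. `/* 8MB: caps kernel memory charged against RLIMIT_MEMLOCK (e.g. bpf maps) */`. That comment could note that for the mlock family Linux exempts tasks holding CAP_IPC_LOCK, so the limit may not bound plain mlock() when the executor runs privileged; whether it does is not visible from here. The body of sandbox_common() starts and ends outside this hunk.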