From 4093e33b1338f274ae0062f555de9d6af8640d61 Mon Sep 17 00:00:00 2001 From: Greg Steuck Date: Mon, 10 Dec 2018 10:16:29 -0800 Subject: Revert "executor: add setuid sandbox for openbsd" This reverts commit 6565f24da9f4eb36702339ba290213995fcc902f. --- executor/executor_bsd.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'executor/executor_bsd.h') diff --git a/executor/executor_bsd.h b/executor/executor_bsd.h index 8f364ca13..7119a3992 100644 --- a/executor/executor_bsd.h +++ b/executor/executor_bsd.h @@ -21,6 +21,25 @@ static void os_init(int argc, char** argv, void* data, size_t data_size) if (mmap(data, data_size, prot, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) fail("mmap of data segment failed"); + + // Some minimal sandboxing. + // TODO: this should go into common_bsd.h because csource needs this too. + struct rlimit rlim; +#if GOOS_netbsd + // This causes frequent random aborts on netbsd. Reason unknown. + rlim.rlim_cur = rlim.rlim_max = 128 << 20; + setrlimit(RLIMIT_AS, &rlim); +#endif + rlim.rlim_cur = rlim.rlim_max = 8 << 20; + setrlimit(RLIMIT_MEMLOCK, &rlim); + rlim.rlim_cur = rlim.rlim_max = 1 << 20; + setrlimit(RLIMIT_FSIZE, &rlim); + rlim.rlim_cur = rlim.rlim_max = 1 << 20; + setrlimit(RLIMIT_STACK, &rlim); + rlim.rlim_cur = rlim.rlim_max = 0; + setrlimit(RLIMIT_CORE, &rlim); + rlim.rlim_cur = rlim.rlim_max = 256; // see kMaxFd + setrlimit(RLIMIT_NOFILE, &rlim); } static long execute_syscall(const call_t* c, long a[kMaxArgs]) -- cgit mrf-deployment