bool secure_runner::create_restrictions() {
// XXX check return values and report to the parent
if (check_restriction(restriction_memory_limit))
// linux&cygwin both supports Address Space rlimit
#if defined(__linux__)
impose_rlimit(RLIMIT_AS, 2*get_restriction(restriction_memory_limit));
#elif defined(__CYGWIN__)
impose_rlimit(RLIMIT_AS, get_restriction(restriction_memory_limit));
#else
// openbsd and os x does not, switch to Resident Size
// note that they both will just shrink process rss if memory is tight
impose_rlimit(RLIMIT_RSS, get_restriction(restriction_memory_limit));
#endif
#if !defined(__linux__) // linux version has a procfs judge
if (check_restriction(restriction_processor_time_limit))
impose_rlimit(RLIMIT_CPU, get_restriction(restriction_processor_time_limit) / 1000000);
#endif
if (check_restriction(restriction_security_limit)) {
impose_rlimit(RLIMIT_CORE, 0);
#if defined(__linux__)
if (seccomp_probe_filter())
exit(EXIT_FAILURE);
else
seccomp_setup_filter();
#endif // XXX warning for non linuxes
}
return true;
}
static bool
literal_is_valid(SordModel* model,
const URIs* uris,
const SordNode* literal,
const SordNode* type)
{
if (!type) {
return true;
}
/* Check that literal data is related to required type. We don't do a
strict subtype check here because e.g. an xsd:decimal might be a valid
xsd:unsignedInt, which the pattern checks will verify, but if the
literal type is not related to the required type at all
(e.g. xsd:decimal and xsd:string) there is a problem. */
const SordNode* datatype = sord_node_get_datatype(literal);
if (datatype && datatype != type) {
if (!is_descendant_of(
model, uris,
datatype, type, uris->owl_onDatatype) &&
!is_descendant_of(
model, uris,
type, datatype, uris->owl_onDatatype)) {
errorf("Literal `%s' datatype <%s> is not compatible with <%s>\n",
sord_node_get_string(literal),
sord_node_get_string(datatype),
sord_node_get_string(type));
return false;
}
}
// Find restrictions list
SordIter* rs = sord_search(model, type, uris->owl_withRestrictions, 0, 0);
if (sord_iter_end(rs)) {
return true; // No restrictions
}
// Walk list, checking each restriction
const SordNode* head = sord_iter_get_node(rs, SORD_OBJECT);
while (head) {
SordIter* f = sord_search(model, head, uris->rdf_first, 0, 0);
if (!f) {
break; // Reached end of restrictions list without failure
}
// Check this restriction
const bool good = check_restriction(
model, uris, literal, type, sord_iter_get_node(f, SORD_OBJECT));
sord_iter_free(f);
if (!good) {
sord_iter_free(rs);
return false; // Failed, literal is invalid
}
// Seek to next list node
SordIter* n = sord_search(model, head, uris->rdf_rest, 0, 0);
head = n ? sord_iter_get_node(n, SORD_OBJECT) : NULL;
sord_iter_free(n);
}
sord_iter_free(rs);
SordIter* s = sord_search(model, type, uris->owl_onDatatype, 0, 0);
if (s) {
const SordNode* super = sord_iter_get_node(s, SORD_OBJECT);
const bool good = literal_is_valid(model, uris, literal, super);
sord_iter_free(s);
return good; // Match iff literal also matches supertype
}
return true; // Matches top level type
}
