bool secure_runner::create_restrictions() { // XXX check return values and report to the parent if (check_restriction(restriction_memory_limit)) // linux&cygwin both supports Address Space rlimit #if defined(__linux__) impose_rlimit(RLIMIT_AS, 2*get_restriction(restriction_memory_limit)); #elif defined(__CYGWIN__) impose_rlimit(RLIMIT_AS, get_restriction(restriction_memory_limit)); #else // openbsd and os x does not, switch to Resident Size // note that they both will just shrink process rss if memory is tight impose_rlimit(RLIMIT_RSS, get_restriction(restriction_memory_limit)); #endif #if !defined(__linux__) // linux version has a procfs judge if (check_restriction(restriction_processor_time_limit)) impose_rlimit(RLIMIT_CPU, get_restriction(restriction_processor_time_limit) / 1000000); #endif if (check_restriction(restriction_security_limit)) { impose_rlimit(RLIMIT_CORE, 0); #if defined(__linux__) if (seccomp_probe_filter()) exit(EXIT_FAILURE); else seccomp_setup_filter(); #endif // XXX warning for non linuxes } return true; }
static bool literal_is_valid(SordModel* model, const URIs* uris, const SordNode* literal, const SordNode* type) { if (!type) { return true; } /* Check that literal data is related to required type. We don't do a strict subtype check here because e.g. an xsd:decimal might be a valid xsd:unsignedInt, which the pattern checks will verify, but if the literal type is not related to the required type at all (e.g. xsd:decimal and xsd:string) there is a problem. */ const SordNode* datatype = sord_node_get_datatype(literal); if (datatype && datatype != type) { if (!is_descendant_of( model, uris, datatype, type, uris->owl_onDatatype) && !is_descendant_of( model, uris, type, datatype, uris->owl_onDatatype)) { errorf("Literal `%s' datatype <%s> is not compatible with <%s>\n", sord_node_get_string(literal), sord_node_get_string(datatype), sord_node_get_string(type)); return false; } } // Find restrictions list SordIter* rs = sord_search(model, type, uris->owl_withRestrictions, 0, 0); if (sord_iter_end(rs)) { return true; // No restrictions } // Walk list, checking each restriction const SordNode* head = sord_iter_get_node(rs, SORD_OBJECT); while (head) { SordIter* f = sord_search(model, head, uris->rdf_first, 0, 0); if (!f) { break; // Reached end of restrictions list without failure } // Check this restriction const bool good = check_restriction( model, uris, literal, type, sord_iter_get_node(f, SORD_OBJECT)); sord_iter_free(f); if (!good) { sord_iter_free(rs); return false; // Failed, literal is invalid } // Seek to next list node SordIter* n = sord_search(model, head, uris->rdf_rest, 0, 0); head = n ? sord_iter_get_node(n, SORD_OBJECT) : NULL; sord_iter_free(n); } sord_iter_free(rs); SordIter* s = sord_search(model, type, uris->owl_onDatatype, 0, 0); if (s) { const SordNode* super = sord_iter_get_node(s, SORD_OBJECT); const bool good = literal_is_valid(model, uris, literal, super); sord_iter_free(s); return good; // Match iff literal also matches supertype } return true; // Matches top level type }