bool secure_runner::create_restrictions() {
// XXX check return values and report to the parent
if (check_restriction(restriction_memory_limit))
// linux&cygwin both supports Address Space rlimit
#if defined(__linux__)
impose_rlimit(RLIMIT_AS, 2*get_restriction(restriction_memory_limit));
#elif defined(__CYGWIN__)
impose_rlimit(RLIMIT_AS, get_restriction(restriction_memory_limit));
#else
// openbsd and os x does not, switch to Resident Size
// note that they both will just shrink process rss if memory is tight
impose_rlimit(RLIMIT_RSS, get_restriction(restriction_memory_limit));
#endif
#if !defined(__linux__) // linux version has a procfs judge
if (check_restriction(restriction_processor_time_limit))
impose_rlimit(RLIMIT_CPU, get_restriction(restriction_processor_time_limit) / 1000000);
#endif
if (check_restriction(restriction_security_limit)) {
impose_rlimit(RLIMIT_CORE, 0);
#if defined(__linux__)
if (seccomp_probe_filter())
exit(EXIT_FAILURE);
else
seccomp_setup_filter();
#endif // XXX warning for non linuxes
}
return true;
}
bool secure_runner::check_restriction(const restriction_kind_t &restriction) const {
return get_restriction(restriction) != restriction_no_limit;
}
const validity_restriction_type<T>* get_restriction() const
{
using type = validity_restriction_type<T>;
const ValidityRestriction* field = get_restriction(T);
return boost::get<type>(field);
}