/// Installs the configured resource limits on the current process.
/// Each limit kind is read through get_restriction() and skipped when
/// check_restriction() reports it unset (value == restriction_no_limit).
/// Return values of impose_rlimit() are not checked (see the XXX below), so a
/// failed setrlimit leaves the process running without that limit and the
/// parent is not told. Always returns true.
bool secure_runner::create_restrictions() {
    // XXX check return values and report to the parent
    if (check_restriction(restriction_memory_limit))
        // linux & cygwin both support the Address Space rlimit
#if defined(__linux__)
        // NOTE(review): the Linux address-space cap is twice the configured limit;
        // presumably headroom for mappings that are not counted as used memory — confirm
        impose_rlimit(RLIMIT_AS, 2*get_restriction(restriction_memory_limit));
#elif defined(__CYGWIN__)
        impose_rlimit(RLIMIT_AS, get_restriction(restriction_memory_limit));
#else
        // openbsd and os x do not, switch to Resident Size
        // note that they both will just shrink process rss if memory is tight,
        // i.e. RLIMIT_RSS is not enforced as a hard cap on these platforms
        impose_rlimit(RLIMIT_RSS, get_restriction(restriction_memory_limit));
#endif
#if !defined(__linux__)
    // linux version has a procfs judge
    // RLIMIT_CPU is in seconds; the stored value is presumably microseconds,
    // and the integer division truncates sub-second limits to 0 — TODO confirm
    if (check_restriction(restriction_processor_time_limit))
        impose_rlimit(RLIMIT_CPU, get_restriction(restriction_processor_time_limit) / 1000000);
#endif
    if (check_restriction(restriction_security_limit)) {
        // no core dumps: a crashing confined process must not write its memory image to disk
        impose_rlimit(RLIMIT_CORE, 0);
#if defined(__linux__)
        // a non-zero probe result means the seccomp filter cannot be installed;
        // fail closed (terminate) rather than run without the filter
        if (seccomp_probe_filter())
            exit(EXIT_FAILURE);
        else
            seccomp_setup_filter();
#endif
        // XXX warning for non linuxes: no syscall filter is installed there
    }
    return true;
}
/// Reports whether a limit of the given kind is actually configured, i.e. its
/// stored value differs from the restriction_no_limit sentinel.
bool secure_runner::check_restriction(const restriction_kind_t &restriction) const {
    const auto configured_value = get_restriction(restriction);
    const bool is_limited = configured_value != restriction_no_limit;
    return is_limited;
}
/// Typed accessor: fetches the untyped restriction entry for kind T and narrows
/// it to the validity_restriction_type<T> alternative with boost::get, which on
/// a pointer yields nullptr when a different alternative is stored.
/// NOTE(review): the template header is not visible here; T appears to be a
/// non-type kind parameter, since it is passed by value to get_restriction(T).
const validity_restriction_type<T>* get_restriction() const {
    return boost::get<validity_restriction_type<T>>(get_restriction(T));
}