// Applies the configured resource limits to the (child) process through
// impose_rlimit(), choosing the rlimit that each platform supports.
// Always returns true: impose_rlimit()'s results are not inspected (see the
// XXX below), so a limit that failed to apply is silently ignored by callers.
bool secure_runner::create_restrictions() {
    // XXX check return values and report to the parent
    // Each #if branch below contributes exactly one statement, so the
    // unbraced `if` guards the right call in every configuration.
    if (check_restriction(restriction_memory_limit))
        // linux&cygwin both supports Address Space rlimit
#if defined(__linux__)
        // Linux: address space is capped at twice the configured memory limit.
        impose_rlimit(RLIMIT_AS, 2*get_restriction(restriction_memory_limit));
#elif defined(__CYGWIN__)
        impose_rlimit(RLIMIT_AS, get_restriction(restriction_memory_limit));
#else
        // openbsd and os x does not, switch to Resident Size
        // note that they both will just shrink process rss if memory is tight
        impose_rlimit(RLIMIT_RSS, get_restriction(restriction_memory_limit));
#endif

#if !defined(__linux__) // linux version has a procfs judge
    // The stored limit is divided by 1,000,000 before being handed to
    // RLIMIT_CPU, which takes seconds (presumably the limit is kept in
    // microseconds — confirm against get_restriction()). Integer division
    // truncates, so a sub-second limit becomes a 0-second rlimit.
    if (check_restriction(restriction_processor_time_limit))
        impose_rlimit(RLIMIT_CPU, get_restriction(restriction_processor_time_limit) / 1000000);
#endif
    if (check_restriction(restriction_security_limit)) {
        // Disable core dumps so the sandboxed process cannot leave a core
        // file behind.
        impose_rlimit(RLIMIT_CORE, 0);
#if defined(__linux__)
        // On Linux the syscall filter is mandatory: if the probe reports that
        // seccomp cannot be used, the process terminates instead of running
        // unfiltered.
        if (seccomp_probe_filter())
            exit(EXIT_FAILURE);
        else
            seccomp_setup_filter();
#endif // XXX warning for non linuxes
        // NOTE(review): on non-Linux platforms the "security limit" only
        // disables core dumps; no syscall filtering is applied, so callers
        // must not assume the same isolation as the Linux build.
    }

    return true;
}
// Reports whether a restriction of the given kind is active, i.e. its
// configured value is anything other than the no-limit sentinel.
bool secure_runner::check_restriction(const restriction_kind_t &restriction) const {
    const auto &configured = get_restriction(restriction);
    return configured != restriction_no_limit;
}
 // Typed accessor for the restriction of kind T: fetches the stored slot for
 // T and narrows it to the concrete restriction type. boost::get's pointer
 // overload returns nullptr instead of throwing when the stored alternative
 // is not validity_restriction_type<T> (presumably also when the slot itself
 // is null — confirm against the boost version in use).
 const validity_restriction_type<T>* get_restriction() const
 {
     const ValidityRestriction* slot = get_restriction(T);
     return boost::get<validity_restriction_type<T>>(slot);
 }