[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - common/Seccomp.cpp common/Seccomp.hpp

Ashod Nakashian ashod.nakashian at collabora.co.uk
Mon Jul 31 20:51:32 UTC 2017 

 common/Seccomp.cpp |   90 +++++++++++++++++++++++++++++++++++++++++++++++++----
 common/Seccomp.hpp |    4 ++
 2 files changed, 88 insertions(+), 6 deletions(-)

New commits:
commit 9216c4e81d798d15e321ba5805a04c6845c040a3
Author: Ashod Nakashian <ashod.nakashian at collabora.co.uk>
Date:   Sat Jun 10 20:41:30 2017 -0400

    wsd: support setting process rlimits
    
    Change-Id: I7117e6843d2ebc919d7d2303cc593de888cc54b1
    Reviewed-on: https://gerrit.libreoffice.org/38672
    Reviewed-by: Ashod Nakashian <ashnakash at gmail.com>
    Tested-by: Ashod Nakashian <ashnakash at gmail.com>
    (cherry picked from commit 92d29b1ce752f9562d6a98e5219bbcac6197d431)
    Reviewed-on: https://gerrit.libreoffice.org/38757
    Reviewed-by: Jan Holesovsky <kendy at collabora.com>
    Tested-by: Jan Holesovsky <kendy at collabora.com>

diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
index 5ac929f5..7fbf3869 100644
--- a/common/Seccomp.cpp
+++ b/common/Seccomp.cpp
@@ -16,16 +16,17 @@
 #if DISABLE_SECCOMP == 0
 #include <dlfcn.h>
 #include <ftw.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
 #include <malloc.h>
+#include <signal.h>
 #include <sys/capability.h>
+#include <sys/prctl.h>
+#include <sys/resource.h>
+#include <sys/time.h>
 #include <unistd.h>
 #include <utime.h>
-#include <signal.h>
-#include <sys/prctl.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-#endif
 
 #include <common/Log.hpp>
 #include <common/SigUtil.hpp>
@@ -223,6 +224,83 @@ bool lockdown(Type type)
 #endif // DISABLE_SECCOMP == 0
 }
 
+bool handleSetrlimitCommand(const std::vector<std::string>& tokens)
+{
+    if (tokens.size() == 3 && tokens[0] == "setconfig")
+    {
+        if (tokens[1] == "limit_virt_mem_mb")
+        {
+            rlim_t lim = std::stoi(tokens[2]) * 1024 * 1024;
+            if (lim <= 0)
+                lim = RLIM_INFINITY;
+
+            rlimit rlim = { lim, lim };
+            if (setrlimit(RLIMIT_AS, &rlim) != 0)
+                LOG_SYS("Failed to set RLIMIT_AS to " << lim << " bytes.");
+
+            if (getrlimit(RLIMIT_AS, &rlim) == 0)
+                LOG_INF("RLIMIT_AS is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes.");
+            else
+                LOG_SYS("Failed to get RLIMIT_AS.");
+
+            return true;
+        }
+        else if (tokens[1] == "limit_data_mem_kb")
+        {
+            rlim_t lim = std::stoi(tokens[2]) * 1024;
+            if (lim <= 0)
+                lim = RLIM_INFINITY;
+
+            rlimit rlim = { lim, lim };
+            if (setrlimit(RLIMIT_DATA, &rlim) != 0)
+                LOG_SYS("Failed to set RLIMIT_DATA to " << lim << " bytes.");
+
+            if (getrlimit(RLIMIT_DATA, &rlim) == 0)
+                LOG_INF("RLIMIT_DATA is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes.");
+            else
+                LOG_SYS("Failed to get RLIMIT_DATA.");
+
+            return true;
+        }
+        else if (tokens[1] == "limit_stack_mem_kb")
+        {
+            rlim_t lim = std::stoi(tokens[2]) * 1024;
+            if (lim <= 0)
+                lim = RLIM_INFINITY;
+
+            rlimit rlim = { lim, lim };
+            if (setrlimit(RLIMIT_STACK, &rlim) != 0)
+                LOG_SYS("Failed to set RLIMIT_STACK to " << lim << " bytes.");
+
+            if (getrlimit(RLIMIT_STACK, &rlim) == 0)
+                LOG_INF("RLIMIT_STACK is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes.");
+            else
+                LOG_SYS("Failed to get RLIMIT_STACK.");
+
+            return true;
+        }
+        else if (tokens[1] == "limit_file_size_mb")
+        {
+            rlim_t lim = std::stoi(tokens[2]) * 1024 * 1024;
+            if (lim <= 0)
+                lim = RLIM_INFINITY;
+
+            rlimit rlim = { lim, lim };
+            if (setrlimit(RLIMIT_NOFILE, &rlim) != 0)
+                LOG_SYS("Failed to set RLIMIT_NOFILE to " << lim << " bytes.");
+
+            if (getrlimit(RLIMIT_NOFILE, &rlim) == 0)
+                LOG_INF("RLIMIT_NOFILE is " << rlim.rlim_max << " bytes after setting it to " << lim << " bytes.");
+            else
+                LOG_SYS("Failed to get RLIMIT_NOFILE.");
+
+            return true;
+        }
+    }
+
+    return false;
+}
+
 } // namespace Seccomp
 
 
diff --git a/common/Seccomp.hpp b/common/Seccomp.hpp
index 865b5c91..f6d1a130 100644
--- a/common/Seccomp.hpp
+++ b/common/Seccomp.hpp
@@ -14,6 +14,10 @@ namespace Seccomp {
 
     /// Lock-down a process hard - @returns true on success.
     bool lockdown(Type type);
+
+    /// Handles setconfig command with limit_... subcommands.
+    /// Returns true iff it handled the command, regardless of success/failure.
+    bool handleSetrlimitCommand(const std::vector<std::string>& tokens);
 };
 
 #endif

More information about the Libreoffice-commits mailing list