2018-10-19 23:34:09 +00:00
|
|
|
// Copyright 2018 Google LLC
|
2018-04-27 17:37:02 +00:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package limits
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/abi/linux"
|
|
|
|
)
|
|
|
|
|
|
|
|
// FromLinuxResource maps linux resources to sentry LimitTypes.
|
|
|
|
var FromLinuxResource = map[int]LimitType{
|
|
|
|
linux.RLIMIT_CPU: CPU,
|
|
|
|
linux.RLIMIT_FSIZE: FileSize,
|
|
|
|
linux.RLIMIT_DATA: Data,
|
|
|
|
linux.RLIMIT_STACK: Stack,
|
|
|
|
linux.RLIMIT_CORE: Core,
|
|
|
|
linux.RLIMIT_RSS: Rss,
|
|
|
|
linux.RLIMIT_NPROC: ProcessCount,
|
|
|
|
linux.RLIMIT_NOFILE: NumberOfFiles,
|
2018-12-20 21:27:25 +00:00
|
|
|
linux.RLIMIT_MEMLOCK: MemoryLocked,
|
2018-04-27 17:37:02 +00:00
|
|
|
linux.RLIMIT_AS: AS,
|
|
|
|
linux.RLIMIT_LOCKS: Locks,
|
|
|
|
linux.RLIMIT_SIGPENDING: SignalsPending,
|
|
|
|
linux.RLIMIT_MSGQUEUE: MessageQueueBytes,
|
|
|
|
linux.RLIMIT_NICE: Nice,
|
|
|
|
linux.RLIMIT_RTPRIO: RealTimePriority,
|
|
|
|
linux.RLIMIT_RTTIME: Rttime,
|
|
|
|
}
|
|
|
|
|
|
|
|
// FromLinux maps linux rlimit values to sentry Limits, being careful to handle
|
|
|
|
// infinities.
|
|
|
|
func FromLinux(rl uint64) uint64 {
|
|
|
|
if rl == linux.RLimInfinity {
|
|
|
|
return Infinity
|
|
|
|
}
|
|
|
|
return rl
|
|
|
|
}
|
|
|
|
|
|
|
|
// ToLinux maps sentry Limits to linux rlimit values, being careful to handle
|
|
|
|
// infinities.
|
|
|
|
func ToLinux(l uint64) uint64 {
|
|
|
|
if l == Infinity {
|
|
|
|
return linux.RLimInfinity
|
|
|
|
}
|
|
|
|
return l
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLinuxLimitSet returns a LimitSet whose values match the default rlimits
|
|
|
|
// in Linux.
|
|
|
|
func NewLinuxLimitSet() (*LimitSet, error) {
|
|
|
|
ls := NewLimitSet()
|
|
|
|
for rlt, rl := range linux.InitRLimits {
|
|
|
|
lt, ok := FromLinuxResource[rlt]
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("unknown rlimit type %v", rlt)
|
|
|
|
}
|
|
|
|
ls.SetUnchecked(lt, Limit{
|
|
|
|
Cur: FromLinux(rl.Cur),
|
|
|
|
Max: FromLinux(rl.Max),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
return ls, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLinuxDistroLimitSet returns a new LimitSet whose values are typical
|
|
|
|
// for a booted Linux distro.
|
|
|
|
//
|
|
|
|
// Many Linux init systems adjust the default Linux limits to values more
|
|
|
|
// expected by the rest of the userspace. NewLinuxDistroLimitSet returns a
|
|
|
|
// LimitSet with sensible defaults for applications that aren't starting
|
|
|
|
// their own init system.
|
|
|
|
func NewLinuxDistroLimitSet() (*LimitSet, error) {
|
|
|
|
ls, err := NewLinuxLimitSet()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Adjust ProcessCount to a lower value because GNU bash allocates 16
|
|
|
|
// bytes per proc and OOMs if this number is set too high. Value was
|
|
|
|
// picked arbitrarily.
|
|
|
|
//
|
|
|
|
// 1,048,576 ought to be enough for anyone.
|
|
|
|
l := ls.Get(ProcessCount)
|
|
|
|
l.Cur = 1 << 20
|
|
|
|
ls.Set(ProcessCount, l)
|
|
|
|
return ls, nil
|
|
|
|
}
|