Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1710)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/sandbox_linux.cc

Issue 919203002: Linux Sandbox: add resource limits to NaCl (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Address nits. Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('K') | « components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('k') | sandbox/linux/BUILD.gn » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/sandbox_linux.cc
diff --git a/content/common/sandbox_linux/sandbox_linux.cc b/content/common/sandbox_linux/sandbox_linux.cc
index 68a7b2a4451b025e5406143b885d86b2176c5547..12e12fee0979cf07d1a5d483a072c3502fdb6578 100644
--- a/content/common/sandbox_linux/sandbox_linux.cc
+++ b/content/common/sandbox_linux/sandbox_linux.cc
@@ -36,6 +36,7 @@
#include "sandbox/linux/services/credentials.h"
#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/services/proc_util.h"
+#include "sandbox/linux/services/resource_limits.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/services/yama.h"
#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
@@ -67,19 +68,6 @@ void LogSandboxStarted(const std::string& sandbox_name) {
VLOG(1) << activated_sandbox;
}
-bool AddResourceLimit(int resource, rlim_t limit) {
- struct rlimit old_rlimit;
- if (getrlimit(resource, &old_rlimit))
- return false;
- // Make sure we don't raise the existing limit.
- const struct rlimit new_rlimit = {
- std::min(old_rlimit.rlim_cur, limit),
- std::min(old_rlimit.rlim_max, limit)
- };
- int rc = setrlimit(resource, &new_rlimit);
- return rc == 0;
-}
-
bool IsRunningTSAN() {
#if defined(THREAD_SANITIZER)
return true;
@@ -420,17 +408,16 @@ bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
// allocations that can't be index by an int.
const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
- bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
- bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
+ bool limited_as =
+ sandbox::ResourceLimits::Lower(RLIMIT_AS, address_space_limit);
+ bool limited_data =
+ sandbox::ResourceLimits::Lower(RLIMIT_DATA, kNewDataSegmentMaxSize);
// Cache the resource limit before turning on the sandbox.
base::SysInfo::AmountOfVirtualMemory();
return limited_as && limited_data;
#else
- // Silence the compiler warning about unused function. This doesn't actually
- // call AddResourceLimit().
- ignore_result(AddResourceLimit);
base::SysInfo::AmountOfVirtualMemory();
return false;
#endif // !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) &&
« components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('K') | « components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('k') | sandbox/linux/BUILD.gn » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698