github.com/metacubex/gvisor@v0.0.0-20240320004321-933faba989ec/pkg/sentry/limits/linux.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package limits 16 17 import ( 18 "fmt" 19 20 "github.com/metacubex/gvisor/pkg/abi/linux" 21 ) 22 23 // FromLinuxResource maps linux resources to LimitTypes. 24 var FromLinuxResource = map[int]LimitType{ 25 linux.RLIMIT_CPU: CPU, 26 linux.RLIMIT_FSIZE: FileSize, 27 linux.RLIMIT_DATA: Data, 28 linux.RLIMIT_STACK: Stack, 29 linux.RLIMIT_CORE: Core, 30 linux.RLIMIT_RSS: Rss, 31 linux.RLIMIT_NPROC: ProcessCount, 32 linux.RLIMIT_NOFILE: NumberOfFiles, 33 linux.RLIMIT_MEMLOCK: MemoryLocked, 34 linux.RLIMIT_AS: AS, 35 linux.RLIMIT_LOCKS: Locks, 36 linux.RLIMIT_SIGPENDING: SignalsPending, 37 linux.RLIMIT_MSGQUEUE: MessageQueueBytes, 38 linux.RLIMIT_NICE: Nice, 39 linux.RLIMIT_RTPRIO: RealTimePriority, 40 linux.RLIMIT_RTTIME: Rttime, 41 } 42 43 // FromLinuxResourceName maps from linux resource names to LimitTypes. 44 var FromLinuxResourceName = map[string]LimitType{ 45 "RLIMIT_AS": AS, 46 "RLIMIT_CORE": Core, 47 "RLIMIT_CPU": CPU, 48 "RLIMIT_DATA": Data, 49 "RLIMIT_FSIZE": FileSize, 50 "RLIMIT_LOCKS": Locks, 51 "RLIMIT_MEMLOCK": MemoryLocked, 52 "RLIMIT_MSGQUEUE": MessageQueueBytes, 53 "RLIMIT_NICE": Nice, 54 "RLIMIT_NOFILE": NumberOfFiles, 55 "RLIMIT_NPROC": ProcessCount, 56 "RLIMIT_RSS": Rss, 57 "RLIMIT_RTPRIO": RealTimePriority, 58 "RLIMIT_RTTIME": Rttime, 59 "RLIMIT_SIGPENDING": SignalsPending, 60 "RLIMIT_STACK": Stack, 61 } 62 63 // FromLinux maps linux rlimit values to sentry Limits, being careful to handle 64 // infinities. 65 func FromLinux(rl uint64) uint64 { 66 if rl == linux.RLimInfinity { 67 return Infinity 68 } 69 return rl 70 } 71 72 // ToLinux maps sentry Limits to linux rlimit values, being careful to handle 73 // infinities. 74 func ToLinux(l uint64) uint64 { 75 if l == Infinity { 76 return linux.RLimInfinity 77 } 78 return l 79 } 80 81 // NewLinuxLimitSet returns a LimitSet whose values match the default rlimits 82 // in Linux. 83 func NewLinuxLimitSet() (*LimitSet, error) { 84 ls := NewLimitSet() 85 for rlt, rl := range linux.InitRLimits { 86 lt, ok := FromLinuxResource[rlt] 87 if !ok { 88 return nil, fmt.Errorf("unknown rlimit type %v", rlt) 89 } 90 ls.SetUnchecked(lt, Limit{ 91 Cur: FromLinux(rl.Cur), 92 Max: FromLinux(rl.Max), 93 }) 94 } 95 return ls, nil 96 } 97 98 // NewLinuxDistroLimitSet returns a new LimitSet whose values are typical 99 // for a booted Linux distro. 100 // 101 // Many Linux init systems adjust the default Linux limits to values more 102 // expected by the rest of the userspace. NewLinuxDistroLimitSet returns a 103 // LimitSet with sensible defaults for applications that aren't starting 104 // their own init system. 105 func NewLinuxDistroLimitSet() (*LimitSet, error) { 106 ls, err := NewLinuxLimitSet() 107 if err != nil { 108 return nil, err 109 } 110 111 // Adjust ProcessCount to a lower value because GNU bash allocates 16 112 // bytes per proc and OOMs if this number is set too high. Value was 113 // picked arbitrarily. 114 // 115 // 1,048,576 ought to be enough for anyone. 116 l := ls.Get(ProcessCount) 117 l.Cur = 1 << 20 118 ls.Set(ProcessCount, l, true /* privileged */) 119 return ls, nil 120 }