github.com/metacubex/gvisor@v0.0.0-20240320004321-933faba989ec/pkg/sentry/limits/linux.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package limits
    16  
    17  import (
    18  	"fmt"
    19  
    20  	"github.com/metacubex/gvisor/pkg/abi/linux"
    21  )
    22  
    23  // FromLinuxResource maps linux resources to LimitTypes.
    24  var FromLinuxResource = map[int]LimitType{
    25  	linux.RLIMIT_CPU:        CPU,
    26  	linux.RLIMIT_FSIZE:      FileSize,
    27  	linux.RLIMIT_DATA:       Data,
    28  	linux.RLIMIT_STACK:      Stack,
    29  	linux.RLIMIT_CORE:       Core,
    30  	linux.RLIMIT_RSS:        Rss,
    31  	linux.RLIMIT_NPROC:      ProcessCount,
    32  	linux.RLIMIT_NOFILE:     NumberOfFiles,
    33  	linux.RLIMIT_MEMLOCK:    MemoryLocked,
    34  	linux.RLIMIT_AS:         AS,
    35  	linux.RLIMIT_LOCKS:      Locks,
    36  	linux.RLIMIT_SIGPENDING: SignalsPending,
    37  	linux.RLIMIT_MSGQUEUE:   MessageQueueBytes,
    38  	linux.RLIMIT_NICE:       Nice,
    39  	linux.RLIMIT_RTPRIO:     RealTimePriority,
    40  	linux.RLIMIT_RTTIME:     Rttime,
    41  }
    42  
    43  // FromLinuxResourceName maps from linux resource names to LimitTypes.
    44  var FromLinuxResourceName = map[string]LimitType{
    45  	"RLIMIT_AS":         AS,
    46  	"RLIMIT_CORE":       Core,
    47  	"RLIMIT_CPU":        CPU,
    48  	"RLIMIT_DATA":       Data,
    49  	"RLIMIT_FSIZE":      FileSize,
    50  	"RLIMIT_LOCKS":      Locks,
    51  	"RLIMIT_MEMLOCK":    MemoryLocked,
    52  	"RLIMIT_MSGQUEUE":   MessageQueueBytes,
    53  	"RLIMIT_NICE":       Nice,
    54  	"RLIMIT_NOFILE":     NumberOfFiles,
    55  	"RLIMIT_NPROC":      ProcessCount,
    56  	"RLIMIT_RSS":        Rss,
    57  	"RLIMIT_RTPRIO":     RealTimePriority,
    58  	"RLIMIT_RTTIME":     Rttime,
    59  	"RLIMIT_SIGPENDING": SignalsPending,
    60  	"RLIMIT_STACK":      Stack,
    61  }
    62  
    63  // FromLinux maps linux rlimit values to sentry Limits, being careful to handle
    64  // infinities.
    65  func FromLinux(rl uint64) uint64 {
    66  	if rl == linux.RLimInfinity {
    67  		return Infinity
    68  	}
    69  	return rl
    70  }
    71  
    72  // ToLinux maps sentry Limits to linux rlimit values, being careful to handle
    73  // infinities.
    74  func ToLinux(l uint64) uint64 {
    75  	if l == Infinity {
    76  		return linux.RLimInfinity
    77  	}
    78  	return l
    79  }
    80  
    81  // NewLinuxLimitSet returns a LimitSet whose values match the default rlimits
    82  // in Linux.
    83  func NewLinuxLimitSet() (*LimitSet, error) {
    84  	ls := NewLimitSet()
    85  	for rlt, rl := range linux.InitRLimits {
    86  		lt, ok := FromLinuxResource[rlt]
    87  		if !ok {
    88  			return nil, fmt.Errorf("unknown rlimit type %v", rlt)
    89  		}
    90  		ls.SetUnchecked(lt, Limit{
    91  			Cur: FromLinux(rl.Cur),
    92  			Max: FromLinux(rl.Max),
    93  		})
    94  	}
    95  	return ls, nil
    96  }
    97  
    98  // NewLinuxDistroLimitSet returns a new LimitSet whose values are typical
    99  // for a booted Linux distro.
   100  //
   101  // Many Linux init systems adjust the default Linux limits to values more
   102  // expected by the rest of the userspace. NewLinuxDistroLimitSet returns a
   103  // LimitSet with sensible defaults for applications that aren't starting
   104  // their own init system.
   105  func NewLinuxDistroLimitSet() (*LimitSet, error) {
   106  	ls, err := NewLinuxLimitSet()
   107  	if err != nil {
   108  		return nil, err
   109  	}
   110  
   111  	// Adjust ProcessCount to a lower value because GNU bash allocates 16
   112  	// bytes per proc and OOMs if this number is set too high. Value was
   113  	// picked arbitrarily.
   114  	//
   115  	// 1,048,576 ought to be enough for anyone.
   116  	l := ls.Get(ProcessCount)
   117  	l.Cur = 1 << 20
   118  	ls.Set(ProcessCount, l, true /* privileged */)
   119  	return ls, nil
   120  }