[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #20879 [Applications/Tor Browser Sandbox]: Set rlimits in the containers.
#20879: Set rlimits in the containers.
----------------------------------------------+-------------------------
Reporter: yawning | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Comment (by yawning):
First pass: https://gitweb.torproject.org/tor-browser/sandboxed-tor-
browser.git/commit/?id=82fcc3247c878cff63bbf34fe0c397638a232bde
I lower the soft/hard limits to:
{{{
RLIMIT_STACK = 512 * 1024
RLIMIT_RSS = 0
RLIMIT_NPROC = 512
RLIMIT_NOFILE = 1024
RLIMIT_MLOCK = 0 // Now proscribed via seccomp() as well.
RLIMIT_LOCKS = 32
RLIMIT_SIGPENDING = 64
RLIMIT_MSGQUEUE = 0
RLIMIT_NICE = 0
RLIMIT_RTPRIO = 0
RLIMIT_RTTIME = 0
}}}
I can probably go lower with NPROC/NOFILE, but erred on the side of
setting hte limits somewhat conservatively.
As far as `AS`, `DATA`, and `FSIZE` go, I agree that they should be set
*somehow* and I like your idea of applying soft limits, with UI
integration. In general the sandbox needs more UI feedback (#20844), but
I really need to think about all of this, so the initial release probably
won't ship with them set, sorry.
At least things can only improve from here...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20879#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs