[rsbac] RES

Amon Ott ao at rsbac.org
Mon Jan 17 10:57:47 CET 2011


On Monday 17 January 2011 wrote Jens Kasten:
> I set up the following for RES:
>
> attr_set_user RES $user res_max fsize 250000   # user won't create file
> more than 1G (block size = 4096)

This value is in bytes, so 250000 bytes, not 1G.

> attr_set_user RES $user res_max stack 100000   # user stack won't get
> bigger than 100 KB
> attr_set_user RES $user res_max nofile 1024    # user won't open more
> than 1024 fds at a time
> attr_set_user RES $user res_min core -1        # user will coredump by
> default
> attr_set_user RES $user res_max nproc 200      # user won't start more
> than 200 processes
> attr_set_user RES $user res_max as 100000000   # user's process won't
> get bigger than 100MB
>
>
> Then I call the python script ps-jail and I get:
> Jan 17 10:31:43 jaschtschik kernel: ps-jail[21077]: segfault at
> 3c0639ebf18 ip 000002be1843366c sp 000003c0639ebf20 error 6 in
> libpython2.6.so.1.0[2be1832e000+173000]
>
> Should the RES module not simply stop it if the script needs more
> resources?

RES only changes the standard kernel resource settings; it does not check
itself. So this is not possible. Also, it is not possible to know in advance
how much memory a process will try to allocate (this is a variant of the
Turing problem :).

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
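
The two points in the reply above (the `fsize` value is counted in bytes, and the limit is an ordinary kernel resource limit that the kernel applies when the process makes the request) can be observed with plain `setrlimit` on Linux. This is an added example, not part of the original thread and not RSBAC code: it uses Python's `resource` module instead of `attr_set_user`, and the function name `write_until_limit` is made up for illustration.

```python
import errno
import os
import resource
import tempfile


def write_until_limit(limit_bytes, want_bytes, block=4096):
    """Fork a child, set its soft RLIMIT_FSIZE to limit_bytes, then try to
    write want_bytes to a temporary file in block-sized chunks.

    Returns (bytes_written, errno_name_or_None) as seen by the child.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the limit applies to this process only
        written, err = 0, None
        try:
            os.close(r)
            _, hard = resource.getrlimit(resource.RLIMIT_FSIZE)
            resource.setrlimit(resource.RLIMIT_FSIZE, (limit_bytes, hard))
            with tempfile.TemporaryFile() as f:
                while written < want_bytes:
                    chunk = b"\0" * min(block, want_bytes - written)
                    # The kernel checks the limit here, per write(), not in advance.
                    written += os.write(f.fileno(), chunk)
        except OSError as e:
            # CPython ignores SIGXFSZ, so the failure surfaces as EFBIG.
            err = errno.errorcode.get(e.errno, str(e.errno))
        except ValueError:
            err = "ABOVE_HARD_LIMIT"  # requested soft limit exceeds the hard limit
        finally:
            os.write(w, f"{written} {err}".encode())
            os._exit(0)
    os.close(w)
    with os.fdopen(r) as pipe:
        written, err = pipe.read().split()
    os.waitpid(pid, 0)
    return int(written), (None if err == "None" else err)


if __name__ == "__main__":
    # 250000 is the value from the thread: it caps the file at 250000 bytes.
    print(write_until_limit(250000, 1_000_000))
    # 250000 blocks of 4096 bytes, the size the comment in the thread aimed for.
    print(write_until_limit(250000 * 4096, 1_000_000))
```
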

