[tor-bugs] #20879 [Applications/Tor Browser Sandbox]: Set rlimits in the containers.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 4 07:25:39 UTC 2016
#20879: Set rlimits in the containers.
--------------------------------------------------+---------------------
Reporter: yawning | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------------------+---------------------
The containers should have rlimits set to prevent runaway resource use,
though some of these (eg: address space) are tricky and require thought.
After discussion on IRC, sensible defaults that could be applied to
everything as a first pass would be something like:
RLIMIT_STACK: 8192
RLIMIT_RSS: 0 (No effect as of Linux 2.6.x)
RLIMIT_CORE: 0
RLIMIT_NPROC: 512
RLIMIT_NOFILE: 1024 (512?, lower?)
RLIMIT_MEMLOCK: 64 (KiB)
RLIMIT_LOCKS: (check how much firefox/tor uses flock, set to something
low)
RLIMIT_SIGPENDING: 64
RLIMIT_MSGQUEUE: 0 (assuming nothing uses this)
RLIMIT_NICE: 0
RLIMIT_RTPRIO: 0
RLIMIT_RTTIME: 0
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20879>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list