[tor-bugs] #20879 [Applications/Tor Browser Sandbox]: Set rlimits in the containers.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 5 04:22:09 UTC 2016
#20879: Set rlimits in the containers.
----------------------------------------------+-------------------------
 Reporter:  yawning                           |  Owner:  yawning
     Type:  enhancement                       |  Status:  new
 Priority:  Medium                            |  Milestone:
Component:  Applications/Tor Browser Sandbox  |  Version:
 Severity:  Normal                            |  Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |  Points:
 Reviewer:                                    |  Sponsor:
----------------------------------------------+-------------------------
Comment (by cypherpunks):
It doesn't look like Firefox is locking any memory, so `RLIMIT_MEMLOCK`
can be safely set to 0.
{{{
$ pidof -s firefox
9688
$ prlimit -p 9688 -l
RESOURCE   DESCRIPTION                          SOFT   HARD  UNITS
MEMLOCK    max locked-in-memory address space  65536  65536  bytes
$ grep -E 'Vm(Size|Lck)' /proc/9688/status
VmSize: 1069636 kB
VmLck: 0 kB
}}}
Regarding the `RLIMIT_STACK`, 8 MiB is probably overkill. It's safe, but
very high.
{{{
$ prlimit -p 9688 -s
RESOURCE   DESCRIPTION        SOFT     HARD     UNITS
STACK      max stack size  8388608  8388608    bytes
$ grep -E 'Vm(Size|Stk)' /proc/9688/status
VmSize: 1069640 kB
VmStk: 132 kB
}}}
Be careful with reducing `RLIMIT_NOFILE` too low. Much lower than 512
might be risky.
{{{
$ prlimit -p 9688 -n
RESOURCE   DESCRIPTION                SOFT  HARD  UNITS
NOFILE     max number of open files   4096  4096
$ ls /proc/9688/fd | sort -n | tail -n 1
71
$ ls /proc/9688/fd | sort -n | wc -l
52
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20879#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
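The comment above measures a process's actual resource usage (VmLck, VmStk, the descriptors under /proc/PID/fd) before tightening its rlimits. The following script is an added example, not code from this ticket or from the Tor Browser Sandbox: it parses the text of `/proc/<pid>/limits` and `/proc/<pid>/status`, compares current usage against a proposed set of limits, and can spawn a child with those limits applied. The sample `/proc` contents, the highest descriptor number and the proposed values are constructed from the figures quoted in the comment; the function names (`parse_limits`, `check_headroom`, `run_with_rlimits`) are this example's own. It assumes Linux, since it relies on `/proc` and `resource.RLIMIT_MEMLOCK`.

```python
"""Check headroom before lowering a process's rlimits (added example, Linux only)."""
import re
import resource
import subprocess

# Constructed sample of /proc/<pid>/limits with the values the comment reports
# for Firefox: MEMLOCK 64 KiB, STACK 8 MiB, NOFILE 4096.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max locked memory         65536                65536                bytes
Max open files            4096                 4096                 files
Max stack size            8388608              8388608              bytes
"""

# Constructed sample of /proc/<pid>/status (only the rows this check needs).
SAMPLE_STATUS = """\
Name:\tfirefox
VmSize:\t 1069640 kB
VmLck:\t       0 kB
VmStk:\t     132 kB
"""

# Highest descriptor number seen under /proc/<pid>/fd (the comment's `tail -n 1`).
SAMPLE_HIGHEST_FD = 71

# Rows of /proc/<pid>/limits: name, soft, hard, optional units, columns
# separated by two or more spaces.
LIMIT_ROW = re.compile(r"^(Max \S+(?: \S+)*?)\s{2,}(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
STATUS_ROW = re.compile(r"^(Vm\w+):\s+(\d+) kB")

# Short names used in this example -> /proc row name and resource constant.
ROW_FOR = {"memlock": "Max locked memory", "stack": "Max stack size", "nofile": "Max open files"}
RLIMIT_FOR = {
    "memlock": resource.RLIMIT_MEMLOCK,
    "stack": resource.RLIMIT_STACK,
    "nofile": resource.RLIMIT_NOFILE,
}


def _num(field):
    """'unlimited' becomes None; everything else is an integer."""
    return None if field == "unlimited" else int(field)


def parse_limits(text):
    """Map each 'Max ...' row of /proc/<pid>/limits to (soft, hard)."""
    limits = {}
    for line in text.splitlines():
        m = LIMIT_ROW.match(line)
        if m:
            limits[m.group(1)] = (_num(m.group(2)), _num(m.group(3)))
    return limits


def parse_status_bytes(text):
    """Map Vm* rows of /proc/<pid>/status to byte counts (the file reports kB)."""
    out = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line)
        if m:
            out[m.group(1)] = int(m.group(2)) * 1024
    return out


def check_headroom(limits_text, status_text, highest_fd, proposed):
    """Return {name: (current_usage, proposed_limit, ok)} for each proposed limit.

    ok means the process already fits under the proposed value and the value
    does not exceed the current hard limit (which an unprivileged setrlimit
    could not raise anyway).
    """
    limits = parse_limits(limits_text)
    status = parse_status_bytes(status_text)
    usage = {
        "memlock": status.get("VmLck", 0),
        "stack": status.get("VmStk", 0),
        # RLIMIT_NOFILE bounds the descriptor *number*, so the figure that
        # matters is highest fd + 1, not how many descriptors are open.
        "nofile": highest_fd + 1,
    }
    result = {}
    for name, value in proposed.items():
        _soft, hard = limits.get(ROW_FOR[name], (None, None))
        fits = usage[name] <= value and (hard is None or value <= hard)
        result[name] = (usage[name], value, fits)
    return result


def run_with_rlimits(argv, proposed):
    """Spawn argv with the proposed limits set in the child before exec.

    Lowering a limit never needs privilege, which is what a sandbox launcher
    relies on; the child's own `ulimit` output shows what it inherited.
    """
    def preexec():
        for name, value in proposed.items():
            resource.setrlimit(RLIMIT_FOR[name], (value, value))

    return subprocess.run(argv, preexec_fn=preexec, capture_output=True, text=True).stdout


if __name__ == "__main__":
    proposed = {"memlock": 0, "stack": 1 << 20, "nofile": 512}
    for name, (used, limit, ok) in check_headroom(
            SAMPLE_LIMITS, SAMPLE_STATUS, SAMPLE_HIGHEST_FD, proposed).items():
        print(f"{name:8} usage={used:<8} proposed={limit:<8} {'ok' if ok else 'TOO LOW'}")
    # ulimit prints -l and -s in KiB, -n as a count.
    print(run_with_rlimits(["sh", "-c", "ulimit -l; ulimit -s; ulimit -n"], proposed))
```

To use it on a live process, read `/proc/<pid>/limits` and `/proc/<pid>/status` into the two text arguments and pass `max(int(n) for n in os.listdir(f"/proc/{pid}/fd"))` as `highest_fd`. A `nofile` value of 64 would be flagged here even though only 52 descriptors are open, because descriptor 71 is already in use.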