-rw-r--r-- | content/common/sandbox_init_linux.cc | 3 | ||||
-rw-r--r-- | content/common/sandbox_linux.cc | 26 | ||||
-rw-r--r-- | content/common/sandbox_linux.h | 4 |
3 files changed, 33 insertions, 0 deletions
diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_init_linux.cc
index 1c59e9e..25cbf95 100644
--- a/content/common/sandbox_init_linux.cc
+++ b/content/common/sandbox_init_linux.cc
@@ -33,6 +33,9 @@ bool InitializeSandbox() {
 return false;
 }
 
+ // Attempt to limit the future size of the address space of the process.
+ linux_sandbox->LimitAddressSpace(process_type);
+
 // First, try to enable seccomp-bpf.
 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
index ad73fe6..715bad5 100644
--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
@@ -3,7 +3,9 @@
 // found in the LICENSE file.
 
 #include <fcntl.h>
+#include <sys/resource.h>
 #include <sys/stat.h>
+#include <sys/time.h>
 #include <sys/types.h>
 
 #include "base/command_line.h"
@@ -238,5 +240,29 @@ bool LinuxSandbox::seccomp_bpf_supported() const {
 return seccomp_bpf_supported_;
 }
 
+bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
+ (void) process_type;
+#if defined(__x86_64__) && !defined(ADDRESS_SANITIZER)
+ CommandLine* command_line = CommandLine::ForCurrentProcess();
+ if (command_line->HasSwitch(switches::kNoSandbox)) {
+ return false;
+ }
+ // Limit the address space to 8GB.
+ const rlim_t kNewAddressSpaceMaxSize = 0x200000000L;
+ struct rlimit old_address_space_limit;
+ if (getrlimit(RLIMIT_AS, &old_address_space_limit))
+ return false;
+ // Make sure we don't raise the existing limit.
+ const struct rlimit new_address_space_limit = {
+ std::min(old_address_space_limit.rlim_cur, kNewAddressSpaceMaxSize),
+ std::min(old_address_space_limit.rlim_max, kNewAddressSpaceMaxSize)
+ };
+ int rc = setrlimit(RLIMIT_AS, &new_address_space_limit);
+ return (rc == 0);
+#else
+ return false;
+#endif // __x86_64__ && !defined(ADDRESS_SANITIZER)
+}
+
 } // namespace content
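Review bot: The result of `linux_sandbox->LimitAddressSpace(process_type)` is dropped at the new call in InitializeSandbox, and LimitAddressSpace itself returns a bare false for three unrelated conditions (--no-sandbox, a non-x86_64 or ADDRESS_SANITIZER build, setrlimit failure), so a failed setrlimit(RLIMIT_AS) leaves the process without the intended limit and nothing records it. In the second sandbox_linux.cc hunk, report the failure where it happens, e.g. `if (rc != 0) DPLOG(WARNING) << "setrlimit(RLIMIT_AS) failed";` before the return (assuming base/logging.h is in scope in this file; the include block shown does not say). The --no-sandbox early return is braced while the getrlimit check is not; `if (getrlimit(RLIMIT_AS, &old_address_space_limit) != 0) {` with a braced return keeps the two checks consistent. The enclosing InitializeSandbox body in the first hunk starts and ends outside it.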
diff --git a/content/common/sandbox_linux.h b/content/common/sandbox_linux.h
index bd512f0..0fa9718 100644
--- a/content/common/sandbox_linux.h
+++ b/content/common/sandbox_linux.h
@@ -73,6 +73,10 @@ class LinuxSandbox {
 // Check the policy and eventually start the seccomp-bpf sandbox.
 bool StartSeccompBpf(const std::string& process_type);
 
+ // Limit the address space of the current process (and its children).
+ // to make some vulnerabilities harder to exploit.
+ bool LimitAddressSpace(const std::string& process_type);
+
 private:
 friend struct DefaultSingletonTraits<LinuxSandbox>;
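Review bot: The new header comment for LimitAddressSpace has a stray full stop that splits the sentence, `(and its children).` followed by `to make some vulnerabilities harder to exploit.`, and it does not say what the returned bool means. Since the header is the only place callers see the contract, I would write it as `// Limit the address space of the current process (and its children) to` / `// make some vulnerabilities harder to exploit. Returns false when no limit` / `// was applied (--no-sandbox, unsupported build, or setrlimit failure).` The return semantics are taken from the sandbox_linux.cc definition in this commit, so adjust the wording if that implementation changes.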