[tor-bugs] #20879 [Applications/Tor Browser Sandbox]: Set rlimits in the containers.

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 5 04:22:09 UTC 2016


#20879: Set rlimits in the containers.
----------------------------------------------+-------------------------
 Reporter:  yawning                           |          Owner:  yawning
     Type:  enhancement                       |         Status:  new
 Priority:  Medium                            |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------

Comment (by cypherpunks):

 It doesn't look like Firefox is locking any memory, so `RLIMIT_MEMLOCK`
 can be safely set to 0.

 {{{
 $ pidof -s firefox
 9688

 $ prlimit -p 9688 -l
 RESOURCE DESCRIPTION                         SOFT  HARD UNITS
 MEMLOCK  max locked-in-memory address space 65536 65536 bytes

 $ grep -E 'Vm(Size|Lck)' /proc/9688/status
 VmSize:  1069636 kB
 VmLck:         0 kB
 }}}

 Regarding the `RLIMIT_STACK`, 8 MiB is probably overkill. It's safe, but
 very high.
 {{{
 $ prlimit -p 9688 -s
 RESOURCE DESCRIPTION       SOFT    HARD UNITS
 STACK    max stack size 8388608 8388608 bytes

 $ grep -E 'Vm(Size|Stk)' /proc/9688/status
 VmSize:  1069640 kB
 VmStk:       132 kB
 }}}

 Be careful with reducing `RLIMIT_NOFILE` too low. Much lower than 512
 might be risky.
 {{{
 $ prlimit -p 9688 -n
 RESOURCE DESCRIPTION              SOFT HARD UNITS
 NOFILE   max number of open files 4096 4096

 $ ls /proc/9688/fd | sort -n | tail -n 1
 71

 $ ls /proc/9688/fd | sort -n | wc -l
 52
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20879#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
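An added example, not code from the ticket or from the sandbox itself: a C helper that applies the three limits discussed in the comment above to the calling process (intended for the child between fork() and exec()), after reading /proc/self/status and /proc/self/fd the same way the comment does so it refuses to lower a limit below what the process already uses. The 512 floor comes from the comment; the function names and the order of checks are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

#define NOFILE_FLOOR 512 /* below this the comment above warns it gets risky */

/* Read the number from a "Key:  N kB" line of /proc/self/status (kB, or -1). */
static long proc_status_kb(const char *key) {
    char line[256];
    long val = -1;
    size_t klen = strlen(key);
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            if (sscanf(line + klen + 1, "%ld", &val) != 1) val = -1;
            break;
        }
    fclose(f);
    return val;
}

/* Count open descriptors, like `ls /proc/self/fd | wc -l` in the comment. */
static long open_fd_count(void) {
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    long n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n - 1; /* opendir() itself held one descriptor */
}

/* Apply MEMLOCK=0, STACK and NOFILE (soft and hard) to the calling process, meant
 * for the child between fork() and exec(). Refuses a NOFILE below the floor and
 * any limit the process is already over, so a bad configuration fails loudly. */
int apply_sandbox_rlimits(rlim_t stack_bytes, rlim_t nofile) {
    struct rlimit memlock = {0, 0}, stack = {stack_bytes, stack_bytes}, files = {nofile, nofile};
    long locked = proc_status_kb("VmLck"), stk_kb = proc_status_kb("VmStk");
    long fds = open_fd_count();
    if (nofile < NOFILE_FLOOR) return -1;
    if (locked != 0) return -1; /* pages already locked, or /proc unreadable */
    if (stk_kb < 0 || (rlim_t)stk_kb * 1024 > stack_bytes) return -1;
    if (fds < 0 || (rlim_t)fds >= nofile) return -1;
    if (setrlimit(RLIMIT_MEMLOCK, &memlock) != 0) return -1;
    if (setrlimit(RLIMIT_STACK, &stack) != 0) return -1;
    return setrlimit(RLIMIT_NOFILE, &files);
}
```

Hard limits can only be lowered without CAP_SYS_RESOURCE, so apply this once in the child and verify with getrlimit() or `prlimit -p <pid>` from outside.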