diff options
| author |  MarkKoz <[email protected]> | 2021-01-10 14:12:57 -0800 |
|---|---|---|
| committer | MarkKoz <[email protected]> | 2021-01-10 17:04:59 -0800 |
| commit | 8528ab06b1991004cd7d6fd6c3e5d850cbdaedbc (patch) | |
| tree | bf57a5ad1da2f5b27fdd8c4c0356c9bff3563aaa | |
| parent | Read the nsjail config into a protobuf Message object (diff) | |
Read cgroup values from the config file
| -rw-r--r-- | snekbox/nsjail.py | 25 |
1 files changed, 7 insertions, 18 deletions
diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py index 0b6d1c6..f5df64c 100644 --- a/snekbox/nsjail.py +++ b/snekbox/nsjail.py @@ -22,13 +22,8 @@ LOG_PATTERN = re.compile( ) LOG_BLACKLIST = ("Process will be ",) -# Explicitly define constants for NsJail's default values. -CGROUP_PIDS_PARENT = Path("/sys/fs/cgroup/pids/NSJAIL") -CGROUP_MEMORY_PARENT = Path("/sys/fs/cgroup/memory/NSJAIL") - NSJAIL_PATH = os.getenv("NSJAIL_PATH", "/usr/sbin/nsjail") NSJAIL_CFG = os.getenv("NSJAIL_CFG", "./config/snekbox.cfg") -MEM_MAX = 52428800 # Limit of stdout bytes we consume before terminating nsjail OUTPUT_MAX = 1_000_000 # 1 MB @@ -58,11 +53,7 @@ class NsJail: return config - @staticmethod - def _create_parent_cgroups( - pids: Path = CGROUP_PIDS_PARENT, - mem: Path = CGROUP_MEMORY_PARENT - ) -> None: + def _create_parent_cgroups(self) -> None: """ Create the PIDs and memory cgroups which NsJail will use as its parent cgroups. @@ -71,16 +62,20 @@ class NsJail: Disables memory swapping. """ + pids = Path(self.config.cgroup_pids_mount, self.config.cgroup_pids_parent) + mem = Path(self.config.cgroup_mem_mount, self.config.cgroup_mem_parent) + mem_max = str(self.config.cgroup_mem_max) + pids.mkdir(parents=True, exist_ok=True) mem.mkdir(parents=True, exist_ok=True) # Swap limit cannot be set to a value lower than memory.limit_in_bytes. # Therefore, this must be set first. - (mem / "memory.limit_in_bytes").write_text(str(MEM_MAX), encoding="utf-8") + (mem / "memory.limit_in_bytes").write_text(mem_max, encoding="utf-8") try: # Swap limit is specified as the sum of the memory and swap limits. - (mem / "memory.memsw.limit_in_bytes").write_text(str(MEM_MAX), encoding="utf-8") + (mem / "memory.memsw.limit_in_bytes").write_text(mem_max, encoding="utf-8") except PermissionError: log.warning( "Failed to set the memory swap limit for the cgroup. " @@ -158,12 +153,6 @@ class NsJail: self.nsjail_binary, "--config", NSJAIL_CFG, "--log", nsj_log.name, - f"--cgroup_mem_max={MEM_MAX}", - "--cgroup_mem_mount", str(CGROUP_MEMORY_PARENT.parent), - "--cgroup_mem_parent", CGROUP_MEMORY_PARENT.name, - "--cgroup_pids_max=1", - "--cgroup_pids_mount", str(CGROUP_PIDS_PARENT.parent), - "--cgroup_pids_parent", CGROUP_PIDS_PARENT.name, "--", self.python_binary, "-Squ", "-c", code ) |