From ad17dac9a3817fc44825a7e538fe54ee49b99c5f Mon Sep 17 00:00:00 2001 From: Joe Banks Date: Thu, 9 Oct 2025 22:44:08 +0100 Subject: Reduce PID limits for test_forkbomb_resource_unavailable This test case was being caught and nsjail was killing it, but not because of PID exhaustion but memory exhaustion. To ensure PID exhaustion is guarded against the PID count is now reduced to a level where nsjail will kill the process earlier before the memory limit. --- tests/test_nsjail.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/tests/test_nsjail.py b/tests/test_nsjail.py index 85bee68..71f797c 100644 --- a/tests/test_nsjail.py +++ b/tests/test_nsjail.py @@ -213,6 +213,13 @@ class NsJailTests(unittest.TestCase): self.assertEqual(result.files[0].content, b"a") def test_forkbomb_resource_unavailable(self): + # Using the production max PIDs causes processes to be killed due to memory instead of + # PID allocation exhaustion. For this test case, the PID limit is reduced to ensure + # that PID exhaustion is still something that is guarded against. + + previous_pids_max = self.nsjail.config.cgroup_pids_max + self.nsjail.config.cgroup_pids_max = 5 + code = dedent( """ import os @@ -221,10 +228,13 @@ class NsJailTests(unittest.TestCase): """ ).strip() - result = self.eval_file(code) - self.assertEqual(result.returncode, 1) - self.assertIn("Resource temporarily unavailable", result.stdout) - self.assertEqual(result.stderr, None) + try: + result = self.eval_file(code) + self.assertEqual(result.returncode, 1) + self.assertIn("Resource temporarily unavailable", result.stdout) + self.assertEqual(result.stderr, None) + finally: + self.nsjail.config.cgroup_pids_max = previous_pids_max def test_file_parsing_timeout(self): code = dedent( -- cgit v1.2.3