search for: rl_zero

...================================ RCS file: /var/cvs/openssh/sandbox-rlimit.c,v retrieving revision 1.2 diff -u -p -r1.2 sandbox-rlimit.c --- sandbox-rlimit.c 23 Jun 2011 09:45:51 -0000 1.2 +++ sandbox-rlimit.c 2 Jul 2012 15:17:56 -0000 @@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *bo rl_zero.rlim_cur = rl_zero.rlim_max = 0; +#ifndef SANDBOX_SKIP_RLIMIT_FSIZE if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: set...

Hi, The systrace and rlimit sandboxes have been committed and will be in snapshots dated 20110623 and later. This diff adds support for pre-auth privsep sandboxing using the OS X sandbox_init(3) service. It's a bit disappointing that the OS X developers chose such as namespace-polluting header and function names "sandbox.h", "sandbox_init()", etc. It already forced me to

...to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing rlimit sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }...