changeset 5334:0669fbaf2e5d draft

privsep: Apply what resource limits we can to capsicum
author Roy Marples <roy@marples.name>
date Wed, 10 Jun 2020 05:27:25 +0100
parents 4fb2ba0739f0
children d708e3b7cce0
files src/privsep.c
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/privsep.c	Wed Jun 10 05:04:02 2020 +0100
+++ b/src/privsep.c	Wed Jun 10 05:27:25 2020 +0100
@@ -129,9 +129,8 @@
 		return -1;
 	}
 
-#if defined(HAVE_CAPSICUM) || defined(HAVE_PLEDGE)
-	/* These sandbox technologies do not work well with
-	 * resource limits. */
+#if defined(HAVE_PLEDGE)
+	/* Pledge does not seem to work well with resource limits. */
 #else
 	struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
 
@@ -167,11 +166,13 @@
 #endif
 	}
 
+#ifndef HAVE_CAPSICUM
 	/* Prohibit large files */
 	if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
 		logerr("setrlimit RLIMIT_FSIZE");
 		return -1;
 	}
+#endif
 
 #ifdef RLIMIT_NPROC
 	/* Prohibit forks */