3. Adjust Limits

The Sandbox Policy prevents the Sandboxee from calling specific syscalls and thus reduces the attack surface. However, an attacker might still be able to cause undesired effects by running a process indefinitely or exhausting RAM and other resources.

To address this threat, the Sandboxee runs under tight execution limits by default. If these default limits cause issues for the legitimate execution of your program, you can adjust them using the sandbox2::Limits class by calling limits() on the executor object.

The code snippet below shows some example limit adjustments. All available options are documented in the limits.h header file.

// Restrict the address space size of the sandboxee to 4 GiB.
executor->limits()->set_rlimit_as(4ULL << 30);
// Kill sandboxee with SIGXFSZ if it writes more than 1 GiB to the filesystem.
executor->limits()->set_rlimit_fsize(1ULL << 30);
// Limit the sandboxee to 1024 open file descriptors.
executor->limits()->set_rlimit_nofile(1ULL << 10);
// The sandboxee is not allowed to create core files.
executor->limits()->set_rlimit_core(0);
// Maximum 300 s of CPU time.
executor->limits()->set_rlimit_cpu(300);
// Maximum 120s of wall time.
executor->limits()->set_walltime_limit(absl::Seconds(120));
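To see what the setters above actually enforce, here is an added example that is not part of sandbox2 or of this page: it forks a child, installs the same resource limits with the setrlimit(2) calls that the rlimit setters wrap, and emulates the wall-time limit with a polling monitor that kills the child, since the kernel has no rlimit for wall-clock time. The names ChildLimits, RunWithLimits and the Body* stand-ins for a sandboxee are hypothetical; the rlimit constants and signals are the real POSIX/Linux ones.

```cpp
#include <fcntl.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <cstdio>
#include <cstdlib>
#include <cstring>

// Hypothetical limit set mirroring the sandbox2::Limits setters shown above.
struct ChildLimits {
  rlim_t address_space = RLIM_INFINITY;  // set_rlimit_as     (bytes)
  rlim_t cpu_seconds = RLIM_INFINITY;    // set_rlimit_cpu    (seconds)
  rlim_t open_files = RLIM_INFINITY;     // set_rlimit_nofile (count)
  rlim_t core_bytes = 0;                 // set_rlimit_core(0): no core files
  double walltime_seconds = -1.0;        // set_walltime_limit; < 0 means none
};

struct Outcome {
  bool signaled = false;  // true if the child was terminated by a signal
  int signo = 0;          // terminating signal when signaled
  int exit_code = -1;     // exit status when it exited normally
};

// Apply one rlimit in the child. A process may only lower its hard limit,
// so the requested values are clamped to whatever is already in force.
static void ApplyRlimit(int resource, rlim_t soft, rlim_t hard) {
  struct rlimit cur;
  if (getrlimit(resource, &cur) != 0) _exit(127);
  if (cur.rlim_max != RLIM_INFINITY && hard > cur.rlim_max) hard = cur.rlim_max;
  if (soft > hard) soft = hard;
  struct rlimit rl = {soft, hard};
  if (setrlimit(resource, &rl) != 0) _exit(127);
}

// Fork a child, install the limits, run body(), and report how it ended.
Outcome RunWithLimits(const ChildLimits& lim, int (*body)()) {
  pid_t pid = fork();
  if (pid < 0) return Outcome{};
  if (pid == 0) {
    ApplyRlimit(RLIMIT_CORE, lim.core_bytes, lim.core_bytes);
    if (lim.address_space != RLIM_INFINITY)
      ApplyRlimit(RLIMIT_AS, lim.address_space, lim.address_space);
    if (lim.open_files != RLIM_INFINITY)
      ApplyRlimit(RLIMIT_NOFILE, lim.open_files, lim.open_files);
    // Soft limit one second below the hard limit: the kernel sends SIGXCPU at
    // the soft limit (default action: terminate) and SIGKILL at the hard one.
    if (lim.cpu_seconds != RLIM_INFINITY)
      ApplyRlimit(RLIMIT_CPU, lim.cpu_seconds, lim.cpu_seconds + 1);
    _exit(body());
  }
  // Parent: no rlimit covers wall-clock time, so a monitor loop polls the
  // child and kills it once the deadline passes.
  struct timespec start;
  clock_gettime(CLOCK_MONOTONIC, &start);
  int status = 0;
  for (;;) {
    if (waitpid(pid, &status, WNOHANG) == pid) break;
    if (lim.walltime_seconds >= 0) {
      struct timespec now;
      clock_gettime(CLOCK_MONOTONIC, &now);
      double elapsed = (now.tv_sec - start.tv_sec) + (now.tv_nsec - start.tv_nsec) / 1e9;
      if (elapsed > lim.walltime_seconds) {
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        break;
      }
    }
    usleep(10000);
  }
  Outcome o;
  if (WIFSIGNALED(status)) { o.signaled = true; o.signo = WTERMSIG(status); }
  else if (WIFEXITED(status)) { o.exit_code = WEXITSTATUS(status); }
  return o;
}

// Sandboxee stand-ins. Each returns an exit code; 0 means the limit held.
int BodyAllocate() {   // a 1 GiB reservation must be refused under a smaller RLIMIT_AS
  void* p = malloc(1ULL << 30);
  return p == nullptr ? 0 : 1;
}
int BodyBurnCpu() {    // never returns; RLIMIT_CPU ends it
  volatile unsigned long x = 0;
  for (;;) ++x;
}
int BodySleep() {      // never returns; only the wall-time monitor ends it
  for (;;) pause();
}
int BodyOpenFiles() {  // open() must start failing with EMFILE below the fd cap
  int n = 0;
  while (n < 10000 && open("/dev/null", O_RDONLY) >= 0) ++n;
  return (n > 0 && n < 16) ? 0 : 1;
}

int main() {
  ChildLimits lim;
  lim.address_space = 512ULL << 20;  // 512 MiB
  lim.cpu_seconds = 1;
  lim.open_files = 16;
  lim.walltime_seconds = 3.0;        // generous, so RLIMIT_CPU fires before it
  struct { const char* name; int (*body)(); } cases[] = {
      {"1 GiB malloc", BodyAllocate}, {"busy loop", BodyBurnCpu},
      {"sleep forever", BodySleep},   {"open() loop", BodyOpenFiles},
  };
  for (const auto& c : cases) {
    Outcome o = RunWithLimits(lim, c.body);
    if (o.signaled) printf("%s: killed by signal %d (%s)\n", c.name, o.signo, strsignal(o.signo));
    else printf("%s: exited with code %d\n", c.name, o.exit_code);
  }
  return 0;
}
```

Two details worth noting when tuning the real limits: RLIMIT_CPU counts CPU time consumed, so a sandboxee that blocks or sleeps is only caught by the wall-time limit, and the wall-time limit must be enforced by the supervising process rather than the kernel. Because the example sets the CPU soft limit one second under the hard limit, a runaway loop is reported as killed by SIGXCPU rather than SIGKILL, which makes the two causes distinguishable in the exit status.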

For an example of the use of the sandbox2::Limits class, see the example tool.