3. Adjusting limits
The sandbox policy keeps the Sandboxee from making particular system calls, which reduces the attack surface. An attacker could still, however, run a process indefinitely or exhaust RAM and other resources, with unintended consequences.
To counter this threat, the Sandboxee runs under strict execution limits by default. If these defaults interfere with the legitimate execution of your program, you can adjust them with the sandbox2::Limits class by calling limits() on the executor object.
The following snippet shows some example limit adjustments. All available options are documented in the limits.h header file.
// Restrict the address space size of the sandboxee to 4 GiB.
executor->limits()->set_rlimit_as(4ULL << 30);
// Kill sandboxee with SIGXFSZ if it writes more than 1 GiB to the filesystem.
executor->limits()->set_rlimit_fsize(1ULL << 30);
// Number of file descriptors which can be used by the sandboxee.
executor->limits()->set_rlimit_nofile(1ULL << 10);
// The sandboxee is not allowed to create core files.
executor->limits()->set_rlimit_core(0);
// Maximum 300s of real CPU time.
executor->limits()->set_rlimit_cpu(300);
// Maximum 120s of wall time.
executor->limits()->set_walltime_limit(absl::Seconds(120));
For an example of how the sandbox2::Limits class is used, see the example tools.
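The limits above map onto ordinary rlimits, except for the wall-time budget, which the page sets through a separate set_walltime_limit call rather than a set_rlimit_* one. The following added example (not Sandbox2 code, and not from the page) applies the same kinds of limits with setrlimit(2) in a forked child and enforces the wall-clock budget from the parent, so you can observe what each limit does to a misbehaving workload without Sandbox2 installed. ChildLimits, ChildResult, RunWithLimits and the Demo* functions are hypothetical names invented for this example; the scratch file under /tmp and the 256 MiB, 1 MiB and 200 ms values are constructed for the demonstration.

```cpp
// Added example, not Sandbox2 code: the kinds of limits the page sets via sandbox2::Limits,
// applied with setrlimit(2) in a forked child. ChildLimits/RunWithLimits/Demo* are hypothetical.
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <chrono>
#include <cstdlib>
#include <cstring>
#include <functional>
struct ChildLimits {
  rlim_t address_space = RLIM_INFINITY;    // analogue of set_rlimit_as
  rlim_t file_size = RLIM_INFINITY;        // analogue of set_rlimit_fsize
  rlim_t core_size = RLIM_INFINITY;        // analogue of set_rlimit_core
  rlim_t cpu_seconds = RLIM_INFINITY;      // analogue of set_rlimit_cpu
  std::chrono::milliseconds wall_time{0};  // analogue of set_walltime_limit; 0 means unlimited
};
struct ChildResult { bool exited = false; int exit_code = -1; bool signaled = false; int signal = 0; bool wall_time_killed = false; };
// Lower both the soft and the hard limit; RLIM_INFINITY means "leave the inherited limit alone".
static bool SetLimit(int resource, rlim_t value) {
  if (value == RLIM_INFINITY) return true;
  rlimit rl{value, value};
  return setrlimit(resource, &rl) == 0;
}
// Fork, apply the limits in the child before it runs `body`, and report how the child ended.
ChildResult RunWithLimits(const ChildLimits& limits, const std::function<int()>& body) {
  ChildResult result;
  pid_t pid = fork();
  if (pid < 0) return result;
  if (pid == 0) {
    if (!SetLimit(RLIMIT_AS, limits.address_space) || !SetLimit(RLIMIT_FSIZE, limits.file_size) ||
        !SetLimit(RLIMIT_CORE, limits.core_size) || !SetLimit(RLIMIT_CPU, limits.cpu_seconds)) {
      _exit(127);
    }
    _exit(body());
  }
  // Wall time is not an rlimit: the parent polls and SIGKILLs the child once the budget is spent.
  const auto start = std::chrono::steady_clock::now();
  const bool timed = limits.wall_time.count() > 0;
  int status = 0;
  for (;;) {
    pid_t w = waitpid(pid, &status, timed ? WNOHANG : 0);
    if (w == pid) break;
    if (w < 0) return result;
    if (std::chrono::steady_clock::now() - start > limits.wall_time) {
      kill(pid, SIGKILL);
      result.wall_time_killed = true;
      waitpid(pid, &status, 0);
      break;
    }
    usleep(5000);
  }
  if (WIFEXITED(status)) { result.exited = true; result.exit_code = WEXITSTATUS(status); }
  if (WIFSIGNALED(status)) { result.signaled = true; result.signal = WTERMSIG(status); }
  return result;
}
// 512 MiB requested under a 256 MiB address-space limit: malloc returns nullptr (exit code 2)
// instead of the child growing without bound.
ChildResult DemoAddressSpace() {
  ChildLimits l;
  l.address_space = 256ULL << 20;
  return RunWithLimits(l, [] {
    void* p = malloc(512ULL << 20);
    if (p == nullptr) return 2;
    free(p);
    return 0;
  });
}
// Writing past a 1 MiB file-size limit terminates the child with SIGXFSZ, as the page describes
// for set_rlimit_fsize; core_size 0 keeps that termination from dumping core.
ChildResult DemoFileSize() {
  ChildLimits l;
  l.file_size = 1ULL << 20;
  l.core_size = 0;
  return RunWithLimits(l, [] {
    char path[] = "/tmp/limits_demo_XXXXXX";  // constructed scratch file, unlinked right away
    int fd = mkstemp(path);
    if (fd < 0) return 4;
    unlink(path);
    static char chunk[64 << 10];
    memset(chunk, 'x', sizeof chunk);
    for (size_t written = 0; written < (2ULL << 20); written += sizeof chunk) {
      if (write(fd, chunk, sizeof chunk) < 0) return 3;  // only reached if SIGXFSZ were ignored
    }
    return 0;
  });
}
// A child that never finishes is killed by the parent after 200 ms of wall time.
ChildResult DemoWallTime() {
  ChildLimits l;
  l.wall_time = std::chrono::milliseconds(200);
  return RunWithLimits(l, [] { for (;;) pause(); return 0; });
}
```

Two details worth noting when tuning real limits: the file-size limit does not fail the first oversized write outright (the kernel truncates a write that crosses the limit and only signals SIGXFSZ on a write that starts at or past it), so a Sandboxee killed by SIGXFSZ has already written up to the limit; and because the address-space limit counts every mapping the process inherits, a limit set too close to the program's baseline footprint makes even legitimate allocations fail, which is the kind of problem the page's advice about adjusting the defaults is meant to address.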
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated (UTC): 2023-12-06.