From 48556bbd49c89a0bb8d71fc935c2af9cbb60cfc2 Mon Sep 17 00:00:00 2001
From: Nils
Date: Thu, 22 Jul 2021 13:57:37 +0200
Subject: [PATCH] Improved configurability
---
child_launcher.cpp | 65 ++++++++++++++++++++++++++++++++--------------
1 file changed, 46 insertions(+), 19 deletions(-)
diff --git a/child_launcher.cpp b/child_launcher.cpp
index 6a39e10..a4e92c8 100644
--- a/child_launcher.cpp
+++ b/child_launcher.cpp
@@ -9,25 +9,55 @@ #include -void enable_limits() { +struct Limits { + size_t max_mem = 4 * 1000; // 4 KB + bool enable_seccomp = true; + bool close_stdio = true; + + Limits() { + auto HSS_MAX_MEM = getenv("HSS_MAX_MEM"); + auto HSS_NO_SECCOMP = getenv("HSS_NO_SECCOMP"); + auto HSS_KEEP_STDIO = getenv("HSS_KEEP_STDIO"); + if (HSS_MAX_MEM) { + max_mem = std::stoul(HSS_MAX_MEM); + } + if (HSS_NO_SECCOMP) { + enable_seccomp = false; + } + if (HSS_KEEP_STDIO) { + close_stdio = false; + } + } +}; + +void enable_limits(const Limits& limits) { // rlimit - constexpr size_t memLimit = 4 * 1000; // 4 KB - rlimit memRLimit{memLimit, memLimit}; - if (setrlimit(RLIMIT_AS, &memRLimit) < 0) { - throw std::runtime_error("Error setting ressource limits"); + if (limits.max_mem) { + rlimit memRLimit{limits.max_mem, limits.max_mem}; + if (setrlimit(RLIMIT_AS, &memRLimit) < 0) { + throw std::runtime_error("Error setting ressource limits"); + } } // Seccomp - scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(EOPNOTSUPP)); - for (const auto sysc : { - SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(munmap), - SCMP_SYS(write), SCMP_SYS(read), SCMP_SYS(close), - SCMP_SYS(exit), SCMP_SYS(exit_group) - }) { - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, sysc, 0); + if (limits.enable_seccomp) { + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(EOPNOTSUPP)); + for (const auto sysc : { + SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(munmap), + SCMP_SYS(write), SCMP_SYS(read), SCMP_SYS(close), + SCMP_SYS(exit), SCMP_SYS(exit_group) + }) { + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, sysc, 0); + } + seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0); + if (seccomp_load(ctx) < 0) { + throw std::runtime_error("Error setting up seccomp"); + } } - seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0); - if (seccomp_load(ctx) < 0) { - throw std::runtime_error("Error setting up seccomp"); + if (limits.close_stdio) { + // Close stdio + close(STDIN_FILENO); + close(STDOUT_FILENO); + close(STDERR_FILENO); } } 
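Review bot: The three `HSS_*` variables read in the `Limits()` constructor let the process environment switch off every restriction `enable_limits` applies, and nothing records that it happened. `HSS_NO_SECCOMP` skips the filter, and `HSS_MAX_MEM=0` skips `setrlimit` through the `if (limits.max_mem)` test. `std::stoul` also accepts `-1`, which wraps to a huge limit, and trailing garbage such as `4000abc`. If the launcher can inherit its environment from a less trusted parent, the sandbox becomes opt-out for that parent, so I would parse the value strictly as sketched below and write one line to stderr, before stdio is closed, whenever a restriction is relaxed. The `// 4 KB` comment on `max_mem` should also say that the variable is in bytes and that 0 means "no limit".

```cpp
    Limits() {
        // … unchanged: getenv() lookups …
        if (HSS_MAX_MEM) {
            // Strict parse: must start with a digit (no sign, no whitespace),
            // consume the whole string, and not overflow.
            char *end = nullptr;
            errno = 0;
            const unsigned long parsed = std::strtoul(HSS_MAX_MEM, &end, 10);
            const bool starts_with_digit =
                std::isdigit(static_cast<unsigned char>(HSS_MAX_MEM[0])) != 0;
            if (!starts_with_digit || *end != '\0' || errno == ERANGE) {
                throw std::runtime_error("Invalid HSS_MAX_MEM");
            }
            max_mem = parsed;
        }
        // … unchanged: HSS_NO_SECCOMP / HSS_KEEP_STDIO handling …
    }
```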
@@ -40,10 +70,7 @@ int main(int argc, char **argv) {
 // Launch
 Dlhandle dl(argv[5], RTLD_NOW | RTLD_LOCAL);
 auto entry = dl.get("entry");
- enable_limits();
- close(STDIN_FILENO);
- close(STDOUT_FILENO);
- close(STDERR_FILENO);
+ enable_limits(Limits());
 entry(ipc);
 exit(EXIT_SUCCESS);
 }
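Review bot: `Limits()` is constructed on the `enable_limits(Limits());` line, which comes after `Dlhandle dl(argv[5], ...)`, so the environment is read only after the module has been loaded. Any code that runs while the module loads could therefore change the `HSS_*` variables before they are read. That code already runs outside the restrictions, but the configuration should still be fixed before any module code runs: declare `const Limits limits;` above the `Dlhandle` line and call `enable_limits(limits);` here. The start of `main` is outside this hunk, so check whether anything earlier there already depends on the environment.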