Improved configurability

child_launcher.cpp

@@ -9,25 +9,55 @@
 #include <dlhandle.hpp>
 
 
-void enable_limits() {
+struct Limits {
+    size_t max_mem = 4 * 1000; // 4 KB
+    bool enable_seccomp = true;
+    bool close_stdio = true;
+
+    Limits() {
+        auto HSS_MAX_MEM = getenv("HSS_MAX_MEM");
+        auto HSS_NO_SECCOMP = getenv("HSS_NO_SECCOMP");
+        auto HSS_KEEP_STDIO = getenv("HSS_KEEP_STDIO");
+        if (HSS_MAX_MEM) {
+            max_mem = std::stoul(HSS_MAX_MEM);
+        }
+        if (HSS_NO_SECCOMP) {
+            enable_seccomp = false;
+        }
+        if (HSS_KEEP_STDIO) {
+            close_stdio = false;
+        }
+    }
+};
+
+void enable_limits(const Limits& limits) {
     // rlimit
-    constexpr size_t memLimit = 4 * 1000; // 4 KB
+    if (limits.max_mem) {
-    rlimit memRLimit{memLimit, memLimit};
+        rlimit memRLimit{limits.max_mem, limits.max_mem};
-    if (setrlimit(RLIMIT_AS, &memRLimit) < 0) {
+        if (setrlimit(RLIMIT_AS, &memRLimit) < 0) {
-        throw std::runtime_error("Error setting ressource limits");
+            throw std::runtime_error("Error setting ressource limits");
+        }
     }
     // Seccomp
-    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(EOPNOTSUPP));
+    if (limits.enable_seccomp) {
-    for (const auto sysc : {
+        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(EOPNOTSUPP));
-         SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(munmap),
+        for (const auto sysc : {
-         SCMP_SYS(write), SCMP_SYS(read), SCMP_SYS(close),
+             SCMP_SYS(mmap), SCMP_SYS(mmap2), SCMP_SYS(munmap),
-         SCMP_SYS(exit), SCMP_SYS(exit_group)
+             SCMP_SYS(write), SCMP_SYS(read), SCMP_SYS(close),
-                            }) {
+             SCMP_SYS(exit), SCMP_SYS(exit_group)
-        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, sysc, 0);
+                                }) {
+            seccomp_rule_add(ctx, SCMP_ACT_ALLOW, sysc, 0);
+        }
+        seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);
+        if (seccomp_load(ctx) < 0) {
+            throw std::runtime_error("Error setting up seccomp");
+        }
     }
-    seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);
+    if (limits.close_stdio) {
-    if (seccomp_load(ctx) < 0) {
+        // Close stdio
-        throw std::runtime_error("Error setting up seccomp");
+        close(STDIN_FILENO);
+        close(STDOUT_FILENO);
+        close(STDERR_FILENO);
     }
 }
 
@@ -40,10 +70,7 @@ int main(int argc, char **argv) {
     // Launch
     Dlhandle dl(argv[5], RTLD_NOW | RTLD_LOCAL);
     auto entry = dl.get<void*(QBiIPC&)>("entry");
-    enable_limits();
+    enable_limits(Limits());
-    close(STDIN_FILENO);
-    close(STDOUT_FILENO);
-    close(STDERR_FILENO);
     entry(ipc);
     exit(EXIT_SUCCESS);
 }