packages/edge/infra/client/manager/src/actor
@@ -65,6 +65,26 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
6565 "type" : "RLIMIT_NOFILE" ,
6666 "hard" : 1024 ,
6767 "soft" : 1024
68+ } ,
69+ {
70+ "type" : "RLIMIT_CPU" ,
71+ "hard" : 300 ,
72+ "soft" : 300
73+ } ,
74+ {
75+ "type" : "RLIMIT_NPROC" ,
76+ "hard" : 256 ,
77+ "soft" : 256
78+ } ,
79+ {
80+ "type" : "RLIMIT_MEMLOCK" ,
81+ "hard" : 65536 ,
82+ "soft" : 65536
83+ } ,
84+ {
85+ "type" : "RLIMIT_FSIZE" ,
86+ "hard" : 1073741824 ,
87+ "soft" : 1073741824
6888 }
6989 ] ,
7090 "noNewPrivileges" : true
@@ -103,17 +123,40 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
103123 "limit" : opts. memory_max,
104124 } ,
105125
106- // TODO: network
107- // TODO: pids
108- // TODO: hugepageLimits
109- // TODO: blockIO
126+ "pids" : {
127+ "limit" : 256
128+ } ,
129+ "blockIO" : {
130+ "weight" : 500 ,
131+ "weightDevice" : [ ] ,
132+ "throttleReadBpsDevice" : [
133+ {
134+ "major" : 259 ,
135+ "minor" : 0 ,
136+ "rate" : 10485760
137+ }
138+ ] ,
139+ "throttleWriteBpsDevice" : [
140+ {
141+ "major" : 259 ,
142+ "minor" : 0 ,
143+ "rate" : 10485760
144+ }
145+ ]
146+ } ,
147+ "network" : {
148+ "classID" : 1048577 ,
149+ "priorities" : [ ]
150+ }
110151 } ,
111152 "namespaces" : [
112153 { "type" : "pid" } ,
113154 { "type" : "ipc" } ,
114155 { "type" : "uts" } ,
115156 { "type" : "mount" } ,
116157 { "type" : "network" , "path" : opts. netns_path. to_str( ) . context( "netns_path" ) ? } ,
158+ { "type" : "user" } ,
159+ { "type" : "cgroup" }
117160 ] ,
118161 "maskedPaths" : [
119162 "/proc/acpi" ,
@@ -142,20 +185,10 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
142185// Default Docker capabilities: https://github.com/moby/moby/blob/777e9f271095685543f30df0ff7a12397676f938/oci/caps/defaults.go#L4
143186fn capabilities ( ) -> Vec < & ' static str > {
144187 vec ! [
145- "CAP_CHOWN" ,
146- "CAP_DAC_OVERRIDE" ,
147- "CAP_FSETID" ,
148- "CAP_FOWNER" ,
149- "CAP_MKNOD" ,
150- "CAP_NET_RAW" ,
151188 "CAP_SETGID" ,
152189 "CAP_SETUID" ,
153- "CAP_SETFCAP" ,
154- "CAP_SETPCAP" ,
155190 "CAP_NET_BIND_SERVICE" ,
156- "CAP_SYS_CHROOT" ,
157191 "CAP_KILL" ,
158- "CAP_AUDIT_WRITE" ,
159192 ]
160193}
161194
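Review bot: The `{ "type": "user" }` entry added to `namespaces` comes with no `uidMappings`/`gidMappings` in the visible lines; unless config() sets them outside this hunk, an OCI runtime will likely reject the spec or start the workload with no mapped IDs, leaving the retained `CAP_SETUID`/`CAP_SETGID` nothing to switch to. In the same hunk both `throttleReadBpsDevice` and `throttleWriteBpsDevice` hard-code `"major": 259, "minor": 0`, so on a host whose backing device has another number the I/O throttle presumably never covers the container's storage; passing the device number through `ConfigOpts`, as `opts.memory_max` already is, would make the limit hold. The comment above `capabilities()` still reads "Default Docker capabilities" although the list is now a subset, and I would change it to `// Reduced capability set: a subset of Docker's defaults, extend only with a documented need`. config() starts and ends outside these hunks.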
@@ -81,25 +81,13 @@ pub fn config() -> serde_json::Value {
8181 }
8282 ]
8383 } ,
84- {
85- "names" : [
86- "ptrace"
87- ] ,
88- "action" : "SCMP_ACT_ALLOW"
89- } ,
9084 {
9185 "names" : [
9286 "arch_prctl" ,
9387 "modify_ldt"
9488 ] ,
9589 "action" : "SCMP_ACT_ALLOW"
9690 } ,
97- {
98- "names" : [
99- "chroot"
100- ] ,
101- "action" : "SCMP_ACT_ALLOW"
102- } ,
10391 {
10492 "names" : [
10593 "clone"
@@ -108,7 +96,7 @@ pub fn config() -> serde_json::Value {
10896 "args" : [
10997 {
11098 "index" : 0 ,
111- "value" : 2114060288 ,
99+ "value" : 4096 ,
112100 "op" : "SCMP_CMP_MASKED_EQ"
113101 }
114102 ]
@@ -129,18 +117,14 @@ fn syscall_names() -> Vec<&'static str> {
129117 "accept" ,
130118 "accept4" ,
131119 "access" ,
132- "adjtimex" ,
133120 "alarm" ,
134121 "bind" ,
135122 "brk" ,
136123 "capget" ,
137- "capset" ,
138124 "chdir" ,
139125 "chmod" ,
140126 "chown" ,
141127 "chown32" ,
142- "clock_adjtime" ,
143- "clock_adjtime64" ,
144128 "clock_getres" ,
145129 "clock_getres_time64" ,
146130 "clock_gettime" ,
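Review bot: The `clone` rule's mask changes from `2114060288` (0x7E020000, the `CLONE_NEW*` namespace flags) to `4096` (0x1000, which is `CLONE_PIDFD` on current kernels), so with `SCMP_CMP_MASKED_EQ` the filter no longer looks at the namespace bits and a `clone()` that requests a new user or mount namespace passes. That loosens the profile while the rest of the section tightens it (ptrace, chroot, capset and the clock-adjust calls are removed). No `valueTwo` is visible in the hunk, so I am assuming the comparison is against 0; if the intent was to keep namespace creation blocked, restore `"value": 2114060288,` and add a comment such as `// mask of CLONE_NEW* flags: allow clone() only when none is set`. The rule object and config() both continue outside the hunk.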