Apply the rlimits after sending over the unotify FD

happyCoder92 · copybara-github · commit 29e9c4114cb9 · 2026-04-09T09:38:45.000-07:00
Unfortunately Linux kernel accounts all FDs inflight in unix socket to the user (uid). When starting multiple sandboxees concurrently with a low RLIMIT_NOFILE we can go over that limit on send (checks against sum of open fds for the process and inflight fds for the user). We should therefore avoid any SendFDs on setup path after the limits are applied.

PiperOrigin-RevId: 897157290
Change-Id: I71ab1568e7f363d741716a99782a5db720052355
diff --git a/sandboxed_api/sandbox2/client.cc b/sandboxed_api/sandbox2/client.cc
@@ -94,6 +94,16 @@ void InitSeccompUnotify(sock_fprog prog, Comms* comms,
       error.store(true, std::memory_order_seq_cst);
       SAPI_RAW_LOG(FATAL, "closing unotify fd");
     }
+    // Wait for the monitor to apply limits.
+    uint32_t msg;
+    if (!comms->RecvUint32(&msg)) {
+      error.store(true, std::memory_order_seq_cst);
+      SAPI_RAW_LOG(FATAL, "receiving limits applied message");
+    }
+    if (msg != Client::kSandbox2UnotifyLimitsApplied) {
+      error.store(true, std::memory_order_seq_cst);
+      SAPI_RAW_LOG(FATAL, "invalid limits applied message");
+    }
     sock_filter filter = ALLOW;
     struct sock_fprog allow_prog = {
         .len = 1,
diff --git a/sandboxed_api/sandbox2/client.h b/sandboxed_api/sandbox2/client.h
@@ -45,6 +45,10 @@ class Client {
   // UnotifyMonitor.
   static constexpr uint32_t kSandbox2ClientUnotify = 0x0A0B0C03;
 
+  // Sandboxee can proceed after seccomp_unotify setup as limits have been
+  // applied by the monitor.
+  static constexpr uint32_t kSandbox2UnotifyLimitsApplied = 0x0A0B0C04;
+
   // Allow speculation in the seccomp policy.
   static constexpr uint32_t kAllowSpeculationBit = 0x10000000;
 
diff --git a/sandboxed_api/sandbox2/monitor_base.cc b/sandboxed_api/sandbox2/monitor_base.cc
@@ -236,10 +236,6 @@ void MonitorBase::Launch() {
     SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_WAIT);
     return;
   }
-  if (!InitApplyLimits()) {
-    SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_LIMITS);
-    return;
-  }
   std::move(process_cleanup).Cancel();
 
   RunInternal();
diff --git a/sandboxed_api/sandbox2/monitor_base.h b/sandboxed_api/sandbox2/monitor_base.h
@@ -81,6 +81,9 @@ class MonitorBase {
   virtual void SetWallTimeLimit(absl::Duration limit) = 0;
 
  protected:
+  // Applies limits on the sandboxee.
+  bool InitApplyLimits();
+
   // Sends the policy to the client.
   // Can be overridden by subclasses to save/modify policy before sending.
   // Returns success/failure status.
@@ -153,9 +156,6 @@ class MonitorBase {
   // Sends information about the current working directory.
   bool InitSendCwd();
 
-  // Applies limits on the sandboxee.
-  bool InitApplyLimits();
-
   // Applies individual limit on the sandboxee.
   bool InitApplyLimit(pid_t pid, int resource, const rlimit64& rlim) const;
 
diff --git a/sandboxed_api/sandbox2/monitor_ptrace.cc b/sandboxed_api/sandbox2/monitor_ptrace.cc
@@ -315,8 +315,18 @@ void PtraceMonitor::Run() {
     getrusage(RUSAGE_THREAD, result_.GetRUsageMonitor());
     OnDone();
   };
-
   absl::Cleanup setup_notify = [this] { setup_notification_.Notify(); };
+  absl::Cleanup process_cleanup = [this] {
+    if (process_.init_pid > 0) {
+      kill(process_.init_pid, SIGKILL);
+    } else if (process_.main_pid > 0) {
+      kill(process_.main_pid, SIGKILL);
+    }
+  };
+  if (!InitApplyLimits()) {
+    SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_LIMITS);
+    return;
+  }
   // It'd be costly to initialize the sigset_t for each sigtimedwait()
   // invocation, so do it once per Monitor.
   if (!use_deadline_manager_ && !InitSetupSignals()) {
@@ -334,6 +344,7 @@ void PtraceMonitor::Run() {
   // Tell the parent thread (Sandbox2 object) that we're done with the initial
   // set-up process of the sandboxee.
   std::move(setup_notify).Invoke();
+  std::move(process_cleanup).Cancel();
 
   bool sandboxee_exited = false;
   pid_waiter_.SetPriorityPid(process_.main_pid);
diff --git a/sandboxed_api/sandbox2/monitor_unotify.cc b/sandboxed_api/sandbox2/monitor_unotify.cc
@@ -1,5 +1,6 @@
 #include "sandboxed_api/sandbox2/monitor_unotify.h"
 
+#include <fcntl.h>
 #include <linux/seccomp.h>
 #include <poll.h>
 #include <sys/eventfd.h>
@@ -259,12 +260,20 @@ void UnotifyMonitor::Run() {
     getrusage(RUSAGE_THREAD, result_.GetRUsageMonitor());
     OnDone();
   };
-
   absl::Cleanup setup_notify = [this] { setup_notification_.Notify(); };
+  absl::Cleanup process_cleanup = [this] { KillInit(); };
   if (!InitSetupUnotify()) {
     SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_NOTIFY);
     return;
   }
+  if (!InitApplyLimits()) {
+    SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_LIMITS);
+    return;
+  }
+  if (!comms_->SendUint32(Client::kSandbox2UnotifyLimitsApplied)) {
+    SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_NOTIFY);
+    return;
+  }
   if (!InitSetupNotifyEventFd()) {
     SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_NOTIFY);
     return;
@@ -340,7 +349,6 @@ void UnotifyMonitor::Run() {
       HandleUnotify();
     }
   }
-  KillInit();
 }
 
 void UnotifyMonitor::SetExitStatusFromStatusPipe() {
