A few misc forkbomb defenses:
- Leave 10 processes for root-only use; the previous value of 1 was insufficient to run ps ax | more.
- Remove the printing of "proc: table full". When the table really is full, this would flood the screen/logs, making the problem tougher to deal with.
- Force any process trying to fork beyond its user's maximum number of processes to sleep for .5 seconds before returning failure. This turns 2000 rampaging fork monsters into 2000 harmlessly snoozing fork monsters.

Reviewed by: dillon, peter
MFC after: 1 week
parent
53507926a4
commit
e561ca6dce
@ -93,6 +93,8 @@ struct fork_args {
|
||||
};
|
||||
#endif
|
||||
|
||||
int forksleep; /* Place for fork1() to sleep on. */
|
||||
|
||||
static void
|
||||
init_fork_list(void *data __unused)
|
||||
{
|
||||
@ -297,8 +299,8 @@ fork1(td, flags, procp)
|
||||
* processes, maxproc is the limit.
|
||||
*/
|
||||
uid = p1->p_ucred->cr_ruid;
|
||||
if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) {
|
||||
tablefull("proc");
|
||||
if ((nprocs >= maxproc - 10 && uid != 0) || nprocs >= maxproc) {
|
||||
tsleep(&forksleep, PUSER, "fork", hz / 2);
|
||||
return (EAGAIN);
|
||||
}
|
||||
/*
|
||||
@ -318,6 +320,7 @@ fork1(td, flags, procp)
|
||||
* Back out the process count
|
||||
*/
|
||||
nprocs--;
|
||||
tsleep(&forksleep, PUSER, "fork", hz / 2);
|
||||
return (EAGAIN);
|
||||
}
|
||||
|
||||
|
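Review bot: Both new `tsleep(&forksleep, PUSER, "fork", hz / 2);` calls (second and third hunks) sleep for half a second on the failure path, and neither hunk shows what lock state fork1() is in at that point; if the lines before `uid = p1->p_ucred->cr_ruid;` (outside the hunk) hold allproc_lock or any other lock across this check, the sleep would pin that lock for hz/2 and stall every other fork and exit on the system, so confirm it is dropped before sleeping. fork1's body starts and ends outside the hunks. Nothing in the patch ever calls wakeup() on forksleep, so the channel exists only to give the sleep a unique address and every sleeper runs the full timeout; a comment on the first call, `/* Rate-limit fork storms: nobody wakes forksleep, so this always sleeps the full hz/2. */`, would save the next reader from looking for the missing wakeup. In the first hunk `int forksleep;` is file-scope but only used as a sleep address here; `static int forksleep;` keeps the symbol out of the kernel namespace unless another file genuinely references it. The `- 10` reserve in the new condition is the "leave 10 for root" policy from the commit message and is worth naming in the comment block just above it, which the hunk cuts off.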