Forkbombs, memory limits and read-only filesystem #238

Open
AlexDaniel opened this issue Sep 29, 2017 · 1 comment
Labels:
* testneeded: Issue is generally resolved but tests were not written yet
* whateverable: Issues affecting the bot framework (and therefore all of the bots)

Comments

@AlexDaniel
Member

This was an issue previously, but not anymore. We should write some tests for it, but tests are not systemd-ed.

AlexDaniel added the whateverable and testneeded labels Sep 29, 2017
AlexDaniel added a commit that referenced this issue Sep 29, 2017
This commit resolves many long-standing problems:

* Issue #25 (RESTRICTED setting) is resolved. Bots are still not fully
  secure, but now they are more secure than they've ever been given
  that RESTRICTED setting is entirely useless
* Issue #52 (predictable filenames) is no longer blocked
* Issue #55 (sandboxable) is probably no longer relevant
* Issue #118 (ramfs for /tmp) now needs an update
* Issue #144 (bots leaving stuff behind) is resolved because every bot
  has its own /tmp
* Issue #183 (source ip issue) possibly has a systemd solution for it
* Issue #197 is tackled a little bit also because now there's a memory
  limit for every bot (3G for now, we can probably make it smaller)
* Issue #238 (e.g. forkbombs) is basically resolved, but needs a bit more work
* Moreover, there's now a watchdog that makes sure that bots come back
  online if something bad happens

Not that all of this wasn't possible without systemd, it's just that
it is so much easier now. Feel free to hate me as much as you want.
@AlexDaniel
Member Author

FWIW, everything is really not very secure right now, more work is required. But we're getting there.
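
As an added example (not code from this repository or its author): a small Python check that a unit file explicitly sets a systemd directive for each concern in this issue's title and the commit message above. The thread does not say which directives the bots use, so the choice of `TasksMax`, `MemoryMax`, `ProtectSystem`, `PrivateTmp` and `WatchdogSec`, both sample units, and every value except the 3G memory limit are assumptions.

```python
# Added example: audit a systemd unit for the limits named in this issue.
# Both units are constructed; only the 3G memory limit comes from the thread.
HARDENED_UNIT = """\
[Unit]
Description=hypothetical bot service

[Service]
ExecStart=/usr/bin/env true
MemoryMax=3G
TasksMax=64
PrivateTmp=yes
ProtectSystem=strict
WatchdogSec=30
"""
WEAK_UNIT = """\
[Service]
ExecStart=/usr/bin/env true
TasksMax=infinity
PrivateTmp=no
"""

# directive -> (concern it addresses, predicate accepting a protective value)
# A missing directive is passed as "" and fails: manager defaults are ignored.
CHECKS = {
    "TasksMax": ("forkbombs", lambda v: v.isdigit() or v.endswith("%")),
    "MemoryMax": ("memory limit", lambda v: v not in ("", "infinity")),
    "ProtectSystem": ("read-only filesystem", lambda v: v == "strict"),
    "PrivateTmp": ("per-bot /tmp", lambda v: v in ("1", "yes", "true", "on")),
    "WatchdogSec": ("watchdog", lambda v: any(c in "123456789" for c in v)),
}

def parse_service(unit_text):
    """Return the [Service] directives as a dict; the last assignment wins."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text):
    """Return {directive: concern} for every check the unit fails."""
    settings = parse_service(unit_text)
    return {key: concern for key, (concern, ok) in CHECKS.items()
            if not ok(settings.get(key, ""))}
```

A check like this only confirms the directives are present in the file; whether the limits hold at runtime still has to be tested against the running service.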
