Macros | Functions
restrict.c File Reference

Drop privileges from the current process. More...

#include "orconfig.h"
#include "lib/process/restrict.h"
#include "lib/intmath/cmp.h"
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/net/socket.h"
#include <errno.h>
#include <stdlib.h>
#include <string.h>

Go to the source code of this file.


#define ULIMIT_BUFFER   32 /* keep 32 extra fd's beyond ConnLimit_ */


int tor_disable_debugger_attach (void)
int tor_mlockall (void)
int set_max_file_descriptors (rlim_t limit, int *max_out)

Detailed Description

Drop privileges from the current process.

Definition in file restrict.c.

Macro Definition Documentation


#define ULIMIT_BUFFER   32 /* keep 32 extra fd's beyond ConnLimit_ */

Number of extra file descriptors to keep in reserve beyond those that we tell Tor it's allowed to use.

Definition at line 163 of file restrict.c.

Function Documentation

◆ set_max_file_descriptors()

int set_max_file_descriptors ( rlim_t  limit,
int *  max_out 

Learn the maximum allowed number of file descriptors, and tell the system we want to use up to that number. (Some systems have a low soft limit, and let us set it higher.) We compute this by finding the largest number that we can use.

If the limit is below the reserved file descriptor value (ULIMIT_BUFFER), return -1 and max_out is untouched.

If we can't find a number greater than or equal to limit, then we fail by returning -1 and max_out is untouched.

If we are unable to set the limit value because of setrlimit() failing, return 0 and max_out is set to the current maximum value returned by getrlimit().

Otherwise, return 0 and store the maximum we found inside max_out and set max_sockets with that value as well.

Definition at line 183 of file restrict.c.

Referenced by options_rollback_listener_transaction().

◆ tor_disable_debugger_attach()

int tor_disable_debugger_attach ( void  )

Attempt to disable debugger attachment: return 1 on success, -1 on failure, and 0 if we don't know how to try on this platform.

Definition at line 43 of file restrict.c.

Referenced by options_act().

◆ tor_mlockall()

int tor_mlockall ( void  )

Attempt to lock all current and all future memory pages. This should only be called once and while we're privileged. Like mlockall() we return 0 when we're successful and -1 when we're not. Unlike mlockall() we return 1 if we've already attempted to lock memory.

Definition at line 117 of file restrict.c.