Tor
0.4.7.0-alpha-dev
|
Drop privileges from the current process. More...
#include "orconfig.h"
#include "lib/process/restrict.h"
#include "lib/intmath/cmp.h"
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/net/socket.h"
#include <errno.h>
#include <stdlib.h>
#include <string.h>
Go to the source code of this file.
Macros | |
#define | ULIMIT_BUFFER 32 /* keep 32 extra fd's beyond ConnLimit_ */ |
Functions | |
int | tor_disable_debugger_attach (void) |
int | tor_mlockall (void) |
int | set_max_file_descriptors (rlim_t limit, int *max_out) |
Drop privileges from the current process.
Definition in file restrict.c.
#define ULIMIT_BUFFER 32 /* keep 32 extra fd's beyond ConnLimit_ */ |
Number of extra file descriptors to keep in reserve beyond those that we tell Tor it's allowed to use.
Definition at line 163 of file restrict.c.
int set_max_file_descriptors | ( | rlim_t | limit, |
int * | max_out | ||
) |
Learn the maximum allowed number of file descriptors, and tell the system we want to use up to that number. (Some systems have a low soft limit, and let us set it higher.) We compute this by finding the largest number that we can use.
If the limit is below the reserved file descriptor value (ULIMIT_BUFFER), return -1 and max_out is untouched.
If we can't find a number greater than or equal to limit, then we fail by returning -1 and max_out is untouched.
If we are unable to set the limit value because of setrlimit() failing, return 0 and max_out is set to the current maximum value returned by getrlimit().
Otherwise, return 0 and store the maximum we found inside max_out and set max_sockets with that value as well.
Definition at line 183 of file restrict.c.
Referenced by options_rollback_listener_transaction().
int tor_disable_debugger_attach | ( | void | ) |
Attempt to disable debugger attachment: return 1 on success, -1 on failure, and 0 if we don't know how to try on this platform.
Definition at line 43 of file restrict.c.
Referenced by options_act().
int tor_mlockall | ( | void | ) |
Attempt to lock all current and all future memory pages. This should only be called once and while we're privileged. Like mlockall() we return 0 when we're successful and -1 when we're not. Unlike mlockall() we return 1 if we've already attempted to lock memory.
Definition at line 117 of file restrict.c.