18 #ifdef HAVE_SYS_MMAN_H
47 "Attempting to disable debugger attachment to Tor for "
48 "unprivileged users.");
/* Platform-specific attempt to stop unprivileged users from attaching a
 * debugger to this process. This listing is an excerpt: source lines whose
 * gutter numbers are skipped (for example 56-59, 61, 64-65) are not shown,
 * so the conditions around the log calls below cannot be read from here. */
49 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) \
50 && defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
51 #define TRIED_TO_DISABLE
/* Linux: clear the process "dumpable" flag. Per prctl(2)/ptrace(2) a
 * non-dumpable process writes no core dump and cannot be ptrace-attached by
 * a caller lacking CAP_SYS_PTRACE. A privileged tracer is still allowed,
 * which matches the "for unprivileged users" wording in the log messages. */
52 r = prctl(PR_SET_DUMPABLE, 0);
53 #elif defined(__APPLE__) && defined(PT_DENY_ATTACH)
/* NOTE(review): this branch defines TRIED_TO_ATTACH, but the reporting block
 * below is guarded by TRIED_TO_DISABLE and only TRIED_TO_DISABLE is
 * #undef'd. As far as the visible lines show, the macOS result is therefore
 * neither logged nor handled by that block - confirm against the full file. */
54 #define TRIED_TO_ATTACH
/* macOS: ask the kernel to refuse later ptrace attachment to this process. */
55 r = ptrace(PT_DENY_ATTACH, 0, 0, 0);
/* Result reporting, compiled only when the Linux branch above was taken. */
60 #ifdef TRIED_TO_DISABLE
62 log_debug(
LD_CONFIG,
"Debugger attachment disabled for "
63 "unprivileged users.");
/* Warning for the failed attempt; the condition that separates it from the
 * debug message above and the "%s" argument are on lines not shown here. */
66 log_warn(
LD_CONFIG,
"Unable to disable debugger attaching: %s",
/* Helper macro is dropped again so it does not leak into the rest of the file. */
70 #undef TRIED_TO_DISABLE
/* HAVE_UNIX_MLOCKALL is defined only when mlockall() is available and
 * declared and RLIMIT_MEMLOCK exists; the memory-locking code below is
 * compiled under that single switch. */
74 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
75 #define HAVE_UNIX_MLOCKALL
78 #ifdef HAVE_UNIX_MLOCKALL
/* Raises the locked-memory resource limit of this process. Only fragments of
 * the function are visible in this listing (return type, local declarations
 * and return statements are on lines not shown). */
84 tor_set_max_memlock(
void)
/* Both the soft and the hard limit are set to "unlimited". Per setrlimit(2),
 * raising a hard limit needs privilege (CAP_SYS_RESOURCE on Linux), which is
 * what the "Are you root?" message below refers to. */
94 limit.rlim_cur = RLIM_INFINITY;
95 limit.rlim_max = RLIM_INFINITY;
97 if (setrlimit(RLIMIT_MEMLOCK, &limit) == -1) {
/* Two different warnings exist for a failed setrlimit(); the test that
 * chooses between them is not visible here (presumably errno == EPERM for
 * the first one - confirm against the full file). */
99 log_warn(
LD_GENERAL,
"You appear to lack permissions to change memory "
100 "limits. Are you root?");
102 log_warn(
LD_GENERAL,
"Unable to raise RLIMIT_MEMLOCK: %s",
/* One-shot guard: the flag is set on the first call and tested on later
 * ones, so the locking attempt below is made at most once per process.
 * It is a plain static int; no synchronization is visible in this excerpt. */
119 static int memory_lock_attempted = 0;
121 if (memory_lock_attempted) {
125 memory_lock_attempted = 1;
134 #ifdef HAVE_UNIX_MLOCKALL
/* The locked-memory limit is raised first, then everything is locked. */
135 if (tor_set_max_memlock() == 0) {
136 log_debug(
LD_GENERAL,
"RLIMIT_MEMLOCK is now set to RLIM_INFINITY.");
/* MCL_CURRENT locks the pages mapped now and MCL_FUTURE those mapped later,
 * so process memory (including any secrets held in it) is not written to
 * swap. With the limit set to RLIM_INFINITY every later allocation stays
 * resident, so memory growth turns directly into pinned RAM. This covers
 * paging only; core dumps are governed separately (see the PR_SET_DUMPABLE
 * call earlier in this file). */
139 if (mlockall(MCL_CURRENT|MCL_FUTURE) == 0) {
140 log_info(
LD_GENERAL,
"Insecure OS paging is effectively disabled.");
/* Failure of mlockall(): errno selects one of three notices - ENOSYS (call
 * not available), EPERM (insufficient permission), anything else is
 * reported with its strerror() text. */
143 if (errno == ENOSYS) {
145 log_notice(
LD_GENERAL,
"It appears that mlockall() is not available on "
147 }
else if (errno == EPERM) {
148 log_notice(
LD_GENERAL,
"It appears that you lack the permissions to "
149 "lock memory. Are you root?");
151 log_notice(
LD_GENERAL,
"Unable to lock all current and future memory "
152 "pages: %s", strerror(errno));
/* NOTE(review): presumably the branch compiled when HAVE_UNIX_MLOCKALL is
 * not defined - the #else line itself is not visible in this listing. */
156 log_warn(
LD_GENERAL,
"Unable to lock memory pages. mlockall() unsupported?");
/* NOTE(review): ULIMIT_BUFFER is not referenced on any line visible in this
 * listing; presumably a reserve of descriptors kept back from the limit -
 * confirm against the full file. */
163 #define ULIMIT_BUFFER 32
/* Platforms without getrlimit(): the descriptor ceiling is a compile-time
 * constant chosen per platform (3200 on Cygwin, 15000 on Windows and on any
 * other platform that lacks getrlimit()). */
196 #ifndef HAVE_GETRLIMIT
197 #if defined(CYGWIN) || defined(__CYGWIN__)
198 const char *platform =
"Cygwin";
199 const unsigned long MAX_CONNECTIONS = 3200;
200 #elif defined(_WIN32)
201 const char *platform =
"Windows";
202 const unsigned long MAX_CONNECTIONS = 15000;
204 const char *platform =
"unknown platforms with no getrlimit()";
205 const unsigned long MAX_CONNECTIONS = 15000;
208 "This platform is missing getrlimit(). Proceeding.");
/* A request above the platform ceiling is reported and then clamped to it. */
209 if (limit > MAX_CONNECTIONS) {
211 "We do not support more than %lu file descriptors "
212 "on %s. Tried to raise to %lu.",
213 (
unsigned long)MAX_CONNECTIONS, platform, (
unsigned long)limit);
216 limit = MAX_CONNECTIONS;
/* Platforms with getrlimit(): read the current soft/hard RLIMIT_NOFILE. */
220 if (getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
221 log_warn(
LD_NET,
"Could not get maximum number of file descriptors: %s",
/* The hard limit is below what the caller asked for. The soft limit can
 * never exceed the hard limit, so the request cannot be met; what is
 * returned on this path is on lines not shown. */
225 if (rlim.rlim_max < limit) {
226 log_warn(
LD_CONFIG,
"We need %lu file descriptors available, and we're "
227 "limited to %lu. Please change your ulimit -n.",
228 (
unsigned long)limit, (
unsigned long)rlim.rlim_max);
/* Otherwise the soft limit is raised all the way to the hard limit. */
232 if (rlim.rlim_max > rlim.rlim_cur) {
233 log_info(
LD_NET,
"Raising max file descriptors from %lu to %lu.",
234 (
unsigned long)rlim.rlim_cur, (
unsigned long)rlim.rlim_max);
240 rlim.rlim_cur = rlim.rlim_max;
242 if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
/* errno is saved straight away so that the final warning, which prints
 * strerror(setrlimit_errno), reports this failure even though a second
 * setrlimit() call is made in between. */
244 const int setrlimit_errno = errno;
/* NOTE(review): this test reads errno rather than the saved copy. The two
 * agree only if nothing on the lines not shown (245-246) changes errno;
 * comparing setrlimit_errno would remove that dependency. try_limit is
 * defined on a line not shown; the log text below ties it to OPEN_MAX. */
247 if (errno == EINVAL && try_limit < (uint64_t) rlim.rlim_cur) {
/* Retry with the soft limit lowered to at most try_limit. */
250 rlim.rlim_cur = MIN((rlim_t) try_limit, rlim.rlim_cur);
251 if (setrlimit(RLIMIT_NOFILE, &rlim) == 0) {
/* The retry succeeded: warn when the accepted value is below the requested
 * limit; the informational message further down is for the other case. */
252 if (rlim.rlim_cur < (rlim_t)limit) {
253 log_warn(
LD_CONFIG,
"We are limited to %lu file descriptors by "
254 "OPEN_MAX (%lu), and ConnLimit is %lu. Changing "
256 (
unsigned long)try_limit, (
unsigned long)OPEN_MAX,
257 (
unsigned long)limit);
259 log_info(
LD_CONFIG,
"Dropped connection limit to %lu based on "
260 "OPEN_MAX (%lu); Apparently, %lu was too high and rlimit "
262 (
unsigned long)try_limit, (
unsigned long)OPEN_MAX,
263 (
unsigned long)rlim.rlim_max);
/* Reported with the errno saved right after the first setrlimit() failure. */
270 log_warn(
LD_CONFIG,
"Couldn't set maximum number of file descriptors: %s",
271 strerror(setrlimit_errno));
/* From here on, limit is the soft limit stored in rlim.
 * NOTE(review): the log calls above cast rlim_t values to unsigned long for
 * %lu; where rlim_t is wider than unsigned long the printed number can
 * differ from the real limit. This affects the log text only. */
275 limit = rlim.rlim_cur;
Macro definitions for MIN, MAX, and CLAMP.
#define log_fn(severity, domain, args,...)
int set_max_file_descriptors(rlim_t limit, int *max_out)
int tor_disable_debugger_attach(void)
void set_max_sockets(int n)
Macros to manage assertions, fatal and non-fatal.