authorsilby <silby@FreeBSD.org>2002-02-19 03:15:28 +0000
committersilby <silby@FreeBSD.org>2002-02-19 03:15:28 +0000
commite561ca6dce9bfce4a370c4046c20f4332d55fe5c (patch)
tree44883e81ed61ee6f1cc358fe804a3d3fe41470db
parent53507926a42033a398cb6f8e44dd99d68aafab0f (diff)
downloadFreeBSD-src-e561ca6dce9bfce4a370c4046c20f4332d55fe5c.zip
FreeBSD-src-e561ca6dce9bfce4a370c4046c20f4332d55fe5c.tar.gz
A few misc forkbomb defenses:
- Leave 10 processes for root-only use; the previous value of 1 was insufficient to run ps ax | more.
- Remove the printing of "proc: table full". When the table really is full, this would flood the screen/logs, making the problem tougher to deal with.
- Force any process trying to fork beyond its user's maximum number of processes to sleep for .5 seconds before returning failure. This turns 2000 rampaging fork monsters into 2000 harmlessly snoozing fork monsters.

Reviewed by: dillon, peter
MFC after: 1 week
-rw-r--r--sys/kern/kern_fork.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index c7cbf28..d791302 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -93,6 +93,8 @@ struct fork_args {
};
#endif
+int forksleep; /* Place for fork1() to sleep on. */
+
static void
init_fork_list(void *data __unused)
{
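Review bot: `forksleep` is declared with external linkage, but the hunks in this diff use it only as a wait-channel address inside kern_fork.c. If no other file refers to it (not visible from here), `static int forksleep;` would keep it out of the kernel's global namespace. The comment could also record how the channel behaves, since nothing in this diff issues a wakeup on it: `/* Wait channel for fork1() throttling; never woken, sleepers leave by timeout. */`.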
@@ -297,8 +299,8 @@ fork1(td, flags, procp)
* processes, maxproc is the limit.
*/
uid = p1->p_ucred->cr_ruid;
- if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) {
- tablefull("proc");
+ if ((nprocs >= maxproc - 10 && uid != 0) || nprocs >= maxproc) {
+ tsleep(&forksleep, PUSER, "fork", hz / 2);
return (EAGAIN);
}
/*
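Review bot: Removing `tablefull("proc")` from the table-full branch leaves no operator-visible record that the global process limit was reached, and that record is what someone responding to a fork bomb would look for first. The log-flooding concern in the commit message is valid, but a rate-limited message (for example at most one per second, naming the `uid` already read from `p1->p_ucred->cr_ruid`) would keep the detection signal without the storm. The root reserve is now a bare `10`; a named constant such as `#define NPROCS_ROOT_RESERVE 10` (name constructed here) would make the policy easier to audit, and the comment above this check should be updated if it still describes a single reserved slot. The top of that comment and the rest of fork1() are outside the hunk.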
@@ -318,6 +320,7 @@ fork1(td, flags, procp)
* Back out the process count
*/
nprocs--;
+ tsleep(&forksleep, PUSER, "fork", hz / 2);
return (EAGAIN);
}
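Review bot: The throttle `tsleep(&forksleep, PUSER, "fork", hz / 2);` is now written out twice, here and in the table-full branch of the previous hunk, with no comment on why it is uninterruptible or on what the timeout assumes. Because the priority argument carries no `PCATCH`, a throttled process will not act on a pending signal until the half second expires; that is presumably intended for rate limiting but is worth stating in a comment at both sites. `hz / 2` is integer division, so with `hz` of 1 the timeout would be 0, which tsleep treats as "no timeout" and nothing would ever wake the sleeper. That is unlikely on real configurations, but a floor such as `hz > 1 ? hz / 2 : 1` or a `/* assumes hz >= 2 */` comment would close it. The enclosing block in fork1() starts outside the hunk.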