orchestrator-runner 0.2.5

Command runner, sandbox, output capture, and network allowlist
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

#[cfg(unix)]
use super::profile::ResolvedExecutionProfile;
#[cfg(unix)]
use super::profile::UnixResourceLimits;
#[cfg(unix)]
use anyhow::{Result, anyhow};
#[cfg(unix)]
use std::io;

#[cfg(unix)]
pub(crate) fn apply_unix_resource_limits_to_command(
    cmd: &mut tokio::process::Command,
    execution_profile: &ResolvedExecutionProfile,
) -> Result<()> {
    let Some(limits) = UnixResourceLimits::from_execution_profile(execution_profile) else {
        return Ok(());
    };
    // SAFETY: `pre_exec` runs in the forked child between fork() and exec().
    // The closure only calls `setrlimit`, which is async-signal-safe per POSIX.
    // No heap allocations, mutex acquisitions, or non-signal-safe operations
    // occur inside the closure.
    unsafe {
        cmd.pre_exec(move || apply_unix_resource_limits(&limits).map_err(io::Error::other));
    }
    Ok(())
}

#[cfg(unix)]
fn apply_unix_resource_limits(limits: &UnixResourceLimits) -> Result<()> {
    if let Some(value) = limits.max_memory_bytes {
        set_rlimit(rlimit_resource(libc::RLIMIT_AS as u64)?, value)?;
    }
    if let Some(value) = limits.max_cpu_seconds {
        set_rlimit(rlimit_resource(libc::RLIMIT_CPU as u64)?, value)?;
    }
    if let Some(value) = limits.max_processes {
        set_rlimit(rlimit_resource(libc::RLIMIT_NPROC as u64)?, value)?;
    }
    if let Some(value) = limits.max_open_files {
        set_rlimit(rlimit_resource(libc::RLIMIT_NOFILE as u64)?, value)?;
    }
    Ok(())
}

#[cfg(unix)]
#[cfg(all(target_os = "linux", target_env = "gnu"))]
type RlimitResource = libc::__rlimit_resource_t;

#[cfg(unix)]
#[cfg(not(all(target_os = "linux", target_env = "gnu")))]
type RlimitResource = libc::c_int;

#[cfg(unix)]
fn rlimit_resource(resource: u64) -> Result<RlimitResource> {
    // libc exposes RLIMIT_* with target-specific integer types. Convert via a
    // wide intermediate so Linux GNU x86/u32 and Darwin/i32 both type-check.
    RlimitResource::try_from(resource)
        .map_err(|_| anyhow!("unsupported rlimit resource selector: {resource}"))
}

#[cfg(unix)]
fn set_rlimit(resource: RlimitResource, value: u64) -> Result<()> {
    let limit = libc::rlimit {
        rlim_cur: value as libc::rlim_t,
        rlim_max: value as libc::rlim_t,
    };
    // SAFETY: `setrlimit` is called in the child process before exec with a
    // valid resource selector and initialized `rlimit` struct.
    let rc = unsafe { libc::setrlimit(resource, &limit) };
    if rc == 0 {
        Ok(())
    } else {
        Err(anyhow!(
            "setrlimit({resource}) failed: {}",
            io::Error::last_os_error()
        ))
    }
}