Make shadow limit configurable with bounds

include/kbox/cli.h

@@ -4,6 +4,7 @@
 #define KBOX_CLI_H
 
 #include <stdbool.h>
+#include <stdint.h>
 #include "kbox/mount.h"
 
 /* CLI argument structures and parsing. */
@@ -45,6 +46,8 @@ struct kbox_image_args {
     bool sqpoll;                   /* --sqpoll: busy-poll service thread */
     const char *const *extra_args; /* remaining args after -- */
     int extra_argc;                /* count of extra_args */
+    uint64_t shadow_limit; /* --shadow-limit BYTES: max size for shadow FDs
+                              (default: 256MB) */
 };
 
 /* Parse command-line arguments.

src/cli.c

@@ -21,6 +21,7 @@ enum {
     OPT_SYSCALL_MODE,
     OPT_TRACE_FORMAT,
     OPT_SQPOLL,
+    OPT_SHADOW_LIMIT,
     OPT_HELP,
 };
 
@@ -46,6 +47,7 @@ static const struct option longopts[] = {
     {"syscall-mode", required_argument, NULL, OPT_SYSCALL_MODE},
     {"sqpoll", no_argument, NULL, OPT_SQPOLL},
     {"trace-format", required_argument, NULL, OPT_TRACE_FORMAT},
+    {"shadow-limit", required_argument, NULL, OPT_SHADOW_LIMIT},
     {"help", no_argument, NULL, OPT_HELP},
     {NULL, 0, NULL, 0},
 };
@@ -85,6 +87,8 @@ void kbox_usage(const char *argv0)
         "      --web-bind ADDR        Bind address for web (default: "
         "127.0.0.1)\n"
         "      --trace-format FMT     Trace output format (json)\n"
+        "      --shadow-limit BYTES   Max size for shadow FDs (default: "
+        "256MB)\n"
         "  -h, --help                 Show this help\n",
         argv0);
 }
@@ -259,6 +263,17 @@ int kbox_parse_args(int argc, char *argv[], struct kbox_image_args *img)
                 return -1;
             }
             break;
+        case OPT_SHADOW_LIMIT: {
+            char *end;
+            errno = 0;
+            unsigned long long v = strtoull(optarg, &end, 10);
+            if (*end != '\0' || errno != 0) {
+                fprintf(stderr, "invalid shadow limit: %s\n", optarg);
+                return -1;
+            }
+            img->shadow_limit = (uint64_t) v;
+            break;
+        }
         case 'h':
         case OPT_HELP:
             kbox_usage(argv[0]);

src/image.c

@@ -828,6 +828,9 @@ int kbox_run_image(const struct kbox_image_args *args)
     if (!root_path)
         return -1;
 
+    if (args->shadow_limit > 0)
+        kbox_shadow_set_limit(args->shadow_limit);
+
     fs_type = args->fs_type ? args->fs_type : "ext4";
     work_dir = args->work_dir ? args->work_dir : "/";
     command = args->command ? args->command : "/bin/sh";

src/shadow-fd.c

@@ -40,6 +40,8 @@
 /* Read chunk size: 128 KB, matches KBOX_IO_CHUNK_LEN. */
 #define SHADOW_CHUNK_LEN (128 * 1024)
 
+static uint64_t current_shadow_limit = DEFAULT_SHADOW_LIMIT;
+
 int kbox_shadow_create(const struct kbox_sysnrs *s, long lkl_fd)
 {
     /* Use kbox_lkl_stat (generic-arch layout) instead of struct stat
@@ -57,7 +59,7 @@ int kbox_shadow_create(const struct kbox_sysnrs *s, long lkl_fd)
     if (!S_ISREG(kst.st_mode))
         return -ENODEV;
 
-    if (kst.st_size > KBOX_SHADOW_MAX_SIZE)
+    if ((uint64_t) kst.st_size > current_shadow_limit)
         return -EFBIG;
 
     int memfd = memfd_create("kbox-shadow", MFD_CLOEXEC | MFD_ALLOW_SEALING);
@@ -127,3 +129,12 @@ int kbox_shadow_seal(int memfd)
     return fcntl(memfd, F_ADD_SEALS,
                  F_SEAL_WRITE | F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_SEAL);
 }
+
+void kbox_shadow_set_limit(uint64_t limit)
+{
+    if (limit > MAX_SHADOW_LIMIT) {
+        current_shadow_limit = MAX_SHADOW_LIMIT;
+    } else if (limit > 0) {
+        current_shadow_limit = limit;
+    }
+}

src/shadow-fd.h

@@ -4,8 +4,10 @@
 
 struct kbox_sysnrs;
 
-#define KBOX_SHADOW_MAX_SIZE (256L * 1024 * 1024)
 
+#define DEFAULT_SHADOW_LIMIT (256ULL * 1024 * 1024)
+#define MAX_SHADOW_LIMIT (512ULL * 1024 * 1024)
+void kbox_shadow_set_limit(uint64_t limit);
 int kbox_shadow_create(const struct kbox_sysnrs *s, long lkl_fd);
 int kbox_shadow_seal(int memfd);