From 2341330aba3c5473ce8cf715bc7e641fd2382624 Mon Sep 17 00:00:00 2001
From: Robert Muir <rmuir@apache.org>
Date: Thu, 26 Nov 2015 02:58:53 -0500
Subject: [PATCH] set RLIMIT_NPROC = 0 on bsd/os X systems.

This BSD-specific limit prevents child process creation.
---
 .../elasticsearch/bootstrap/JNACLibrary.java  |  1 +
 .../org/elasticsearch/bootstrap/Seccomp.java  | 34 ++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/elasticsearch/bootstrap/JNACLibrary.java b/core/src/main/java/org/elasticsearch/bootstrap/JNACLibrary.java
index 8a2cc96f9c6..bff22bc19f5 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/JNACLibrary.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/JNACLibrary.java
@@ -66,6 +66,7 @@ final class JNACLibrary {
     }
     
     static native int getrlimit(int resource, Rlimit rlimit);
+    static native int setrlimit(int resource, Rlimit rlimit);
     
     static native String strerror(int errno);
 
diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
index 8e2d96f8729..3c8186f4ce1 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
@@ -47,7 +47,7 @@ import java.util.Map;
  * Installs a limited form of secure computing mode,
  * to filters system calls to block process execution.
  * <p>
- * This is only supported on the Linux, Solaris, and Mac OS X operating systems.
+ * This is only supported on the Linux, Solaris, FreeBSD, OpenBSD, and Mac OS X operating systems.
  * <p>
  * On Linux it currently supports amd64 and i386 architectures, requires Linux kernel 3.5 or above, and requires
  * {@code CONFIG_SECCOMP} and {@code CONFIG_SECCOMP_FILTER} compiled into the kernel.
@@ -71,6 +71,8 @@ import java.util.Map;
  *   <li>{@code PRIV_PROC_EXEC}</li>
  * </ul>
  * <p>
+ * On BSD systems, process creation is restricted with {@code setrlimit(RLIMIT_NPROC)}.
+ * <p>
  * On Mac OS X Leopard or above, a custom {@code sandbox(7)} ("Seatbelt") profile is installed that
  * denies the following rules:
  * <ul>
@@ -534,6 +536,31 @@ final class Seccomp {
         logger.debug("Solaris priv_set initialization successful");
     }
 
+    // BSD implementation via setrlimit(2)
+
+    // TODO: add OpenBSD to Lucene Constants
+    // TODO: JNA doesn't have netbsd support, but this mechanism should work there too.
+    static final boolean OPENBSD = Constants.OS_NAME.startsWith("OpenBSD");
+
+    // not a standard limit, means something different on linux, etc!
+    static final int RLIMIT_NPROC = 7;
+
+    static void bsdImpl() {
+        boolean supported = Constants.FREE_BSD || OPENBSD || Constants.MAC_OS_X;
+        if (supported == false) {
+            throw new IllegalStateException("bug: should not be trying to initialize RLIMIT_NPROC for an unsupported OS");
+        }
+
+        JNACLibrary.Rlimit limit = new JNACLibrary.Rlimit();
+        limit.rlim_cur.setValue(0);
+        limit.rlim_max.setValue(0);
+        if (JNACLibrary.setrlimit(RLIMIT_NPROC, limit) != 0) {
+            throw new UnsupportedOperationException("RLIMIT_NPROC unavailable: " + JNACLibrary.strerror(Native.getLastError()));
+        }
+
+        logger.debug("BSD RLIMIT_NPROC initialization successful");
+    }
+
     /**
      * Attempt to drop the capability to execute for the process.
      * <p>
@@ -544,11 +571,16 @@ final class Seccomp {
         if (Constants.LINUX) {
             return linuxImpl();
         } else if (Constants.MAC_OS_X) {
+            // try to enable both mechanisms if possible
+            bsdImpl();
             macImpl(tmpFile);
             return 1;
         } else if (Constants.SUN_OS) {
             solarisImpl();
             return 1;
+        } else if (Constants.FREE_BSD || OPENBSD) {
+            bsdImpl();
+            return 1;
         } else {
             throw new UnsupportedOperationException("syscall filtering not supported for OS: '" + Constants.OS_NAME + "'");
         }