[GH-ISSUE #1614] Support time based restriction limits #1078

Closed
opened 2026-05-05 07:25:28 -06:00 by gitea-mirror · 3 comments

Originally created by @legoktm on GitHub (Oct 24, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1614

For MediaWiki, we've been using firejail to sandbox image conversion binaries like imagemagick, ffmpeg, rsvg, etc. We currently have a bash script that implements time limits (among other things) on how long the execution can take in both CPU time (`ulimit -t`) and wallclock time (`timeout`) that I was investigating whether firejail could replace. I understand that this isn't something that makes sense for sandboxing GUI apps, but for us time limits are an important DoS protection. Are CPU and wall clock time limits something that could be added to firejail in addition to the current rlimit options? Thanks for considering.

@gosre commented on GitHub (Oct 24, 2017):

@legoktm I've been researching similar techniques for a project I'm using firejail with. In addition to setting a hard limit on CPU time for a final stand, it might be best to look into [control groups](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01) as firejail supports them and have proved quite handy for setting a cpu limit/throttle per process (i.e. only use 10% of 1 cpu core maximum or a quota for CPU time per period).

@netblue30 commented on GitHub (Oct 25, 2017):

You are all set:

      --rlimit-cpu=number
              Set  the  maximum limit, in seconds, for the amount of CPU time
              each sandboxed process  can consume. When the limit is reached,
              the processes are killed.

              The  CPU  limit  is  a limit on CPU seconds rather than elapsed
              time. CPU seconds is basically how many  seconds  the  CPU  has
              been  in  use  and  does not necessarily directly relate to the
              elapsed time. Linux kernel keeps track of CPU seconds for  each
              process independently.

       --timeout=hh:mm:ss
              Kill  the sandbox automatically after the time has elapsed. The
              time is specified in hours/minutes/seconds format.

              $ firejail --timeout=01:30:00 firefox

You also have support for them in the profile files. Let us know if you run into problems.
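
The following is an added example, not part of the original thread and not firejail's own code: it shows why the two limits are complementary, using the `ulimit -t` / `timeout` pair from the original report, and builds the matching firejail options. The function names are hypothetical, and GNU coreutils `timeout` is assumed.

```shell
#!/bin/sh
# Added example: CPU-time limit vs wall-clock limit.
# Function names are hypothetical; GNU coreutils `timeout` is assumed.

# Convert whole seconds to the hh:mm:ss form that --timeout expects.
secs_to_hms() {
    printf '%02d:%02d:%02d' $(( $1 / 3600 )) $(( $1 % 3600 / 60 )) $(( $1 % 60 ))
}

# Print the firejail options for a CPU limit and a wall-clock limit,
# both given in seconds.
firejail_limit_args() {
    printf '%s=%d %s=%s' --rlimit-cpu "$1" --timeout "$(secs_to_hms "$2")"
}

# Run a command under both limits without firejail and return its status.
# The CPU limit is set in a subshell so the calling shell is not affected;
# the command started by timeout inherits it.
run_limited() {
    local cpu="$1" wall="$2"
    shift 2
    ( ulimit -t "$cpu" && exec timeout "$wall" "$@" )
}

# Map an exit status to the limit that most likely fired.
#   124  : timeout ended the command (wall-clock limit)
#   >128 : the command died from a signal, which is how the kernel
#          enforces the CPU limit
classify() {
    case $1 in
        0)   echo ok ;;
        124) echo wall-clock-limit ;;
        *)   [ "$1" -gt 128 ] && echo killed-by-signal || echo failed ;;
    esac
}

# Usage (constructed file names):
#   firejail $(firejail_limit_args 30 90) convert in.svg out.png
#   run_limited 30 90 convert in.svg out.png; classify $?
```

A busy loop is stopped by the CPU limit, while a process that only sleeps or blocks on I/O uses almost no CPU seconds and is stopped only by the wall-clock limit.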


@legoktm commented on GitHub (Oct 25, 2017):

Thank you very much!

Reference: github-starred/firejail#1078