github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1337] Possible to set runtime limit? #917

New issue

Closed

opened 2026-05-05 07:08:39 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 07:08:39 -06:00

Owner

Originally created by @sknepal on GitHub (Jun 15, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1337

Hi,

I am using firejail to run bash for an online repl. The user might run python, java or other codes on the bash. Is it possible to set runtime limit for these codes so that the user for example, can be stopped from doing infinite loops etc? Like, kill the python execution as soon as it goes over 2 minutes?

If its not possible via firejail, can you think of any other way? Please let me know. I have no idea how this can be achieved.

Thank you!

Originally created by @sknepal on GitHub (Jun 15, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1337 Hi, I am using firejail to run bash for an online repl. The user might run python, java or other codes on the bash. Is it possible to set runtime limit for these codes so that the user for example, can be stopped from doing infinite loops etc? Like, kill the python execution as soon as it goes over 2 minutes? If its not possible via firejail, can you think of any other way? Please let me know. I have no idea how this can be achieved. Thank you!

gitea-mirror

2026-05-05 07:08:39 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 07:08:46 -06:00

Author

Owner

@Ferroin commented on GitHub (Jun 15, 2017):

AFAIK, it's not possible with firejail, but it is possible using the ulimit builtin in bash.

For example, the following bash script will run a python script passed to it and cause SIGKILL to be sent if the total CPU time exceeds roughly 2 minutes:

#!/bin/bash
ulimit -H -t 120
exec /usr/bin/env python $@

Similar scripts will work for just about any interpreted language as well as mono and java.

The downside to this is that total CPU time doesn't work like most people expect it. Put simply:

If 2 threads in the same process both spend 1 second executing on different CPU's, the process is accounted for 2 seconds of CPU time (one second for each CPU).
Time spent waiting on I/O may or may not be counted depending on how the I/O is performed at the kernel level.
Time spent sleeping (for example, time spent in the time.sleep() or signal.pause() functions in Python) is not accounted against CPU time.

Assuming this is a web app, you can also do filtering in the app itself to catch obviously bad stuff like:

while True:
    do_something()

@Ferroin commented on GitHub (Jun 15, 2017): AFAIK, it's not possible with firejail, but it is possible using the ulimit builtin in bash. For example, the following bash script will run a python script passed to it and cause SIGKILL to be sent if the total CPU time exceeds roughly 2 minutes: ```sh #!/bin/bash ulimit -H -t 120 exec /usr/bin/env python $@ ``` Similar scripts will work for just about any interpreted language as well as mono and java. The downside to this is that total CPU time doesn't work like most people expect it. Put simply: * If 2 threads in the same process both spend 1 second executing on different CPU's, the process is accounted for 2 seconds of CPU time (one second for each CPU). * Time spent waiting on I/O may or may not be counted depending on how the I/O is performed at the kernel level. * Time spent sleeping (for example, time spent in the time.sleep() or signal.pause() functions in Python) is not accounted against CPU time. Assuming this is a web app, you can also do filtering in the app itself to catch obviously bad stuff like: ```python while True: do_something() ```

gitea-mirror commented

2026-05-05 07:08:50 -06:00

Author

Owner

@reinerh commented on GitHub (Jun 15, 2017):

Using timeout also works:
$ timeout 1s firejail sleep 20

@reinerh commented on GitHub (Jun 15, 2017): Using timeout also works: `$ timeout 1s firejail sleep 20`

gitea-mirror commented

2026-05-05 07:08:53 -06:00

Author

Owner

@sknepal commented on GitHub (Jun 18, 2017):

@reinerh I think that would timeout firejail but not the processes that are running on the bash (which is inside the jail). I would just like to timeout the processes, not firejail itself.

Anyway, I wrote a script to monitor for processes running longer than X seconds and kill them. Put it on crontab so that it runs regularly. That seems to have solved my problem. Thank you for the responses.

@sknepal commented on GitHub (Jun 18, 2017): @reinerh I think that would timeout firejail but not the processes that are running on the bash (which is inside the jail). I would just like to timeout the processes, not firejail itself. Anyway, I wrote a script to monitor for processes running longer than X seconds and kill them. Put it on crontab so that it runs regularly. That seems to have solved my problem. Thank you for the responses.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#917

No description provided.

Rows
Columns