синтаксис файла профиля безопасности и информация о создании новых профилей приложений (Security profile file syntax, and information about building new application profiles.)
Resource limits, CPU affinity, Control Groups
These profile entries define the limits on system resources
(rlimits) for the processes inside the sandbox. The limits can
be modified inside the sandbox using the regular ulimit command.
cpu command configures the CPU cores available, and cgroup
command place the sandbox in an existing control group.
Examples:
cgroup /sys/fs/cgroup/g1/tasks
The sandbox is placed in g1 control group.
cpu 0,1,2
Use only CPU cores 0, 1 and 2.
nice -5
Set a nice value of -5 to all processes running inside the
sandbox.
rlimit-as 123456789012
Set the maximum size of the process's virtual memory to
123456789012 bytes.
rlimit-cpu 123
Set the maximum CPU time in seconds.
rlimit-fsize 1024
Set the maximum file size that can be created by a process
to 1024 bytes.
rlimit-nproc 1000
Set the maximum number of processes that can be created
for the real user ID of the calling process to 1000.
rlimit-nofile 500
Set the maximum number of files that can be opened by a
process to 500.
rlimit-sigpending 200
Set the maximum number of processes that can be created
for the real user ID of the calling process to 200.
timeout hh:mm:ss
Kill the sandbox automatically after the time has elapsed.
The time is specified in hours/minutes/seconds format.
