
Commit af5fff3

committed
Better descriptors/clang-format
1 parent 977ba4e commit af5fff3

1 file changed

Lines changed: 12 additions & 16 deletions


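--- a/src/C/kcron_setup.h
+++ b/src/C/kcron_setup.h
@@ -110,7 +110,9 @@ int set_kcron_ulimits(void) {
 
 /* Minimal stack size should be sufficient for this simple program */
 long page_size = sysconf(_SC_PAGESIZE);
-if (page_size < 1024) page_size = 4096; /* fallback to workable size */
+if (page_size < 1024) {
+page_size = 4096; /* fallback to workable size */
+}
 rlim_t min_stack = (rlim_t)page_size * 2u;
 const struct rlimit stack = {min_stack, min_stack};
 if (setrlimit(RLIMIT_STACK, &stack) != 0) {
@@ -156,14 +158,14 @@ int set_kcron_ulimits(void) {
 * Apply comprehensive runtime hardening measures.
 *
 * This function sets up multiple layers of defense:
-* 1. Redirects stdin to /dev/null (prevents input-based attacks)
-* 2. Disables core dumps (prevents memory disclosure)
-* 3. Sets no_new_privs (prevents privilege escalation via execve)
-* 4. Clears environment variables (prevents LD_PRELOAD and similar attacks)
-* 5. Sets restrictive ulimits (resource exhaustion prevention)
-* 6. Enables landlock (filesystem access control)
-* 7. Enables seccomp (syscall filtering)
-* 8. Drops capabilities (privilege minimization)
+* - Redirects stdin to /dev/null (prevents input-based attacks)
+* - Disables core dumps (prevents memory disclosure)
+* - Sets no_new_privs (prevents privilege escalation via execve)
+* - Clears environment variables (prevents LD_PRELOAD and similar attacks)
+* - Sets restrictive ulimits (resource exhaustion prevention)
+* - Enables landlock (filesystem access control)
+* - Enables seccomp (syscall filtering)
+* - Drops capabilities (privilege minimization)
 *
 * Exits on any failure - hardening is mandatory, not optional.
 *
@@ -193,13 +195,7 @@ void harden_runtime(void) {
 exit(EXIT_FAILURE);
 }
 
-/*
-* Clear all environment variables to prevent:
-* - LD_PRELOAD attacks
-* - LD_LIBRARY_PATH attacks
-* - Locale-based attacks
-* - Any other environment-dependent behavior
-*/
+/* Clear all environment variables to prevent environment-dependent behavior */
 if (clearenv() != 0) {
 (void)fprintf(stderr, "%s: Cannot clear environment variables: %s\n", __PROGRAM_NAME, strerror(errno));
 exit(EXIT_FAILURE);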
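Review bot: The doc comment for harden_runtime (new lines 161-168) no longer says the steps run in a fixed sequence now that the numbered list is bullets, and for this kind of hardening the sequence matters: installing a seccomp filter and calling landlock_restrict_self both need no_new_privs set first unless the process holds CAP_SYS_ADMIN. Whether the body actually follows the listed order cannot be confirmed here, because harden_runtime starts and ends outside the visible hunks. If it does, I would keep the bullets and add one line such as `* Steps run in the order listed; no_new_privs must be set before landlock and seccomp.` so a later reorder is caught in review. The shortened comment at new line 198 has the same loss of rationale, and naming the cases again, e.g. `/* Clear the environment (LD_PRELOAD, LD_LIBRARY_PATH, locale variables) so later lookups and child processes do not inherit it */`, would keep the threat explicit.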
