attempting to fix possible shell code injection through GUI notifications
parent
b910bf1b28
commit
53dbd40128
19
README.md
19
README.md
@ -89,17 +89,16 @@ optional arguments:
|
||||
|
||||
The program can be configured by editing the [config file](https://github.com/hakavlad/nohang/blob/master/nohang.conf). The configuration includes the following sections:
|
||||
|
||||
- THRESHOLDS FOR SENDING SIGNALS
|
||||
- INTENSITY OF MONITORING (AND CPU USAGE)
|
||||
- PREVENTION OF KILLING INNOCENT VICTIMS
|
||||
- AVOID AND PREFER VICTIM NAMES VIA REGEX
|
||||
- EXECUTE THE COMMAND INSTEAD OF SENDING THE SIGTERM SIGNAL
|
||||
- GUI NOTIFICATIONS
|
||||
- LOW MEMORY WARNINGS
|
||||
- SELF-DEFENSE AND PREVENTING SLOWING DOWN THE PROGRAM
|
||||
- OUTPUT VERBOSITY
|
||||
- Thresholds for sending signals to victims
|
||||
- Intensity of monitoring (and CPU usage)
|
||||
- Prevention of killing innocent victims
|
||||
- Avoid and prefer victim names via regex matching
|
||||
- Execute the command instead of sending the SIGTERM signal
|
||||
- GUI notifications: results of preventing OOM and low memory warnings
|
||||
- Self-defense and preventing slowing down the program
|
||||
- Output verbosity
|
||||
|
||||
Just read the description of the parameters and edit the values. Run the command `sudo systemctl restart nohang` to apply changes. Default path to the config arter installing via `./install.sh` is `/etc/nohang/nohang.conf`.
|
||||
Just read the description of the parameters and edit the values. Please restart nohang to apply changes. Default path to the config arter installing via `./install.sh` is `/etc/nohang/nohang.conf`.
|
||||
|
||||
### Feedback
|
||||
|
||||
|
13
nohang
13
nohang
@ -33,6 +33,8 @@ conf_err_mess = '\nSet up the path to the valid config file with -c/--confi' \
|
||||
# но это утверждение противоречит опытным данным
|
||||
zram_disksize_factor = 0.0042
|
||||
|
||||
name_strip_string = '\'"`\\!-$'
|
||||
|
||||
##########################################################################
|
||||
|
||||
# function definition section
|
||||
@ -199,7 +201,7 @@ def send_notify(signal, name, pid, oom_score, vm_rss, vm_swap):
|
||||
info = '"<u>Nohang</u> sent <u>{}</u> \nto the process <b>{}</b> \n<i>P' \
|
||||
'id:</i> <b>{}</b> \n<i>Badness:</i> <b>{}</b> \n<i>VmRSS:</i> <b' \
|
||||
'>{} MiB</b> \n<i>VmSwap:</i> <b>{} MiB</b>" &'.format(
|
||||
sig_dict[signal], name, pid, oom_score, vm_rss, vm_swap)
|
||||
sig_dict[signal], name.strip(name_strip_string), pid, oom_score, vm_rss, vm_swap)
|
||||
if root:
|
||||
# отправляем уведомление всем залогиненным пользователям
|
||||
for uid in os.listdir('/run/user'):
|
||||
@ -227,7 +229,6 @@ def sleep_after_send_signal(signal):
|
||||
|
||||
def find_victim_and_send_signal(signal):
|
||||
|
||||
print('****')
|
||||
print(mem_info)
|
||||
|
||||
# выставляем потолок для oom_score_adj всех процессов
|
||||
@ -1320,7 +1321,7 @@ while True:
|
||||
# MEM SWAP KILL
|
||||
if mem_available <= mem_min_sigkill_kb and swap_free <= swap_min_sigkill_kb:
|
||||
|
||||
mem_info = ' MemAvailable ({} MiB, {} %) < mem_min_sigkill ({} MiB, {} %)\n Swa' \
|
||||
mem_info = '* MemAvailable ({} MiB, {} %) < mem_min_sigkill ({} MiB, {} %)\n Swa' \
|
||||
'pFree ({} MiB, {} %) < swap_min_sigkill ({} MiB, {} %)'.format(
|
||||
kib_to_mib(mem_available),
|
||||
percent(mem_available / mem_total),
|
||||
@ -1339,7 +1340,7 @@ while True:
|
||||
# ZRAM KILL
|
||||
elif mem_used_zram >= zram_max_sigkill_kb:
|
||||
|
||||
mem_info = ' MemUsedZram ({} MiB, {} %) > zram_max_sigkill ({} MiB, {} %)'.format(
|
||||
mem_info = '* MemUsedZram ({} MiB, {} %) > zram_max_sigkill ({} MiB, {} %)'.format(
|
||||
kib_to_mib(mem_used_zram),
|
||||
percent(mem_used_zram / mem_total),
|
||||
kib_to_mib(zram_max_sigkill_kb),
|
||||
@ -1350,7 +1351,7 @@ while True:
|
||||
# MEM SWAP TERM
|
||||
elif mem_available <= mem_min_sigterm_kb and swap_free <= swap_min_sigterm_kb:
|
||||
|
||||
mem_info = ' MemAvailable ({} MiB, {} %) < mem_min_sigterm ({} MiB, {} %)\n Sw' \
|
||||
mem_info = '* MemAvailable ({} MiB, {} %) < mem_min_sigterm ({} MiB, {} %)\n Sw' \
|
||||
'apFree ({} MiB, {} %) < swap_min_sigterm ({} MiB, {} %)'.format(
|
||||
kib_to_mib(mem_available),
|
||||
percent(mem_available / mem_total),
|
||||
@ -1374,7 +1375,7 @@ while True:
|
||||
# ZRAM TERM
|
||||
elif mem_used_zram >= zram_max_sigterm_kb:
|
||||
|
||||
mem_info = ' MemUsedZram ({} MiB, {} %) > zram_max_sigter' \
|
||||
mem_info = '* MemUsedZram ({} MiB, {} %) > zram_max_sigter' \
|
||||
'm ({} M, {} %)'.format(
|
||||
kib_to_mib(mem_used_zram),
|
||||
percent(mem_used_zram / mem_total),
|
||||
|
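Review bot: `name.strip(name_strip_string)` in send_notify trims the listed characters only from the two ends of the process name, so a quote, backtick, backslash or `$` anywhere inside the name still lands in the double-quoted `info` string. The trailing `" &'` suggests `info` is later handed to a shell, though that call is outside the hunk; if so, a name that any local process can choose is still interpreted by that shell, and in the `if root:` branch presumably with root privileges. Removing every occurrence, e.g. `name.translate(str.maketrans('', '', name_strip_string))`, would close the gap this commit is aiming at. The more durable fix is to pass notify-send an argument list through `subprocess` without a shell, so that no character filter is needed at all. send_notify's body starts and ends outside the hunk.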
40
nohang.conf
40
nohang.conf
@ -5,13 +5,12 @@
|
||||
|
||||
The configuration includes the following sections:
|
||||
|
||||
* THRESHOLDS FOR SENDING SIGNALS
|
||||
* THRESHOLDS FOR SENDING SIGNALS TO VICTIMS
|
||||
* INTENSITY OF MONITORING (AND CPU USAGE)
|
||||
* PREVENTION OF KILLING INNOCENT VICTIMS
|
||||
* AVOID AND PREFER VICTIM NAMES VIA REGEX
|
||||
* AVOID AND PREFER VICTIM NAMES VIA REGEX MATCHING
|
||||
* EXECUTE THE COMMAND INSTEAD OF SENDING THE SIGTERM SIGNAL
|
||||
* GUI NOTIFICATIONS
|
||||
* LOW MEMORY WARNINGS
|
||||
* GUI NOTIFICATIONS: RESULTS OF PREVENTING OOM AND LOW MEMORY WARNINGS
|
||||
* SELF-DEFENSE AND PREVENTING SLOWING DOWN THE PROGRAM
|
||||
* OUTPUT VERBOSITY
|
||||
|
||||
@ -20,7 +19,7 @@
|
||||
|
||||
#####################################################################
|
||||
|
||||
I. THRESHOLDS FOR SENDING SIGNALS
|
||||
* THRESHOLDS FOR SENDING SIGNALS TO VICTIMS
|
||||
|
||||
Sets the available memory levels below which SIGTERM or SIGKILL
|
||||
signals are sent. The signal will be sent if MemAvailable and
|
||||
@ -47,7 +46,7 @@ zram_max_sigkill = 60 %
|
||||
|
||||
#####################################################################
|
||||
|
||||
II. INTENSITY OF MONITORING
|
||||
* INTENSITY OF MONITORING (AND CPU USAGE)
|
||||
|
||||
Coefficients that affect the intensity of monitoring. Reducing
|
||||
the coefficients can reduce CPU usage and increase the periods
|
||||
@ -75,7 +74,7 @@ rate_zram = 1
|
||||
|
||||
#####################################################################
|
||||
|
||||
III. PREVENTION OF KILLING INNOCENT VICTIMS
|
||||
* PREVENTION OF KILLING INNOCENT VICTIMS
|
||||
|
||||
Минимальное значение oom_score, которым должен обладать
|
||||
процесс для того, чтобы ему был отправлен сигнал.
|
||||
@ -114,7 +113,7 @@ oom_score_adj_max = 20
|
||||
|
||||
#####################################################################
|
||||
|
||||
IV. AVOID AND PREFER VICTIM NAMES VIA REGEX
|
||||
* AVOID AND PREFER VICTIM NAMES VIA REGEX MATCHING
|
||||
|
||||
Можно задать регулярные выражения (Perl-compatible regular
|
||||
expressions), которые будут использоваться для сопоставления с
|
||||
@ -151,7 +150,7 @@ avoidlist_factor = 4
|
||||
|
||||
#####################################################################
|
||||
|
||||
V. EXECUTE THE COMMAND INSTEAD OF SENDING THE SIGTERM SIGNAL
|
||||
* EXECUTE THE COMMAND INSTEAD OF SENDING THE SIGTERM SIGNAL
|
||||
|
||||
Для процессов с определенным именем можно задать команду,
|
||||
которая будет выполняться вместо отправки сигнала SIGTERM
|
||||
@ -180,7 +179,9 @@ execute_the_command = False
|
||||
|
||||
#####################################################################
|
||||
|
||||
VI. GUI NOTIFICATIONS
|
||||
* GUI NOTIFICATIONS:
|
||||
* RESULTS OF PREVENTING OOM
|
||||
* LOW MEMORY WARNINGS
|
||||
|
||||
Включение этой опции требует наличия notify-send в системе.
|
||||
В Debian/Ubuntu это обеспечивается установкой пакета
|
||||
@ -193,9 +194,9 @@ execute_the_command = False
|
||||
|
||||
desktop_notifications = False
|
||||
|
||||
Дополнительные опции для notify-send.
|
||||
См. notify-send --help и man notify-send
|
||||
Примеры:
|
||||
Additional options for notify-send.
|
||||
See `notify-send --help` and read `man notify-send`
|
||||
For example:
|
||||
notify_options = -u "critical"
|
||||
notify_options = -t "20000" -i "dialog-warning"
|
||||
|
||||
@ -208,14 +209,8 @@ notify_options =
|
||||
|
||||
root_display = :0
|
||||
|
||||
#####################################################################
|
||||
|
||||
VII. LOW MEMORY WARNINGS
|
||||
|
||||
Десктопные уведомления о низком уровне доступной памяти.
|
||||
Enable GUI notifications about the low level of available memory.
|
||||
Для работы опции должны быть включены десктопные уведомления.
|
||||
Возможно стоит этот раздел объединить с GUI NOTIFICATIONS.
|
||||
|
||||
Valid values are True and False.
|
||||
|
||||
low_memory_warnings = False
|
||||
@ -243,7 +238,7 @@ zram_max_warnings = 40 %
|
||||
|
||||
#####################################################################
|
||||
|
||||
VIII. SELF-DEFENSE AND PREVENTING SLOWING DOWN THE PROGRAM
|
||||
* SELF-DEFENSE AND PREVENTING SLOWING DOWN THE PROGRAM
|
||||
|
||||
True - заблокировать процесс в памяти для запрета его своппинга.
|
||||
False - не блокировать.
|
||||
@ -284,7 +279,7 @@ realtime_ionice_classdata = 5
|
||||
|
||||
#####################################################################
|
||||
|
||||
IX. STANDARD OUTPUT VERBOSITY
|
||||
* STANDARD OUTPUT VERBOSITY
|
||||
|
||||
Display the configuration when the program starts.
|
||||
Valid values are True and False.
|
||||
@ -302,3 +297,4 @@ print_mem_check_results = False
|
||||
|
||||
print_sleep_periods = False
|
||||
|
||||
|
||||
|