CME-114

Process Resource Limits (ulimit/prlimit)

Description

Configures per-process resource limits via ulimit/prlimit to prevent algorithmic complexity attacks, infinite loops, and resource exhaustion from consuming unbounded system resources. Key limits include RLIMIT_CPU (maximum CPU time), RLIMIT_AS (maximum address space), RLIMIT_NPROC (maximum processes), and RLIMIT_NOFILE (maximum open files). Complements container-level cgroup limits (CME-704) by providing process-granularity controls that apply even outside containers.

CVSS Vector Impacts

Metric: Availability (A)
Transition: H → L
Rationale: Resource limits contain the blast radius of denial-of-service conditions to the targeted process rather than the system; an infinite loop consumes its CPU quota then receives SIGKILL, preventing system-wide resource exhaustion.

CWE Relationships

Verification

Check that CPU time limits are set for processes

$ ulimit -t
# Expected: A finite value (not unlimited)
Platform: linux
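
Added example (not part of the CME entry): `ulimit -t` reports only the current shell's soft CPU limit, so this script audits the four limits named in the description for any process by reading a table in /proc/<pid>/limits format. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CME entry. Audits the four limits named in the
# description using the /proc/<pid>/limits table format.
# Usage: audit_limits /proc/<pid>/limits   (reads stdin when no file is given)
# Returns 1 if any audited soft limit is unlimited or its row is missing.
audit_limits() {
    awk '
    BEGIN {
        # Row label in /proc/<pid>/limits -> RLIMIT name
        want["Max cpu time"]      = "RLIMIT_CPU"
        want["Max address space"] = "RLIMIT_AS"
        want["Max processes"]     = "RLIMIT_NPROC"
        want["Max open files"]    = "RLIMIT_NOFILE"
    }
    NR > 1 {
        for (label in want) {
            if (index($0, label " ") != 1) continue
            # After the label come the soft limit, hard limit and units.
            split(substr($0, length(label) + 1), f, " ")
            seen[label] = 1
            # WARN: a finite soft limit under an unlimited hard limit can be
            # raised again by the process itself.
            if (f[1] == "unlimited") { state = "FAIL"; bad = 1 }
            else if (f[2] == "unlimited") { state = "WARN" }
            else { state = "OK" }
            printf "%-4s %s soft=%s hard=%s\n", state, want[label], f[1], f[2]
        }
    }
    END {
        for (label in want)
            if (!(label in seen)) { printf "FAIL %s row not found\n", want[label]; bad = 1 }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample in /proc/<pid>/limits layout (not captured from a real host).
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max processes             4096                 unlimited            processes
Max open files            1024                 524288               files
Max address space         2147483648           2147483648           bytes
EOF
}

sample_limits | audit_limits || echo "at least one audited limit is unbounded"
```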