Remove the fd limit in the unwind sandbox

Sandboxed API Team · copybara-github · commit 1d16925f4208 · 2026-04-07T07:41:24.000-07:00
Some users are running sandboxes concurrently, and it is possible that we are at some point launching unwind sandboxes concurrently as well. If that happens, we could theoretically reach the kernel limit of fds in flight in sockets.

PiperOrigin-RevId: 895895003
Change-Id: Icca7183ae37d0268d5c5a7f374855c1ee6298690
diff --git a/sandboxed_api/sandbox2/stack_trace.cc b/sandboxed_api/sandbox2/stack_trace.cc
@@ -190,6 +190,11 @@ absl::StatusOr<std::vector<std::string>> StackTracePeer::LaunchLibunwindSandbox(
   auto executor = absl::WrapUnique(new Executor(pid, recursion_depth));
 
   executor->limits()->set_rlimit_cpu(10).set_walltime_limit(absl::Seconds(5));
+  // See b/492118811.
+  // When running sandboxes concurrently, we might get a problem with sending
+  // the unotify file descriptor in the unwind sandbox, as we might exceed the
+  // maximum number of file descriptors.
+  executor->limits()->set_rlimit_nofile(RLIM64_INFINITY);
 
   // Get path to the binary.
   // app_path contains the path like it is also in /proc/pid/maps. It is
