bus: Add (unused) settings for resource limits for containers

These will be enforced in subsequent commits. Reviewed-by: Philip Withnall <withnall@endlessm.com> [smcv: Fix whitespace] Signed-off-by: Simon McVittie <smcv@collabora.com> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
2026-04-23 01:40:40 +02:00 · 2017-06-21 16:35:34 +01:00 · 2017-06-21 16:35:34 +01:00 · 913ea94c22
commit 913ea94c22
parent 5be6ca4163
6 changed files with 84 additions and 2 deletions
--- a/bus/bus.c
+++ b/bus/bus.c
@ -1397,6 +1397,26 @@ bus_context_get_reply_timeout (BusContext *context)
  return context->limits.reply_timeout;
 }

+int bus_context_get_max_containers (BusContext *context)
+{
+  return context->limits.max_containers;
+}
+
+int bus_context_get_max_containers_per_user (BusContext *context)
+{
+  return context->limits.max_containers_per_user;
+}
+
+int bus_context_get_max_container_metadata_bytes (BusContext *context)
+{
+  return context->limits.max_container_metadata_bytes;
+}
+
+int bus_context_get_max_connections_per_container (BusContext *context)
+{
+  return context->limits.max_connections_per_container;
+}
+
 DBusRLimit *
 bus_context_get_initial_fd_limit (BusContext *context)
 {
--- a/bus/bus.h
+++ b/bus/bus.h
@ -66,6 +66,10 @@ typedef struct
  int max_match_rules_per_connection; /**< Max number of match rules for a single connection */
  int max_replies_per_connection;     /**< Max number of replies that can be pending for each connection */
  int reply_timeout;                  /**< How long to wait before timing out a reply */
+  int max_containers;               /**< Max number of restricted servers for app-containers */
+  int max_containers_per_user;      /**< Max number of restricted servers for app-containers, per user */
+  int max_connections_per_container;  /**< Max number of connections per restricted server */
+  int max_container_metadata_bytes; /**< Max number of bytes of metadata per restricted server */
 } BusLimits;

 typedef enum
@ -123,6 +127,10 @@ int               bus_context_get_max_services_per_connection    (BusContext
 int               bus_context_get_max_match_rules_per_connection (BusContext       *context);
 int               bus_context_get_max_replies_per_connection     (BusContext       *context);
 int               bus_context_get_reply_timeout                  (BusContext       *context);
+int               bus_context_get_max_containers                 (BusContext       *context);
+int               bus_context_get_max_containers_per_user        (BusContext       *context);
+int               bus_context_get_max_container_metadata_bytes   (BusContext       *context);
+int               bus_context_get_max_connections_per_container  (BusContext       *context);
 DBusRLimit *      bus_context_get_initial_fd_limit               (BusContext       *context);
 dbus_bool_t       bus_context_get_using_syslog                   (BusContext       *context);
 void              bus_context_log                                (BusContext       *context,
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@ -481,7 +481,10 @@ bus_config_parser_new (const DBusString      *basedir,
  else
    {

-      /* Make up some numbers! woot! */
+      /* Make up some numbers! woot!
+       * Please keep these hard-coded values in sync with the comments
+       * in bus/system.conf.in. */
+
      parser->limits.max_incoming_bytes = _DBUS_ONE_MEGABYTE * 127;
      parser->limits.max_outgoing_bytes = _DBUS_ONE_MEGABYTE * 127;
      parser->limits.max_message_size = _DBUS_ONE_MEGABYTE * 32;
@ -514,12 +517,21 @@ bus_config_parser_new (const DBusString      *basedir,
      
      parser->limits.max_incomplete_connections = 64;
      parser->limits.max_connections_per_user = 256;
+      parser->limits.max_containers_per_user = 16;
      
      /* Note that max_completed_connections / max_connections_per_user
       * is the number of users that would have to work together to
-       * DOS all the other users.
+       * DOS all the other users. The same applies to containers.
       */
      parser->limits.max_completed_connections = 2048;
+      parser->limits.max_containers = 512;
+      /* Similarly max_connections_per_user / max_connections_per_container
+       * is the number of app-containers per user that would have to work
+       * together to DoS all the other processes of that user */
+      parser->limits.max_connections_per_container = 8;
+      /* Someone trying to do a denial of service attack can make us store
+       * this much data per app-container */
+      parser->limits.max_container_metadata_bytes = 4096;
      
      parser->limits.max_pending_activations = 512;
      parser->limits.max_services_per_connection = 512;
@ -2177,6 +2189,30 @@ set_limit (BusConfigParser *parser,
      must_be_int = TRUE;
      parser->limits.max_replies_per_connection = value;
    }
+  else if (strcmp (name, "max_containers") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_containers = value;
+    }
+  else if (strcmp (name, "max_containers_per_user") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_containers_per_user = value;
+    }
+  else if (strcmp (name, "max_container_metadata_bytes") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_container_metadata_bytes = value;
+    }
+  else if (strcmp (name, "max_connections_per_container") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_connections_per_container = value;
+    }
  else
    {
      dbus_set_error (error, DBUS_ERROR_FAILED,
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@ -76,5 +76,11 @@
  <limit name="max_names_per_connection">50000</limit>
  <limit name="max_match_rules_per_connection">50000</limit>
  <limit name="max_replies_per_connection">50000</limit>
+  <limit name="max_containers">10000</limit>
+  <limit name="max_containers_per_user">10000</limit>
+  <limit name="max_container_metadata_bytes">1000000000</limit>
+  <!-- This is relatively low so that app-containers (which we do not fully
+       trust) do not cause DoS. -->
+  <limit name="max_connections_per_container">16</limit>

 </busconfig>
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@ -124,6 +124,10 @@
  <!-- <limit name="max_names_per_connection">512</limit> -->
  <!-- <limit name="max_match_rules_per_connection">512</limit> -->
  <!-- <limit name="max_replies_per_connection">128</limit> -->
+  <!-- <limit name="max_containers">512</limit> -->
+  <!-- <limit name="max_containers_per_user">16</limit> -->
+  <!-- <limit name="max_container_metadata_bytes">4096</limit> -->
+  <!-- <limit name="max_connections_per_container">8</limit> -->

  <!-- Config files are placed here that among other things, punch 
       holes in the above policy for specific services. -->
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@ -749,6 +749,14 @@ Available limit names are:</para>
                                     (number of calls-in-progress)
      "reply_timeout"              : milliseconds (thousandths)
                                     until a method call times out
+      "max_containers"             : max number of restricted servers for use
+                                     in app-containers, in total
+      "max_containers_per_user"    : max number of app-containers per Unix uid
+      "max_container_metadata_bytes": max number of bytes of metadata to store
+                                      for each app-container
+      "max_connections_per_container": max number of (authenticated or
+                                       unauthenticated) connections to each
+                                       app-container
 </literallayout> <!-- .fi -->