author | Simon McVittie <smcv@collabora.com> | 2017-06-21 16:35:34 +0100 |
---|---|---|
committer | Simon McVittie <smcv@collabora.com> | 2017-12-11 16:05:18 +0000 |
commit | f701da16c9dd23cc0be5dc37473d8b6f30f6c1ea (patch) | |
tree | f30f09e1409be4cf872c1c0d18d9e7654c5918c2 | |
parent | 3faac25886c1b69d94298563363a71bd59cabb50 (diff) |
bus: Add (unused) settings for resource limits for containers
These will be enforced in subsequent commits.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Fix whitespace]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
-rw-r--r-- | bus/bus.c | 20 | ||||
-rw-r--r-- | bus/bus.h | 8 | ||||
-rw-r--r-- | bus/config-parser.c | 40 | ||||
-rw-r--r-- | bus/session.conf.in | 6 | ||||
-rw-r--r-- | bus/system.conf.in | 4 | ||||
-rw-r--r-- | doc/dbus-daemon.1.xml.in | 8 |
6 files changed, 84 insertions, 2 deletions
@@ -1397,6 +1397,26 @@ bus_context_get_reply_timeout (BusContext *context) return context->limits.reply_timeout; } +int bus_context_get_max_containers (BusContext *context) +{ + return context->limits.max_containers; +} + +int bus_context_get_max_containers_per_user (BusContext *context) +{ + return context->limits.max_containers_per_user; +} + +int bus_context_get_max_container_metadata_bytes (BusContext *context) +{ + return context->limits.max_container_metadata_bytes; +} + +int bus_context_get_max_connections_per_container (BusContext *context) +{ + return context->limits.max_connections_per_container; +} + DBusRLimit * bus_context_get_initial_fd_limit (BusContext *context) { @@ -66,6 +66,10 @@ typedef struct int max_match_rules_per_connection; /**< Max number of match rules for a single connection */ int max_replies_per_connection; /**< Max number of replies that can be pending for each connection */ int reply_timeout; /**< How long to wait before timing out a reply */ + int max_containers; /**< Max number of restricted servers for app-containers */ + int max_containers_per_user; /**< Max number of restricted servers for app-containers, per user */ + int max_connections_per_container; /**< Max number of connections per restricted server */ + int max_container_metadata_bytes; /**< Max number of bytes of metadata per restricted server */ } BusLimits; typedef enum 
@@ -123,6 +127,10 @@ int bus_context_get_max_services_per_connection (BusContext int bus_context_get_max_match_rules_per_connection (BusContext *context); int bus_context_get_max_replies_per_connection (BusContext *context); int bus_context_get_reply_timeout (BusContext *context); +int bus_context_get_max_containers (BusContext *context); +int bus_context_get_max_containers_per_user (BusContext *context); +int bus_context_get_max_container_metadata_bytes (BusContext *context); +int bus_context_get_max_connections_per_container (BusContext *context); DBusRLimit * bus_context_get_initial_fd_limit (BusContext *context); dbus_bool_t bus_context_get_using_syslog (BusContext *context); void bus_context_log (BusContext *context, diff --git a/bus/config-parser.c b/bus/config-parser.c index c99a7170..f49ab1dc 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -481,7 +481,10 @@ bus_config_parser_new (const DBusString *basedir, else { - /* Make up some numbers! woot! */ + /* Make up some numbers! woot! + * Please keep these hard-coded values in sync with the comments + * in bus/system.conf.in. */ + parser->limits.max_incoming_bytes = _DBUS_ONE_MEGABYTE * 127; parser->limits.max_outgoing_bytes = _DBUS_ONE_MEGABYTE * 127; parser->limits.max_message_size = _DBUS_ONE_MEGABYTE * 32; 
@@ -514,12 +517,21 @@ bus_config_parser_new (const DBusString *basedir, parser->limits.max_incomplete_connections = 64; parser->limits.max_connections_per_user = 256; + parser->limits.max_containers_per_user = 16; /* Note that max_completed_connections / max_connections_per_user * is the number of users that would have to work together to - * DOS all the other users. + * DOS all the other users. The same applies to containers. */ parser->limits.max_completed_connections = 2048; + parser->limits.max_containers = 512; + /* Similarly max_connections_per_user / max_connections_per_container + * is the number of app-containers per user that would have to work + * together to DoS all the other processes of that user */ + parser->limits.max_connections_per_container = 8; + /* Someone trying to do a denial of service attack can make us store + * this much data per app-container */ + parser->limits.max_container_metadata_bytes = 4096; parser->limits.max_pending_activations = 512; parser->limits.max_services_per_connection = 512; @@ -2177,6 +2189,30 @@ set_limit (BusConfigParser *parser, must_be_int = TRUE; parser->limits.max_replies_per_connection = value; } + else if (strcmp (name, "max_containers") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_containers = value; + } + else if (strcmp (name, "max_containers_per_user") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_containers_per_user = value; + } + else if (strcmp (name, "max_container_metadata_bytes") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_container_metadata_bytes = value; + } + else if (strcmp (name, "max_connections_per_container") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_connections_per_container = value; + } else { dbus_set_error (error, DBUS_ERROR_FAILED, diff --git a/bus/session.conf.in b/bus/session.conf.in index affa7f1d..ace073c9 100644 --- a/bus/session.conf.in 
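Review bot: The new comment on `max_container_metadata_bytes` in the defaults block gives only the per-container bound, while the memory a caller can make the daemon hold is that value multiplied by `max_containers`; with the defaults set here that is 512 × 4096 bytes, about 2 MiB. I would say so in the comment, e.g. `/* ... per app-container, so at most max_containers * max_container_metadata_bytes in total (2 MiB with these defaults) */`, so that anyone raising one limit sees the effect on the other. The same block could also record that max_containers_per_user × max_connections_per_container (16 × 8 = 128) stays below max_connections_per_user (256), which is what stops one user's containers from consuming that user's whole connection quota. bus_config_parser_new starts and ends outside the hunk.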
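Review bot: Nothing in the four new branches of set_limit says what a value of 0 means for these limits, and the checks that consume `must_be_positive` and `must_be_int` sit after the if/else chain, outside the hunk, so whether 0 is accepted cannot be seen here. Because enforcement only arrives in later commits, this is the place to pin the meaning down: if 0 does get through, it should read as "no containers / no connections allowed" and never as "unlimited", otherwise a configuration slip would fail open. A short comment above the first new branch, for example `/* 0 is accepted and means none are allowed, not unlimited */` (if that is the intended behaviour), together with the same sentence in the man page entry, would settle it for whoever writes the enforcement code.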
+++ b/bus/session.conf.in @@ -76,5 +76,11 @@ <limit name="max_names_per_connection">50000</limit> <limit name="max_match_rules_per_connection">50000</limit> <limit name="max_replies_per_connection">50000</limit> + <limit name="max_containers">10000</limit> + <limit name="max_containers_per_user">10000</limit> + <limit name="max_container_metadata_bytes">1000000000</limit> + <!-- This is relatively low so that app-containers (which we do not fully + trust) do not cause DoS. --> + <limit name="max_connections_per_container">16</limit> </busconfig> diff --git a/bus/system.conf.in b/bus/system.conf.in index f139b557..2ca4ae58 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -124,6 +124,10 @@ <!-- <limit name="max_names_per_connection">512</limit> --> <!-- <limit name="max_match_rules_per_connection">512</limit> --> <!-- <limit name="max_replies_per_connection">128</limit> --> + <!-- <limit name="max_containers">512</limit> --> + <!-- <limit name="max_containers_per_user">16</limit> --> + <!-- <limit name="max_container_metadata_bytes">4096</limit> --> + <!-- <limit name="max_connections_per_container">8</limit> --> <!-- Config files are placed here that among other things, punch holes in the above policy for specific services. --> diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index b029232d..6368464f 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -749,6 +749,14 @@ Available limit names are:</para> (number of calls-in-progress) "reply_timeout" : milliseconds (thousandths) until a method call times out + "max_containers" : max number of restricted servers for use + in app-containers, in total + "max_containers_per_user" : max number of app-containers per Unix uid + "max_container_metadata_bytes": max number of bytes of metadata to store + for each app-container + "max_connections_per_container": max number of (authenticated or + unauthenticated) connections to each + app-container </literallayout> <!-- .fi --> |
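Review bot: The new comment in session.conf.in explains why `max_connections_per_container` is kept low, but not why the three limits above it are effectively unbounded: 10000 containers with up to 1000000000 bytes of metadata each puts no practical cap on what the session bus can be asked to store. If the reasoning is that containers and their metadata are set up by an ordinary session peer, which the session bus already trusts, and not by the contained app, that should be written next to those lines, e.g. `<!-- Containers and their metadata are created by trusted session peers, so these limits are deliberately high; only the contained apps are restricted. -->`. If a contained app can influence the metadata size in any way, a value closer to the compiled-in default of 4096 would be the safer choice here.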