nsresourced: put a limit on delegated network interfaces too

author Lennart Poettering <lennart@poettering.net>

Mon, 10 Mar 2025 11:57:29 +0000 (12:57 +0100)

committer Lennart Poettering <lennart@poettering.net>

Mon, 17 Mar 2025 15:03:18 +0000 (16:03 +0100)
author Lennart Poettering <lennart@poettering.net>
Mon, 10 Mar 2025 11:57:29 +0000 (12:57 +0100)
committer Lennart Poettering <lennart@poettering.net>
Mon, 17 Mar 2025 15:03:18 +0000 (16:03 +0100)
diff --git a/src/nsresourced/nsresourcework.c b/src/nsresourced/nsresourcework.c

index eda2d143528429963f2921253c56e440e3a70b4d..86d1428ccc8820efd9825eaa7bede45627871f1d 100644 (file)
--- a/src/nsresourced/nsresourcework.c
+++ b/src/nsresourced/nsresourcework.c
@@ -1742,6 +1742,9 @@ static int vl_method_add_netif_to_user_namespace(sd_varlink *link, sd_json_varia
          if (r < 0)
                  return r;
  
+        if (strv_length(userns_info->netifs) > USER_NAMESPACE_NETIFS_DELEGATE_MAX)
+                return sd_varlink_error(link, "io.systemd.NamespaceResource.TooManyNetworkInterfaces", NULL);
+
          /* Registering a network interface for this client is only allowed for the root or the owner of a userns */
          uid_t peer_uid;
          r = sd_varlink_get_peer_uid(link, &peer_uid);
diff --git a/src/nsresourced/userns-registry.h b/src/nsresourced/userns-registry.h

index 0a6f1c2c6eb629854d57072c6ca96280509890c9..72fe99007939f68fe93d0deaf6fce67299f35384 100644 (file)
--- a/src/nsresourced/userns-registry.h
+++ b/src/nsresourced/userns-registry.h
@@ -3,7 +3,8 @@
  
  #include "macro.h"
  
-#define USER_NAMESPACE_CGROUPS_DELEGATE_MAX 16
+#define USER_NAMESPACE_CGROUPS_DELEGATE_MAX 16U
+#define USER_NAMESPACE_NETIFS_DELEGATE_MAX 16U
  
  typedef struct UserNamespaceInfo {
          uid_t owner;
diff --git a/src/shared/varlink-io.systemd.NamespaceResource.c b/src/shared/varlink-io.systemd.NamespaceResource.c

index 40d5c82663c5113ad32e87ab5c4c82590b4c9738..60985146d4e1b679a06ea9ef69a36fade6c81caf 100644 (file)
--- a/src/shared/varlink-io.systemd.NamespaceResource.c
+++ b/src/shared/varlink-io.systemd.NamespaceResource.c
@@ -57,6 +57,7 @@ static SD_VARLINK_DEFINE_ERROR(UserNamespaceNotRegistered);
  static SD_VARLINK_DEFINE_ERROR(UserNamespaceWithoutUserRange);
  static SD_VARLINK_DEFINE_ERROR(TooManyControlGroups);
  static SD_VARLINK_DEFINE_ERROR(ControlGroupAlreadyAdded);
+static SD_VARLINK_DEFINE_ERROR(TooManyNetworkInterfaces);
  
  SD_VARLINK_DEFINE_INTERFACE(
                  io_systemd_NamespaceResource,
@@ -74,4 +75,5 @@ SD_VARLINK_DEFINE_INTERFACE(
                  &vl_error_UserNamespaceNotRegistered,
                  &vl_error_UserNamespaceWithoutUserRange,
                  &vl_error_TooManyControlGroups,
-                &vl_error_ControlGroupAlreadyAdded);
+                &vl_error_ControlGroupAlreadyAdded,
+                &vl_error_TooManyNetworkInterfaces);
author	Lennart Poettering <lennart@poettering.net>
	Mon, 10 Mar 2025 11:57:29 +0000 (12:57 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 17 Mar 2025 15:03:18 +0000 (16:03 +0100)
src/nsresourced/nsresourcework.c		patch \| blob \| blame \| history
src/nsresourced/userns-registry.h		patch \| blob \| blame \| history
src/shared/varlink-io.systemd.NamespaceResource.c		patch \| blob \| blame \| history