bus-proxy: increase NOFILE limit

The bus-proxy manages the kdbus connections of all users on the system
(regarding the system bus), hence, it needs an elevated NOFILE.
Otherwise, a single user can trigger ENFILE by opening NOFILE connections
to the bus-proxy.

Note that the bus-proxy still does per-user accounting, indirectly via
the proxy/fake API of kdbus. Hence, the effective per-user limit is not
raised by this. However, we now prevent one user from consuming the whole
FD limit of the shared proxy.

Also note that there is no *perfect* way to set this. The proxy is a
shared object, so it needs a larger NOFILE limit than the highest limit
of all users. This limit can be changed dynamically, though. Hence, we
cannot protect against it. However, a raised NOFILE limit is a privilege,
so we just treat it as such and basically allow these privileged users to
be able to consume more resources than normal users (and, maybe, cause
some limits to be exceeded by this).

Right now, kdbus hard-codes 1024 max connections per user on each bus.
However, we *must not* rely on this. This limits could be easily dropped
entirely, as the NOFILE limit is a suitable limit on its on.

diff --git a/units/systemd-bus-proxyd.service.m4.in b/units/systemd-bus-proxyd.service.m4.in
index 64f5ac7d17a892876240f8efe2aa37c1d09a8b7a..e75cdb1a597c79d513589dd258f7fbf0ed1cfd40 100644 (file)
--- a/units/systemd-bus-proxyd.service.m4.in
+++ b/units/systemd-bus-proxyd.service.m4.in
@@ -18,3 +18,8 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=full
 ProtectHome=yes
+
+# The proxy manages connections of all users, so it needs an elevated file
+# limit. It does proper per-user accounting (indirectly via kdbus), therefore,
+# the effective per-user limits stay the same.
+LimitNOFILE=16384