From: Lennart Poettering
Date: Mon, 10 Mar 2025 11:57:29 +0000 (+0100)
Subject: nsresourced: put a limit on delegated network interfaces too
X-Git-Tag: v258-rc1~1062^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2c43674a73858de17e7e6bfa615b4aab448ba62;p=thirdparty%2Fsystemd.git

nsresourced: put a limit on delegated network interfaces too
---

diff --git a/src/nsresourced/nsresourcework.c b/src/nsresourced/nsresourcework.c
index eda2d143528..86d1428ccc8 100644
--- a/src/nsresourced/nsresourcework.c
+++ b/src/nsresourced/nsresourcework.c
@@ -1742,6 +1742,9 @@ static int vl_method_add_netif_to_user_namespace(sd_varlink *link, sd_json_varia
 if (r < 0)
 return r;
 
+ if (strv_length(userns_info->netifs) > USER_NAMESPACE_NETIFS_DELEGATE_MAX)
+ return sd_varlink_error(link, "io.systemd.NamespaceResource.TooManyNetworkInterfaces", NULL);
+
 /* Registering a network interface for this client is only allowed for the root or the owner of a userns */
 uid_t peer_uid;
 r = sd_varlink_get_peer_uid(link, &peer_uid);
diff --git a/src/nsresourced/userns-registry.h b/src/nsresourced/userns-registry.h
index 0a6f1c2c6eb..72fe9900793 100644
--- a/src/nsresourced/userns-registry.h
+++ b/src/nsresourced/userns-registry.h
@@ -3,7 +3,8 @@
 
 #include "macro.h"
 
-#define USER_NAMESPACE_CGROUPS_DELEGATE_MAX 16
+#define USER_NAMESPACE_CGROUPS_DELEGATE_MAX 16U
+#define USER_NAMESPACE_NETIFS_DELEGATE_MAX 16U
 
 typedef struct UserNamespaceInfo {
 uid_t owner;
diff --git a/src/shared/varlink-io.systemd.NamespaceResource.c b/src/shared/varlink-io.systemd.NamespaceResource.c
index 40d5c82663c..60985146d4e 100644
--- a/src/shared/varlink-io.systemd.NamespaceResource.c
+++ b/src/shared/varlink-io.systemd.NamespaceResource.c
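Review bot: The new limit check in vl_method_add_netif_to_user_namespace() compares with `>`, so a namespace that already holds exactly USER_NAMESPACE_NETIFS_DELEGATE_MAX interfaces still passes and, assuming the interface is appended later in the function (outside this hunk), ends up with one more than the stated maximum. If 16 is meant as a hard cap, the condition should be `if (strv_length(userns_info->netifs) >= USER_NAMESPACE_NETIFS_DELEGATE_MAX)`. The check also runs before the peer-UID ownership test that follows it, so a caller who is neither root nor the owner receives TooManyNetworkInterfaces rather than a permission error when the namespace is full; placing the limit check after the authorization test would avoid disclosing that state. The function body starts and ends outside the hunk.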
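Review bot: USER_NAMESPACE_NETIFS_DELEGATE_MAX is added without a comment saying what it bounds, and the enforcement site counts entries on a single `userns_info`, so the scope is per user namespace rather than per client. A one-line comment above the define would record that, e.g. `/* Max. number of network interfaces that may be delegated to a single user namespace */`. The `U` suffix presumably exists to keep the comparison with the strv_length() result unsigned on both sides, so it should be preserved if the value is ever changed.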
@@ -57,6 +57,7 @@ static SD_VARLINK_DEFINE_ERROR(UserNamespaceNotRegistered);
 static SD_VARLINK_DEFINE_ERROR(UserNamespaceWithoutUserRange);
 static SD_VARLINK_DEFINE_ERROR(TooManyControlGroups);
 static SD_VARLINK_DEFINE_ERROR(ControlGroupAlreadyAdded);
+static SD_VARLINK_DEFINE_ERROR(TooManyNetworkInterfaces);
 
 SD_VARLINK_DEFINE_INTERFACE(
 io_systemd_NamespaceResource,
@@ -74,4 +75,5 @@ SD_VARLINK_DEFINE_INTERFACE(
 &vl_error_UserNamespaceNotRegistered,
 &vl_error_UserNamespaceWithoutUserRange,
 &vl_error_TooManyControlGroups,
- &vl_error_ControlGroupAlreadyAdded);
+ &vl_error_ControlGroupAlreadyAdded,
+ &vl_error_TooManyNetworkInterfaces);