From: Simon McVittie Date: Wed, 21 Jun 2017 15:35:34 +0000 (+0100) Subject: bus: Add (unused) settings for resource limits for containers X-Git-Tag: dbus-1.13.0~57^2~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=913ea94c2211523fa5917e50a42935dbd424e5d8;p=thirdparty%2Fdbus.git bus: Add (unused) settings for resource limits for containers These will be enforced in subsequent commits. Reviewed-by: Philip Withnall [smcv: Fix whitespace] Signed-off-by: Simon McVittie Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354 --- diff --git a/bus/bus.c b/bus/bus.c index b0a71f67a..a6f8db475 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1397,6 +1397,26 @@ bus_context_get_reply_timeout (BusContext *context) return context->limits.reply_timeout; } +int bus_context_get_max_containers (BusContext *context) +{ + return context->limits.max_containers; +} + +int bus_context_get_max_containers_per_user (BusContext *context) +{ + return context->limits.max_containers_per_user; +} + +int bus_context_get_max_container_metadata_bytes (BusContext *context) +{ + return context->limits.max_container_metadata_bytes; +} + +int bus_context_get_max_connections_per_container (BusContext *context) +{ + return context->limits.max_connections_per_container; +} + DBusRLimit * bus_context_get_initial_fd_limit (BusContext *context) { diff --git a/bus/bus.h b/bus/bus.h index 5492af24e..8f96222f6 100644 --- a/bus/bus.h +++ b/bus/bus.h 
@@ -66,6 +66,10 @@ typedef struct int max_match_rules_per_connection; /**< Max number of match rules for a single connection */ int max_replies_per_connection; /**< Max number of replies that can be pending for each connection */ int reply_timeout; /**< How long to wait before timing out a reply */ + int max_containers; /**< Max number of restricted servers for app-containers */ + int max_containers_per_user; /**< Max number of restricted servers for app-containers, per user */ + int max_connections_per_container; /**< Max number of connections per restricted server */ + int max_container_metadata_bytes; /**< Max number of bytes of metadata per restricted server */ } BusLimits; typedef enum @@ -123,6 +127,10 @@ int bus_context_get_max_services_per_connection (BusContext int bus_context_get_max_match_rules_per_connection (BusContext *context); int bus_context_get_max_replies_per_connection (BusContext *context); int bus_context_get_reply_timeout (BusContext *context); +int bus_context_get_max_containers (BusContext *context); +int bus_context_get_max_containers_per_user (BusContext *context); +int bus_context_get_max_container_metadata_bytes (BusContext *context); +int bus_context_get_max_connections_per_container (BusContext *context); DBusRLimit * bus_context_get_initial_fd_limit (BusContext *context); dbus_bool_t bus_context_get_using_syslog (BusContext *context); void bus_context_log (BusContext *context, diff --git a/bus/config-parser.c b/bus/config-parser.c index c99a71709..f49ab1dca 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c 
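Review bot: The four new `BusLimits` fields in the first bus/bus.h hunk are plain `int`, and their doc comments do not say whether zero or a negative value can occur, which will matter for `max_container_metadata_bytes` once it is compared against a length. The set_limit branches added in this same commit flag all four as `must_be_positive` and `must_be_int`, presumably rejecting negatives in a check outside that hunk, so the comment could record the invariant, e.g. `/**< Max number of bytes of metadata per restricted server; validated non-negative by set_limit */`. The comments also say "restricted servers" where the field names, getters and man page text say "containers"; using one term, or defining the equivalence once, would make the limits easier to audit. The struct begins outside the hunk.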
@@ -481,7 +481,10 @@ bus_config_parser_new (const DBusString *basedir, else { - /* Make up some numbers! woot! */ + /* Make up some numbers! woot! + * Please keep these hard-coded values in sync with the comments + * in bus/system.conf.in. */ + parser->limits.max_incoming_bytes = _DBUS_ONE_MEGABYTE * 127; parser->limits.max_outgoing_bytes = _DBUS_ONE_MEGABYTE * 127; parser->limits.max_message_size = _DBUS_ONE_MEGABYTE * 32; @@ -514,12 +517,21 @@ bus_config_parser_new (const DBusString *basedir, parser->limits.max_incomplete_connections = 64; parser->limits.max_connections_per_user = 256; + parser->limits.max_containers_per_user = 16; /* Note that max_completed_connections / max_connections_per_user * is the number of users that would have to work together to - * DOS all the other users. + * DOS all the other users. The same applies to containers. */ parser->limits.max_completed_connections = 2048; + parser->limits.max_containers = 512; + /* Similarly max_connections_per_user / max_connections_per_container + * is the number of app-containers per user that would have to work + * together to DoS all the other processes of that user */ + parser->limits.max_connections_per_container = 8; + /* Someone trying to do a denial of service attack can make us store + * this much data per app-container */ + parser->limits.max_container_metadata_bytes = 4096; parser->limits.max_pending_activations = 512; parser->limits.max_services_per_connection = 512; 
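Review bot: The new comment in the second bus/config-parser.c hunk gives `max_connections_per_user / max_connections_per_container` as the number of one user's app-containers that must cooperate to exhaust that user's connections, which is 256 / 8 = 32 with these defaults, yet `max_containers_per_user` is 16, so by these numbers a user's containers reach at most 16 × 8 = 128 connections. If that headroom is deliberate, the comment should say so, because it is the property an administrator has to preserve when tuning the values (enforcement is not part of this commit, so how the limits interact is inferred). `max_containers_per_user = 16` also sits between `max_connections_per_user = 256` and the comment explaining the connection ratio; placing it beside `max_containers = 512` would keep each ratio next to its two operands. For the metadata limit, consider stating the aggregate bound as well: `/* worst case: max_containers * max_container_metadata_bytes = 2 MiB */`. bus_config_parser_new starts and ends outside both hunks.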
@@ -2177,6 +2189,30 @@ set_limit (BusConfigParser *parser, must_be_int = TRUE; parser->limits.max_replies_per_connection = value; } + else if (strcmp (name, "max_containers") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_containers = value; + } + else if (strcmp (name, "max_containers_per_user") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_containers_per_user = value; + } + else if (strcmp (name, "max_container_metadata_bytes") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_container_metadata_bytes = value; + } + else if (strcmp (name, "max_connections_per_container") == 0) + { + must_be_positive = TRUE; + must_be_int = TRUE; + parser->limits.max_connections_per_container = value; + } else { dbus_set_error (error, DBUS_ERROR_FAILED, diff --git a/bus/session.conf.in b/bus/session.conf.in index affa7f1d9..ace073c95 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -76,5 +76,11 @@ 50000 50000 50000 + 10000 + 10000 + 1000000000 + + 16 diff --git a/bus/system.conf.in b/bus/system.conf.in index f139b5576..2ca4ae581 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -124,6 +124,10 @@ + + + + diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index b029232d9..6368464f9 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -749,6 +749,14 @@ Available limit names are: (number of calls-in-progress) "reply_timeout" : milliseconds (thousandths) until a method call times out + "max_containers" : max number of restricted servers for use + in app-containers, in total + "max_containers_per_user" : max number of app-containers per Unix uid + "max_container_metadata_bytes": max number of bytes of metadata to store + for each app-container + "max_connections_per_container": max number of (authenticated or + unauthenticated) connections to each + app-container
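Review bot: Each of the four new set_limit branches writes `value` into an `int` field before any range check is visible, so `must_be_positive` and `must_be_int` are only flags at the point of the narrowing assignment; the check that acts on them is presumably after the else-chain, outside this hunk. This follows the existing max_replies_per_connection branch shown as context, but it leaves a possibly truncated value in `parser->limits` on the failure path, so it relies on callers discarding the parser when set_limit fails. It is also not visible here whether `must_be_positive` rejects 0; for `max_containers` and `max_connections_per_container` the man page entries should say whether 0 is accepted and what it means, since that is the value an administrator would try in order to switch the feature off.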