From 868113fa1d219a6bc0da3fe4918fdbe67682d5c5 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 21 Jun 2017 16:35:34 +0100
Subject: [PATCH] bus: Add (unused) settings for resource limits for containers

These will be enforced in subsequent commits.

Signed-off-by: Simon McVittie <smcv@collabora.com>

https://bugs.freedesktop.org/show_bug.cgi?id=101354
---
 bus/bus.c                | 20 ++++++++++++++++++++
 bus/bus.h                |  8 ++++++++
 bus/config-parser.c      | 40 ++++++++++++++++++++++++++++++++++++++--
 bus/session.conf.in      |  6 ++++++
 bus/system.conf.in       |  4 ++++
 doc/dbus-daemon.1.xml.in |  8 ++++++++
 6 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index c46dc6e6..760703bb 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1394,6 +1394,26 @@ bus_context_get_reply_timeout (BusContext *context)
   return context->limits.reply_timeout;
 }
 
+int bus_context_get_max_containers (BusContext *context)
+{
+  return context->limits.max_containers;
+}
+
+int bus_context_get_max_containers_per_user (BusContext *context)
+{
+  return context->limits.max_containers_per_user;
+}
+
+int bus_context_get_max_container_metadata_bytes (BusContext *context)
+{
+  return context->limits.max_container_metadata_bytes;
+}
+
+int bus_context_get_max_connections_per_container (BusContext *context)
+{
+  return context->limits.max_connections_per_container;
+}
+
 DBusRLimit *
 bus_context_get_initial_fd_limit (BusContext *context)
 {
diff --git a/bus/bus.h b/bus/bus.h
index c19650bd..380eaddd 100644
--- a/bus/bus.h
+++ b/bus/bus.h
@@ -66,6 +66,10 @@ typedef struct
   int max_match_rules_per_connection; /**< Max number of match rules for a single connection */
   int max_replies_per_connection;     /**< Max number of replies that can be pending for each connection */
   int reply_timeout;                  /**< How long to wait before timing out a reply */
+  int max_containers;               /**< Max number of restricted servers for app-containers*/
+  int max_containers_per_user;      /**< Max number of restricted servers for app-containers, per user */
+  int max_connections_per_container; /**< Max number of connections per restricted server */
+  int max_container_metadata_bytes; /**< Max number of bytes of metadata per restricted server */
 } BusLimits;
 
 typedef enum
@@ -123,6 +127,10 @@ int               bus_context_get_max_services_per_connection    (BusContext
 int               bus_context_get_max_match_rules_per_connection (BusContext       *context);
 int               bus_context_get_max_replies_per_connection     (BusContext       *context);
 int               bus_context_get_reply_timeout                  (BusContext       *context);
+int               bus_context_get_max_containers                 (BusContext       *context);
+int               bus_context_get_max_containers_per_user        (BusContext       *context);
+int               bus_context_get_max_container_metadata_bytes   (BusContext       *context);
+int               bus_context_get_max_connections_per_container  (BusContext       *context);
 DBusRLimit *      bus_context_get_initial_fd_limit               (BusContext       *context);
 dbus_bool_t       bus_context_get_using_syslog                   (BusContext       *context);
 void              bus_context_log                                (BusContext       *context,
diff --git a/bus/config-parser.c b/bus/config-parser.c
index 7b3aabb2..9aadd464 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -480,7 +480,10 @@ bus_config_parser_new (const DBusString      *basedir,
   else
     {
 
-      /* Make up some numbers! woot! */
+      /* Make up some numbers! woot!
+       * Please keep these hard-coded values in sync with the comments
+       * in bus/system.conf.in. */
+
       parser->limits.max_incoming_bytes = _DBUS_ONE_MEGABYTE * 127;
       parser->limits.max_outgoing_bytes = _DBUS_ONE_MEGABYTE * 127;
       parser->limits.max_message_size = _DBUS_ONE_MEGABYTE * 32;
@@ -513,12 +516,21 @@ bus_config_parser_new (const DBusString      *basedir,
       
       parser->limits.max_incomplete_connections = 64;
       parser->limits.max_connections_per_user = 256;
+      parser->limits.max_containers_per_user = 16;
       
       /* Note that max_completed_connections / max_connections_per_user
        * is the number of users that would have to work together to
-       * DOS all the other users.
+       * DOS all the other users. The same applies to containers.
        */
       parser->limits.max_completed_connections = 2048;
+      parser->limits.max_containers = 512;
+      /* Similarly max_connections_per_user / max_connections_per_container
+       * is the number of app-containers per user that would have to work
+       * together to DoS all the other processes of that user */
+      parser->limits.max_connections_per_container = 8;
+      /* Someone trying to do a denial of service attack can make us store
+       * this much data per app-container */
+      parser->limits.max_container_metadata_bytes = 4096;
       
       parser->limits.max_pending_activations = 512;
       parser->limits.max_services_per_connection = 512;
@@ -2093,6 +2105,30 @@ set_limit (BusConfigParser *parser,
       must_be_int = TRUE;
       parser->limits.max_replies_per_connection = value;
     }
+  else if (strcmp (name, "max_containers") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_containers = value;
+    }
+  else if (strcmp (name, "max_containers_per_user") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_containers_per_user = value;
+    }
+  else if (strcmp (name, "max_container_metadata_bytes") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_container_metadata_bytes = value;
+    }
+  else if (strcmp (name, "max_connections_per_container") == 0)
+    {
+      must_be_positive = TRUE;
+      must_be_int = TRUE;
+      parser->limits.max_connections_per_container = value;
+    }
   else
     {
       dbus_set_error (error, DBUS_ERROR_FAILED,
diff --git a/bus/session.conf.in b/bus/session.conf.in
index affa7f1d..ace073c9 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -76,5 +76,11 @@
   <limit name="max_names_per_connection">50000</limit>
   <limit name="max_match_rules_per_connection">50000</limit>
   <limit name="max_replies_per_connection">50000</limit>
+  <limit name="max_containers">10000</limit>
+  <limit name="max_containers_per_user">10000</limit>
+  <limit name="max_container_metadata_bytes">1000000000</limit>
+  <!-- This is relatively low so that app-containers (which we do not fully
+       trust) do not cause DoS. -->
+  <limit name="max_connections_per_container">16</limit>
 
 </busconfig>
diff --git a/bus/system.conf.in b/bus/system.conf.in
index f139b557..2ca4ae58 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -124,6 +124,10 @@
   <!-- <limit name="max_names_per_connection">512</limit> -->
   <!-- <limit name="max_match_rules_per_connection">512</limit> -->
   <!-- <limit name="max_replies_per_connection">128</limit> -->
+  <!-- <limit name="max_containers">512</limit> -->
+  <!-- <limit name="max_containers_per_user">16</limit> -->
+  <!-- <limit name="max_container_metadata_bytes">4096</limit> -->
+  <!-- <limit name="max_connections_per_container">8</limit> -->
 
   <!-- Config files are placed here that among other things, punch 
        holes in the above policy for specific services. -->
diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index a9a46eef..da899a85 100644
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -749,6 +749,14 @@ Available limit names are:</para>
                                      (number of calls-in-progress)
       "reply_timeout"              : milliseconds (thousandths)
                                      until a method call times out
+      "max_containers"             : max number of restricted servers for use
+                                     in app-containers, in total
+      "max_containers_per_user"    : max number of app-containers per Unix uid
+      "max_container_metadata_bytes": max number of bytes of metadata to store
+                                      for each app-container
+      "max_connections_per_container": max number of (authenticated or
+                                       unauthenticated) connections to each
+                                       app-container
 </literallayout> <!-- .fi -->
 
 
-- 
2.13.3