max connections per control group (cgroup)

Alban Crequy alban.crequy at collabora.co.uk
Wed Aug 6 07:16:27 PDT 2014


Hi,

In order to make dbus-daemon more resistant against denial-of-service issues, I
implemented a new limit that could be added in the configuration:
  <limit name="max_connections_per_cgroup">16</limit>

However, I would like feedback on whether it is a good idea or if you can think
of a better way.

dbus-daemon already has some limits on connections:
- max_completed_connections: (default|system bus)=2048 (session bus)=100000
- max_connections_per_user: (default|system bus)=256 (session bus)=100000

So a user on the system bus cannot use all connections and prevent other users
from connecting to the bus.

But this per-user granularity does not allow distinguishing between different services
running as the same user. For example, both Avahi and ConsoleKit are system
services, running as the same user root, and they connect to the system bus. If
one of them starts to use all the available connections due to a bug, the other
will not be able to connect.

With the development of cgroups and systemd, system services and session
services start in different cgroups. However, cgroups are not a security
boundary: a process can freely be moved from a cgroup to another cgroup by an
unprivileged user if the user moving the process is the same as the destination
cgroup. So max_connections_per_cgroup only gives more protection against
programmatic errors but not against malicious attacks.

The patches implementing max_connections_per_cgroup set the same limit for all
cgroups. Another possibility could be to set limits for specific services, such as
a limit for the /system.slice/bluetooth.service cgroup. But it is more complex for
no clear benefit.

Similarly, do you think a limit of connections per process would be good?

Patches on:
https://bugs.freedesktop.org/show_bug.cgi?id=81469

Alban
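
The per-cgroup accounting proposed in the message above, as an added Python example; it is not the code from the patches in the bug report. It assumes the cgroup is read from /proc/<pid>/cgroup at connect time; the unit names, the `<unknown>` bucket and the `CgroupLimiter` class are hypothetical.

```python
from collections import Counter

MAX_CONNECTIONS_PER_CGROUP = 16  # value from the <limit> element in the message

# Constructed /proc/<pid>/cgroup contents (unit names are assumptions).
AVAHI = "2:cpu,cpuacct:/\n1:name=systemd:/system.slice/avahi-daemon.service\n"
CONSOLEKIT = "0::/system.slice/console-kit-daemon.service\n"


def cgroup_path(proc_cgroup_text):
    """Extract the cgroup path from 'hierarchy-id:controllers:path' lines.

    Prefers the unified (v2) '0::path' entry, then the v1 name=systemd one.
    """
    v1_path = None
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        hierarchy, controllers, path = parts
        if hierarchy == "0" and controllers == "":
            return path
        if controllers == "name=systemd":
            v1_path = path
    return v1_path


class CgroupLimiter:
    """Per-cgroup connection accounting, keyed on the path seen at connect time.

    The key is only what the peer's cgroup was when it connected, so this
    guards against buggy services, not against a process that changes cgroup.
    """

    def __init__(self, limit=MAX_CONNECTIONS_PER_CGROUP):
        self.limit = limit
        self.counts = Counter()

    def try_connect(self, proc_cgroup_text):
        # Assumption: peers with no recognisable cgroup share one bucket.
        key = cgroup_path(proc_cgroup_text) or "<unknown>"
        if self.counts[key] >= self.limit:
            return False  # this cgroup is at its limit; others are unaffected
        self.counts[key] += 1
        return True


def demo():
    """A buggy Avahi opens 100 connections; ConsoleKit then connects once."""
    bus = CgroupLimiter()
    accepted = sum(bus.try_connect(AVAHI) for _ in range(100))
    return accepted, bus.try_connect(CONSOLEKIT)


if __name__ == "__main__":
    print(demo())  # (16, True)
```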

