max connections per control group (cgroup)

Alban Crequy alban.crequy at collabora.co.uk
Thu Aug 14 05:04:35 PDT 2014


On Wed, 13 Aug 2014 19:06:42 +0200
Lennart Poettering <mzqohf at 0pointer.de> wrote:

> On Wed, 06.08.14 15:16, Alban Crequy (alban.crequy at collabora.co.uk)
> wrote:
> 
> > Hi,
> > 
> > In order to make dbus-daemon more resistant against
> > denial-of-service issues, I implemented a new limit that could be
> > added in the configuration: <limit
> > name="max_connections_per_cgroup">16</limit>
> 
> Currently there's no way to racefreely acquire the cgroup path
> really. While acquiring it racefully is OK for purely informational
> purposes it sounds weird actually binding policy to it...

I'm not sure I understand the race correctly:

sd_pid_get_unit() reads /proc/<pid>/cgroup in a similar way to my
patches and it finds the line with name=systemd. Is there something
in sd_pid_get_unit() which makes it race-free?

By the way, are sd_pid_get_unit() / sd_pid_get_user_unit() used
somewhere for binding policy so far? I'm wondering if the parsing is
safe: http://thread.gmane.org/gmane.linux.kernel.cgroups/11676

Alban


More information about the dbus mailing list