From ed15589c983ee46a3a0fb1e6f348f673c2b8f2aa Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Fri, 4 Sep 2015 11:13:32 +0200 Subject: bus-proxy: increase NOFILE limit The bus-proxy manages the kdbus connections of all users on the system (regarding the system bus), hence, it needs an elevated NOFILE. Otherwise, a single user can trigger ENFILE by opening NOFILE connections to the bus-proxy. Note that the bus-proxy still does per-user accounting, indirectly via the proxy/fake API of kdbus. Hence, the effective per-user limit is not raised by this. However, we now prevent one user from consuming the whole FD limit of the shared proxy. Also note that there is no *perfect* way to set this. The proxy is a shared object, so it needs a larger NOFILE limit than the highest limit of all users. This limit can be changed dynamically, though. Hence, we cannot protect against it. However, a raised NOFILE limit is a privilege, so we just treat it as such and basically allow these privileged users to be able to consume more resources than normal users (and, maybe, cause some limits to be exceeded by this). Right now, kdbus hard-codes 1024 max connections per user on each bus. However, we *must not* rely on this. This limits could be easily dropped entirely, as the NOFILE limit is a suitable limit on its on. --- units/systemd-bus-proxyd.service.m4.in | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'units') diff --git a/units/systemd-bus-proxyd.service.m4.in b/units/systemd-bus-proxyd.service.m4.in index 64f5ac7d17..e75cdb1a59 100644 --- a/units/systemd-bus-proxyd.service.m4.in +++ b/units/systemd-bus-proxyd.service.m4.in @@ -18,3 +18,8 @@ PrivateDevices=yes PrivateNetwork=yes ProtectSystem=full ProtectHome=yes + +# The proxy manages connections of all users, so it needs an elevated file +# limit. It does proper per-user accounting (indirectly via kdbus), therefore, +# the effective per-user limits stay the same. +LimitNOFILE=16384 -- cgit v1.2.3-54-g00ecf