CVE-2014-7824: set fd rlimit to 64k for the system dbus-daemon

This ensures that our rlimit is actually high enough to avoid the denial of service described in CVE-2014-3636 part A. CVE-2014-7824 has been allocated for this incomplete fix. Restore the original rlimit for activated services, to avoid them getting undesired higher limits. (Thanks to Alban Crequy for various adjustments which have been included in this commit.) Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
author: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-11-04 14:41:54 +0000
committer: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-11-06 15:31:07 +0000
commit: 4e466446d27f1a3991c22307a47a81c9e93e530d (patch)
tree: 5e5b27972b0246ef93f9baab230cdfb042dba8e6 /bus/activation.c
parent: 8874d3a0c57c0cae97cbe426e3686936da53f649 (diff)
1 files changed, 27 insertions, 1 deletions
diff --git a/bus/activation.c b/bus/activation.c
index 149cca8a..ecd19bb4 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -1688,6 +1688,31 @@ out:
   return retval;
 }
 
+static void
+child_setup (void *user_data)
+{
+#ifdef DBUS_UNIX
+  BusActivation *activation = user_data;
+  DBusRLimit *initial_fd_limit;
+  DBusError error;
+
+  dbus_error_init (&error);
+  initial_fd_limit = bus_context_get_initial_fd_limit (activation->context);
+
+  if (initial_fd_limit != NULL &&
+      !_dbus_rlimit_restore_fd_limit (initial_fd_limit, &error))
+    {
+      /* unfortunately we don't actually know the service name here */
+      bus_context_log (activation->context,
+                       DBUS_SYSTEM_LOG_INFO,
+                       "Failed to reset fd limit before activating "
+                       "service: %s: %s",
+                       error.name, error.message);
+    }
+#endif
+}
+
+
 dbus_bool_t
 bus_activation_activate_service (BusActivation  *activation,
                                  DBusConnection *connection,
@@ -2121,7 +2146,8 @@ bus_activation_activate_service (BusActivation  *activation,
                                           service_name,
                                           argv,
                                           envp,
-                                          NULL, activation,
+                                          child_setup,
+                                          activation,
                                           &tmp_error))
     {
       _dbus_verbose ("Failed to spawn child\n");
author	Simon McVittie <simon.mcvittie@collabora.co.uk>	2014-11-04 14:41:54 +0000
committer	Simon McVittie <simon.mcvittie@collabora.co.uk>	2014-11-06 15:31:07 +0000
commit	4e466446d27f1a3991c22307a47a81c9e93e530d (patch)
tree	5e5b27972b0246ef93f9baab230cdfb042dba8e6 /bus/activation.c
parent	8874d3a0c57c0cae97cbe426e3686936da53f649 (diff)