Description
Let us assume that two compartments, A and B, use the network stack to create TCP connections.
Compartment A can prevent compartment B from establishing new network connections by using up all the TCP connection slots in the network stack.
This number (the maximum number of concurrent TCP connections) is quite limited in practice, typically <10, for memory usage reasons, see 86655f6#diff-2ac1b26f6aca4a80627e284a1d72685579cf5f4deafad7a45ae565abd0cbcde4.
The problem stems from the fact that connection capabilities do not come with a limit on how many times they can be used: compartment A can call network_socket_connect_tcp as many times as it wants to exhaust the maximum number of concurrent TCP connections.
A potential solution would be to have users declare a maximum number of concurrent TCP connections in the connection capability and use that as a counter: decrement it on each connection, and when it reaches zero, further calls to network_socket_connect_tcp fail. One difficulty is that the counter would need to be incremented again on network_socket_close, at which point we no longer have access to the connection capability.
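The proposed per-capability counter, as an added plain-C model that is not the CHERIoT network stack's own code: `ConnectionCapability`, `tcp_connect`, `tcp_close` and `MAX_TCP_SOCKETS` are hypothetical names, and the model goes one step beyond the issue by recording the owning capability in the socket slot at connect time so that the close path can refund the quota without being handed the capability again (an assumption about a possible design, not something the issue states).

```c
/* Added illustration, not CHERIoT network-stack code: a plain-C model of the proposed
 * per-capability quota on concurrent TCP connections.  All names are hypothetical and
 * MAX_TCP_SOCKETS is a constructed value standing in for the stack's slot limit. */
#include <stdbool.h>

#define MAX_TCP_SOCKETS 8 /* stack-wide limit on concurrent TCP connections (constructed) */

typedef struct {
    unsigned max_connections; /* quota declared when the capability is created */
    unsigned in_use;          /* open connections currently charged to this capability */
} ConnectionCapability;

typedef struct {
    bool open;
    ConnectionCapability *owner; /* recorded at connect so close can refund the quota */
} TcpSocket;

static TcpSocket sockets[MAX_TCP_SOCKETS];

void reset_sockets(void) { for (unsigned i = 0; i < MAX_TCP_SOCKETS; i++) sockets[i] = (TcpSocket){0}; }

/* Returns a socket index, or -1 if the caller's quota or the stack's slots are exhausted. */
int tcp_connect(ConnectionCapability *cap)
{
    if (cap->in_use >= cap->max_connections)
        return -1; /* quota spent: this compartment cannot take further slots */
    for (unsigned i = 0; i < MAX_TCP_SOCKETS; i++) {
        if (!sockets[i].open) {
            sockets[i] = (TcpSocket){ .open = true, .owner = cap };
            cap->in_use++;
            return (int)i;
        }
    }
    return -1; /* every stack-wide slot is already in use */
}

/* Refunds the quota through the socket's recorded owner, so the close path does not
 * need the connection capability passed to it again. */
bool tcp_close(int fd)
{
    if (fd < 0 || fd >= MAX_TCP_SOCKETS || !sockets[fd].open)
        return false;
    sockets[fd].owner->in_use--;
    sockets[fd] = (TcpSocket){0};
    return true;
}

/* Tries `attempts` connects with one capability and returns how many succeeded. */
unsigned count_successful_connects(ConnectionCapability *cap, unsigned attempts)
{
    unsigned ok = 0;
    for (unsigned i = 0; i < attempts; i++)
        if (tcp_connect(cap) >= 0) ok++;
    return ok;
}
```

With quotas summing to no more than MAX_TCP_SOCKETS, no single compartment can starve another; a capability whose quota equals the slot limit reproduces the original exhaustion.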