RE: [PATCH 1/2] fs/efivarfs: restrict inode permissions

From: Luck, Tony
Date: Wed Feb 21 2018 - 14:59:01 EST

Next message: Brijesh Singh: "Re: [PATCH] KVM: SVM: Fix sparse: incorrect type in argument 1 (different base types)"
Previous message: Alexey Dobriyan: "Re: [PATCH] fs: proc: use down_read_killable in proc_pid_cmdline_read()"
In reply to: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Next in thread: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> It's not about slowing down.
>
> It's about "user Xyz is messing with the system and reading efi vars
> all the time" resulting in "user 'torvalds' is installing a kernel,
> and actually wants to read efi vars, but can't".
>
> if you don't make it per-user, you're just replacing one DoS attack
> with another one!

How are you envisioning this rate-limiting to be implemented? Are
you going to fail an EFI call if the rate is too high? I'm thinking that
we just add a delay to each call so that we can't exceed the limit.
That means your kernel install will complete, just slower than it
would without the delays.

I think I want a small random delay anyway to prevent users from
causing an SMI at the precise moment of their choosing.

-Tony

Next message: Brijesh Singh: "Re: [PATCH] KVM: SVM: Fix sparse: incorrect type in argument 1 (different base types)"
Previous message: Alexey Dobriyan: "Re: [PATCH] fs: proc: use down_read_killable in proc_pid_cmdline_read()"
In reply to: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Next in thread: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]