Re: [PATCH] lockdown: ratelimit denial messages
From: Paul Moore
Date: Wed Sep 14 2022 - 07:43:44 EST
On Fri, Sep 9, 2022 at 10:05 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Sep 8, 2022 at 6:02 PM Nathan Lynch <nathanl@xxxxxxxxxxxxx> wrote:
> >
> > User space can flood the log with lockdown denial messages:
> >
> > [ 662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> > [ 662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> > [ 662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> > [ 662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> > [ 662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> > [ 662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> >
> > Ratelimiting these shouldn't meaningfully degrade the quality of the
> > information logged.
> >
> > Signed-off-by: Nathan Lynch <nathanl@xxxxxxxxxxxxx>
> > ---
> > security/lockdown/lockdown.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> This seems reasonable. While the last visible lockdown message to the
> console might be incorrect/old, I think it would give the user a good
> indication that lockdown is being hit and hopefully preserve the start
> of the denial storm. It is also worth noting that this does introduce
> a spinlock to this code path, but since it is only an issue on error I
> doubt it will have any significant impact.
>
> I'll leave this until next week to give people a chance to
> comment/object, but if there are no further comments I'll plan on
> merging this into lsm/next.
Now merged into lsm/next, thanks!
--
paul-moore.com