| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Sep 2022 10:05:30 -0400
From: Paul Moore <paul@...l-moore.com>
To: Nathan Lynch <nathanl@...ux.ibm.com>
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, jmorris@...ei.org, serge@...lyn.com
Subject: Re: [PATCH] lockdown: ratelimit denial messages
On Thu, Sep 8, 2022 at 6:02 PM Nathan Lynch <nathanl@...ux.ibm.com> wrote:
>
> User space can flood the log with lockdown denial messages:
>
> [ 662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [ 662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [ 662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [ 662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [ 662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [ 662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
>
> Ratelimiting these shouldn't meaningfully degrade the quality of the
> information logged.
>
> Signed-off-by: Nathan Lynch <nathanl@...ux.ibm.com>
> ---
> security/lockdown/lockdown.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
This seems reasonable. While the last visible lockdown message to the
console might be incorrect/old, I think it would give the user a good
indication that lockdown is being hit and hopefully preserve the start
of the denial storm. It is also worth noting that this does introduce
a spinlock to this code path, but since it is only an issue on error I
doubt it will have any significant impact.
I'll leave this until next week to give people a chance to
comment/object, but if there are no further comments I'll plan on
merging this into lsm/next.
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 87cbdc64d272..a79b985e917e 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -63,7 +63,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
>
> if (kernel_locked_down >= what) {
> if (lockdown_reasons[what])
> - pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> + pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> current->comm, lockdown_reasons[what]);
> return -EPERM;
> }
> --
> 2.37.1
--
paul-moore.com
Powered by blists - more mailing lists