[PATCH] lockdown: ratelimit denial messages

Paul Moore paul at paul-moore.com
Fri Sep 9 14:05:30 UTC 2022 

On Thu, Sep 8, 2022 at 6:02 PM Nathan Lynch <nathanl at linux.ibm.com> wrote:
>
> User space can flood the log with lockdown denial messages:
>
> [  662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [  662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [  662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [  662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [  662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
> [  662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
>
> Ratelimiting these shouldn't meaningfully degrade the quality of the
> information logged.
>
> Signed-off-by: Nathan Lynch <nathanl at linux.ibm.com>
> ---
>  security/lockdown/lockdown.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

This seems reasonable.  While the last visible lockdown message to the
console might be incorrect/old, I think it would give the user a good
indication that lockdown is being hit and hopefully preserve the start
of the denial storm.  It is also worth noting that this does introduce
a spinlock to this code path, but since it is only an issue on error I
doubt it will have any significant impact.

I'll leave this until next week to give people a chance to
comment/object, but if there are no further comments I'll plan on
merging this into lsm/next.

> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 87cbdc64d272..a79b985e917e 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -63,7 +63,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
>
>         if (kernel_locked_down >= what) {
>                 if (lockdown_reasons[what])
> -                       pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> +                       pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
>                                   current->comm, lockdown_reasons[what]);
>                 return -EPERM;
>         }
> --
> 2.37.1

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list