lockdown: ratelimit denial messages
User space can flood the log with lockdown denial messages:

[  662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7

Ratelimiting these shouldn't meaningfully degrade the quality of the
information logged.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
nathanlynch authored and pcmoore committed Sep 14, 2022
1 parent abec3d0 commit 1e7d8bc
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion security/lockdown/lockdown.c
Expand Up @@ -63,7 +63,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)

if (kernel_locked_down >= what) {
if (lockdown_reasons[what])
pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
current->comm, lockdown_reasons[what]);
return -EPERM;
}
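Review bot: the single `pr_notice_ratelimited()` call site in `lockdown_is_locked_down()` gives every lockdown reason and every `current->comm` one shared ratelimit budget, so a process that floods one denial (the debugfs case in the commit message) can also suppress the notice for an unrelated denial raised in the same interval. `pr_notice_ratelimited()` keeps its state per call site with the default interval and burst, and the suppression summary printed afterwards reports only a count, not which `lockdown_reasons[what]` entries were dropped. If these notices are meant to serve as a record of what was denied, consider keeping a ratelimit state per reason, or at least state in the commit message that cross-reason suppression is an accepted trade-off. The `-EPERM` return is outside the ratelimited call, so enforcement itself is unaffected.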