UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

lockdown: ratelimit denial messages 

User space can flood the log with lockdown denial messages:

[  662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[  662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7

Ratelimiting these shouldn't meaningfully degrade the quality of the
information logged.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Nathan Lynch 2022-09-08 17:02:22 -05:00 committed by Paul Moore
parent abec3d015f
commit 1e7d8bcbe3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/lockdown/lockdown.c
View File

@ -63,7 +63,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
if (kernel_locked_down >= what) { if (kernel_locked_down >= what) {
if (lockdown_reasons[what]) if (lockdown_reasons[what])
pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
current->comm, lockdown_reasons[what]); current->comm, lockdown_reasons[what]);
return -EPERM; return -EPERM;
} }