author | Nathan Lynch | 2022-09-08 17:02:22 -0500 |
---|---|---|
committer | Paul Moore | 2022-09-14 07:37:50 -0400 |
commit | 1e7d8bcbe37d3c63babe628443f13f77970dd06b (patch) | |
tree | b8dfa6b6f58903a95d47781a42815da1930078a1 | |
parent | abec3d015fdfb7c63105c7e1c956188bf381aa55 (diff) |
lockdown: ratelimit denial messages
User space can flood the log with lockdown denial messages:
[ 662.555584] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[ 662.563237] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[ 662.571134] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[ 662.578668] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[ 662.586021] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
[ 662.593398] Lockdown: bash: debugfs access is restricted; see man kernel_lockdown.7
Ratelimiting these shouldn't meaningfully degrade the quality of the
information logged.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | security/lockdown/lockdown.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 87cbdc64d272..a79b985e917e 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -63,7 +63,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what) if (kernel_locked_down >= what) { if (lockdown_reasons[what]) - pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", + pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", current->comm, lockdown_reasons[what]); return -EPERM; } |
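Review bot: the single pr_notice_ratelimited() call in lockdown_is_locked_down() shares one rate-limit state across every value of `what` and every task, because the printk *_ratelimited macros keep a static per-call-site state. A flood of one denial type, such as the debugfs messages quoted in the commit message, can therefore suppress the log line for an unrelated denial (a different lockdown_reasons[what] entry or a different current->comm) that falls in the same window. The `return -EPERM` path is untouched, so enforcement is unaffected; only the log record is lost. Suggest stating this trade-off in the commit message, and considering a rate-limit state per lockdown reason if denials are expected to be used for detection. Anyone reading these logs should treat the kernel's "callbacks suppressed" line for this function as a sign that denials were dropped.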