Received: by 10.223.185.116 with SMTP id b49csp1085334wrg; Wed, 21 Feb 2018 11:51:38 -0800 (PST) X-Google-Smtp-Source: AH8x227V1ef1TKe8KqGY31o7TgYf8Mp6hT/Fxo/A/Tu/0a3iE/DiQd+DTrJCbcIQP3jh+vEM9hct X-Received: by 10.98.0.67 with SMTP id 64mr4296972pfa.63.1519242698265; Wed, 21 Feb 2018 11:51:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519242698; cv=none; d=google.com; s=arc-20160816; b=VDbuM9SaFATGkeluP1FtVQN9hHSDp4f76J7z0nJ7D9dERttJ1slzN9aoy83VQ7WQqu rVTGvoSMuDikZcXVa7KZjcliXUXAewQkminXbiNVXTrz2fMdcaV3pU+SyUWl78YYorpb wz9pBmQzPAax79dM0Ef/xykOtsEzavVLCRlpoM6i68GcmQcJ9+6BgSImyqw+4K36GW/z EjxXuP2O4icgb7Crh5txEISbjxKyvME1RGOMswlwRgMhIXgUETlvQquTW/GtCdOXkZ1t 1ip9BuqCwUhT55L+WWvQ4HPwlO67rMwXnMg+8ZTDUaLKdLk6FZku7qZGImoikQZvuTWf kehw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=HLK+oXi3Ld2sTR1d5f1n9nfSpLSC/ua328193R8uzyM=; b=MDIEuHm62751QArc2m7WpSm1PfGDp/O9lG9BQJCtkOv12Mr1skJ33Y2V0FhCXkj8Xj VLE4zZtohQ+iYrRJJaDzPCAJQFNuqVbE0B4IAFfU4NgA5G41Q7dur0Pc5QgJ+Z9SMrGp vWoeBRqSRc1bz2CjS/UygJ0NW/Kvr6dJ0qcf2oOxoNZqh4wwe8IQ4dZFfpzkdevif+v2 cwJMjGgAxIzSaFNyzExaD8Sikb5IyVkm7cr8h/whFwcy4j8ibpNX3h2pSjlpoLbVaUO2 hjAcn7T72n3kYJlfEXngpZX4EkkZSQR7nATizpgHu4rPMxhA+cMjAtWzFeAE9RyOdEks UaJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62-v6si1253421pld.136.2018.02.21.11.51.24; Wed, 21 Feb 2018 11:51:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751366AbeBUTri (ORCPT + 99 others); Wed, 21 Feb 2018 14:47:38 -0500 Received: from mga04.intel.com ([192.55.52.120]:23493 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751053AbeBUTrg (ORCPT ); Wed, 21 Feb 2018 14:47:36 -0500 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Feb 2018 11:47:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,375,1515484800"; d="scan'208";a="32537889" Received: from agluck-desk.sc.intel.com (HELO agluck-desk) ([10.3.52.160]) by fmsmga001.fm.intel.com with ESMTP; 21 Feb 2018 11:47:35 -0800 Date: Wed, 21 Feb 2018 11:47:32 -0800 From: "Luck, Tony" To: Andi Kleen Cc: Linus Torvalds , Ard Biesheuvel , Joe Konno , "linux-efi@vger.kernel.org" , Linux Kernel Mailing List , Matthew Garrett , Jeremy Kerr , Matthew Garrett , Peter Jones , Andy Lutomirski , James Bottomley Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions Message-ID: <20180221194731.t7jowrmicvaggu3x@agluck-desk> References: <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org> <20180220211849.fqjb6rdmypl6opir@agluck-desk> <20180220233008.55rfm7zw62hrao5p@agluck-desk> <3908561D78D1C84285E8C5FCA982C28F7B37DE1B@ORSMSX110.amr.corp.intel.com> <20180221182104.GI3231@tassilo.jf.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180221182104.GI3231@tassilo.jf.intel.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 21, 2018 at 10:21:04AM -0800, Andi Kleen wrote: > > But it should be fairly easy to just add a 'struct ratelimit_state' to > > 'struct user_struct', and then you can easily just use > > > > '&file->f_cred->user->ratelimit' > > > > and you're done. Make sure the initial root user has it unlimited, and > > limit it to something reasonable for all other user allocations. > > How about uid name spaces? Someone untrusted in a container could > create a lot of uids and switch between them. > > A global rate limit seems better. While in theory it allows DoS > it's probably not worse than a lot of others we have with > other resources, and it's relatively harmless. The EFI calls are all about checking system configuration. A thing that only a handful of users do on a very occasional basis. I don't see much harm if my "efibootmgr -v" call is slowed down a bit (or even a lot) because you are using a bunch of the available ratelimit reading the efivars. Per-user seems over engineered to solve this problem. -Tony