Re: [PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS

On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote: > Set an arbitrary limit on the number of audit container identifiers to > limit abuse. > > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; > --- > kernel/audit.c | 8 ++++++++ > kernel/audit.h | 4 ++++ > 2 files changed, 12 insertions(+) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 53d13d638c63..329916534dd2 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c

> @@ -2465,6 +2472,7 @@ int audit_set_contid(struct task_struct *task, u64 contid) > newcont->owner = current; > refcount_set(&newcont->refcount, 1); > list_add_rcu(&newcont->list, &audit_contid_hash[h]); > + audit_contid_count++; > } else { > rc = -ENOMEM; > goto conterror; > diff --git a/kernel/audit.h b/kernel/audit.h > index 162de8366b32..543f1334ba47 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -219,6 +219,10 @@ static inline int audit_hash_contid(u64 contid) > return (contid & (AUDIT_CONTID_BUCKETS-1)); > } > > +extern int audit_contid_count; > + > +#define AUDIT_CONTID_COUNT 1 << 16 > + Just to ask the question, since it wasn't clear in the changelog, what abuse are you avoiding here? Ostensibly you should be able to create as many container ids as you have space for, and the simple creation of container ids doesn't seem like the resource strain I would be concerned about here, given that an orchestrator can still create as many containers as the system will otherwise allow, which will consume significantly more ram/disk/etc.