On Fri, Sep 27, 2019 at 8:52 AM Neil Horman <nhorman@xxxxxxxxxxxxx> wrote: > On Wed, Sep 18, 2019 at 09:22:23PM -0400, Richard Guy Briggs wrote: > > Set an arbitrary limit on the number of audit container identifiers to > > limit abuse. > > > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > > --- > > kernel/audit.c | 8 ++++++++ > > kernel/audit.h | 4 ++++ > > 2 files changed, 12 insertions(+) > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 53d13d638c63..329916534dd2 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c ... > > @@ -2465,6 +2472,7 @@ int audit_set_contid(struct task_struct *task, u64 contid) > > newcont->owner = current; > > refcount_set(&newcont->refcount, 1); > > list_add_rcu(&newcont->list, &audit_contid_hash[h]); > > + audit_contid_count++; > > } else { > > rc = -ENOMEM; > > goto conterror; > > diff --git a/kernel/audit.h b/kernel/audit.h > > index 162de8366b32..543f1334ba47 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -219,6 +219,10 @@ static inline int audit_hash_contid(u64 contid) > > return (contid & (AUDIT_CONTID_BUCKETS-1)); > > } > > > > +extern int audit_contid_count; > > + > > +#define AUDIT_CONTID_COUNT 1 << 16 > > + > > Just to ask the question, since it wasn't clear in the changelog, what > abuse are you avoiding here? Ostensibly you should be able to create as > many container ids as you have space for, and the simple creation of > container ids doesn't seem like the resource strain I would be concerned > about here, given that an orchestrator can still create as many > containers as the system will otherwise allow, which will consume > significantly more ram/disk/etc. I've got a similar question. Up to this point in the patchset, there is a potential issue of hash bucket chain lengths and traversing them with a spinlock held, but it seems like we shouldn't be putting an arbitrary limit on audit container IDs unless we have a good reason for it. If for some reason we do want to enforce a limit, it should probably be a tunable value like a sysctl, or similar. -- paul moore www.paul-moore.com