Re: [patch] [sg]etaffinity hooks

From: Crispin Cowan (crispinat_private)
Date: Mon Oct 07 2002 - 12:41:03 PDT


    Valdis.Kletnieksat_private wrote:
    
    >On Mon, 07 Oct 2002 11:05:36 PDT, Seth Arnold <sarnoldat_private> said:
    >
    >>prevent cache thrashing; I don't see a point to mediating cpu affinity
    >>in an access control module. (Well, aside from covert timing channels,
    >
    >Umm.. taking a shot in the dark here, but to make sure that one user can't
    >cause a DoS against some production workload that needs affinity?  It
    >would suck if your payroll system ran on a box that had 4 CPUs, and needed
    >to set affinity to 3 of them - and Fred J Nasty has already started 2
    >processes with affinity...
    >
    Anticipating predictable rebuttal :) aside from processor affinity, have 
    we also closed all of the other trivial ways that a local user/process 
    can DoS a machine into the ground by consuming gobs of resources? Fork 
    bombing, consuming as much memory as possible, thrashing all levels of 
    cache and disk, flooding network connections, etc. I'm not convinced 
    that we even come close to preventing local DoS.
    
    But I could be wrong. Convince me, as I'm much more patient than the 
    LKML crowd with this kind of thing :) and these are the kinds of 
    questions they will ask.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    
    
    



