Re: [patch] [sg]etaffinity hooks

From: Valdis.Kletnieksat_private
Date: Mon Oct 07 2002 - 12:54:58 PDT


    On Mon, 07 Oct 2002 12:41:03 PDT, Crispin Cowan said:
    
    > Anticipating predictable rebuttal :) aside from processor affinity, have 
    > we also closed all of the other trivial ways that a local user/process 
    > can DoS a machine into the ground by consuming gobs of resources? Fork 
    > bombing, consuming as much memory as possible, thrashing all levels of 
    > cache and disk, flooding network connections, etc. I'm not convinced 
    > that we even come close to preventing local DoS.
    
    I think fork-bombing is already (mostly) managed by per-user process limits,
    the others are open research problems. ;)
    
    The interesting thing about affinity is that it's a case where a rogue
    program can "fly under the wire" of all the usual existing tools and *still*
    cause a DoS, *and* that there's a demonstrable way to 100% close *that*
    set of holes with a hook.  I've never understood the LKML's attitude of "don't
    even bother because there's other classes of holes" - under THAT logic, the
    kernel shouldn't even have the current per-user process limit, since there's
    still other ways to hose the system...
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    
    
    
    
