* [PATCH] lockdown: Only log restrictions once
@ 2025-11-19 13:22 Daniel Tang
2025-11-19 16:05 ` Paul Moore
0 siblings, 1 reply; 7+ messages in thread
From: Daniel Tang @ 2025-11-19 13:22 UTC (permalink / raw)
To: linux-security-module
Cc: linux-kernel, Nathan Lynch, Paul Moore, Matthew Garrett,
Kees Cook, David Howells, James Morris
KDE's lockscreen causes systemd-logind to spam dmesg about hibernation.
systemd declined to cache /sys/power/state due to runtime changeability.
Link: https://github.com/systemd/systemd/pull/39802
Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
---
security/lockdown/lockdown.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..4ced8c76dc6b 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -62,9 +62,11 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
"Invalid lockdown reason"))
return -EPERM;
+ static volatile unsigned long lockdown_reasons_seen;
+ static_assert(ARRAY_SIZE(lockdown_reasons) < sizeof(lockdown_reasons_seen) * 8);
if (kernel_locked_down >= what) {
- if (lockdown_reasons[what])
- pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+ if (lockdown_reasons[what] && !test_and_set_bit(what, &lockdown_reasons_seen))
+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
current->comm, lockdown_reasons[what]);
return -EPERM;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] lockdown: Only log restrictions once
2025-11-19 13:22 [PATCH] lockdown: Only log restrictions once Daniel Tang
@ 2025-11-19 16:05 ` Paul Moore
2025-11-19 18:07 ` [PATCH v2] " Daniel Tang
0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2025-11-19 16:05 UTC (permalink / raw)
To: Daniel Tang, Nicolas Bouchinet, Xiu Jianfeng
Cc: linux-security-module, linux-kernel, Nathan Lynch,
Matthew Garrett, Kees Cook, David Howells, James Morris
On Wed, Nov 19, 2025 at 8:22 AM Daniel Tang
<danielzgtg.opensource@gmail.com> wrote:
>
> KDE's lockscreen causes systemd-logind to spam dmesg about hibernation.
> systemd declined to cache /sys/power/state due to runtime changeability.
>
> Link: https://github.com/systemd/systemd/pull/39802
> Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
> ---
> security/lockdown/lockdown.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Adding the Lockdown maintainers to the To/CC line.
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index cf83afa1d879..4ced8c76dc6b 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -62,9 +62,11 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
> "Invalid lockdown reason"))
> return -EPERM;
>
> + static volatile unsigned long lockdown_reasons_seen;
I'll let the Lockdown folks comment on the rest, but at the very least
this variable should be declared at the top of the function. Yes, you
*can* declare it in the middle, but just because you can, doesn't mean
you should ;)
> + static_assert(ARRAY_SIZE(lockdown_reasons) < sizeof(lockdown_reasons_seen) * 8);
> if (kernel_locked_down >= what) {
> - if (lockdown_reasons[what])
> - pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> + if (lockdown_reasons[what] && !test_and_set_bit(what, &lockdown_reasons_seen))
> + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> current->comm, lockdown_reasons[what]);
> return -EPERM;
> }
> --
> 2.51.0
--
paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] lockdown: Only log restrictions once
2025-11-19 16:05 ` Paul Moore
@ 2025-11-19 18:07 ` Daniel Tang
2025-11-20 7:37 ` Xiujianfeng
0 siblings, 1 reply; 7+ messages in thread
From: Daniel Tang @ 2025-11-19 18:07 UTC (permalink / raw)
To: Nicolas Bouchinet, Xiu Jianfeng, Paul Moore
Cc: linux-security-module, linux-kernel, Nathan Lynch,
Matthew Garrett, Kees Cook, David Howells, James Morris
KDE's lockscreen causes systemd-logind to spam dmesg about hibernation.
systemd declined to cache /sys/power/state due to runtime changeability.
Link: https://github.com/systemd/systemd/pull/39802
Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
---
security/lockdown/lockdown.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index cf83afa1d879..83b50de52f21 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -58,13 +58,16 @@ early_param("lockdown", lockdown_param);
*/
static int lockdown_is_locked_down(enum lockdown_reason what)
{
+ static volatile unsigned long lockdown_reasons_seen;
+ static_assert(ARRAY_SIZE(lockdown_reasons) < sizeof(lockdown_reasons_seen) * 8);
+
if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
"Invalid lockdown reason"))
return -EPERM;
if (kernel_locked_down >= what) {
- if (lockdown_reasons[what])
- pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
+ if (lockdown_reasons[what] && !test_and_set_bit(what, &lockdown_reasons_seen))
+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
current->comm, lockdown_reasons[what]);
return -EPERM;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2] lockdown: Only log restrictions once
2025-11-19 18:07 ` [PATCH v2] " Daniel Tang
@ 2025-11-20 7:37 ` Xiujianfeng
2025-11-20 9:26 ` Daniel Tang
2025-11-25 10:00 ` Nicolas Bouchinet
0 siblings, 2 replies; 7+ messages in thread
From: Xiujianfeng @ 2025-11-20 7:37 UTC (permalink / raw)
To: Daniel Tang, Nicolas Bouchinet, Xiu Jianfeng, Paul Moore
Cc: linux-security-module, linux-kernel, Nathan Lynch,
Matthew Garrett, Kees Cook, David Howells, James Morris
Hi Daniel,
On 11/20/2025 2:07 AM, Daniel Tang wrote:
> KDE's lockscreen causes systemd-logind to spam dmesg about hibernation.
> systemd declined to cache /sys/power/state due to runtime changeability.
>
> Link: https://github.com/systemd/systemd/pull/39802
> Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
> ---
> security/lockdown/lockdown.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index cf83afa1d879..83b50de52f21 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -58,13 +58,16 @@ early_param("lockdown", lockdown_param);
> */
> static int lockdown_is_locked_down(enum lockdown_reason what)
> {
> + static volatile unsigned long lockdown_reasons_seen;
> + static_assert(ARRAY_SIZE(lockdown_reasons) < sizeof(lockdown_reasons_seen) * 8);
> +
> if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
> "Invalid lockdown reason"))
> return -EPERM;
>
> if (kernel_locked_down >= what) {
> - if (lockdown_reasons[what])
> - pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> + if (lockdown_reasons[what] && !test_and_set_bit(what, &lockdown_reasons_seen))
> + pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
> current->comm, lockdown_reasons[what]);
Currently lockdown does not support the audit function, so I believe the
logs here serve a purpose similar to auditing. Based on this, I think
this change will meaningfully degrade the quality of the logs, making it
hard for users to find out what happens when lockdown is active,
especially after a long time running.
Is it possible to adjust the printk_ratelimit & printk_ratelimit_burst
in /proc/sys/kernel/ to reduce the logs in your scenario?
Anyway, I will wait for Nicolas's comment.
> return -EPERM;
> }
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] lockdown: Only log restrictions once
2025-11-20 7:37 ` Xiujianfeng
@ 2025-11-20 9:26 ` Daniel Tang
2025-11-20 13:35 ` Xiujianfeng
2025-11-25 10:00 ` Nicolas Bouchinet
1 sibling, 1 reply; 7+ messages in thread
From: Daniel Tang @ 2025-11-20 9:26 UTC (permalink / raw)
To: Nicolas Bouchinet, Xiu Jianfeng, Paul Moore, Xiujianfeng
Cc: linux-security-module, linux-kernel, Nathan Lynch,
Matthew Garrett, Kees Cook, David Howells, James Morris
On Thursday, 20 November 2025, 02:37:56 EST Xiujianfeng <xiujianfeng@huaweicloud.com> wrote:
> Is it possible to adjust the printk_ratelimit & printk_ratelimit_burst
> in /proc/sys/kernel/ to reduce the logs in your scenario?
It's not working. Watching the console after setting the sysctl and
repeatedly clicking org.freedesktop.login1.Manager.CanSuspend in
qdbusviewer (simulating what the lockscreen does), I see:
```console
root@daniel-desktop3:~# uname -a
Linux daniel-desktop3 6.17.0-6-generic #6-Ubuntu SMP PREEMPT_DYNAMIC Tue Oct 7 13:34:17 UTC 2025 x86_64 GNU/Linux
root@daniel-desktop3:~# sysctl kernel.printk_ratelimit_burst=1
kernel.printk_ratelimit_burst = 1
root@daniel-desktop3:~# sysctl kernel.printk_ratelimit=999999
kernel.printk_ratelimit = 999999
root@daniel-desktop3:~# dmesg -W
[14385.334698] lockdown_is_locked_down: 3 callbacks suppressed
[14385.334701] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14385.614738] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14385.878857] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14386.166744] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14386.454771] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14386.750900] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14387.038795] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14387.334770] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14387.622696] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14387.926763] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14390.366582] lockdown_is_locked_down: 7 callbacks suppressed
[14390.366585] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14390.798744] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14391.118802] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14391.422728] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14391.742754] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14392.046735] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14392.350745] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14392.654992] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14392.974797] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[14393.270741] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
```
At my desk, I lock my screen every 5 hours. In public, I might lock my
screen every 1 minute, 5 minute, or 15 *minutes*. printk_ratelimit
seems to be targeted towards things that happen every N *seconds*.
> logs here serve a purpose similar to auditing. Based on this, I think
> this change will meaningfully degrade the quality of the logs, making it
> hard for users to find out what happens when lockdown is active,
> especially after a long time running.
For v3 in December, I'm thinking of adding a code path to special-case
*reads* from /sys/power/state. What do you think?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] lockdown: Only log restrictions once
2025-11-20 9:26 ` Daniel Tang
@ 2025-11-20 13:35 ` Xiujianfeng
0 siblings, 0 replies; 7+ messages in thread
From: Xiujianfeng @ 2025-11-20 13:35 UTC (permalink / raw)
To: Daniel Tang, Nicolas Bouchinet, Xiu Jianfeng, Paul Moore
Cc: linux-security-module, linux-kernel, Nathan Lynch,
Matthew Garrett, Kees Cook, David Howells, James Morris
Hi Daniel,
On 11/20/2025 5:26 PM, Daniel Tang wrote:
> On Thursday, 20 November 2025, 02:37:56 EST Xiujianfeng <xiujianfeng@huaweicloud.com> wrote:
>> Is it possible to adjust the printk_ratelimit & printk_ratelimit_burst
>> in /proc/sys/kernel/ to reduce the logs in your scenario?
>
> It's not working. Watching the console after setting the sysctl and
> repeatedly clicking org.freedesktop.login1.Manager.CanSuspend in
> qdbusviewer (simulating what the lockscreen does), I see:
>
> ```console
> root@daniel-desktop3:~# uname -a
> Linux daniel-desktop3 6.17.0-6-generic #6-Ubuntu SMP PREEMPT_DYNAMIC Tue Oct 7 13:34:17 UTC 2025 x86_64 GNU/Linux
> root@daniel-desktop3:~# sysctl kernel.printk_ratelimit_burst=1
> kernel.printk_ratelimit_burst = 1
> root@daniel-desktop3:~# sysctl kernel.printk_ratelimit=999999
> kernel.printk_ratelimit = 999999
> root@daniel-desktop3:~# dmesg -W
> [14385.334698] lockdown_is_locked_down: 3 callbacks suppressed
> [14385.334701] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14385.614738] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14385.878857] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14386.166744] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14386.454771] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14386.750900] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14387.038795] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14387.334770] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14387.622696] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14387.926763] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14390.366582] lockdown_is_locked_down: 7 callbacks suppressed
> [14390.366585] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14390.798744] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14391.118802] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14391.422728] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14391.742754] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14392.046735] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14392.350745] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14392.654992] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14392.974797] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [14393.270741] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> ```
>
> At my desk, I lock my screen every 5 hours. In public, I might lock my
> screen every 1 minute, 5 minute, or 15 *minutes*. printk_ratelimit
> seems to be targeted towards things that happen every N *seconds*.
Sorry for misleading.
After reading the code, I found that the macro of printk_ratelimited is
#define printk_ratelimited(fmt, ...) \
({ \
static DEFINE_RATELIMIT_STATE(_rs, \
DEFAULT_RATELIMIT_INTERVAL, \
DEFAULT_RATELIMIT_BURST); \
\
if (__ratelimit(&_rs)) \
printk(fmt, ##__VA_ARGS__); \
})
It seems that the rate is fixed and can not be modified via sysctl.
While another interface with a modifiable rate, which is
printk_ratelimit(), is marked as "don't use".
>
>> logs here serve a purpose similar to auditing. Based on this, I think
>> this change will meaningfully degrade the quality of the logs, making it
>> hard for users to find out what happens when lockdown is active,
>> especially after a long time running.
>
> For v3 in December, I'm thinking of adding a code path to special-case
> *reads* from /sys/power/state. What do you think?
Sorry, I am not familiar with hibernation, maybe you can CC hibernation
maintainers.
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] lockdown: Only log restrictions once
2025-11-20 7:37 ` Xiujianfeng
2025-11-20 9:26 ` Daniel Tang
@ 2025-11-25 10:00 ` Nicolas Bouchinet
1 sibling, 0 replies; 7+ messages in thread
From: Nicolas Bouchinet @ 2025-11-25 10:00 UTC (permalink / raw)
To: Xiujianfeng
Cc: Daniel Tang, Xiu Jianfeng, Paul Moore, linux-security-module,
linux-kernel, Nathan Lynch, Matthew Garrett, Kees Cook,
David Howells, James Morris
Hi,
> Currently lockdown does not support the audit function, so I believe the
> logs here serve a purpose similar to auditing. Based on this, I think
> this change will meaningfully degrade the quality of the logs, making it
> hard for users to find out what happens when lockdown is active,
> especially after a long time running.
I agree with Xiu.
I'm not sure to understand how this is a kernel issue. I mean beside
that we do not support hibernation in Lockdown for now.
Can't you just disable hibernation with systemd-logind using someting like
'AllowHibernation=no' ?
Best regards,
Nicolas
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-11-25 10:21 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-19 13:22 [PATCH] lockdown: Only log restrictions once Daniel Tang
2025-11-19 16:05 ` Paul Moore
2025-11-19 18:07 ` [PATCH v2] " Daniel Tang
2025-11-20 7:37 ` Xiujianfeng
2025-11-20 9:26 ` Daniel Tang
2025-11-20 13:35 ` Xiujianfeng
2025-11-25 10:00 ` Nicolas Bouchinet
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).