Implement Layer 3: rate limiting and time-limited access #2
Merged
Add per-session and cross-session rate controls to limit bulk data extraction through /proc/kcore_filtered.

Per-session controls:
- max_session_bytes (default 64M): caps bytes per open fd
- max_session_secs (default 300): caps session duration

Global controls (address rapid-restart attacks):
- max_opens_per_min (default 10): caps open() rate across all processes
- max_global_bytes_per_min (default 128M): caps aggregate read rate

All parameters are runtime-tunable via sysfs and setting 0 disables the limit. Rate-limit events emit audit records and increment counters in /proc/kcore_filtered_stats.

https://claude.ai/code/session_01JnpSAhxxEZsVqN8JG5uvqn
Tests added (Tests 18-23 in test_basic.sh):
- sysfs parameter verification for all 4 rate-limit params
- stats file contains rl_* counter fields
- session byte budget enforcement (load with 8K budget, verify cap)
- open rate limit enforcement (load with 3/min, verify 4th denied)
- rl_denied_opens counter increments after denied open

All behavioral tests use volume-based limits only (no sleeps/timing), avoiding flakiness from CI/VM timing jitter. Time-based limits (max_session_secs) and window-reset behavior are not tested for this reason.

Also shortened rl_sessions_expired/budget to rl_sess_expired/budget in stats output so all fields have whitespace-delimited values for reliable awk parsing.

https://claude.ai/code/session_01JnpSAhxxEZsVqN8JG5uvqn
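A userspace model of the limit semantics described in the two commit messages above, added here as an illustration and not the PR's kernel code. The struct and function names, the fixed 60-second window, and short reads on budget exhaustion are assumptions; the caller supplies `now` in seconds, so the time-based paths the PR leaves untested can be exercised without sleeping.

```c
#include <stdint.h>
#include <stdbool.h>
/* Hypothetical model: limit fields are named after the PR's parameters. */
struct rl_limits { uint64_t max_session_bytes, max_session_secs,
                   max_opens_per_min, max_global_bytes_per_min; };
struct rl_global { uint64_t win_start, opens, bytes, denied_opens; };
struct rl_session { uint64_t opened_at, bytes; };

/* Remaining budget; saturates at 0 if a limit is lowered at runtime. */
static uint64_t rl_left(uint64_t limit, uint64_t used)
{ return limit > used ? limit - used : 0; }

/* Assumed fixed 60 s window: global counters reset once it has elapsed. */
static void rl_roll(struct rl_global *g, uint64_t now)
{
    if (now - g->win_start >= 60) {
        g->win_start = now;
        g->opens = 0;
        g->bytes = 0;
    }
}

/* open(): counted across all processes, so reopening cannot reset it. */
static bool rl_open(const struct rl_limits *l, struct rl_global *g,
                    struct rl_session *s, uint64_t now)
{
    rl_roll(g, now);
    if (l->max_opens_per_min && g->opens >= l->max_opens_per_min) {
        g->denied_opens++;              /* modelled on rl_denied_opens */
        return false;
    }
    g->opens++;
    s->opened_at = now;
    s->bytes = 0;                       /* fresh per-fd byte budget */
    return true;
}

/* read(): bytes granted, clamped to the tightest budget; 0 = no limit. */
static uint64_t rl_read(const struct rl_limits *l, struct rl_global *g,
                        struct rl_session *s, uint64_t want, uint64_t now)
{
    rl_roll(g, now);
    if (l->max_session_secs && now - s->opened_at >= l->max_session_secs)
        return 0;                       /* session expired */
    if (l->max_session_bytes && want > rl_left(l->max_session_bytes, s->bytes))
        want = rl_left(l->max_session_bytes, s->bytes);
    if (l->max_global_bytes_per_min && want > rl_left(l->max_global_bytes_per_min, g->bytes))
        want = rl_left(l->max_global_bytes_per_min, g->bytes);
    s->bytes += want;
    g->bytes += want;
    return want;
}
```

The per-session budget is reset on every open in this model, which is why the global open and byte counters are needed to bound a client that closes and reopens the file.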