From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DFE5C43461 for ; Mon, 14 Sep 2020 19:39:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CEB4D2193E for ; Mon, 14 Sep 2020 19:39:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="KMb8YL82" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726062AbgINTjk (ORCPT ); Mon, 14 Sep 2020 15:39:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725914AbgINTji (ORCPT ); Mon, 14 Sep 2020 15:39:38 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4DA7AC06174A for ; Mon, 14 Sep 2020 12:39:38 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id b12so712244edz.11 for ; Mon, 14 Sep 2020 12:39:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lG5XGf95bwNJOiL8PcjSLhdHd8W32J8QXR/kZviOKdg=; b=KMb8YL82jYt+MdR+06nAv1SDjyBvY4xZgeT/ZSDzaA/sIk4BMgBJiDBRB+e1bufy3+ 8ZUWjMH8ilySI8ll0tpW9SGHNcwfcXvuO/ogAr+JiAJ+gLYB2oFiAISVMsXaZiFZKhG6 rNV9jXE4AzKiGnJtbZ01dTfsAaRXm01QgaG5C8WCbA0mkKFr6J1uj1+DZPrJ9hzkpFLt 7CafX7kXEWTa72gmB4FzIyzXC1KrE0sLckGmAtvfbSZqoUxrNCh+knJSNyZnBMhxAxTx dNPT5gnmXVGLWsSSXLj6HwJ+ZnTlIAmp/gH/hWa2wQfaMmrOBh6HBlLkbN6H+zlGsjQ8 UTIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lG5XGf95bwNJOiL8PcjSLhdHd8W32J8QXR/kZviOKdg=; b=QmmJuz3vFGdWC9AJEgauqoX481GHClD0j4tnZHr18AHBQ5QO9zZ5mRaA2PVKMowrS/ lG7ieufcnqKYnCPjf/2D3UlFz7zzYd+g//1H17oI31RjgSJCrPYgLj7BsRTz6C09Mcak MeJfDpbTrMhSM/GFmReOTnbDdA8QA4bq4/SHdGfdZ49JhpQ49Jiy6quembivzouqsYnc TwlmpmESZZYwITze1OqoP22QRIfrHK57bPVTDNrkJRXxGs6RCYcJEGww7gHDwL2L0n6U dL2OFELYlqkEU4E623HdCo3z9Ieos8ylOct9xyghmvq+DeHFYuH+4yWCyLP+yZ9n2iyV P1LA== X-Gm-Message-State: AOAM533nS983c5P8lqhLMIbEm0MRGRJ6x1avP9RMZ4qugfeOCFPCLoyj KyKenxNJIBvgWOHXo9kjd7mxP30ufu5uEXNo3au6Ug== X-Google-Smtp-Source: ABdhPJxc/PtfgEbkD4fcsDei9QMBxurLSxbpcXluh3HHDXLs/uUkzi3B73RmIjNWnbIXKDpCIS3Fg5qNSvIHPX0J6v4= X-Received: by 2002:a50:e807:: with SMTP id e7mr19255309edn.84.1600112376719; Mon, 14 Sep 2020 12:39:36 -0700 (PDT) MIME-Version: 1.0 References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-6-keescook@chromium.org> <202009101634.52ED6751AD@keescook> <20200913152724.GB2873@ubuntu> In-Reply-To: <20200913152724.GB2873@ubuntu> From: Jann Horn Date: Mon, 14 Sep 2020 21:39:10 +0200 Message-ID: Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack To: John Wood Cc: Kees Cook , Kernel Hardening , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, kernel list , linux-fsdevel , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Sep 13, 2020 at 6:56 PM John Wood wrote: > On Fri, Sep 11, 2020 at 02:01:56AM +0200, Jann Horn wrote: > > On Fri, Sep 11, 2020 at 1:49 AM Kees Cook wrote: > > > On Thu, Sep 10, 2020 at 01:21:06PM -0700, Kees Cook wrote: > > > > diff --git a/fs/coredump.c b/fs/coredump.c > > > > index 76e7c10edfc0..d4ba4e1828d5 100644 > > > > --- a/fs/coredump.c > > > > +++ b/fs/coredump.c > > > > @@ -51,6 +51,7 @@ > > > > #include "internal.h" > > > > > > > > #include > > > > +#include > > > > > > > > int core_uses_pid; > > > > unsigned int core_pipe_limit; > > > > @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > > > > fail_creds: > > > > put_cred(cred); > > > > fail: > > > > + fbfam_handle_attack(siginfo->si_signo); > > > > > > I don't think this is the right place for detecting a crash -- isn't > > > this only for the "dumping core" condition? In other words, don't you > > > want to do this in get_signal()'s "fatal" block? (i.e. very close to the > > > do_coredump, but without the "should I dump?" check?) > > > > > > Hmm, but maybe I'm wrong? It looks like you're looking at noticing the > > > process taking a signal from SIG_KERNEL_COREDUMP_MASK ? > > > > > > (Better yet: what are fatal conditions that do NOT match > > > SIG_KERNEL_COREDUMP_MASK, and should those be covered?) > > > > > > Regardless, *this* looks like the only place without an LSM hook. And it > > > doesn't seem unreasonable to add one here. I assume it would probably > > > just take the siginfo pointer, which is also what you're checking. > > > > Good point, making this an LSM might be a good idea. > > > > > e.g. for include/linux/lsm_hook_defs.h: > > > > > > LSM_HOOK(int, 0, task_coredump, const kernel_siginfo_t *siginfo); > > > > I guess it should probably be an LSM_RET_VOID hook? And since, as you > > said, it's not really semantically about core dumping, maybe it should > > be named task_fatal_signal or something like that. > > If I understand correctly you propose to add a new LSM hook without return > value and place it here: > > diff --git a/kernel/signal.c b/kernel/signal.c > index a38b3edc6851..074492d23e98 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -2751,6 +2751,8 @@ bool get_signal(struct ksignal *ksig) > do_coredump(&ksig->info); > } > > + // Add the new LSM hook here > + > /* > * Death signals, no core dump. > */ It should probably be in the "if (sig_kernel_coredump(signr)) {" branch. And I'm not sure whether it should be before or after do_coredump() - if you do it after do_coredump(), the hook will have to wait until the core dump file has been written, which may take a little bit of time. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8955EC433E2 for ; Mon, 14 Sep 2020 19:39:57 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 930882193E for ; Mon, 14 Sep 2020 19:39:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="KMb8YL82" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 930882193E Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-19896-kernel-hardening=archiver.kernel.org@lists.openwall.com Received: (qmail 28304 invoked by uid 550); 14 Sep 2020 19:39:48 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Received: (qmail 28283 invoked from network); 14 Sep 2020 19:39:48 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lG5XGf95bwNJOiL8PcjSLhdHd8W32J8QXR/kZviOKdg=; b=KMb8YL82jYt+MdR+06nAv1SDjyBvY4xZgeT/ZSDzaA/sIk4BMgBJiDBRB+e1bufy3+ 8ZUWjMH8ilySI8ll0tpW9SGHNcwfcXvuO/ogAr+JiAJ+gLYB2oFiAISVMsXaZiFZKhG6 rNV9jXE4AzKiGnJtbZ01dTfsAaRXm01QgaG5C8WCbA0mkKFr6J1uj1+DZPrJ9hzkpFLt 7CafX7kXEWTa72gmB4FzIyzXC1KrE0sLckGmAtvfbSZqoUxrNCh+knJSNyZnBMhxAxTx dNPT5gnmXVGLWsSSXLj6HwJ+ZnTlIAmp/gH/hWa2wQfaMmrOBh6HBlLkbN6H+zlGsjQ8 UTIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lG5XGf95bwNJOiL8PcjSLhdHd8W32J8QXR/kZviOKdg=; b=uZRG72dk8uL/KcPOPPk5TezHdPh/kvIzX2RKM+9Sc3Il0Oc3ccmIOIwAuYNY+oxVGa sn0PD33mAppWqu9RVrKS+mWiG0nb0YHG8NpxyUyj7rZqVwQ7HaGefqjs4hBA4UlYTx4b +zoc/87KDGDQs88Y7wRKlozwRyY6n0pkwOXh9RPpIu3wkYj0NZtBHSDGKGp2hC8mbtjZ BB8vfYfryZSNuCHwecBhBh8Py/fz44s6yOugSZNpj/IgehpeHgHB8L4XHWMFBnH0CDWZ xEq7Nl0R2fW8z+M0m8bzRkSqb803EI1ZO1kYEyQRAjqJukW2MorAUDKF/ss071fd1d+9 ZlUw== X-Gm-Message-State: AOAM533Qf2bXph5daNRJzRIrczCuW0ffMoaKaaHDswSe6ZJOLBsZX/0Y 76lEfHzAYB/ZM3Mpa+N9VY+TVyy6lQXdQWxMjmw5sg== X-Google-Smtp-Source: ABdhPJxc/PtfgEbkD4fcsDei9QMBxurLSxbpcXluh3HHDXLs/uUkzi3B73RmIjNWnbIXKDpCIS3Fg5qNSvIHPX0J6v4= X-Received: by 2002:a50:e807:: with SMTP id e7mr19255309edn.84.1600112376719; Mon, 14 Sep 2020 12:39:36 -0700 (PDT) MIME-Version: 1.0 References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-6-keescook@chromium.org> <202009101634.52ED6751AD@keescook> <20200913152724.GB2873@ubuntu> In-Reply-To: <20200913152724.GB2873@ubuntu> From: Jann Horn Date: Mon, 14 Sep 2020 21:39:10 +0200 Message-ID: Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack To: John Wood Cc: Kees Cook , Kernel Hardening , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, kernel list , linux-fsdevel , linux-security-module Content-Type: text/plain; charset="UTF-8" On Sun, Sep 13, 2020 at 6:56 PM John Wood wrote: > On Fri, Sep 11, 2020 at 02:01:56AM +0200, Jann Horn wrote: > > On Fri, Sep 11, 2020 at 1:49 AM Kees Cook wrote: > > > On Thu, Sep 10, 2020 at 01:21:06PM -0700, Kees Cook wrote: > > > > diff --git a/fs/coredump.c b/fs/coredump.c > > > > index 76e7c10edfc0..d4ba4e1828d5 100644 > > > > --- a/fs/coredump.c > > > > +++ b/fs/coredump.c > > > > @@ -51,6 +51,7 @@ > > > > #include "internal.h" > > > > > > > > #include > > > > +#include > > > > > > > > int core_uses_pid; > > > > unsigned int core_pipe_limit; > > > > @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > > > > fail_creds: > > > > put_cred(cred); > > > > fail: > > > > + fbfam_handle_attack(siginfo->si_signo); > > > > > > I don't think this is the right place for detecting a crash -- isn't > > > this only for the "dumping core" condition? In other words, don't you > > > want to do this in get_signal()'s "fatal" block? (i.e. very close to the > > > do_coredump, but without the "should I dump?" check?) > > > > > > Hmm, but maybe I'm wrong? It looks like you're looking at noticing the > > > process taking a signal from SIG_KERNEL_COREDUMP_MASK ? > > > > > > (Better yet: what are fatal conditions that do NOT match > > > SIG_KERNEL_COREDUMP_MASK, and should those be covered?) > > > > > > Regardless, *this* looks like the only place without an LSM hook. And it > > > doesn't seem unreasonable to add one here. I assume it would probably > > > just take the siginfo pointer, which is also what you're checking. > > > > Good point, making this an LSM might be a good idea. > > > > > e.g. for include/linux/lsm_hook_defs.h: > > > > > > LSM_HOOK(int, 0, task_coredump, const kernel_siginfo_t *siginfo); > > > > I guess it should probably be an LSM_RET_VOID hook? And since, as you > > said, it's not really semantically about core dumping, maybe it should > > be named task_fatal_signal or something like that. > > If I understand correctly you propose to add a new LSM hook without return > value and place it here: > > diff --git a/kernel/signal.c b/kernel/signal.c > index a38b3edc6851..074492d23e98 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -2751,6 +2751,8 @@ bool get_signal(struct ksignal *ksig) > do_coredump(&ksig->info); > } > > + // Add the new LSM hook here > + > /* > * Death signals, no core dump. > */ It should probably be in the "if (sig_kernel_coredump(signr)) {" branch. And I'm not sure whether it should be before or after do_coredump() - if you do it after do_coredump(), the hook will have to wait until the core dump file has been written, which may take a little bit of time.