kernelnewbies.kernelnewbies.org archive mirror
 help / color / mirror / Atom feed
From: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
To: John Wood <john.wood@gmx.com>
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Fri, 02 Apr 2021 23:50:18 -0400	[thread overview]
Message-ID: <106842.1617421818@turing-police> (raw)
In-Reply-To: <20210402124932.GA3012@ubuntu>


[-- Attachment #1.1: Type: text/plain, Size: 1223 bytes --]

On Fri, 02 Apr 2021 14:49:32 +0200, John Wood said:

> the attack can be started again. So, he suggested that notifying to userspace
> (via wait*() functions) that a child task has been killed by the "Brute" LSM,
> the supervisor can adopt the correct policy and avoid respawn the killed
> processes.

> [1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@gmx.com/

That patch contains the biggest problem with your idea:

+Moreover, this method is based on the idea that the protection doesn't act if
+the parent crashes. So, it would still be possible for an attacker to fork a
+process and probe itself. Then, fork the child process and probe itself again.
+This way, these steps can be repeated infinite times without any mitigation.

In general, "security" that has an obvious and easy way to bypass it isn't
providing any real security at all. If all it takes to bypass it is a double fork,
everybody who didn't just fall out of the tree will do a double fork.  In other
words, anybody who's clued enough to write malware that actually works
and does the sort of attack you're trying to prevent should be able to fix
the malware to bypass your "security" with just a few added lines of code.

[-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

  reply	other threads:[~2021-04-03  3:52 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-30 17:34 John Wood
2021-03-30 18:40 ` Valdis Klētnieks
2021-04-02 12:49   ` John Wood
2021-04-03  3:50     ` Valdis Klētnieks [this message]
2021-04-03  7:02       ` John Wood
2021-04-03 21:34         ` Valdis Klētnieks
2021-04-04  9:48           ` John Wood
2021-04-04 21:10             ` Valdis Klētnieks
2021-04-05  7:31               ` John Wood
2021-04-06 23:55                 ` Valdis Klētnieks
2021-04-07 17:51                   ` John Wood
2021-04-07 20:38                     ` Valdis Klētnieks
2021-04-08  1:51                       ` Andi Kleen
2021-04-09 14:29                         ` John Wood
2021-04-09 15:06                           ` Andi Kleen
2021-04-09 16:08                             ` John Wood
2021-04-09 23:28                             ` Valdis Klētnieks
2021-04-11  8:46                               ` John Wood

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=106842.1617421818@turing-police \
    --to=valdis.kletnieks@vt.edu \
    --cc=john.wood@gmx.com \
    --cc=kernelnewbies@kernelnewbies.org \
    --subject='Re: Notify special task kill using wait* functions' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).