* Notify special task kill using wait* functions
@ 2021-03-30 17:34 John Wood
From: John Wood @ 2021-03-30 17:34 UTC (permalink / raw)
  To: kernelnewbies


I'm working on an LSM whose goal is to detect and mitigate fork brute force
attacks against vulnerable userspace applications. The detection and
mitigation work as expected, but I'm stuck at this point.

The mitigation method used is to kill all the offending tasks involved in
the attack. To do so, I kill the tasks using:

do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID);

The question is: How can I notify the wait* functions that the task has
been killed by the "Brute" LSM? For example, in the function
wait_task_zombie, in the "out_info:" label, the code is the following:

	infop = wo->wo_info;
	if (infop) {
		if ((status & 0x7f) == 0) {
			infop->cause = CLD_EXITED;
			infop->status = status >> 8;
		} else {
			infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
			infop->status = status & 0x7f;
		}
		infop->pid = pid;
		infop->uid = uid;
	}

I think I need to modify this code to achieve the goal described above. But
I don't know how to proceed.

Is it possible to kill a task in a way that this code can detect? Now,
with this code, we know that a task has been killed and with what signal.
But is it possible to know that the task has been killed by the "Brute" LSM,
using for example the 8 upper bits in the status that I think are unused
when a process is killed or dumped?

Is it possible to use do_send_sig_info, passing to the struct kernel_siginfo
the necessary information to be able to detect this scenario in the wait*
functions? If yes, what info do I need to pass?

The final purpose of all of this is that, using the waitid function from
userspace (or the waitpid function), we can know whether a child task has been
killed by the "Brute" LSM or not. I am trying to inform userspace that a task
has been killed due to the "Brute" mitigation.

Sorry, but I'm stuck at this point. Any help would be greatly appreciated.

John Wood
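
For reference, an added userspace example (not part of the original message) of what a parent gets from waitid() today for a child killed with SIGKILL, cross-checked against the raw waitpid() status decoded the same way as the quoted excerpt. The names `struct child_exit`, `decode_status` and `run_child` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

struct child_exit { int cause, status, raw_cause, raw_status; };

/* The same split the quoted kernel excerpt applies to the status word. */
static void decode_status(int status, int *cause, int *value)
{
	if ((status & 0x7f) == 0) {
		*cause = CLD_EXITED;
		*value = status >> 8;
	} else {
		*cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
		*value = status & 0x7f;
	}
}

/* Fork a child that exits with `code` (sig == 0) or is sent `sig`. */
static int run_child(int sig, int code, struct child_exit *out)
{
	siginfo_t info = { 0 };
	int raw;
	pid_t pid = fork();

	if (pid == 0) {
		if (sig == 0) _exit(code);
		for (;;) pause();
	}
	if (pid < 0 || (sig && kill(pid, sig) < 0))
		return -1;
	/* WNOWAIT keeps the zombie so waitpid() can fetch the raw word too. */
	if (waitid(P_PID, pid, &info, WEXITED | WNOWAIT) < 0 ||
	    waitpid(pid, &raw, 0) != pid)
		return -1;
	out->cause = info.si_code;	/* CLD_EXITED / CLD_KILLED / CLD_DUMPED */
	out->status = info.si_status;	/* exit code or signal number only */
	decode_status(raw, &out->raw_cause, &out->raw_status);
	return 0;
}

int main(void)
{
	struct child_exit e;
	if (run_child(SIGKILL, 0, &e) == 0)
		printf("si_code=%d si_status=%d\n", e.cause, e.status);
	return 0;
}
```

In the siginfo returned for a dead child, si_pid and si_uid describe the child itself, so none of these fields tells the parent who sent the SIGKILL.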
