archive mirror
 help / color / mirror / Atom feed
From: John Wood <>
Subject: Notify special task kill using wait* functions
Date: Tue, 30 Mar 2021 19:34:59 +0200	[thread overview]
Message-ID: <20210330173459.GA3163@ubuntu> (raw)


I'm working in a LSM whose goal is to detect and mitigate fork brute force
attacks against vulnerable userspace applications. The detection and
mitigation works as expected by I'm stuck at this point.

The mitigation method used is to kill all the offending tasks involved in
the attack. To do so, I kill the tasks using:

do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID);

The question is: How can I notify to wait* functions that the task has
been killed by the "Brute" LSM. For example, in the function
wait_task_zombie, in the "out_info:" label, the code is the following:

	infop = wo->wo_info;
	if (infop) {
		if ((status & 0x7f) == 0) {
			infop->cause = CLD_EXITED;
			infop->status = status >> 8;
		} else {
			infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
			infop->status = status & 0x7f;
		infop->pid = pid;
		infop->uid = uid;

I think I need to modify this code to achieve the commented goal. But
I don't know how to proceed.

Is it possible to kill a task in a way that this code can detect ? Now,
with this code, we know that a task has been killed and with what signal.
But is it possible to know that the task has been killed by the "Brute" LSM.
Using for example the 8 upper bits in the status that I think are unused
when a process is killed or dumped.

It is possible to use the do_send_sig_info passing to the struct kernel_siginfo
the necessary information to be able to detect this scenario in the wait*
functions? If yes, what info I need to pass?

The final purpose of all of this is that using the waitid function from
userspace (or waitpid function) we can know that a child task has been killed
by the "Brute" LSM or not. I try to inform to userspace that a task has been
killed due to the "Brute" mitigation.

Sorry, but I'm stuck at this point. Any help would be greatly appreciated.

John Wood

Kernelnewbies mailing list

             reply	other threads:[~2021-03-30 17:35 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-30 17:34 John Wood [this message]
2021-03-30 18:40 ` Notify special task kill using wait* functions Valdis Klētnieks
2021-04-02 12:49   ` John Wood
2021-04-03  3:50     ` Valdis Klētnieks
2021-04-03  7:02       ` John Wood
2021-04-03 21:34         ` Valdis Klētnieks
2021-04-04  9:48           ` John Wood
2021-04-04 21:10             ` Valdis Klētnieks
2021-04-05  7:31               ` John Wood
2021-04-06 23:55                 ` Valdis Klētnieks
2021-04-07 17:51                   ` John Wood
2021-04-07 20:38                     ` Valdis Klētnieks
2021-04-08  1:51                       ` Andi Kleen
2021-04-09 14:29                         ` John Wood
2021-04-09 15:06                           ` Andi Kleen
2021-04-09 16:08                             ` John Wood
2021-04-09 23:28                             ` Valdis Klētnieks
2021-04-11  8:46                               ` John Wood

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210330173459.GA3163@ubuntu \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).