From: John Wood <john.wood@gmx.com>
To: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
Cc: John Wood <john.wood@gmx.com>, kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Fri, 2 Apr 2021 14:49:32 +0200
Message-ID: <20210402124932.GA3012@ubuntu>
In-Reply-To: <79804.1617129638@turing-police>

Hi,

On Tue, Mar 30, 2021 at 02:40:38PM -0400, Valdis Klētnieks wrote:
> On Tue, 30 Mar 2021 19:34:59 +0200, John Wood said:
>
> > The question is: How can I notify to wait* functions that the task has
> > been killed by the "Brute" LSM.
>
> What wait* functions even *care* that your LSM was what killed it?
>
> If you're caring about somehow notifying userspace that it was your LSM
> specifically, remember that if your code works properly, only attackers
> get notified - and they can then determine "Ah, this system has Brute installed,
> we need to back off and fly under its radar".
>
> You're much better off sending a SIGKILL to the entire process group
> and be done with it. That way the bad guys get less information.

Thanks for the suggestion, but I will expose more info to try to clarify
why notifying userspace can be useful. In a discussion with Andi Kleen
in the v5 review [1] he explained to me some cons of the current mitigation
method. Without going into more detail, the mitigation kills all the tasks
involved in the attack, but a supervisor can respawn the killed processes and
the attack can be started again. So, he suggested that by notifying userspace
(via wait*() functions) that a child task has been killed by the "Brute" LSM,
the supervisor can adopt the correct policy and avoid respawning the killed
processes.

[1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@gmx.com/

Thanks,
John Wood

