From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.5 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26338C433E2 for ; Sun, 6 Sep 2020 15:31:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C9EC2207BB for ; Sun, 6 Sep 2020 15:31:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="Iv56LjyO"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="WdAsesRc" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728948AbgIFPbm (ORCPT ); Sun, 6 Sep 2020 11:31:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728807AbgIFPbh (ORCPT ); Sun, 6 Sep 2020 11:31:37 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 723CAC061573; Sun, 6 Sep 2020 08:31:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=+LuTTLR0kikmiTPRNn7HRx+lG0J24aqE2GOmu3Oa2sw=; b=Iv 56LjyORAFwYrKSoOUcozZlC8D7x28mv1jADrDsw+d5sW6g3aVgTlH/ulJxo5BEfjsQsvAwKpwY5eo U9cM9I3Nn2wDS49/Yx1FLMPr0Bu0wOxD06M/tNVhvXLUk0NkfaTJaHZgOPxW2Nd4BrC8/D0kmmeS1 XCiERjXbTzGwNNPHv9iEwzUS4/T03+IKDl9UNjtmD3AkYZNf1pToaCDFjaastD2tY6r+KfSk4MXNe rkzWxfXqvBwRrhx6nEhpEsmZ+JZ4iTRbzUaMl40Wgv9c/0xes2avQbrCRhvofUQ4k5nWoyQ1VluI6 7w9yDYWxbOCq5u7mO8e5PlWgbvtZZW5g==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwd7-0000ez-VR; Sun, 06 Sep 2020 15:30:58 +0000 Received: from mout.gmx.net ([212.227.15.19]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwUS-0008VS-9s for willy@infradead.org; Sun, 06 Sep 2020 15:22:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405707; bh=OsxpPblvcfbkLBG7YNry2w3YzWs9opU/5ZYfutycyP4=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=WdAsesRcMV68cWnh7AHo4lMG5EF3yv/IKp+HXjsNEtzXlYJLCQvPS16iqKGMbYpFc GeQ+OUaDxJR2iTy0ddSiIY8H0PJcWllNSempn1M5LhmizOlL2s8MpgJjMYYWY6sxcE DGXr+Rq8tBXFCu7HjqmBcGmAKRJjv5PbwQdcU5SY= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MplXz-1ktiIY1sC5-00qDKx; Sun, 06 Sep 2020 17:21:47 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 1/9] security/fbfam: Add a Kconfig to enable the fbfam feature Date: Sun, 6 Sep 2020 17:21:27 +0200 Message-Id: <20200906152127.7041-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:2u2gXcLhUDn9TTnBUfWY9zdvza+bDn2ZuoUGv9LzAMqYlfqshaa Z22NwRAHHZvIhSdQXi88KVnQ1rg7nvY7H2FTiiorpFOg2ffSlbtOP18HoALjboSFcC+Ueto /pbRLpyIfRM6wZzVwBKM1oL4G8hMozqdPTnwos/CcMGzCGKCPICbfZjVztn8vrzbkfWIZ4v xjOFWnELHWYuG+qIJGcUw== X-UI-Out-Filterresults: notjunk:1;V03:K0:wuvmYeR2Az0=:0uNCS8Ux1zJup5fojaQl+4 FLaCs/qiZqatmVYg4glHtMKzy50ZZHloLDIlM4SsP4fo/70xx2O6rx7hn0+BRMUZlIfrfIuHX cJGuttkcQcAYStyQVC6r3xi7ImxkM15ClFybN1+TZNwvzVgzQfm17cy23wIa39WtxDydM1YIW 16d7ZExY7ZbydmJCtuibu5c1dyjkRYI211wgBbCV7QjAqJSqX6EOXDtrOFuHGZm3IrTUBSug2 6n0f7UwLNsgoCW1o4bcA687gmKVuH50VhOWQNnYln/m9iRoWFukUP8P5g94sqwsA8QqtBpohX yZEeHiTd96fK/3TMUSLOgO4Q9wiHe1m9xV5FNgJydekUcHtQB8TGhXeFqts2ycbHrLt0QeYcY GwB3BKyjXt+o2wZeZ4cYmAKNhD12FkT0REGVd3XAoeWVAPTVhD4SEDagbJLDmH66o3E3Xeh1Z D8Q242o4JYzk3Sapn9yZ65BIWULrdd+Io9VfbIwJkxy2RlwvBwq8Csm/vBZ9DYBuA/XfH54zp 531y0hUYW1MHoishQqHjtYMSa2bUpKNrm6wNeFIxjVZCN9HDuEv0TUA0OEVAbUXGwP03FNq2x 3aS5zegAFT9nIfpjrahgfUd0VROfZc3dNpIWEABGlUabGd6IukTpjHHrOoEzjSzzwOMewcrtO w6p3sGuNeo+vRXBzvzQiBc8V59wSBgAllOuFbKbZdcYm3Ylx1OPdhRruQ7zlOHYVXGCxb+T3W n0cTuwU0GxlFjr+hJGDcVpgyT4xHsamqy0pmV/jMJ5XouVvtKeNCiCIHyXEfoFmQ90mI7zTes K4u75/dOuv+fEMlh40wbQQYJM5Uhjk7VzDzgIPx/lIXIBBapMVNb0EgsysTN/eZf/BCZm63XD kkPDNNuJiDj3RpsOgDrtt+lGjgELTuBFM4qlDnzvwv4jFloi5t1XvJLiL4sEl8rJO9JGRfbgB e+v3RUa8seBXYVdTma+xunnR8SEWM9a+gBLeHYYyaxyQQO2DW3/ee40wZ+HoJL1DzFwYt0wNK 216DGqQ9lfAvAOdRc34npkrcnTLJcMV4xt7MKi7t3k7UDmfGL4QzvJ2GAn0HgtBHrHb2MenKU vJUZNWS8tNBfhOAYdUaYjiKE5G+luvICD3xuI+nlx28un4ETw46NWykmoJ1owkOkjyIye0OXV rxcZkSdBpumU6ltNhAlzdHNKzcVSuFOx6+V8DKzWMOMv2X1zLqKlV9v42WE1k1BWP4gA4ZGZN knMtrcHxA6p1RsqmropDN6BPqRT9tv50c7MwfOA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162200_565156_EBED4387 X-CRM114-Status: GOOD ( 11.55 ) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org Add a menu entry under "Security options" to enable the "Fork brute force attack mitigation" feature. Signed-off-by: John Wood =2D-- security/Kconfig | 1 + security/fbfam/Kconfig | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 security/fbfam/Kconfig diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..00a90e25b8d5 100644 =2D-- a/security/Kconfig +++ b/security/Kconfig @@ -290,6 +290,7 @@ config LSM If unsure, leave this as the default. source "security/Kconfig.hardening" +source "security/fbfam/Kconfig" endmenu diff --git a/security/fbfam/Kconfig b/security/fbfam/Kconfig new file mode 100644 index 000000000000..bbe7f6aad369 =2D-- /dev/null +++ b/security/fbfam/Kconfig @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: GPL-2.0 +config FBFAM + bool "Fork brute force attack mitigation" + default n + help + This is a user defense that detects any fork brute force attack + based on the application's crashing rate. When this measure is + triggered the fork system call is blocked. + + If you are unsure how to answer this question, answer N. =2D- 2.25.1