On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > From: John Wood <john.wood@xxxxxxx> > > Add a menu entry under "Security options" to enable the "Fork brute > force attack mitigation" feature. [...] > +config FBFAM Please give this a more descriptive name than FBFAM. Some name where, if a random kernel developer sees an "#ifdef" with that name in some random piece of kernel code, they immediately have a rough idea for what kind of feature this is. Perhaps something like THROTTLE_FORK_CRASHES. Or something else that is equally descriptive. > + bool "Fork brute force attack mitigation" > + default n "default n" is superfluous and should AFAIK be omitted. > + help > + This is a user defense that detects any fork brute force attack > + based on the application's crashing rate. When this measure is > + triggered the fork system call is blocked. This help text claims that the mitigation will block fork(), but patch 6/6 actually kills the process hierarchy.
