On Thu, Sep 10, 2020 at 11:21:58PM +0200, Jann Horn wrote:
> On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > From: John Wood <john.wood@xxxxxxx>
> >
> > Add a menu entry under "Security options" to enable the "Fork brute
> > force attack mitigation" feature.
> [...]
> > +config FBFAM
>
> Please give this a more descriptive name than FBFAM. Some name where,
> if a random kernel developer sees an "#ifdef" with that name in some
> random piece of kernel code, they immediately have a rough idea for
> what kind of feature this is.
>
> Perhaps something like THROTTLE_FORK_CRASHES. Or something else that
> is equally descriptive.

Ok, understood. This will be fixed for the next version. Thanks.

> > +	bool "Fork brute force attack mitigation"
> > +	default n
>
> "default n" is superfluous and should AFAIK be omitted.

Ok. I will remove it. Thanks.

> > +	help
> > +	  This is a user defense that detects any fork brute force attack
> > +	  based on the application's crashing rate. When this measure is
> > +	  triggered the fork system call is blocked.
>
> This help text claims that the mitigation will block fork(), but patch
> 6/6 actually kills the process hierarchy.

Sorry, it's a mistake. It was the first idea, but finally the implementation changed and this description was not modified. Apologies. It will be fixed for the next version.

Thanks,
John Wood
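Review bot: The help text in the quoted `+config FBFAM` hunk both overclaims and under-specifies: "detects any fork brute force attack" promises more than a crash-rate heuristic can deliver, the text gives neither the crash rate nor the threshold at which the defense triggers (nor how that threshold is determined), and the stated response ("the fork system call is blocked") contradicts patch 6/6, which kills the process hierarchy. Suggest rewording along the lines of: "Detects fork brute force attacks by monitoring the crash rate of an application's forked processes; when the rate exceeds the threshold, the offending process hierarchy is killed", and state in the same paragraph how the threshold is set.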
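The mechanism under discussion (count crashes of an application's forked children and act once the crash rate crosses a threshold) can be modelled in user space. The program below is an added example, not code from the patch series or from anyone in this thread: a parent forks workers, each of which either exits cleanly or dies from a signal, and a sliding window over the last WINDOW children decides whether the defense fires. The window size, the threshold, and the choice to simply stop forking rather than kill the process hierarchy are assumptions of this model, not properties of the kernel patches.

```c
/*
 * Added example (not from the patch series or the thread): a user-space
 * model of a crash-rate based fork throttle.  WINDOW and THRESHOLD are
 * assumed values; a real mitigation would kill the hierarchy where this
 * model merely stops forking and reports that it fired.
 */
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define WINDOW    8   /* number of most recent children considered */
#define THRESHOLD 5   /* crashes within WINDOW that trigger the mitigation */

struct crash_monitor {
    bool history[WINDOW];   /* ring buffer: true = that child crashed */
    int pos;                /* next slot to overwrite */
    int filled;             /* slots holding data (<= WINDOW) */
    int crashes;            /* crashes currently inside the window */
};

/* Record one child's fate; return true once the window holds THRESHOLD crashes. */
static bool monitor_record(struct crash_monitor *m, bool crashed)
{
    if (m->filled == WINDOW) {
        if (m->history[m->pos])
            m->crashes--;           /* evict the oldest entry */
    } else {
        m->filled++;
    }
    m->history[m->pos] = crashed;
    if (crashed)
        m->crashes++;
    m->pos = (m->pos + 1) % WINDOW;
    return m->crashes >= THRESHOLD;
}

/* Child body: die from a fatal signal on "crash", exit cleanly otherwise. */
static void child_body(bool crash)
{
    struct rlimit no_core = { 0, 0 };
    setrlimit(RLIMIT_CORE, &no_core);   /* don't litter the cwd with core files */
    if (crash)
        raise(SIGSEGV);
    _exit(0);
}

/*
 * Fork up to max_forks children; child i crashes when should_crash(i) is true.
 * Returns the number of forks performed when the mitigation fired, 0 if it
 * never fired, or -1 on a fork/wait error.
 */
int run_fork_monitor(int max_forks, bool (*should_crash)(int))
{
    struct crash_monitor m;
    memset(&m, 0, sizeof m);

    for (int i = 0; i < max_forks; i++) {
        pid_t pid = fork();
        if (pid < 0) {
            perror("fork");
            return -1;
        }
        if (pid == 0)
            child_body(should_crash(i));

        int status;
        if (waitpid(pid, &status, 0) < 0) {
            perror("waitpid");
            return -1;
        }
        /* Any signal death counts as a crash (SIGSEGV, SIGABRT, ...). */
        bool crashed = WIFSIGNALED(status);
        if (monitor_record(&m, crashed))
            return i + 1;   /* a real mitigation would kill the hierarchy here */
    }
    return 0;
}

/* Constructed crash patterns for demonstration. */
static bool always_crash(int i) { (void)i; return true; }
static bool never_crash(int i)  { (void)i; return false; }
static bool every_other(int i)  { return (i % 2) == 0; }

int main(void)
{
    printf("all crash : fired after %d forks\n", run_fork_monitor(20, always_crash));
    printf("none crash: fired after %d forks\n", run_fork_monitor(20, never_crash));
    printf("50%% crash : fired after %d forks\n", run_fork_monitor(20, every_other));
    return 0;
}
```

With these parameters a workload in which every child crashes trips the monitor on the fifth fork, while one in which only every other child crashes never does, because at most four of the last eight children are crashes; that is the property a crash-rate heuristic is meant to have, and the one a Kconfig help text should state explicitly.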