Re: Read the "real_parent" field of task_struct

On Thu, 01 Oct 2020 19:49:02 +0200, John Wood said:

> Idea: The purpose of my LSM is to detect and mitigate a fork brute force
> attack. To do so, I need a hierarchy of fork processes. In other words, there
> is a pointer in the task_struct structure that points to a statistics data
> structure. This pointer is copied to the child process when a process forks.
> This way, all the tasks that fork with the same root share the same statistics.
> These statistics allow computing the application crashing period and detecting
> the attack.

How is this any better than applying a ulimit to the userid, and using the existing
audit subsystem for reporting the attack, which is what that subsystem was
designed for?

> But there is the case when the task 0 is allocated. In this case it's not
> possible to copy the parent pointer to the statistical data. Task 0 doesn't
> have a parent. In this scenario a new statistics structure needs to be allocated.

At that point, your LSM probably hasn't been initialized yet. If your LSM is being
called before task 0 (let alone task 1) is created, there's probably something
wonky going on.  Are you seeing this happen on an actual system?
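
Added example, not part of the original thread and not code from the LSM under discussion: a userspace C model of the scheme the quoted text describes, where a forked task copies its parent's statistics pointer and a parentless task (the task 0 case) gets a newly allocated structure. The names `fork_stats`, `task_fork` and `task_crash`, the reference count, the mean-interval calculation and both thresholds are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MIN_CRASHES  5   /* assumed: crashes needed before judging */
#define MIN_PERIOD  30   /* assumed: seconds; a shorter mean period is flagged */

struct fork_stats {          /* shared by every task in one fork hierarchy */
    int  refs;               /* tasks currently pointing at this structure */
    long crashes;
    long first_crash, last_crash;   /* timestamps in seconds */
};

struct task {
    struct task *real_parent;       /* NULL models task 0 */
    struct fork_stats *stats;
};

/* Fork: the child copies the parent's stats pointer; a parentless task gets a new one. */
struct task *task_fork(struct task *parent)
{
    struct task *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->real_parent = parent;
    t->stats = parent ? parent->stats : calloc(1, sizeof(*t->stats));
    if (!t->stats) { free(t); return NULL; }
    t->stats->refs++;
    return t;
}

/* Record a crash of t at time now, release t, and return 1 if the hierarchy's
 * mean crashing period has dropped below MIN_PERIOD. */
int task_crash(struct task *t, long now)
{
    struct fork_stats *s = t->stats;
    int attack = 0;
    if (s->crashes++ == 0) s->first_crash = now;
    s->last_crash = now;
    if (s->crashes >= MIN_CRASHES)
        attack = (s->last_crash - s->first_crash) / (s->crashes - 1) < MIN_PERIOD;
    if (--s->refs == 0) free(s);
    free(t);
    return attack;
}

int main(void)
{
    struct task *root = task_fork(NULL), *c;
    int flagged = 0;
    for (long now = 0; now < 5; now++)      /* constructed input: one crash per second */
        if ((c = task_fork(root))) flagged = task_crash(c, now);
    printf("flagged=%d\n", flagged);
    return 0;
}
```

Because the statistics belong to the hierarchy rather than to any one task, crashes of short-lived children still accumulate against the same root.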
