Hi,

I'm working on an LSM whose goal is to detect and mitigate fork brute force attacks against vulnerable userspace applications. The detection and mitigation work as expected, but I'm stuck at this point.

The mitigation method used is to kill all the offending tasks involved in the attack. To do so, I kill the tasks using:

    do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID);

The question is: how can I notify the wait* functions that the task has been killed by the "Brute" LSM?

For example, in the function wait_task_zombie, in the "out_info:" label, the code is the following:

    out_info:
        infop = wo->wo_info;
        if (infop) {
            if ((status & 0x7f) == 0) {
                infop->cause = CLD_EXITED;
                infop->status = status >> 8;
            } else {
                infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
                infop->status = status & 0x7f;
            }
            infop->pid = pid;
            infop->uid = uid;
        }

I think I need to modify this code to achieve the goal described above, but I don't know how to proceed. Is it possible to kill a task in a way that this code can detect?

Now, with this code, we know that a task has been killed and with what signal. But is it possible to know that the task has been killed by the "Brute" LSM? For example, using the 8 upper bits in the status, which I think are unused when a process is killed or dumped.

Is it possible to use do_send_sig_info, passing to the struct kernel_siginfo the necessary information to be able to detect this scenario in the wait* functions? If yes, what info do I need to pass?

The final purpose of all of this is that, using the waitid function from userspace (or the waitpid function), we can know whether a child task has been killed by the "Brute" LSM or not. I am trying to inform userspace that a task has been killed due to the "Brute" mitigation.

Sorry, but I'm stuck at this point. Any help would be greatly appreciated.

Regards,
John Wood
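
As an added illustration (not part of the original post and not Brute LSM code), this userspace C program mirrors the "out_info:" decode quoted above and compares it with what waitid() reports for a child that its parent kills with SIGKILL. The names struct wait_report, decode_status and reap_killed_child are invented for this example.

```c
#define _POSIX_C_SOURCE 200809L /* waitid(), siginfo_t and the CLD_* codes */
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical holder for the two fields the quoted kernel code derives. */
struct wait_report { int cause; int status; };

/* Userspace mirror of the out_info: decode of a raw exit status. */
static struct wait_report decode_status(int status)
{
    struct wait_report r;
    if ((status & 0x7f) == 0) {          /* normal exit: code in bits 8..15 */
        r.cause = CLD_EXITED;
        r.status = status >> 8;
    } else {                             /* signal: number in low 7 bits */
        r.cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
        r.status = status & 0x7f;
    }
    return r;
}

/* Fork a child, SIGKILL it from the parent, return what waitid() reports. */
static int reap_killed_child(struct wait_report *out)
{
    siginfo_t info = {0};
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        for (;;)
            pause();                     /* child: wait to be killed */
    if (kill(pid, SIGKILL) < 0)
        return -1;
    if (waitid(P_PID, (id_t)pid, &info, WEXITED) < 0)
        return -1;
    out->cause = info.si_code;           /* infop->cause in the kernel code */
    out->status = info.si_status;        /* infop->status in the kernel code */
    return 0;
}

int main(void)
{
    struct wait_report seen, want = decode_status(SIGKILL);
    if (reap_killed_child(&seen) != 0) { perror("reap_killed_child"); return 1; }
    printf("waitid: si_code=%d si_status=%d, decode: cause=%d status=%d\n",
           seen.cause, seen.status, want.cause, want.status);
    return 0;
}
```

The parent receives only si_code == CLD_KILLED and si_status == SIGKILL, the same cause and status fields the quoted snippet fills in alongside pid and uid.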