Hi,

On Tue, Mar 30, 2021 at 02:40:38PM -0400, Valdis Klētnieks wrote:
> On Tue, 30 Mar 2021 19:34:59 +0200, John Wood said:
>
> > The question is: How can I notify the wait* functions that the task has
> > been killed by the "Brute" LSM?
>
> What wait* functions even *care* that your LSM was what killed it?
>
> If you're caring about somehow notifying userspace that it was your LSM
> specifically, remember that if your code works properly, only attackers
> get notified - and they can then determine "Ah, this system has Brute installed,
> we need to back off and fly under its radar".
>
> You're much better off sending a SIGKILL to the entire process group
> and be done with it. That way the bad guys get less information.

Thanks for the suggestion, but I will expose more info to try to clarify why
notifying userspace can be useful.

In a discussion with Andi Kleen in the v5 review [1] he explained to me some
cons of the current mitigation method. Without going into more detail, the
mitigation kills all the tasks involved in the attack, but a supervisor can
respawn the killed processes and the attack can be started again. So, he
suggested that by notifying userspace (via the wait*() functions) that a child
task has been killed by the "Brute" LSM, the supervisor can adopt the correct
policy and avoid respawning the killed processes.

[1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@xxxxxxx/

Thanks,
John Wood

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
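The thread turns on what a supervisor can actually learn from wait*() today. The following is an added example (not John Wood's code, not part of the Brute LSM, and not from the kernel patch under review): a minimal supervisor-side decoder for the status returned by waitpid(2), plus a hypothetical respawn policy. The point it makes concrete is the one in the exchange above: the wait status carries only the terminating signal number, so a SIGKILL delivered by an LSM is indistinguishable from a SIGKILL sent by `kill -9`, and any "do not respawn" policy based on the status alone has to be a guess. The `should_respawn()` rule (stop on SIGKILL, respawn on anything else) is an assumption made for illustration, not Brute behaviour.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What a supervisor can learn from a raw wait status. */
enum child_fate { FATE_EXITED, FATE_SIGNALED, FATE_OTHER };

struct child_exit {
    enum child_fate fate;
    int code;      /* exit code if FATE_EXITED */
    int sig;       /* terminating signal if FATE_SIGNALED */
    int coredump;  /* non-zero if the kernel reports a core dump */
};

/* Decode a raw wait status into the fields above. The status carries the
 * signal number only: nothing identifies the sender, so a SIGKILL from an
 * LSM looks exactly like one from `kill -9` (this is the limitation the
 * thread is discussing). */
void decode_wait_status(int status, struct child_exit *out)
{
    memset(out, 0, sizeof *out);
    if (WIFEXITED(status)) {
        out->fate = FATE_EXITED;
        out->code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        out->fate = FATE_SIGNALED;
        out->sig = WTERMSIG(status);
#ifdef WCOREDUMP
        out->coredump = WCOREDUMP(status) ? 1 : 0;
#endif
    } else {
        out->fate = FATE_OTHER;
    }
}

/* Hypothetical respawn policy (assumption for this example, not Brute LSM
 * behaviour): treat a SIGKILL as a possible mitigation kill and stop
 * respawning; clean exits and ordinary crash signals are respawned.
 * Returns 1 to respawn, 0 to stop. */
int should_respawn(const struct child_exit *e)
{
    if (e->fate == FATE_SIGNALED && e->sig == SIGKILL)
        return 0;
    return 1;
}

/* Fork a child that terminates itself with `sig` (or exits with `code` if
 * sig == 0), wait for it, and decode the real kernel-provided status.
 * Returns 0 on success, -1 if fork() or waitpid() failed. */
int run_child_and_wait(int sig, int code, struct child_exit *out)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sig)
            raise(sig);   /* SIGKILL cannot be caught: the child dies here */
        _exit(code);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    decode_wait_status(status, out);
    return 0;
}

int main(void)
{
    struct child_exit e;

    if (run_child_and_wait(SIGKILL, 0, &e) == 0)
        printf("child killed by signal %d, respawn=%d\n", e.sig, should_respawn(&e));
    if (run_child_and_wait(0, 3, &e) == 0)
        printf("child exited with code %d, respawn=%d\n", e.code, should_respawn(&e));
    return 0;
}
```

Note that waitid(2) with a `siginfo_t` does not help here either: it reports `CLD_KILLED` and the signal number in `si_status`, but still nothing about who sent the signal. That is why the thread asks for a new channel of information rather than a different decoding of the existing one.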