On Fri, 02 Apr 2021 14:49:32 +0200, John Wood said:

> the attack can be started again. So, he suggested that by notifying userspace
> (via the wait*() functions) that a child task has been killed by the "Brute" LSM,
> the supervisor can adopt the correct policy and avoid respawning the killed
> processes.
>
> [1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@xxxxxxx/

That patch contains the biggest problem with your idea:

+Moreover, this method is based on the idea that the protection doesn't act if
+the parent crashes. So, it would still be possible for an attacker to fork a
+process and probe itself. Then, fork the child process and probe itself again.
+This way, these steps can be repeated infinite times without any mitigation.

In general, "security" that has an obvious and easy way to bypass it isn't
providing any real security at all. If all it takes to bypass it is a double
fork, everybody who didn't just fall out of the tree will do a double fork.

In other words, anybody who's clued enough to write malware that actually works
and does the sort of attack you're trying to prevent should be able to fix the
malware to bypass your "security" with just a few added lines of code.
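Review bot: the quoted documentation lines describe a bypass (fork a process, let it probe and crash, fork again from the child, repeat) but do not say whether the LSM counters it or whether it is an accepted limitation; the text should state one or the other explicitly, since as written it documents that the protection "doesn't act if the parent crashes" and that the steps "can be repeated infinite times without any mitigation", which reads as a design gap rather than a documented trade-off.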
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies