Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2661357pxk; Sun, 6 Sep 2020 08:42:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyhm7ka+y1h0nnZmM1/Qdz8F/nDRyDa2H4I3rznB+3T/jbizGTxBEzBALjGtHxSJKfObURX X-Received: by 2002:a05:6402:1495:: with SMTP id e21mr17295497edv.146.1599406926373; Sun, 06 Sep 2020 08:42:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599406926; cv=none; d=google.com; s=arc-20160816; b=BmJ33LgHiv8R7AT7ZBFsDWKQ67vqzfRE2RtEefHAywqBTfQf6OdZvG1G+xQIjmBHN/ 8zUbDOWSVlL3XTWJyQeql2Gr5QPhldK8ZRm05JLJM0uY3ITv/Y35w2PIni1BvcbjDPef krmQMwbt1wKWdWv4XMV/RbB9YBTU3lu7lYeKGTXULHTG6L3L8AcHE58yFmqqfIY9AZO6 cFrk8vy7EjGnL3pBZFE5TuUjN3wbWadu0PCNd/3Vr0uR6oexwiuk5X+w4xuiUd4rtoW3 5gIexTtzTptNWWHCepHSsdXSOgkZZjT4ND1nRhaQ+/n3qUfYIU6DJfy3b3p4pNtZStLK a+Kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature; bh=HHWFRuEjpwIOXF7bCKWeM4a7Gbd1H7mpKL9VNiaPJTA=; b=IM96xf6i0NQfZnx7DdLzu6gkeBS7++a6PLhNbIXN+bRHyGuXLOnDmDF6nrDlh+A8G9 XRaZoDCOgt4HtuusF6CiC1CcUMKByEPWZPJsSsx+u9TWeQSKWbr20NqPU9EayonJOFMN Qi0dFlER+cuchsfWG5HWO4lqrahIoNU5uHHvqcM6U0NxGdOQRQOtHT/P4MVK6xdJO1+i lY6mCu/T9HwY2jy+9/sr5IQeMNZQt5VbxOb7zU1ys1JNJNBaBHZYkAEjpQDhZImTwVTm CglKECd32WvdCVKabQB9L33//L3ItlyIhyWZkxrSK1JcxZTNKPGXfzutdXuhCylxeZBx NvFg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=vRzoyIgE; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=cMQ4hK2t; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k24si8128012eja.436.2020.09.06.08.41.43; Sun, 06 Sep 2020 08:42:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=vRzoyIgE; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=cMQ4hK2t; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729010AbgIFPiR (ORCPT + 99 others); Sun, 6 Sep 2020 11:38:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59238 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728905AbgIFPh0 (ORCPT ); Sun, 6 Sep 2020 11:37:26 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B8ACC061573; Sun, 6 Sep 2020 08:37:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=HHWFRuEjpwIOXF7bCKWeM4a7Gbd1H7mpKL9VNiaPJTA=; b=vR zoyIgEAi4iUhcGAfu05yIGRGLtx/nVRFtggn80AnqsYPDc9KL0pFhrF5eAvXu05ZCOVw3QuT6tpXj htudfgpaP0aaDyrLM9l+i9zd1q7qlKDcFQVpB8dvPDI+7OSGvsFrSMMOlCK/dOz4dLSwEFr9X6jlq bXn9NPZbHQgtuIz8pNOn530Cmny6hS0qylaxd7FIv1qIAZpSJF7rGp8BRPaCjOGtmVqeKIt79APua SUEUAMoCXInqPnxmEDVDTLCJnqxwwU9hkt1nkTC5dhxWfmzFrJAXdKBGSaI8eO9seRoIKsHCzs4QW yTivDneKttLGahhNvYJF1PZHs1mBjhxw==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwj8-0000zW-71; Sun, 06 Sep 2020 15:37:10 +0000 Received: from mout.gmx.net ([212.227.17.22]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwW8-0000AK-Lu for willy@infradead.org; Sun, 06 Sep 2020 15:23:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405812; bh=VROIkO5uZFKsGitKUg2bOT0YSmMyUgd5L55Q6L52pS0=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=cMQ4hK2ttARkZw4TLHsi6zh7VJQMCP0tMItp+XlAPEUO04XF/56UG12jK9keoDhw/ atx93ZFSUod4OJLvP3k9lX6suGyu7qUNqqDg5gspwLZElUzNYRB1YHEqwph8sxKjO+ Soiv3XirEippebRHbB9uAgskbXsmQl5AfVsn0V34= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1M2O6Y-1kGZsT3j1q-003tW0; Sun, 06 Sep 2020 17:23:32 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 4/9] security/fbfam: Add a new sysctl to control the crashing rate threshold Date: Sun, 6 Sep 2020 17:23:17 +0200 Message-Id: <20200906152317.7205-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:mk3kJe9rY10ZeHn2yGb+zOmUatUjQwSkdPG9zxQvSGz0VpSRDFT IiAQRrxOwA+CJlE/QUXh740SI2r5nCQs+fY1wqF2ebIeiLQO7Z+yDcbV/FjQinR55Fnm9+q KbYjFECz43ELE1KRM8Gf3ceLvkzveOwV8N/5UNMlCcnJ9OJ9d4bJIuuw4rR9xjkjDM9xyfH orAdS6Vsi7VrOAkLAlHHw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:hEo3Gmz3Nb4=:IXXiDAOW56JBjOT/9+Rxas BoSQiGtyiEBmcCkFqqi617lG6/SGc7E1JS+NXfE6yLikbfTZ2sm/+gVsGpVmmzhkowL1FwVfk QOS8hKUw/zyR5mGXxlCjCet5M+ZFfNbPidlyU7g3kj+YWsTxXO3IQsNIn9hN98+L0uZjPBczX ky0Mm4R/zouGShz0EcRqfEtxWPwTIKoUhkXkID01ByYrHJYSeTcoT89Z882clzdohXppwLeJc zJaTiQ7ZB2jEsEzAQIY1BApv+fOkexJQod86QUhjtFxAo+Su0ARS0jX4IV8rt0VQOY3m1pRrV 4uErMsfnQx+cTaDqvgS6ZSKMS3VKkQQbvY7PuNrVH9gs8pVo131tzA3JizrnTaTZkgRf/Bgei HDLRJbaPcPneREctNQ+9x1DkUQcVD3va7jPXpCCNoxoP4aRhZyOKaXJ8hnlHpe3zWjonVnqx8 sEXolQ3V9bVYVsAlUFbK7oXRUYUrM0H3ExMcLWM74ziZEOrlUjiYTVszAie2TRisfryo2/mS4 YW/QTETlIpgCcDw0SsqngN5fhcx8SLUDUWEthjzCAyAkyiYXaa8ej8i1lNPzInu5DT+HGcOg5 GDj8huOz26tYRz5Q+VOL2CTClGAnScQTgLMBT9sc+8RdodgMqGI6jMx1wLBYyK2tna7jjAHwh tGsdIFaBp+PGBxa7mGLWs4S6Z0tSZxT+mBFbP9hP/1fb47uTFiXo5IICsEbtFdLMrQNocqJMv Qk1h3TIBLHl31wFyL4AvJ0hwcbV+n4+Fp8UOrZM3EvqxFqKwkApKMsZdK1seuSzzm3tQKapUm qc7si+tMvt9iOYqwkRB47voi3h9J57vAFcpgGUoenNgMmNlTo/+B9Jl0K/ArtMzY2A1/H731T aPYm2ADr/lmxdHy7iMcNBhXnr+rpmnmmMLU/7KmbPEExGkr+Q5tCwr3IAjpg4HIwIbyrcb/Lx Wb9vHPOf8xzBltd6p1mMyQKTzP+S682jxIAoPLbuGhH/CQOj+oe9QVO/74BONmsZc9AaW/Gwv G5cyBd66SF4jkEKQYN9L5YrXrRa5fCCdGkH+QqlhWiIRTVyesvLqSMDzf4KRJ5ZKIKcA06I8Q MNosmeXK8sf38Q0T4U0qvhGSFRJcGDVv7jw2yMdPfSHl806KY3AkmzVdCghR6woP3KJQSgeLg K3nOWHgEaQw8rCKcEmNam0EUuXvIbZ8fbkLW+IuTcT9kUFmPHlU5qbq1pDFOvIE5ur78qf37+ +LO4gV8rcRpZnfOo9adVVS1cu3ifVAICvUbmZIw== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162344_889745_5F17CC16 X-CRM114-Status: GOOD ( 15.38 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.4 on casper.infradead.org summary: Content analysis details: (-2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.17.22 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.17.22 listed in wl.mailspike.net] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is a previous step to add the detection feature. A fork brute force attack will be detected when an application crashes quickly. Since, a rate can be defined as a time per fault, add a new sysctl to control the crashing rate threshold. This way, each system can tune the detection's sensibility adjusting the milliseconds per fault. So, if the application's crashing rate falls under this threshold an attack will be detected. So, the higher this value, the faster an attack will be detected. Signed-off-by: John Wood =2D-- include/fbfam/fbfam.h | 4 ++++ kernel/sysctl.c | 9 +++++++++ security/fbfam/Makefile | 1 + security/fbfam/fbfam.c | 11 +++++++++++ security/fbfam/sysctl.c | 20 ++++++++++++++++++++ 5 files changed, 45 insertions(+) create mode 100644 security/fbfam/sysctl.c diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index b5b7d1127a52..2cfe51d2b0d5 100644 =2D-- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -3,8 +3,12 @@ #define _FBFAM_H_ #include +#include #ifdef CONFIG_FBFAM +#ifdef CONFIG_SYSCTL +extern struct ctl_table fbfam_sysctls[]; +#endif int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 287862f91717..104b70c98251 100644 =2D-- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -77,6 +77,8 @@ #include #include +#include + #ifdef CONFIG_X86 #include #include @@ -2661,6 +2663,13 @@ static struct ctl_table kern_table[] =3D { .extra1 =3D SYSCTL_ZERO, .extra2 =3D SYSCTL_ONE, }, +#endif +#ifdef CONFIG_FBFAM + { + .procname =3D "fbfam", + .mode =3D 0555, + .child =3D fbfam_sysctls, + }, #endif { } }; diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile index f4b9f0b19c44..b8d5751ecea4 100644 =2D-- a/security/fbfam/Makefile +++ b/security/fbfam/Makefile @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_FBFAM) +=3D fbfam.o +obj-$(CONFIG_SYSCTL) +=3D sysctl.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 0387f95f6408..9be4639b72eb 100644 =2D-- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -7,6 +7,17 @@ #include #include +/** + * sysctl_crashing_rate_threshold - Crashing rate threshold. + * + * The rate's units are in milliseconds per fault. + * + * A fork brute force attack will be detected if the application's crashi= ng rate + * falls under this threshold. So, the higher this value, the faster an a= ttack + * will be detected. + */ +unsigned long sysctl_crashing_rate_threshold =3D 30000; + /** * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. diff --git a/security/fbfam/sysctl.c b/security/fbfam/sysctl.c new file mode 100644 index 000000000000..430323ad8e9f =2D-- /dev/null +++ b/security/fbfam/sysctl.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +extern unsigned long sysctl_crashing_rate_threshold; +static unsigned long ulong_one =3D 1; +static unsigned long ulong_max =3D ULONG_MAX; + +struct ctl_table fbfam_sysctls[] =3D { + { + .procname =3D "crashing_rate_threshold", + .data =3D &sysctl_crashing_rate_threshold, + .maxlen =3D sizeof(sysctl_crashing_rate_threshold), + .mode =3D 0644, + .proc_handler =3D proc_doulongvec_minmax, + .extra1 =3D &ulong_one, + .extra2 =3D &ulong_max, + }, + { } +}; + =2D- 2.25.1