Subject: Re: [PATCH v3 3/8] securtiy/brute: Detect a brute force attack
To: John Wood, Kees Cook, Jann Horn, Jonathan Corbet, James Morris, Shuah Khan
Cc: "Serge E. Hallyn", Greg Kroah-Hartman, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org
References: <20210221154919.68050-1-john.wood@gmx.com> <20210221154919.68050-4-john.wood@gmx.com>
From: Randy Dunlap
Date: Sun, 21 Feb 2021 18:47:16 -0800
In-Reply-To: <20210221154919.68050-4-john.wood@gmx.com>

Hi--

scripts/kernel-doc does not like these items to be marked as being in kernel-doc notation. scripts/kernel-doc does not recognize them as one of: struct, union, enum, typedef, so it defaults to trying to interpret these as functions, and then says:

(I copied these blocks to my test megatest.c source file.)

../src/megatest.c:1214: warning: cannot understand function prototype: 'const u64 BRUTE_EMA_WEIGHT_NUMERATOR = 7; '
../src/megatest.c:1219: warning: cannot understand function prototype: 'const u64 BRUTE_EMA_WEIGHT_DENOMINATOR = 10; '
../src/megatest.c:1228: warning: cannot understand function prototype: 'const unsigned char BRUTE_MAX_FAULTS = 200; '
../src/megatest.c:1239: warning: cannot understand function prototype: 'const unsigned char BRUTE_MIN_FAULTS = 5; '
../src/megatest.c:1249: warning: cannot understand function prototype: 'const u64 BRUTE_CRASH_PERIOD_THRESHOLD = 30000; '

On 2/21/21 7:49 AM, John Wood wrote:
> > +/** > + * brute_stats_ptr_lock - Lock to protect the brute_stats structure pointer. > + */ > +static DEFINE_RWLOCK(brute_stats_ptr_lock); > +/** > + * BRUTE_EMA_WEIGHT_NUMERATOR - Weight's numerator of EMA.
> + */ > +static const u64 BRUTE_EMA_WEIGHT_NUMERATOR = 7; > +/** > + * BRUTE_EMA_WEIGHT_DENOMINATOR - Weight's denominator of EMA. > + */ > +static const u64 BRUTE_EMA_WEIGHT_DENOMINATOR = 10; > +/** > + * BRUTE_MAX_FAULTS - Maximum number of faults. > + * > + * If a brute force attack is running slowly for a long time, the application > + * crash period's EMA is not suitable for the detection. This type of attack > + * must be detected using a maximum number of faults. > + */ > +static const unsigned char BRUTE_MAX_FAULTS = 200; > +/** > + * BRUTE_MIN_FAULTS - Minimum number of faults. > + * > + * The application crash period's EMA cannot be used until a minimum number of > + * data has been applied to it. This constraint allows getting a trend when this > + * moving average is used. Moreover, it avoids the scenario where an application > + * fails quickly from execve system call due to reasons unrelated to a real > + * attack. > + */ > +static const unsigned char BRUTE_MIN_FAULTS = 5; > +/** > + * BRUTE_CRASH_PERIOD_THRESHOLD - Application crash period threshold. > + * > + * The units are expressed in milliseconds. > + * > + * A fast brute force attack is detected when the application crash period falls > + * below this threshold. > + */ > +static const u64 BRUTE_CRASH_PERIOD_THRESHOLD = 30000;

Basically we don't support scalars in kernel-doc notation...

-- 
~Randy
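
Review bot: The `/**` openers on the five `static const` scalars should be plain `/*` comments, because none of these declarations is a struct, union, enum, typedef or function, which is what the quoted kernel-doc warnings report. Separately, `BRUTE_MAX_FAULTS` and `BRUTE_MIN_FAULTS` are declared `unsigned char`, and with `BRUTE_MAX_FAULTS = 200` the limit cannot be raised above 255 without changing the type; `unsigned int` would leave room for retuning. The comments on `BRUTE_EMA_WEIGHT_NUMERATOR` and `BRUTE_EMA_WEIGHT_DENOMINATOR` do not say whether the 7/10 weight applies to the newest crash period or to the previous average, and that is worth stating since it decides how quickly the detector reacts. `BRUTE_CRASH_PERIOD_THRESHOLD = 30000` would be easier to audit written as `30 * MSEC_PER_SEC`, so the unit is visible in the value and not only in the comment.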