Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1267443pxb;
        Sun, 21 Feb 2021 18:49:24 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyhlBBoRtPyg1RKWiLPRV7Dv+u4EMHTQ1EjsZKBjuH/yKeyYkAfCuJNy3kgL23C2OqR2T6T
X-Received: by 2002:a17:907:111b:: with SMTP id qu27mr19668146ejb.453.1613962163919;
        Sun, 21 Feb 2021 18:49:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1613962163; cv=none;
        d=google.com; s=arc-20160816;
        b=t8lswI/mxmJf0CzunUj5tIic+iGLKlhEBio6RLXciBXh13N4RxSvawiiBL9xf5p0Le
         3XZI9zOuBKwDcEzH21q/p5HGo666zMe7RB1ugPKCSUudxjYNeKA58dYaS32n+795bARz
         J5bM5l+yd0GY9hV2vfnLL5yDVXFMt+xp1jrz1kfuRGtyZ81EUVhHP9cyTw76wF20HJm8
         F+jjEq1a/cCPagBIBz+3e29ZmrzbxizHTW9z1N/k42v9/VKC8BApi/B9JCkdjGSXXMxQ
         gtxQCDu2B4YsTZbovFSmdTx7X2zNp+wLYQgd1wY8A+abYfPQeRgzYTXECAGp/KiW9Uw+
         Coxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=5fFHNeJ8nqeNMa0DGHcRPcH+3cOuL7XbveGYEMFXDD0=;
        b=BYWU4XeVxp/J4J5iS4s3VZoFoKo08hbvTJHvWrzWnFQBrcL8xmwYoX0PSU2IRw2srU
         o5XiBxtn2vSmG7UziaV0fu7Sfb9MOP0rug6PfKi+Hkutm+kfMujcsrkPqJc0PzvsDkxY
         Vx/arq8CGlPju6nmUJ4coyjspsteu5+7wrfxon5Ms5bchHpmSv4q8mKV9kfUXgSsEZBp
         NLrWPDZmxyQ3YREKXcOmQodNaLvcFkzByzV01C/+BVqJx3pMp/P2FUsqI3/QPVA8vhE2
         G/1sN31osuFMLr1LADm3SUpS7Tv0LQwdHtPi5Brj+xR1FIwZZYbTC928enA5Cims2Bpu
         70sw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@infradead.org header.s=merlin.20170209 header.b=zv4edCC+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bs2si10096008edb.459.2021.02.21.18.49.00;
        Sun, 21 Feb 2021 18:49:23 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infradead.org header.s=merlin.20170209 header.b=zv4edCC+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231671AbhBVCsP (ORCPT <rfc822;lsq991025@gmail.com> + 99 others);
        Sun, 21 Feb 2021 21:48:15 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50236 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231871AbhBVCsG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 21 Feb 2021 21:48:06 -0500
Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1BD12C061574;
        Sun, 21 Feb 2021 18:47:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:Content-Type:
        In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender
        :Reply-To:Content-ID:Content-Description;
        bh=5fFHNeJ8nqeNMa0DGHcRPcH+3cOuL7XbveGYEMFXDD0=; b=zv4edCC+GUZ4S1hKw2n1qVccHA
        SyAdKzZ7/YhO7qCGFXhKPPMOylEbFxDAr3gyFcD+aWyX7xIx/6p393eHfreBW3ie4QmMpK/fm81Bn
        VZg+wbJHlpaMhy/OexPEqs2ay95PZ97d006cElTeOeBdu50B12NLBz3h+Gl0Q54P4S2AQ4Cuq9yE8
        BnfK+54Y9cUu52AYwqTyGiyPerKvaKwtu4W9BqkMib187LitIbX5AWpKuN8nhXdNCISllSyZV3nw0
        RcPrJWAo0C5WilVYiksG1s7MyFmNEyhvjkZFw5dYkxLNaT+C6UTobqz3cDtYT2UmpB5ffJ3KahLbz
        EwpxiH5Q==;
Received: from [2601:1c0:6280:3f0::d05b]
        by merlin.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux))
        id 1lE1Fq-0001g8-QV; Mon, 22 Feb 2021 02:47:23 +0000
Subject: Re: [PATCH v3 3/8] securtiy/brute: Detect a brute force attack
To:     John Wood <john.wood@gmx.com>, Kees Cook <keescook@chromium.org>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        James Morris <jmorris@namei.org>, Shuah Khan <shuah@kernel.org>
Cc:     "Serge E. Hallyn" <serge@hallyn.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kselftest@vger.kernel.org
References: <20210221154919.68050-1-john.wood@gmx.com>
 <20210221154919.68050-4-john.wood@gmx.com>
From:   Randy Dunlap <rdunlap@infradead.org>
Message-ID: <f4fd9e44-539e-279e-a3a6-8af39f863f73@infradead.org>
Date:   Sun, 21 Feb 2021 18:47:16 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.7.0
MIME-Version: 1.0
In-Reply-To: <20210221154919.68050-4-john.wood@gmx.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi--

scripts/kernel-doc does not like these items to be marked
as being in kernel-doc notation. scripts/kernel-doc does not
recognize them as one of: struct, union, enum, typedef, so it
defaults to trying to interpret these as functions, and then
says:

(I copied these blocks to my test megatest.c source file.)


../src/megatest.c:1214: warning: cannot understand function prototype: 'const u64 BRUTE_EMA_WEIGHT_NUMERATOR = 7; '
../src/megatest.c:1219: warning: cannot understand function prototype: 'const u64 BRUTE_EMA_WEIGHT_DENOMINATOR = 10; '
../src/megatest.c:1228: warning: cannot understand function prototype: 'const unsigned char BRUTE_MAX_FAULTS = 200; '
../src/megatest.c:1239: warning: cannot understand function prototype: 'const unsigned char BRUTE_MIN_FAULTS = 5; '
../src/megatest.c:1249: warning: cannot understand function prototype: 'const u64 BRUTE_CRASH_PERIOD_THRESHOLD = 30000; '


On 2/21/21 7:49 AM, John Wood wrote:
> 
> +/**
> + * brute_stats_ptr_lock - Lock to protect the brute_stats structure pointer.
> + */
> +static DEFINE_RWLOCK(brute_stats_ptr_lock);

> +/**
> + * BRUTE_EMA_WEIGHT_NUMERATOR - Weight's numerator of EMA.
> + */
> +static const u64 BRUTE_EMA_WEIGHT_NUMERATOR = 7;

> +/**
> + * BRUTE_EMA_WEIGHT_DENOMINATOR - Weight's denominator of EMA.
> + */
> +static const u64 BRUTE_EMA_WEIGHT_DENOMINATOR = 10;

> +/**
> + * BRUTE_MAX_FAULTS - Maximum number of faults.
> + *
> + * If a brute force attack is running slowly for a long time, the application
> + * crash period's EMA is not suitable for the detection. This type of attack
> + * must be detected using a maximum number of faults.
> + */
> +static const unsigned char BRUTE_MAX_FAULTS = 200;

> +/**
> + * BRUTE_MIN_FAULTS - Minimum number of faults.
> + *
> + * The application crash period's EMA cannot be used until a minimum number of
> + * data has been applied to it. This constraint allows getting a trend when this
> + * moving average is used. Moreover, it avoids the scenario where an application
> + * fails quickly from execve system call due to reasons unrelated to a real
> + * attack.
> + */
> +static const unsigned char BRUTE_MIN_FAULTS = 5;

> +/**
> + * BRUTE_CRASH_PERIOD_THRESHOLD - Application crash period threshold.
> + *
> + * The units are expressed in milliseconds.
> + *
> + * A fast brute force attack is detected when the application crash period falls
> + * below this threshold.
> + */
> +static const u64 BRUTE_CRASH_PERIOD_THRESHOLD = 30000;

Basically we don't support scalars in kernel-doc notation...

-- 
~Randy