Date: Tue, 23 Feb 2021 19:13:57 +0100
From: John Wood
To: Randy Dunlap, Kees Cook, Jann Horn, Jonathan Corbet, James Morris, Shuah Khan
Cc: John Wood, "Serge E. Hallyn", Greg Kroah-Hartman, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v3 3/8] securtiy/brute: Detect a brute force attack
Message-ID: <20210223181357.GA3068@ubuntu>
References: <20210221154919.68050-1-john.wood@gmx.com> <20210221154919.68050-4-john.wood@gmx.com> <085f8f05-243e-fbf0-3f9c-ea011511a296@infradead.org>
In-Reply-To: <085f8f05-243e-fbf0-3f9c-ea011511a296@infradead.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Sun, Feb 21, 2021 at 06:25:51PM -0800, Randy Dunlap wrote:
> Hi--
>
> On 2/21/21 7:49 AM, John Wood wrote:
> >
> > +/**
> > + * print_fork_attack_running() - Warn about a fork brute force attack.
> > + */
> > +static inline void print_fork_attack_running(void)
> > +{
> > +	pr_warn("Fork brute force attack detected [%s]\n", current->comm);
> > +}
>
> Do these pr_warn() calls need to be rate-limited so that they don't
> flood the kernel log?

I think it is not necessary since when a brute force attack through the fork
system call is detected, a fork warning appears only once. Then, all the
offending tasks involved in the attack are killed. But if the parent tries to
run again the same app already killed, a new crash will trigger a brute force
attack through the execve system call, then this parent is killed, and a new
warning message appears. Now, the parent and children are killed, the attacks
are mitigated and only a few messages (one or two) have been shown in the
kernel log.

Thanks,
John Wood

> > +/**
> > + * print_exec_attack_running() - Warn about an exec brute force attack.
> > + * @stats: Statistical data shared by all the fork hierarchy processes.
> > + *
> > + * The statistical data shared by all the fork hierarchy processes cannot be
> > + * NULL.
> > + *
> > + * Before showing the process name it is mandatory to find a process that holds
> > + * a pointer to the exec statistics.
> > + *
> > + * Context: Must be called with tasklist_lock and brute_stats_ptr_lock held.
> > + */
> > +static void print_exec_attack_running(const struct brute_stats *stats)
> > +{
> > +	struct task_struct *p;
> > +	struct brute_stats **p_stats;
> > +	bool found = false;
> > +
> > +	for_each_process(p) {
> > +		p_stats = brute_stats_ptr(p);
> > +		if (*p_stats == stats) {
> > +			found = true;
> > +			break;
> > +		}
> > 	}
> > +
> > +	if (WARN(!found, "No exec process\n"))
> > +		return;
> > +
> > +	pr_warn("Exec brute force attack detected [%s]\n", p->comm);
> > +}
>
>
> thanks.
> --
> ~Randy
>
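Review bot: the warning in print_fork_attack_running() identifies the attacker only by current->comm, so an operator reading the log cannot tell which of several same-named processes (or which fork hierarchy) was killed. Suggest logging the PID alongside the name, e.g. `pr_warn("Fork brute force attack detected [%s] pid %d\n", current->comm, task_pid_nr(current));`. On Randy's rate-limiting question: the reply argues each detection logs once and then kills the offenders, but the exec path it describes can re-trigger every time the parent is restarted, so `pr_warn_ratelimited()` would bound the log cost in that loop at no cost to the normal one-or-two-message case.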
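Review bot: print_exec_attack_running() documents that @stats cannot be NULL but never checks it; with a NULL argument the for_each_process() scan matches the first task whose brute_stats pointer is NULL and prints an unrelated process name instead of failing, so add `if (WARN_ON_ONCE(!stats)) return;` before the loop. Separately, the full task-list walk under tasklist_lock exists only to recover a comm for the log line; if the caller already knows the offending task (it has just detected the crash), passing that task_struct or its comm in removes the scan and the `found` bookkeeping, and the "No exec process" WARN() with it.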