Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1453886pxf; Fri, 12 Mar 2021 09:50:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJxZnpMRTg6N1yw+SjZUBL8Sq3rd9GuozLv+IA6EfEg4b0D0zZE0sBhfHZsdX+WpcuQ8siAi X-Received: by 2002:a05:6402:704:: with SMTP id w4mr16231500edx.175.1615571402123; Fri, 12 Mar 2021 09:50:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615571402; cv=none; d=google.com; s=arc-20160816; b=TjpbF9tbFBJAy9qULrrrcoQdZ7JrMuV2r1Q3RU8wNXr/ZQBiqzKdOOJ7+PJzUHdatU 7qdX7slGPupmZUeK+QY8jyrgqYK5xCXXh/XVNFLvnaKm6lIKmAdujm8B5oDSCjJtfl1S uQ+tzd6tlkYTBgOz473LNR4Xvf338txgClt+MQypYjWd35F14buG7vRW6+VJwVv84tgG WjfSK0q1/Fmc2K3KNTlmiGpkhGSzdiaVtjWquTDnQC9cms3jDqbafEL23US8cbhaFW2k snz05aIvcHFlv6yvuWUULx9BEl8QdmtTqgNT0wTvXAz5uNMZIyUow+Zr42kysXRNYCEk k2mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=96okdsjmYxkyuvU3jynnJpcGFMFp7wUO4yXvIopds0o=; b=lapqRqe0OzfAyAVxWlF2k+TlZgD42yw3aeI60Vhk9nlp/DcFqPmjwhX+Ff7xtaCCyK rIP8UzqTBT9ivcn5Bt7jGusvi1QKwBUlBDbXjKJUCZUxgrdpOd6u3mqaU/7wpyJIy3ZI /DsLP5A0x1/+jNw8j5sgehP6rs/yDXB0VFbw3R3IiY+w0oKr1Z21R9zbwLIpkeOD72FG hkU4/G0GaJPJVxpNJCajUL3hC6X9M5pVZDr1zJABFAjAXGklJZLNMYa4pi5mxJ24NKjQ /7agH073uZ/nUZ2InJnMCcPySEjlEawZZrEQXus8KsMvTsIiKilg+hwrn3+2i3PhFa6i HnYg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=dqkbj0HP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a4si4840761edq.271.2021.03.12.09.49.39; Fri, 12 Mar 2021 09:50:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=dqkbj0HP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232255AbhCLRso (ORCPT + 99 others); Fri, 12 Mar 2021 12:48:44 -0500 Received: from mout.gmx.net ([212.227.17.21]:39525 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232986AbhCLRsa (ORCPT ); Fri, 12 Mar 2021 12:48:30 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1615571277; bh=N7aaRYZfX/Hb6VlN8Wx+85FD6PVBAfrso1H+m3RhVgI=; h=X-UI-Sender-Class:Date:From:To:Cc:Subject:References:In-Reply-To; b=dqkbj0HPv6IV6VLmjL2AunUTiuhd3XZppUip+EU++Lv1CBjXMi0q1DIVd6E9PONkg yBaD5Abld3wV4pG9SHf6j7FAtb/U99bTalzVylotpn9vyknFOOpqDhHFn7JdoL5Mkm VtGT2OKRd22A+feY3HTTQQezJuH+nqlqpcFQCnHk= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from ubuntu ([83.52.229.153]) by mail.gmx.net (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1M7sHy-1lOdmI3LaU-004xcl; Fri, 12 Mar 2021 18:47:57 +0100 Date: Fri, 12 Mar 2021 18:47:51 +0100 From: John Wood To: Andi Kleen Cc: John Wood , Kees Cook , Jann Horn , Randy Dunlap , Jonathan Corbet , James Morris , Shuah Khan , "Serge E. Hallyn" , Greg Kroah-Hartman , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v5 7/8] Documentation: Add documentation for the Brute LSM Message-ID: <20210312174751.GB3103@ubuntu> References: <878s78dnrm.fsf@linux.intel.com> <20210302183032.GA3049@ubuntu> <20210307151920.GR472138@tassilo.jf.intel.com> <20210307164520.GA16296@ubuntu> <20210307172540.GS472138@tassilo.jf.intel.com> <20210307180541.GA17108@ubuntu> <20210307224927.GT472138@tassilo.jf.intel.com> <20210309184054.GA3058@ubuntu> <20210311182252.GA3349@ubuntu> <20210311200811.GH203350@tassilo.jf.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210311200811.GH203350@tassilo.jf.intel.com> X-Provags-ID: V03:K1:IUthEqD1fZ9e0K8Z2cjFF7rovLU03kPvwTyh75j6PKDuHOoiQDU QEPH5uc4EbVEB5MQbG4jK0nNoUKsYW+xa8qKA3qSN3U0Oe/cUSyjP1QEXV8XyjnZb/QirhO maBhqRkbARdxEaucB1YV6TkiVH+V9g/iljzJXTgZjMHDAMhQponafjwjTyCwaaIFKRmzQRd 5lHdpa2QoMcLV0Jg5MoEg== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:MHKN75O+KwE=:qy5atky2c0DlG84lzjYs1m iHPrnxxMvxMmvLXO6PhxCzQl5IggF6i2ZAxG48eZM6hntijGVKhUK8w/yluHp2Rg7Ig8FU2Iw FG6qZdHgjyYI2loJ22t7dvUC/ius00oTQY82YLy+aPn3Y+WbIHJPujCCedLb2qApieTCQ0Cwi Owj2+gTujdzplUbuD0aAHutXzr54Iv0jfdXGG2ql2NLueCTzmz5ApSa77IApQthTTVtzGNQ4L FLkgINQebbs88KAx18x/BeFOfe/wAqxYF45qGFuBv0B/TK2cEHMiliSSnrUvmfDjlQ8B5FWzR 0dbp8TY8c4UzTSb86uT+pz7JEFr11oddQpNHG3XPFQm+bsvn31uyfwV2GpGNJh1NH5xMfV1wE oDHOsRTGdxN1UIU5eoifRpqp4hwDoC26Y+/XEvuY0kKcGMUmSXj+st9hEKwPka+ZqbZneVe06 O9VZCEXtf1/RhT2dGWAJH8Jf5bmsMAzyJQ0Ju0L4wiVfYYkxiteFUC61SONuCsKpS79XcOPHo vv7SmCWpEcDV/xFhVIm4C72XrKkh9aJIKOcDfmOPkG7O7DRd1X6Z/nX1aApPKR822pVelITug l+yDgfQPtnl7AZMIwm9q5sbBlS67ZSwYUuBgLhXaqMuN7nnPhN6tQCYl2bQ9zcg4sy1HpzSJd yfWMMzrf2NdDJgfnOugRhM1dLGWjoXNW9/FUxzSfa3R/8Y8EU7VPd+RiLgn++hb6ttBoGlmmd mcoU2I9+iqzrmEHjESnyAq0SQPSQGcTnekPwhZ8l3s/SiMTbdf5DlbtqTXq8U5OSlS0E1Ixom gXTzCWO0D7Srif0BAGtD9JEcL2OHNwntX07M4nvTkAly2e4LZEtIgs1puYjsICu4I8YJwwXVi 6+DhvQHYDAuZtMt2/R3w== Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 11, 2021 at 12:08:11PM -0800, Andi Kleen wrote: > > When a brute force attack is detected through the fork or execve syste= m call, > > all the tasks involved in the attack will be killed with the exception= of the > > init task (task with pid equal to zero). Now, and only if the init tas= k is > > involved in the attack, block the fork system call from the init proce= ss during > > a user defined time (using a sysctl attribute). This way the brute for= ce attack > > is mitigated and the system does not panic. > > That means nobody can log in and fix the system during that time. > > Would be better to have that policy in init. Perhaps add some way > that someone doing wait*() can know the exit was due this mitigation > (and not something way) Then they could disable respawning of that daemo= n. Great. So, if we use wait*() to inform userspace that the exit of a proces= s was due to a brute force attack then, the supervisors (not only init) can adop= t the necessary policy in each case. This also allow us to deal with the respawn= ed daemons. As a summary of this useful discussion: - When a brute force attack is detected through the fork or execve system = call all the offending tasks involved in the attack will be killed. Due to th= e mitigation normally not reach init, do nothing special in this case -> t= he system will panic when we kill init. - Use wait*() to inform userspace that every process killed by the mitigat= ion has exited due to a brute force attack mitigation. So, each supervisor c= an adopt their own policy regarding respawned daemons. I will work in that direction for the next version. Thanks a lot for your time, proposals, guidance and solutions. John Wood