Date: Sun, 21 Mar 2021 11:01:03 -0700
From: Kees Cook
To: John Wood
Cc: Jann Horn, Randy Dunlap, Jonathan Corbet, James Morris, Shuah Khan, "Serge E. Hallyn", Greg Kroah-Hartman, Andi Kleen, kernel test robot, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v6 4/8] security/brute: Fine tuning the attack detection
Message-ID: <202103211038.99C87F12@keescook>
References: <20210307113031.11671-1-john.wood@gmx.com> <20210307113031.11671-5-john.wood@gmx.com> <202103171957.16C0560D@keescook> <20210320154648.GC3023@ubuntu>
In-Reply-To: <20210320154648.GC3023@ubuntu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Mar 20, 2021 at 04:46:48PM +0100, John Wood wrote:
> On Wed, Mar 17, 2021 at 09:00:51PM -0700, Kees Cook wrote:
> > On Sun, Mar 07, 2021 at 12:30:27PM +0100, John Wood wrote:
> > > +/**
> > > + * brute_reset_stats() - Reset the statistical data.
> > > + * @stats: Statistics to be reset.
> > > + * @is_setid: The executable file has the setid flags set.
> > > + *
> > > + * Reset the faults and period and set the last crash timestamp to now. This
> > > + * way, it is possible to compute the application crash period at the next
> > > + * fault. Also, save the credentials of the current task and update the
> > > + * bounds_crossed flag based on a previous network activity and the is_setid
> > > + * parameter.
> > > + *
> > > + * The statistics to be reset cannot be NULL.
> > > + *
> > > + * Context: Must be called with interrupts disabled and brute_stats_ptr_lock
> > > + * and brute_stats::lock held.
> > > + */
> > > +static void brute_reset_stats(struct brute_stats *stats, bool is_setid)
> > > +{
> > > + const struct cred *cred = current_cred();
> > > +
> > > + stats->faults = 0;
> > > + stats->jiffies = get_jiffies_64();
> > > + stats->period = 0;
> > > + stats->saved_cred.uid = cred->uid;
> > > + stats->saved_cred.gid = cred->gid;
> > > + stats->saved_cred.suid = cred->suid;
> > > + stats->saved_cred.sgid = cred->sgid;
> > > + stats->saved_cred.euid = cred->euid;
> > > + stats->saved_cred.egid = cred->egid;
> > > + stats->saved_cred.fsuid = cred->fsuid;
> > > + stats->saved_cred.fsgid = cred->fsgid;
> > > + stats->bounds_crossed = stats->network || is_setid;
> > > +}
> >
> > I would include brute_reset_stats() in the first patch (and add to it as
> > needed). To that end, it can start with a memset(stats, 0, sizeof(*stats));
>
> So, need all the struct fields to be introduced in the initial patch?
> Even if they are not needed in the initial patch? I'm confused.

No, I meant try to introduce as much infrastructure as possible early in
the series. In this case, I was suggesting having introduced
brute_reset_stats() at the start, so that in this patch you'd just be
adding the new fields to the function. (Instead of both adding new fields
and changing the execution pattern.)

> > > +/**
> > > + * brute_network() - Target for the socket_sock_rcv_skb hook.
> > > + * @sk: Contains the sock (not socket) associated with the incoming sk_buff.
> > > + * @skb: Contains the incoming network data.
> > > + *
> > > + * A previous step to detect that a network to local boundary has been crossed
> > > + * is to detect if there is network activity. To do this, it is only necessary
> > > + * to check if there are data packets received from a network device other than
> > > + * loopback.
> > > + *
> > > + * It's mandatory to disable interrupts before acquiring brute_stats_ptr_lock
> > > + * and brute_stats::lock since the task_free hook can be called from an IRQ
> > > + * context during the execution of the socket_sock_rcv_skb hook.
> > > + *
> > > + * Return: -EFAULT if the current task doesn't have statistical data. Zero
> > > + * otherwise.
> > > + */
> > > +static int brute_network(struct sock *sk, struct sk_buff *skb)
> > > +{
> > > + struct brute_stats **stats;
> > > + unsigned long flags;
> > > +
> > > + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
> > > + return 0;

I wonder if you need to also ignore netlink, unix sockets, etc., or does
the IFF_LOOPBACK cover those too?

> > > +
> > > + stats = brute_stats_ptr(current);
> >
> > Uhh, is "current" valid here? I actually don't know this hook very well.
>
> I think so, but I will try to study it. Thanks for noting this.

I think you might need to track the mapping of task to sock via
security_socket_post_create(), security_socket_accept(), and/or
security_socket_connect()? Perhaps just mark it once with
security_socket_post_create(), instead of running a hook on every
incoming network packet, too?

-Kees

> > > + read_lock_irqsave(&brute_stats_ptr_lock, flags);
> > > +
> > > + if (!*stats) {
> > > + read_unlock_irqrestore(&brute_stats_ptr_lock, flags);
> > > + return -EFAULT;
> > > + }
> > > +
> > > + spin_lock(&(*stats)->lock);
> > > + (*stats)->network = true;
> > > + spin_unlock(&(*stats)->lock);
> > > + read_unlock_irqrestore(&brute_stats_ptr_lock, flags);
> > > + return 0;
> > > +}
> >
> Thanks,
> John Wood

-- 
Kees Cook
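Review bot: the kernel-doc on brute_reset_stats() requires interrupts disabled and both brute_stats_ptr_lock and brute_stats::lock held, but nothing in the body checks that precondition; a lockdep_assert_held(&stats->lock) at the top would make the documented context enforceable under lockdep, since a caller that reaches this function without the lock would otherwise race the credential snapshot silently. The eight field-by-field copies into saved_cred (uid through fsgid) are also easy to desynchronise from the struct definition when a field is added later; grouping the saved ids in one struct assigned in a single statement, or starting from the memset(stats, 0, sizeof(*stats)) suggested in the thread and then setting only the non-zero fields, keeps the snapshot and the layout in step.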
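Review bot: in brute_network(), returning -EFAULT when the current task has no statistics reuses an error code that means a bad user-space address, and because the return value of the socket_sock_rcv_skb hook feeds the receive path's accept/drop decision, a task that merely has no stats turns into a packet error; returning 0 in the `if (!*stats)` branch (nothing to mark is not a failure) is the safer choice, and the "Return:" kernel-doc line should be updated to match. The hook also runs on every received packet and takes read_lock_irqsave() followed by spin_lock() each time only to set a one-way flag; testing `(*stats)->network` under the read lock and skipping the spinlock once it is already true removes the per-packet spinlock on the hot path, which lines up with the suggestion above to mark the task once from security_socket_post_create() instead of on every packet.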