Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1971164pxj; Sat, 5 Jun 2021 08:30:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxc5QSwxLizU7KDstFfi4gASWlbWhZ9+oDL9rCCwKyMyOl3wSIa00cWolTlunUXBVbpZmH3 X-Received: by 2002:a17:906:c311:: with SMTP id s17mr9466564ejz.202.1622907028037; Sat, 05 Jun 2021 08:30:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622907028; cv=none; d=google.com; s=arc-20160816; b=oPWs081IMdBCd5AYarscTw3JSPdxTwByf+kwsvM+7LEkDZON7sXGOeNFRy5fUND4iU bl+VZIbvnl+PM49bO+mj1ZQ8e/RYb40mZefuADX43qTu9X5FJJiumvsSsD18ZTRYR/X7 nwza1gUH+861Y6DaSiFaPF5zpioKQnzQkRPFXHZ+aT3EoBSv40GzaFGqThUL61sBBse/ H7FAJiDOPbV5bxZhEb8jyH0dK/r9X0/0xLBPPZwPiMSWo3Cw06zngY4gz3IrhGsNqe0x Eo13m0NKLScuWBpZ/IXu/JBy3pxRls0W29vYjpSreB7+aOgJexCVK1PxDdzZaZA6NdIe fHZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Q0BNgy1vHbelKSVrKtNOXIE9pweA5TzdlP4dURfduqs=; b=MU7GvBQpGZtZByv0hQ5h8MnhB8McAt67Y6un8eSvVv0xuxb2lu+Btovyya3vbmVY9c ckzAIIMFOQ1fNXNnrjHwZ79I6TGg02GcA8m4a6gY8PX4hxWLhV+bMt5feypE8JnKlG+z bQHGRCrdyOiQRuzRJ84DRw0S/O5ZoPdH9ue+S3Bevg1tMxTDbOrDd1Q6HVkHvPKBiJaA h8wguDWrPlxbZM/FzCINA1QtOJ0nLYw9C+r/0bsTR2Yod3LNioeqUxulB0Td73xdI9dV 6zcwSkYZQiWgGk0LuKP7eDWlt3pH0Z1QzxF5gsxqxT+JNXTEHBfFQouMtGFJJc/x5JGB 84Mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=iojLmS3o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w22si8393746edi.259.2021.06.05.08.30.04; Sat, 05 Jun 2021 08:30:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=iojLmS3o; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230022AbhFEP3l (ORCPT + 99 others); Sat, 5 Jun 2021 11:29:41 -0400 Received: from mout.gmx.net ([212.227.15.18]:42997 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229930AbhFEP3k (ORCPT ); Sat, 5 Jun 2021 11:29:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1622906786; bh=V+/W+fEoSiOjB3w8FDJE2wQ1DNe8mLPtzk6quPwutvo=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To:References; b=iojLmS3oTN1DZsuRR/9kSaXZCGZfZFJdGoPfE4LYE35NzhqE+PH0i8QWuoSoO3ig4 0JngVPtJQX19ChfEqfqd/uYPbTfQMIgFOXT9yfcsDzgp5iQWkZ6M5rdwdgYtppmBQ+ AgsMyUCQsUzlrWcQ2uUUGoVQflciOPKlRo41cXxA= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([83.52.228.41]) by mail.gmx.net (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MxUnz-1lQzxz0ynB-00xwA9; Sat, 05 Jun 2021 17:26:26 +0200 From: John Wood To: Kees Cook , Jann Horn , Jonathan Corbet , James Morris , "Serge E. Hallyn" , Shuah Khan , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, "H. Peter Anvin" , Arnd Bergmann Cc: John Wood , Andi Kleen , valdis.kletnieks@vt.edu, Greg Kroah-Hartman , Randy Dunlap , Andrew Morton , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-arch@vger.kernel.org, linux-hardening@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH v8 1/8] security: Add LSM hook at the point where a task gets a fatal signal Date: Sat, 5 Jun 2021 17:03:58 +0200 Message-Id: <20210605150405.6936-2-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210605150405.6936-1-john.wood@gmx.com> References: <20210605150405.6936-1-john.wood@gmx.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:AXIG8C6g+ihrnMi0Z4HkpARpgiKyCwVIo4zDsrAYAVY7GlNoZU6 7O/98xMjJRXPp5Qat/wXAqITJjdc3Cg9KVDUkv9jMTAC4TmaJiwFSk+4T6TOSiObnjiNVug 5nZhRlb2yHN0s2og2Qe+i3xYhvcGTiItAt6TDApjVwCMOjKleIr60AAiwo95nL9p1fVQ/6I S8e6Adp97nN0pqVcqVFpQ== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:+rmuCovomkA=:ToTPjaCqTPRANlpKwgY+BI Td9B1Od85sW7rN2BHlZx0S9yGMlNrRoNPYKw30EdwZpFQCw0MJ1R0CK7jNGYsnXyO/JWmtABx BP8IkODttWs14kSIcSCNKNy4q9JWsUjjZTaSYWrXwi64xsSYLhWaaddKFpk8MUuuvSv9uqJAX E/hUUtc0B9GArMYdIA78pHLTWuSIdCh8Q6yZFjSzqfSAR3zBStXRTFgc6GEb7llc9k4u8FD+R XtlGDWysWOLPvtgnghV5DjcNE6AUKsVR7/3NR/PDlkpUufHxi09Ppq7iL9YoFl0WE5upzqFIj q2ZzkVHB18mUQ06x7p6IFopYkvLGrVWFazETXmveEJbPqu/5Xu7Riy03cOUfz3v11HrIzMpMz +aIux0EuCwEfa60cVU4z8Nv7Zm4W7JsHaheyBhL6dxdOf/4gr4Hgajen8Eh3d8F6FbVSPOsxt s6Uybc/P9ER94vsN5/ev4rT+BM0jb2diW8cHTOUaV3rYTpxStwxWfbvo2PowP9gpvZVXNz+hx TSva2yUeepFKks37O8PHbO7IArxS+MAlRplA68Dn18k9iGuaEofOOzhOSpZcTTyMvillCS1iM xqv87MAi6Ut/ohkzwdAmStfNxUwBmvnY7nV9e8iChfcxFcplTo9Rx6RldUnyeSImra4jB7Vzx RpXyAAGqsDguITO8wNAo58W2qV5VbIh+W+g4Bv/8q+pxIopd3BEaf7KRG3D8XZq/xwcthsF6j wqyLd1NJlM3kM3uZl0ZVlHGMTBb4M37rkjQU5DqMJuu5YsZffDQO5e6ZNnBtcnt+pa8zge1yT auceOueO8F+cLAD8VsMsN/Y5wu6H3S0/kPvI24SydTLiJRY6XYuHqkDh2qVoyPCJnfkeGgDa7 l+JKO2UYiadlnCcOEv/DRYUnCcD3MQAWGmIgoIUXbLesQfwXrIwoUVlqfxVLY+/2X5KxnltMR lU21EnKuEaYy41oQ7lvgOfWYYsSQ4i/w/egMQ05Hi30jVL3FoXlaWlI9UMRBTcs13VMp4M3JP cpn10EqaCybbccD3nURqqCVccxWiBfvbdBPp/8NvdtR7Uibubz38DMLWBhCZoPwm+Cn4J4NwY 1+oTCRz76ExaLmdSmDYJMKJUpA2ai+aDo4z Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add a security hook that allows a LSM to be notified when a task gets a fatal signal. This patch is a previous step on the way to compute the task crash period by the "brute" LSM (linux security module to detect and mitigate fork brute force attack against vulnerable userspace processes). Signed-off-by: John Wood Reviewed-by: Kees Cook =2D-- include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 ++++ include/linux/security.h | 4 ++++ kernel/signal.c | 1 + security/security.c | 5 +++++ 5 files changed, 15 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 04c01794de83..e28468e84300 100644 =2D-- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -225,6 +225,7 @@ LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigne= d long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) +LSM_HOOK(void, LSM_RET_VOID, task_fatal_signal, const kernel_siginfo_t *s= iginfo) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, u32 *secid) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5c4c5c0602cb..fc8bef0f15d9 100644 =2D-- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -799,6 +799,10 @@ * security attributes, e.g. for /proc/pid inodes. * @p contains the task_struct for the task. * @inode contains the inode structure for the inode. + * @task_fatal_signal: + * This hook allows security modules to be notified when a task gets a + * fatal signal. + * @siginfo contains the signal information. * * Security hooks for Netlink messaging. * diff --git a/include/linux/security.h b/include/linux/security.h index 06f7c50ce77f..609c76c6c764 100644 =2D-- a/include/linux/security.h +++ b/include/linux/security.h @@ -433,6 +433,7 @@ int security_task_kill(struct task_struct *p, struct k= ernel_siginfo *info, int security_task_prctl(int option, unsigned long arg2, unsigned long arg= 3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); +void security_task_fatal_signal(const kernel_siginfo_t *siginfo); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); int security_msg_msg_alloc(struct msg_msg *msg); @@ -1183,6 +1184,9 @@ static inline int security_task_prctl(int option, un= signed long arg2, static inline void security_task_to_inode(struct task_struct *p, struct i= node *inode) { } +static inline void security_task_fatal_signal(const kernel_siginfo_t *sig= info) +{ } + static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { diff --git a/kernel/signal.c b/kernel/signal.c index f7c6ffcbd044..4380763b3d8d 100644 =2D-- a/kernel/signal.c +++ b/kernel/signal.c @@ -2804,6 +2804,7 @@ bool get_signal(struct ksignal *ksig) /* * Anything else is fatal, maybe with a core dump. */ + security_task_fatal_signal(&ksig->info); current->flags |=3D PF_SIGNALED; if (sig_kernel_coredump(signr)) { diff --git a/security/security.c b/security/security.c index b38155b2de83..208e3e7d4284 100644 =2D-- a/security/security.c +++ b/security/security.c @@ -1891,6 +1891,11 @@ void security_task_to_inode(struct task_struct *p, = struct inode *inode) call_void_hook(task_to_inode, p, inode); } +void security_task_fatal_signal(const kernel_siginfo_t *siginfo) +{ + call_void_hook(task_fatal_signal, siginfo); +} + int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { return call_int_hook(ipc_permission, 0, ipcp, flag); =2D- 2.25.1