Notify special task kill using wait* functions

John Wood john.wood at gmx.com
Fri Apr 2 08:49:32 EDT 2021


Hi,

On Tue, Mar 30, 2021 at 02:40:38PM -0400, Valdis Klētnieks wrote:
> On Tue, 30 Mar 2021 19:34:59 +0200, John Wood said:
>
> > The question is: How can I notify to wait* functions that the task has
> > been killed by the "Brute" LSM.
>
> What wait* functions even *care* that your LSM was what killed it?
>
> If you're caring about somehow notifying userspace that it was your LSM
> specifically, remember that if your code works properly, only attackers
> get notified - and they can then determine "Ah, this system has Brute installed,
> we need to back off and fly under its radar".
>
> You're much better off sending a SIGKILL to the entire process group
> and be done with it. That way the bad guys get less information.

Thanks for the suggestion, but I will expose more info to try to clarify
why notifying userspace can be useful. In a discussion with Andi Kleen
in the v5 review [1] he explained to me some cons of the current mitigation
method. Without going into more detail, the mitigation kills all the tasks
involved in the attack, but a supervisor can respawn the killed processes and
the attack can be started again. So, he suggested that by notifying userspace
(via wait*() functions) that a child task has been killed by the "Brute" LSM,
the supervisor can adopt the correct policy and avoid respawning the killed
processes.

[1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@gmx.com/

Thanks,
John Wood
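The supervisor side of the policy John describes, as an added example that is not part of the thread or of the Brute patch series: a parent reaps each child with waitid(), inspects the siginfo_t it fills in, and refuses to respawn a child the kernel terminated. Since the thread defines no wait*()-visible marker for an LSM kill, the example assumes a CLD_KILLED/SIGKILL status as a stand-in for that marker.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* keep waitid()/CLD_* visible under strict -std= modes */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum respawn_decision { RESPAWN = 0, HOLD = 1 };

/* Supervisor policy applied to the siginfo_t filled in by waitid().
 * A clean exit or a crash is respawned; a child terminated by SIGKILL is
 * treated as "possibly killed by a kernel mitigation" and is held back.
 * ASSUMPTION: the SIGKILL test stands in for whatever marker the Brute LSM
 * would eventually expose through wait*(); the thread defines no such marker. */
enum respawn_decision decide_respawn(const siginfo_t *si)
{
    if (si->si_code == CLD_KILLED && si->si_status == SIGKILL)
        return HOLD;
    return RESPAWN;          /* CLD_EXITED, CLD_DUMPED, other signals */
}

/* Fork a child that ends the way `how` says (0: clean exit, otherwise raise
 * that signal), reap it with waitid() and return the supervisor's decision. */
enum respawn_decision run_child_and_decide(int how)
{
    siginfo_t si;
    pid_t pid = fork();
    if (pid < 0)
        return RESPAWN;      /* fork failed: nothing learned, caller may retry */
    if (pid == 0) {
        if (how != 0)
            raise(how);
        _exit(0);
    }
    memset(&si, 0, sizeof si);
    if (waitid(P_PID, (id_t)pid, &si, WEXITED) != 0)
        return RESPAWN;
    return decide_respawn(&si);
}

int main(void)
{
    printf("clean exit -> %s\n", run_child_and_decide(0) == HOLD ? "hold" : "respawn");
    printf("SIGKILL    -> %s\n", run_child_and_decide(SIGKILL) == HOLD ? "hold" : "respawn");
    printf("SIGTERM    -> %s\n", run_child_and_decide(SIGTERM) == HOLD ? "hold" : "respawn");
    return 0;
}
```

A real supervisor would also rate-limit respawns, since a SIGKILL can equally come from the OOM killer or an administrator.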
