Notify special task kill using wait* functions

Valdis Klētnieks valdis.kletnieks at vt.edu
Fri Apr 2 23:50:18 EDT 2021


On Fri, 02 Apr 2021 14:49:32 +0200, John Wood said:

> the attack can be started again. So, he suggested that notifying to userspace
> (via wait*() functions) that a child task has been killed by the "Brute" LSM,
> the supervisor can adopt the correct policy and avoid respawning the killed
> processes.

> [1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@gmx.com/

That patch contains the biggest problem with your idea:

+Moreover, this method is based on the idea that the protection doesn't act if
+the parent crashes. So, it would still be possible for an attacker to fork a
+process and probe itself. Then, fork the child process and probe itself again.
+This way, these steps can be repeated infinite times without any mitigation.
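Review bot: this paragraph records a complete bypass of the mitigation (fork, probe, fork again) but never says what the design does about it, so the documentation reads as an admission rather than a stated limitation. Either describe the countermeasure that closes the parent-crash gap or state the double fork explicitly as a known limitation, and reword "infinite times" as "an unbounded number of times".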

In general, "security" that has an obvious and easy way to bypass it isn't
providing any real security at all. If all it takes to bypass it is a double fork,
everybody who didn't just fall out of the tree will do a double fork.  In other
words, anybody who's clued enough to write malware that actually works
and does the sort of attack you're trying to prevent should be able to fix
the malware to bypass your "security" with just a few added lines of code.
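The supervisor side of the quoted proposal, as an added example that is not from this thread or from the Brute LSM patches: a reaper that classifies each child from its waitid() status and applies a respawn budget. It assumes the kill reaches the supervisor as an ordinary death-by-signal in the wait status, since the page does not show how the LSM's kill would be flagged; the names classify_child, should_respawn and supervise are made up here.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Coarse outcome of a reaped child (names constructed for this example). */
enum child_fate { FATE_EXITED_OK, FATE_EXITED_ERR, FATE_CRASHED, FATE_OTHER };

/* Map a waitid() siginfo_t to an outcome.  Death by any signal (SIGKILL from an
 * LSM, SIGSEGV from a bad probe) is a crash: the wait status does not say who
 * sent the signal, so the respawn policy below never depends on that. */
enum child_fate classify_child(const siginfo_t *si)
{
    if (si->si_code == CLD_EXITED)
        return si->si_status == 0 ? FATE_EXITED_OK : FATE_EXITED_ERR;
    if (si->si_code == CLD_KILLED || si->si_code == CLD_DUMPED)
        return FATE_CRASHED;
    return FATE_OTHER;
}

/* Respawn budget: restart after a crash only while fewer than max_crashes have
 * happened in a row; a clean exit resets the counter and ends the job. */
int should_respawn(enum child_fate fate, int *crashes, int max_crashes)
{
    if (fate == FATE_CRASHED)
        return ++*crashes < max_crashes;
    if (fate == FATE_EXITED_OK)
        *crashes = 0;
    return 0;
}

/* Supervisor loop: fork workers that die by SIGKILL (stand-ins for children the
 * LSM killed), reap each with waitid(); returns workers started, -1 on failure. */
int supervise(int max_crashes)
{
    int crashes = 0, started = 0;
    for (;;) {
        siginfo_t si;
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) { raise(SIGKILL); _exit(1); }   /* child: simulate the kill */
        started++;
        if (waitid(P_PID, (id_t)pid, &si, WEXITED) != 0)
            return -1;
        if (!should_respawn(classify_child(&si), &crashes, max_crashes))
            return started;                           /* budget exhausted */
    }
}

int main(void) { return supervise(3) == 3 ? 0 : 1; }
```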