Read the "real_parent" field of task_struct

Valdis Klētnieks valdis.kletnieks at vt.edu
Thu Oct 1 20:29:58 EDT 2020


On Thu, 01 Oct 2020 19:49:02 +0200, John Wood said:

> Idea: The purpose of my LSM is to detect and mitigate a fork brute force
> attack. To do so, I need a hierarchy of fork processes. In other words, there
> is a pointer in the task_struct structure that points to a statistics data
> structure. This pointer is copied to the child process when a process forks.
> This way, all the tasks that fork with the same root share the same statistics.
> These statistics allow computing the application crashing period and detecting
> the attack.

How is this any better than applying a ulimit to the userid, and using the existing
audit subsystem for reporting the attack, which is what that subsystem was
designed for?

> But there is the case when task 0 is allocated. In this case it's not
> possible to copy the parent pointer to the statistical data. Task 0 doesn't
> have a parent. In this scenario a new statistics structure needs to be allocated.

At that point, your LSM probably hasn't been initialized yet. If your LSM is being
called before task 0 (let alone task 1) is created, there's probably something
wonky going on.  Are you seeing this happen on an actual system?
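The design quoted above (a per-task pointer to a statistics block that is copied on fork, with a fresh block allocated for a task that has no parent) can be modelled in userspace to see how the sharing and the task 0 corner case behave. The following is an added example written for this page, not code from John Wood's LSM or from the kernel: the `struct task`, `struct fork_stats`, `task_alloc`, `task_fatal_signal` and `hierarchy_under_attack` names, the refcount handling, the exponential-moving-average "crashing period" and the thresholds are all assumptions made for illustration, and the timestamps in `demo()` are constructed.

```c
/*
 * Userspace model of "fork hierarchy shares one statistics block".
 * Added example for this page; not the LSM's or the kernel's code.
 * All names and the EMA-based period estimate are illustrative assumptions.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* One block per fork hierarchy, shared by every task descended from the root. */
struct fork_stats {
    int refcount;             /* tasks currently pointing at this block */
    unsigned long faults;     /* crashes observed in this hierarchy */
    unsigned long last_crash; /* timestamp (ns, constructed) of the last crash */
    unsigned long period;     /* running average interval between crashes (ns) */
};

/* Minimal stand-in for the parts of task_struct the design touches. */
struct task {
    int pid;
    struct task *real_parent; /* NULL models task 0, which has no parent */
    struct fork_stats *stats;
};

static struct fork_stats *stats_new(void)
{
    struct fork_stats *s = calloc(1, sizeof *s);
    if (s)
        s->refcount = 1;
    return s;
}

/* What a task_alloc hook would do: share the parent's block, or start a new one. */
struct task *task_alloc(struct task *parent, int pid)
{
    struct task *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    t->pid = pid;
    t->real_parent = parent;
    if (parent && parent->stats) {
        t->stats = parent->stats;       /* same root, same statistics */
        t->stats->refcount++;
    } else {
        t->stats = stats_new();         /* task 0: nothing to copy, allocate */
        if (!t->stats) {
            free(t);
            return NULL;
        }
    }
    return t;
}

/* What a task_free hook would do: the last task out frees the shared block. */
void task_free(struct task *t)
{
    if (!t)
        return;
    if (t->stats && --t->stats->refcount == 0)
        free(t->stats);
    free(t);
}

/* Record a crash; the first interval seeds the period, later ones update an EMA (weight 1/4). */
void task_fatal_signal(struct task *t, unsigned long now)
{
    struct fork_stats *s = t->stats;
    if (s->faults > 0) {
        unsigned long delta = now - s->last_crash;
        s->period = (s->faults == 1) ? delta : (s->period * 3 + delta) / 4;
    }
    s->faults++;
    s->last_crash = now;
}

/* Heuristic: enough crashes, arriving faster than min_period, in this hierarchy. */
int hierarchy_under_attack(const struct task *t, unsigned long min_faults,
                           unsigned long min_period)
{
    const struct fork_stats *s = t->stats;
    return s->faults >= min_faults && s->period < min_period;
}

/* Scenario: task 0 -> a server -> five workers that crash 1 ms apart. Returns the verdict. */
int demo(void)
{
    struct task *root = task_alloc(NULL, 0);    /* no parent: fresh block */
    struct task *srv = task_alloc(root, 100);
    struct task *w[5];
    unsigned long now = 1000000000UL;           /* constructed clock, ns */
    int attack;

    for (int i = 0; i < 5; i++) {
        w[i] = task_alloc(srv, 200 + i);
        now += 1000000UL;                       /* next crash 1 ms later */
        task_fatal_signal(w[i], now);           /* crash recorded on the shared block */
    }
    assert(root->stats == w[4]->stats && root->stats->refcount == 7);
    attack = hierarchy_under_attack(srv, 5, 100000000UL);   /* >= 5 crashes, < 100 ms apart */

    for (int i = 0; i < 5; i++)
        task_free(w[i]);
    task_free(srv);
    task_free(root);
    return attack;
}

int main(void)
{
    printf("hierarchy under attack: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point of the model is the two branches in `task_alloc`: with a parent, the child only takes a reference to the existing block, so the whole tree reports into one set of counters; without one (task 0), a block has to be created, and the refcount is what lets the last exiting task release it.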
