Notify special task kill using wait* functions
john.wood at gmx.com
Fri Apr 2 08:49:32 EDT 2021
On Tue, Mar 30, 2021 at 02:40:38PM -0400, Valdis Klētnieks wrote:
> On Tue, 30 Mar 2021 19:34:59 +0200, John Wood said:
> > The question is: How can I notify to wait* functions that the task has
> > been killed by the "Brute" LSM.
> What wait* functions even *care* that your LSM was what killed it?
> If you're caring about somehow notifying userspace that it was your LSM
> specifically, remember that if your code works properly, only attackers
> get notified - and they can then determine "Ah, this system has Brute installed,
> we need to back off and fly under its radar".
> You're much better off sending a SIGKILL to the entire process group
> and be done with it. That way the bad guys get less information.
Thanks for the suggestion, but I will expose more info to try to clarify
why notifying userspace can be useful. In a discussion with Andi Kleen
in the v5 review he explained to me some cons of the current mitigation
method. Without going into more detail, the mitigation kills all the tasks
involved in the attack, but a supervisor can respawn the killed processes and
the attack can be started again. So, he suggested that by notifying userspace
(via wait*() functions) that a child task has been killed by the "Brute" LSM,
the supervisor can adopt the correct policy and avoid respawning the killed
More information about the Kernelnewbies
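The supervisor side of the problem described in this thread, as an added example that is not part of the mailing-list discussion and not code from the Brute LSM: a small supervisor that reaps a child with waitpid(2), decodes the wait status with WIFEXITED/WIFSIGNALED/WTERMSIG, and applies a respawn policy. Today's wait status only carries the terminating signal number; it cannot say whether a SIGKILL came from an LSM, the OOM killer or an administrator, which is the gap the thread is about. The example therefore works with what is available: it counts consecutive signal deaths and stops respawning once a threshold is reached. The policy, its threshold (3) and the three child behaviours spawned for demonstration are constructed for this example.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a child ended, as far as the wait status alone can tell. */
enum child_fate { FATE_EXITED, FATE_SIGNALED, FATE_UNKNOWN };

struct child_report {
    enum child_fate fate;
    int code;   /* exit status for FATE_EXITED, signal number for FATE_SIGNALED */
};

/* Decode a raw wait status. Note what is NOT in it: nothing says whether a
 * SIGKILL came from an LSM, the OOM killer or an admin. That missing
 * "who killed it" is the information the thread wants to pass to wait*(). */
struct child_report classify_status(int status)
{
    struct child_report r = { FATE_UNKNOWN, -1 };
    if (WIFEXITED(status)) {
        r.fate = FATE_EXITED;
        r.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        r.fate = FATE_SIGNALED;
        r.code = WTERMSIG(status);
    }
    return r;
}

/* Per-service state for the supervisor's respawn decision (constructed policy). */
struct respawn_policy {
    int signal_kills;      /* consecutive terminations by a signal */
    int max_signal_kills;  /* once reached, stop respawning and alert instead */
};

/* Returns 1 if the supervisor should respawn the child, 0 if it should not. */
int should_respawn(struct respawn_policy *p, struct child_report r)
{
    switch (r.fate) {
    case FATE_EXITED:
        p->signal_kills = 0;      /* an orderly exit resets the streak */
        return r.code != 0;       /* restart only on failure exit codes */
    case FATE_SIGNALED:
        p->signal_kills++;        /* SIGKILL, SIGSEGV, SIGABRT ... all count */
        return p->signal_kills < p->max_signal_kills;
    default:
        return 0;
    }
}

/* Fork a child that ends in one of three constructed ways, reap it, classify.
 * mode 0: _exit(0); mode 1: _exit(3); mode 2: dies from SIGKILL, standing in
 * for a kernel-enforced kill (the supervisor sees only the signal number). */
struct child_report spawn_and_collect(int mode)
{
    struct child_report failed = { FATE_UNKNOWN, -1 };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return failed;
    if (pid == 0) {
        if (mode == 0)
            _exit(0);
        if (mode == 1)
            _exit(3);
        raise(SIGKILL);
        _exit(127);              /* not reached */
    }
    if (waitpid(pid, &status, 0) != pid)
        return failed;
    return classify_status(status);
}

int main(void)
{
    struct respawn_policy policy = { 0, 3 };
    int round;
    /* Simulate a service whose children keep getting SIGKILLed: the
     * supervisor respawns twice, then refuses on the third kill. */
    for (round = 1; ; round++) {
        struct child_report r = spawn_and_collect(2);
        int again = should_respawn(&policy, r);
        printf("round %d: fate=%d code=%d -> %s\n", round, r.fate, r.code,
               again ? "respawn" : "stop respawning, alert operator");
        if (!again)
            break;
    }
    return 0;
}
```

The point of the counter is the one raised in the thread: a supervisor that respawns unconditionally turns every kill into a fresh attempt, whereas one that backs off after repeated signal deaths denies the retry loop even without knowing which kernel component did the killing. If wait*() ever did carry the cause, should_respawn() is the place where that extra bit would be consumed.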