Notify special task kill using wait* functions

John Wood john.wood at gmx.com
Tue Mar 30 13:34:59 EDT 2021


Hi,

I'm working on an LSM whose goal is to detect and mitigate fork brute force
attacks against vulnerable userspace applications. The detection and
mitigation work as expected, but I'm stuck at this point.

The mitigation method used is to kill all the offending tasks involved in
the attack. To do so, I kill the tasks using:

do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID);

The question is: how can I notify the wait* functions that the task has
been killed by the "Brute" LSM? For example, in the function
wait_task_zombie, at the "out_info:" label, the code is the following:

out_info:
	infop = wo->wo_info;
	if (infop) {
		if ((status & 0x7f) == 0) {
			infop->cause = CLD_EXITED;
			infop->status = status >> 8;
		} else {
			infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
			infop->status = status & 0x7f;
		}
		infop->pid = pid;
		infop->uid = uid;
	}

I think I need to modify this code to achieve the goal mentioned above, but
I don't know how to proceed.

Is it possible to kill a task in a way that this code can detect? Now,
with this code, we know that a task has been killed and with what signal.
But is it possible to know that the task has been killed by the "Brute" LSM,
using for example the 8 upper bits in the status, which I think are unused
when a process is killed or dumped?

Is it possible to use do_send_sig_info, passing in the struct kernel_siginfo
the necessary information to be able to detect this scenario in the wait*
functions? If yes, what info do I need to pass?

The final purpose of all of this is that, using the waitid function from
userspace (or the waitpid function), we can know whether a child task has been
killed by the "Brute" LSM or not. I am trying to inform userspace that a task
has been killed due to the "Brute" mitigation.

Sorry, but I'm stuck at this point. Any help would be greatly appreciated.

Regards,
John Wood
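
What a parent sees through waitid() for a SIGKILLed child, as an added example that is not part of the original message: it reports only CLD_KILLED and the signal number, with nothing identifying who sent the signal. The names decode_status and reap_child are hypothetical, and decode_status repeats the out_info: decoding quoted in the message.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same decoding as the out_info: snippet quoted above (hypothetical helper). */
struct decoded { int cause; int status; };

struct decoded decode_status(int status)
{
	struct decoded d;
	if ((status & 0x7f) == 0) {          /* normal exit: code in bits 8..15 */
		d.cause = CLD_EXITED;
		d.status = status >> 8;
	} else {                             /* signal in bits 0..6, 0x80 = core */
		d.cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
		d.status = status & 0x7f;
	}
	return d;
}

/* Fork a child, end it with sig (or _exit(code) if sig == 0), reap it with waitid(). */
int reap_child(int sig, int code, siginfo_t *info)
{
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		if (sig == 0)
			_exit(code);
		for (;;)
			pause();                     /* wait here until the parent's signal */
	}
	if (sig != 0 && kill(pid, sig) < 0)
		return -1;
	memset(info, 0, sizeof(*info));
	return waitid(P_PID, (id_t)pid, info, WEXITED) < 0 ? -1 : 0;
}

int main(void)
{
	siginfo_t si;
	if (reap_child(SIGKILL, 0, &si) == 0)
		printf("si_code=%d si_status=%d si_pid=%d\n", si.si_code, si.si_status, (int)si.si_pid);
	return 0;
}
```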


