Commit
security/brute: Notify to userspace "task killed"
Add a new SIGCHLD si_code to notify to userspace, using the "waitid" system call, that a task has been killed by Brute LSM to mitigate a brute force attack. This is useful to supervisors in order to decide if a process that has been killed to avoid an attack needs to be respawned. This way, it is possible to avoid the scenario where a brute force attack can be continued due to the respawn of a process.

Although the xattr of the executable is accessible from userspace, in complex daemons this file may not be visible directly by the supervisor as it may be run through some wrapper. So, the waitid notification is necessary.

To achieve this, use the task_struct security blob to hold a flag that shows when a task has been killed by Brute LSM, and also, test this flag in the "wait_task_zombie" and "do_notify_parent" functions.

Suggested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: John Wood <john.wood@gmx.com>
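The supervisor side of the mechanism the commit message describes, as an added example that is not part of this patch or of the kernel tree: a parent forks a service, reaps it with waitid(2) rather than wait(2), and decides from `si_code` whether to respawn. The Brute-specific si_code constant added by the patch is not shown on this page, so the example only names the standard CLD_* codes and deliberately refuses to respawn on any code it does not recognise. The function names `should_respawn`, `spawn_and_wait`, `child_exit_ok` and `child_kill_self` are this example's own, and the two child behaviours are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Respawn policy for a supervisor that reaps children with waitid(2).
 * Added example, not part of the Brute LSM patch.  The patch introduces a
 * new SIGCHLD si_code meaning "killed by Brute LSM", but its name and value
 * are not shown on this page, so only the standard CLD_* codes are spelled
 * out here.  Any si_code this function does not recognise is treated as
 * "do not respawn": with WEXITED, an unknown code can only be the kernel
 * reporting a termination reason newer than this supervisor, and respawning
 * on it is exactly the scenario the patch wants supervisors to avoid.
 */
static bool should_respawn(int si_code)
{
	switch (si_code) {
	case CLD_EXITED:	/* child called exit(); ordinary restart */
	case CLD_KILLED:	/* child died on a signal, no core dump */
	case CLD_DUMPED:	/* child died on a signal and dumped core */
		return true;
	default:
		return false;
	}
}

/*
 * Fork a child that runs child_fn(), reap it with waitid(2) and hand the
 * full siginfo_t back to the caller.  wait(2)/waitpid(2) only return a
 * status word (exit code or signal number); waitid(2) also exposes
 * si_code, which is where the kernel reports the *reason* for the death.
 * Returns 0 on success, -1 with errno set on failure.
 */
static int spawn_and_wait(void (*child_fn)(void), siginfo_t *si)
{
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		child_fn();
		_exit(0);
	}

	memset(si, 0, sizeof(*si));
	for (;;) {
		if (waitid(P_PID, pid, si, WEXITED) == 0)
			return 0;
		if (errno != EINTR)
			return -1;
	}
}

/* Constructed child behaviours for the demonstration. */
static void child_exit_ok(void)
{
	_exit(0);
}

static void child_kill_self(void)
{
	raise(SIGKILL);
}

static const char *describe(int si_code)
{
	switch (si_code) {
	case CLD_EXITED: return "CLD_EXITED";
	case CLD_KILLED: return "CLD_KILLED";
	case CLD_DUMPED: return "CLD_DUMPED";
	default:         return "unrecognised si_code";
	}
}

int main(void)
{
	void (*cases[])(void) = { child_exit_ok, child_kill_self };
	siginfo_t si;

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		if (spawn_and_wait(cases[i], &si) < 0) {
			perror("spawn_and_wait");
			return 1;
		}
		printf("pid %d: si_code=%d (%s) si_status=%d -> %s\n",
		       (int)si.si_pid, si.si_code, describe(si.si_code),
		       si.si_status,
		       should_respawn(si.si_code) ? "respawn" : "leave dead");
	}
	return 0;
}
```

The design choice worth noting is the `default: return false` branch. A supervisor written against wait(2) sees a Brute kill as just another fatal signal and respawns, reopening the attack window; one that keys on `si_code` and is conservative about codes it has not been taught can only err on the side of leaving a process dead.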
Showing 6 changed files with 85 additions and 5 deletions.
@@ -0,0 +1,16 @@ | ||
/* SPDX-License-Identifier: GPL-2.0 */ | ||
#ifndef _BRUTE_H_ | ||
#define _BRUTE_H_ | ||
|
||
#include <linux/sched.h> | ||
|
||
#ifdef CONFIG_SECURITY_FORK_BRUTE | ||
bool brute_task_killed(const struct task_struct *task); | ||
#else | ||
static inline bool brute_task_killed(const struct task_struct *task) | ||
{ | ||
return false; | ||
} | ||
#endif | ||
|
||
#endif /* _BRUTE_H_ */ |
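Review bot: brute_task_killed() is declared without a kernel-doc comment; add one above the CONFIG_SECURITY_FORK_BRUTE declaration stating that it returns true when the task was killed by the Brute LSM and that the !CONFIG_SECURITY_FORK_BRUTE stub always returns false, so callers in wait_task_zombie() and do_notify_parent() can rely on that contract. Also, this header only takes a pointer to struct task_struct, so a forward declaration `struct task_struct;` would suffice in place of `#include <linux/sched.h>` and avoids pulling sched.h into every file that includes brute.h.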