Re: Read the "real_parent" field of task_struct

["Valdis Klētnieks" <valdis.kletnieks@vt.edu>]

[-- Attachment #1.1: Type: text/plain, Size: 1181 bytes --]

On Thu, 01 Oct 2020 19:49:02 +0200, John Wood said:

> Idea: The purpose of my LSM is to detect and mitigate a fork brute force
> attack. To do so, I need a hierarchy of fork processes. In other words, there
> is a pointer in the task_struct structure that points to an statistics data
> structure. This pointer is copied to the child process when a process forks.
> This way, all the tasks that fork with the same root share the same statistics.
> These statistics allow to compute the application crashing period and detect
> the attack.

How is this any better than applying a ulimit to the userid, and using the existing
audit subsystem for reporting the attack, which is what that subsystem was
designed for?

> But there is the case when the task 0 is allocated. In this case it's not
> possible to copy the parent pointer to the statistical data. The task 0 don't
> have parent. In this scenario a new statistics structure need to be allocated.

At that point, your LSM probably hasn't been initialized yet. If your LSM is being
called before task 0 (let alone task 1) is created, there's probably something
wonky going on.  Are you seeing this happen on an actual system?


[-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies