From: Valdis Klētnieks
To: John Wood
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Fri, 02 Apr 2021 23:50:18 -0400
Message-ID: <106842.1617421818@turing-police>
In-Reply-To: <20210402124932.GA3012@ubuntu>

On Fri, 02 Apr 2021 14:49:32 +0200, John Wood said:

> the attack can be started again. So, he suggested that notifying to userspace
> (via wait*() functions) that a child task has been killed by the "Brute" LSM,
> the supervisor can adopt the correct policy and avoid respawn the killed
> processes.

> [1] https://lore.kernel.org/kernel-hardening/20210227153013.6747-8-john.wood@gmx.com/

That patch contains the biggest problem with your idea:

+Moreover, this method is based on the idea that the protection doesn't act if
+the parent crashes. So, it would still be possible for an attacker to fork a
+process and probe itself. Then, fork the child process and probe itself again.
+This way, these steps can be repeated infinite times without any mitigation.

In general, "security" that has an obvious and easy way to bypass it isn't
providing any real security at all. If all it takes to bypass it is a double
fork, everybody who didn't just fall out of the tree will do a double fork.

In other words, anybody who's clued enough to write malware that actually works
and does the sort of attack you're trying to prevent should be able to fix the
malware to bypass your "security" with just a few added lines of code.
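Review bot: In the first added line of the quoted hunk, "this method" has no antecedent within the excerpt, so a reader cannot tell from these lines which mechanism the parent-crash limitation is attributed to; name the method explicitly in that sentence. In the last line, "repeated infinite times" would read better as "repeated indefinitely", and the paragraph should state what "without any mitigation" implies for the protection the document describes, since as written the limitation is stated without any follow-up.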
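An added example, not part of the original message or of the Brute LSM patch: a minimal supervisor loop in C showing the consumer side of the quoted proposal using only the standard `waitid()` fields. The notification proposed in the thread is not specified on this page, so the code sees only the fatal signal number; `MAX_FATAL_DEATHS`, `fatal_signal()`, `spawn_and_reap()` and `supervise()` are assumed names, and the worker is a constructed stand-in.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy value (not from the thread): fatal deaths before giving up. */
#define MAX_FATAL_DEATHS 3
/* Fatal signal number, 0 for a normal exit, -1 for anything else. */
static int fatal_signal(const siginfo_t *si)
{
    if (si->si_code == CLD_KILLED || si->si_code == CLD_DUMPED)
        return si->si_status; /* the signal only, not who sent it or why */
    return si->si_code == CLD_EXITED ? 0 : -1;
}

/* Constructed worker: dies from `sig`, or exits cleanly when sig == 0. */
static int spawn_and_reap(int sig)
{
    siginfo_t si = {0};
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sig)
            raise(sig);
        _exit(0);
    }
    if (waitid(P_PID, (id_t)pid, &si, WEXITED) != 0)
        return -1;
    return fatal_signal(&si);
}

/* Respawn until a clean exit or the budget is spent; returns spawn count. */
static int supervise(int sig)
{
    int spawns = 0;
    for (int fatal = 0; fatal < MAX_FATAL_DEATHS; fatal++) {
        spawns++;
        if (spawn_and_reap(sig) <= 0)
            break;
    }
    return spawns;
}

int main(void)
{
    printf("clean: %d spawn(s), SIGKILL: %d spawn(s)\n", supervise(0), supervise(SIGKILL));
}
```

A cap like this only limits respawns made by the supervisor itself; it has no view of forks made by the worker, which is the case the reply above is concerned with.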