Date: Tue, 30 Mar 2021 19:34:59 +0200
From: John Wood
To: kernelnewbies@kernelnewbies.org
Subject: Notify special task kill using wait* functions
Message-ID: <20210330173459.GA3163@ubuntu>

Hi,

I'm working on an LSM whose goal is to detect and mitigate fork brute
force attacks against vulnerable userspace applications. The detection
and mitigation work as expected, but I'm stuck at this point.

The mitigation method used is to kill all the offending tasks involved
in the attack. To do so, I kill the tasks using:

	do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID);

The question is: How can I notify the wait* functions that the task has
been killed by the "Brute" LSM?

For example, in the function wait_task_zombie, in the "out_info:" label,
the code is the following:

out_info:
	infop = wo->wo_info;
	if (infop) {
		if ((status & 0x7f) == 0) {
			infop->cause = CLD_EXITED;
			infop->status = status >> 8;
		} else {
			infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
			infop->status = status & 0x7f;
		}
		infop->pid = pid;
		infop->uid = uid;
	}

I think I need to modify this code to achieve the goal described above,
but I don't know how to proceed. Is it possible to kill a task in a way
that this code can detect?

Now, with this code, we know that a task has been killed and with what
signal. But is it possible to know that the task has been killed by the
"Brute" LSM? For example, using the 8 upper bits in the status, which I
think are unused when a process is killed or dumped.

Is it possible to use do_send_sig_info, passing the necessary
information in the struct kernel_siginfo, to be able to detect this
scenario in the wait* functions? If yes, what info do I need to pass?

The final purpose of all of this is that, using the waitid function from
userspace (or the waitpid function), we can know whether a child task
has been killed by the "Brute" LSM or not. I am trying to inform
userspace that a task has been killed due to the "Brute" mitigation.

Sorry, but I'm stuck at this point. Any help would be greatly
appreciated.

Regards,
John Wood

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
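
For reference, this is what userspace sees today through the out_info path quoted above, as an added example that is not part of the original message and is not kernel code. The helper names decode_status and reap_child are hypothetical; the program kills a child with SIGKILL and compares the siginfo filled in by waitid() with the raw waitpid() status decoded the same way as the kernel excerpt.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Userspace mirror of the out_info decoding quoted in the message. */
static void decode_status(int status, int *cause, int *value)
{
	if ((status & 0x7f) == 0) {
		*cause = CLD_EXITED;
		*value = status >> 8;
	} else {
		*cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
		*value = status & 0x7f;
	}
}

/* Fork a child that exits with exit_code, or, if sig != 0, blocks until
 * the parent sends sig. Fills *info via waitid(); returns the raw wait
 * status from waitpid(), or -1 on error. */
static int reap_child(int sig, int exit_code, siginfo_t *info)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		while (sig)
			pause();
		_exit(exit_code);
	}
	if (sig && kill(pid, sig) < 0)
		return -1;
	/* WNOWAIT keeps the zombie so waitpid() can still read the status. */
	if (waitid(P_PID, pid, info, WEXITED | WNOWAIT) < 0 ||
	    waitpid(pid, &status, 0) != pid)
		return -1;
	return status;
}

int main(void)
{
	siginfo_t info;
	int cause, value, status = reap_child(SIGKILL, 0, &info);

	decode_status(status, &cause, &value);
	printf("raw=0x%04x si_code=%d si_status=%d\n", status, info.si_code, info.si_status);
	return (info.si_code == cause && info.si_status == value) ? 0 : 1;
}
```

The parent learns only the cause (CLD_KILLED) and the signal number; nothing in either interface identifies who sent the SIGKILL.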