From patchwork Sun Sep 6 15:21:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759565 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DC141618 for ; Sun, 6 Sep 2020 15:31:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7266B2080A for ; Sun, 6 Sep 2020 15:31:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="Iv56LjyO"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="WdAsesRc" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728932AbgIFPbl (ORCPT ); Sun, 6 Sep 2020 11:31:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728807AbgIFPbh (ORCPT ); Sun, 6 Sep 2020 11:31:37 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 723CAC061573; Sun, 6 Sep 2020 08:31:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=+LuTTLR0kikmiTPRNn7HRx+lG0J24aqE2GOmu3Oa2sw=; b=Iv 56LjyORAFwYrKSoOUcozZlC8D7x28mv1jADrDsw+d5sW6g3aVgTlH/ulJxo5BEfjsQsvAwKpwY5eo U9cM9I3Nn2wDS49/Yx1FLMPr0Bu0wOxD06M/tNVhvXLUk0NkfaTJaHZgOPxW2Nd4BrC8/D0kmmeS1 XCiERjXbTzGwNNPHv9iEwzUS4/T03+IKDl9UNjtmD3AkYZNf1pToaCDFjaastD2tY6r+KfSk4MXNe rkzWxfXqvBwRrhx6nEhpEsmZ+JZ4iTRbzUaMl40Wgv9c/0xes2avQbrCRhvofUQ4k5nWoyQ1VluI6 7w9yDYWxbOCq5u7mO8e5PlWgbvtZZW5g==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwd7-0000ez-VR; Sun, 06 Sep 2020 15:30:58 +0000 Received: from mout.gmx.net ([212.227.15.19]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwUS-0008VS-9s for willy@infradead.org; Sun, 06 Sep 2020 15:22:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405707; bh=OsxpPblvcfbkLBG7YNry2w3YzWs9opU/5ZYfutycyP4=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=WdAsesRcMV68cWnh7AHo4lMG5EF3yv/IKp+HXjsNEtzXlYJLCQvPS16iqKGMbYpFc GeQ+OUaDxJR2iTy0ddSiIY8H0PJcWllNSempn1M5LhmizOlL2s8MpgJjMYYWY6sxcE DGXr+Rq8tBXFCu7HjqmBcGmAKRJjv5PbwQdcU5SY= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MplXz-1ktiIY1sC5-00qDKx; Sun, 06 Sep 2020 17:21:47 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 1/9] security/fbfam: Add a Kconfig to enable the fbfam feature Date: Sun, 6 Sep 2020 17:21:27 +0200 Message-Id: <20200906152127.7041-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:2u2gXcLhUDn9TTnBUfWY9zdvza+bDn2ZuoUGv9LzAMqYlfqshaa Z22NwRAHHZvIhSdQXi88KVnQ1rg7nvY7H2FTiiorpFOg2ffSlbtOP18HoALjboSFcC+Ueto /pbRLpyIfRM6wZzVwBKM1oL4G8hMozqdPTnwos/CcMGzCGKCPICbfZjVztn8vrzbkfWIZ4v xjOFWnELHWYuG+qIJGcUw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:wuvmYeR2Az0=:0uNCS8Ux1zJup5fojaQl+4 FLaCs/qiZqatmVYg4glHtMKzy50ZZHloLDIlM4SsP4fo/70xx2O6rx7hn0+BRMUZlIfrfIuHX cJGuttkcQcAYStyQVC6r3xi7ImxkM15ClFybN1+TZNwvzVgzQfm17cy23wIa39WtxDydM1YIW 16d7ZExY7ZbydmJCtuibu5c1dyjkRYI211wgBbCV7QjAqJSqX6EOXDtrOFuHGZm3IrTUBSug2 6n0f7UwLNsgoCW1o4bcA687gmKVuH50VhOWQNnYln/m9iRoWFukUP8P5g94sqwsA8QqtBpohX yZEeHiTd96fK/3TMUSLOgO4Q9wiHe1m9xV5FNgJydekUcHtQB8TGhXeFqts2ycbHrLt0QeYcY GwB3BKyjXt+o2wZeZ4cYmAKNhD12FkT0REGVd3XAoeWVAPTVhD4SEDagbJLDmH66o3E3Xeh1Z D8Q242o4JYzk3Sapn9yZ65BIWULrdd+Io9VfbIwJkxy2RlwvBwq8Csm/vBZ9DYBuA/XfH54zp 531y0hUYW1MHoishQqHjtYMSa2bUpKNrm6wNeFIxjVZCN9HDuEv0TUA0OEVAbUXGwP03FNq2x 3aS5zegAFT9nIfpjrahgfUd0VROfZc3dNpIWEABGlUabGd6IukTpjHHrOoEzjSzzwOMewcrtO w6p3sGuNeo+vRXBzvzQiBc8V59wSBgAllOuFbKbZdcYm3Ylx1OPdhRruQ7zlOHYVXGCxb+T3W n0cTuwU0GxlFjr+hJGDcVpgyT4xHsamqy0pmV/jMJ5XouVvtKeNCiCIHyXEfoFmQ90mI7zTes K4u75/dOuv+fEMlh40wbQQYJM5Uhjk7VzDzgIPx/lIXIBBapMVNb0EgsysTN/eZf/BCZm63XD kkPDNNuJiDj3RpsOgDrtt+lGjgELTuBFM4qlDnzvwv4jFloi5t1XvJLiL4sEl8rJO9JGRfbgB e+v3RUa8seBXYVdTma+xunnR8SEWM9a+gBLeHYYyaxyQQO2DW3/ee40wZ+HoJL1DzFwYt0wNK 216DGqQ9lfAvAOdRc34npkrcnTLJcMV4xt7MKi7t3k7UDmfGL4QzvJ2GAn0HgtBHrHb2MenKU vJUZNWS8tNBfhOAYdUaYjiKE5G+luvICD3xuI+nlx28un4ETw46NWykmoJ1owkOkjyIye0OXV rxcZkSdBpumU6ltNhAlzdHNKzcVSuFOx6+V8DKzWMOMv2X1zLqKlV9v42WE1k1BWP4gA4ZGZN knMtrcHxA6p1RsqmropDN6BPqRT9tv50c7MwfOA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162200_565156_EBED4387 X-CRM114-Status: GOOD ( 11.55 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.4 on casper.infradead.org summary: Content analysis details: (-2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.19 listed in wl.mailspike.net] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.19 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Add a menu entry under "Security options" to enable the "Fork brute force attack mitigation" feature. Signed-off-by: John Wood --- security/Kconfig | 1 + security/fbfam/Kconfig | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 security/fbfam/Kconfig -- 2.25.1 diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..00a90e25b8d5 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -290,6 +290,7 @@ config LSM If unsure, leave this as the default. source "security/Kconfig.hardening" +source "security/fbfam/Kconfig" endmenu diff --git a/security/fbfam/Kconfig b/security/fbfam/Kconfig new file mode 100644 index 000000000000..bbe7f6aad369 --- /dev/null +++ b/security/fbfam/Kconfig @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: GPL-2.0 +config FBFAM + bool "Fork brute force attack mitigation" + default n + help + This is a user defense that detects any fork brute force attack + based on the application's crashing rate. When this measure is + triggered the fork system call is blocked. + + If you are unsure how to answer this question, answer N. From patchwork Sun Sep 6 15:22:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759573 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 93B6C92C for ; Sun, 6 Sep 2020 15:37:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 69B1D208C7 for ; Sun, 6 Sep 2020 15:37:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="BQUMz09o"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="mF06nnFR"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="elLH0mlO" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728967AbgIFPhc (ORCPT ); Sun, 6 Sep 2020 11:37:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728692AbgIFPhT (ORCPT ); Sun, 6 Sep 2020 11:37:19 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D10D8C061574; Sun, 6 Sep 2020 08:37:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=y0Rh3YlzbBctzi3WdY354Yyw3/889TYkzB9+yv3Ev/o=; b=BQ UMz09oAKHzRf2ZQKQmUfOckMBzZljf3nqEK2bmQNYYpt44che0Sa2kSPl74agb5dmfyaKzrjHHs29 gAKmfFNe+g5uEYSCFmKSSsW7CWxKVi9wTInjerEiCvDpog3GqQz4joZ4USrB1kpuPWhHQvc9lD6ZJ 5BW7bwxLhr1fmuWE0nuIR6sGNEnQPkJxjLKgFJIoWC1f5p3APwblFKAPt9hmqxU0qV0QlIrXahzro 55xLB7I2rTC6oihUu4q+DwwuaQRONi8oTYM2vIgoT2DbVCThT8ywDLPwNs8i4BP/9xSvLR/1cRWmd iIlEQJggt4L6UIJvKgAnSf5VnCw7imSg==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwiw-0000yl-PX; Sun, 06 Sep 2020 15:36:58 +0000 Received: from merlin.infradead.org ([2001:8b0:10b:1231::1]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwUv-000062-4a for willy@casper.infradead.org; Sun, 06 Sep 2020 15:22:29 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:In-Reply-To:References; bh=y0Rh3YlzbBctzi3WdY354Yyw3/889TYkzB9+yv3Ev/o=; b=mF06nnFRpEvbNsoS33IxMOhS5N NumwzTBkXiHPlGwKIzlOt9IFGtqr6Zk4wt5yOHlHO1NYKAbitPcO3BDp1RuQUhThgI6UvPWC4gnDG muFVQtCcbet9s2PUAAFozGiQgFJe3CaWyOADkC6SbIZh2MBqiHNtsPwzPuAcpspT+YnMXzPlI1QzV RAwLE+BDaBVycn4Nwp75Q8I7flsPmi+WgLYFLsgYqGR7QhcOwHmBARwrpBeE5U67F6QZVGglwlf1q uq5soyYfPdT01WLIuEmEMnopvlPWZfcTRfCR1YUNPk21EOyJ93nzOEKKN1Hctg+khupgG2uu4U8ty 3U69Cbsg==; Received: from mout.gmx.net ([212.227.15.19]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwUt-00053R-4Z for willy@infradead.org; Sun, 06 Sep 2020 15:22:28 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405745; bh=x4JGcFUaDkLWdBvPJjm2HPbCsVaucqP6yPxA5Yn9DWQ=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=elLH0mlOC5O6Az/FhmihqDhK5WzGQ2sxkNq02uTy4hNQmwkokjFB1b4uRz9vI8Xse EqoqIeSibAk0CLNVVhKSpM9WFwtrZLlKuSY1y8Tqq41CPJRW4vyVoRHqSsrRcjLKUJ qDFapOCCBz8AIaUuxADEjMLtM5QT8T8LSz5nD4HM= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1McH5a-1kp5bB1Rbo-00chcC; Sun, 06 Sep 2020 17:22:25 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 2/9] security/fbfam: Add the api to manage statistics Date: Sun, 6 Sep 2020 17:22:05 +0200 Message-Id: <20200906152205.7095-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:CWgT2GRMCZRhinh/463FDuev+ft7FYh9kFYG3p5FLUJwRGuQ+Ns L+A5OPhlSFdwKcQJ1gDkDQq0Da8UEYYut6B7n0oDhnIJLdOinJkumdzzWy1za8oD1ypnb6w 7awtDim47JRB2JosEvZDvtznRYzxIu2Rbop4L+fXYkl086d77m79vHdKiz7cXCFa7ZAzTwR o8dnLfn7wqvf6N4vL6Ymw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:6NGKTE8pME0=:lj/Zrv78yyGg1YOm8OqeJN sqn/+TPw2fgsZ6RowyZws60WmMyhUExWI6HBF+LSwgc8t831Qun1I3mEJVBr5RMxs02GDliCp uG/h+KCTukNLRmIcZ5zuJf8yCtL4ilRablnavsoO17s4jaDTG/ofslgzlFco6kXJlu5WEB71T 63zaCh5dqMXvIvOLYkzd0EVqw+FH6FxiqainSlkb74lsSoWUNE/M/ynHSK7BFKjk9FwMRxXjT SLqwb7S2yw16DKqYKmyv5fsCMgUgJPFH5aYa/2+2+8uQK/WG33X3Y/lcIUfRc8WF5lPIYJ1aV b8kClwvbyMYUm5RyelqzOrZh6AvWuob8AZy+n6fcJtJaqgtmoQf0RfaH7l6cNvZ7TtVrH8vOz TdfnttYHUu0s2agVudq9wPjBSl0vKVbkNgJ6NaD7HD+PYCXh8SPmzM5Fhl0WGaeE7ZOu8f5dp 83JDMFsy42NeE4UhtJl7X0EbL7Ck7BSH9OXPScjJRgbhtU5Xd2l/2M2lwzxfqD+6sH1piCDOV D/8n5T+/kZBw+qWbi7LKcZEaxlSwhxAO3rkFpykGq6h5fWqTUtERqgShI6mgyca+QsIkUrQEd pTz/GFGS73sYK45B/MZSZ/nYqP6CKJz+F05+l0WN0pAUuXt3lSLiqknRdhK9IB+bGODXiLiAi cH3fXYMyVrGHqF+Fy1Q+mT+qcqzeBbTzj/sj5VuavVpEc2hdbn1+Uggw8g/Jtiq6NlvSZeOYm h4dNzd5y4gYzI8jqJvUVQ6ViXe9bKmnFSN91M8k3l2nnE20HZwJZ+U9939DzrnnGUJCAErZ8Y mpy5b7PVWDT/43woEvnwkUUEgT3igrio1dJXW1Mf6RWkOzOwzfIqd8p/3EKxl14HA0YWQlmcb IOdgl0NU53PRkuzkGASKLRLFExK9orX4aVc6NHNuzM5XXZXEIAOhCsiJGQX9dtInlt6oXYt3Q ZPvmVLmidh2FAsoj2M67KWPYYGwbrX48R7DyG22h13ovUFFtayb/CPvZ5HBAtE9ffz0ybNxuP epS3rKt0crOQkD+EKIuiXanu9kBV/AqtbLTBl4pwS599wd24g3qpMQQBVdUaz3dYJVQA10DWN sbbV2yTU6DEM1+YxLgpTm2okGEo6B5wYPmu0YU8+VXsjI973iEwJXlL3mJJWcquJiVJudDnBo s2cTyUZW5W8v+WQlZeJ+SgnajaNB4ZKK5m+rMJnp6PxSabIcAPsLESuAxKM1iYVkWWDRzNyr4 vns93VnN8C7wsIF/SbAvB5NAZPXhoSrnfghiGCA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_112227_418338_B1339D84 X-CRM114-Status: GOOD ( 29.52 ) X-Spam-Score: -0.7 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.19 listed in wl.mailspike.net] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.19 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Create a statistical data structure to hold all the necessary information involve in a fork brute force attack. This info is a timestamp for the first fork or execve and the number of crashes since then. Moreover, due to this statitistical data will be shared between different tasks, a reference counter it is necessary. For a correct management of an attack it is also necessary that all the tasks hold statistical data. The same statistical data needs to be shared between all the tasks that hold the same memory contents or in other words, between all the tasks that have been forked without any execve call. When a forked task calls the execve system call, the memory contents are set with new values. So, in this scenario the parent's statistical data no need to be share. Instead, a new statistical data structure must be allocated to start a new cycle. The statistical data that every task holds needs to be clear when a task exits. Due to this data is shared across multiples tasks, the reference counter is useful to free the previous allocated data only when there are not other pointers to the same data. Or in other words, when the reference counter reaches zero. So, based in all the previous information add the api to manage all the commented cases. Also, add to the struct task_struct a new field to point to the statitistical data related to an attack. This way, all the tasks will have access to this information. Signed-off-by: John Wood --- include/fbfam/fbfam.h | 18 +++++ include/linux/sched.h | 4 + security/Makefile | 4 + security/fbfam/Makefile | 2 + security/fbfam/fbfam.c | 163 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 191 insertions(+) create mode 100644 include/fbfam/fbfam.h create mode 100644 security/fbfam/Makefile create mode 100644 security/fbfam/fbfam.c -- 2.25.1 diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h new file mode 100644 index 000000000000..b5b7d1127a52 --- /dev/null +++ b/include/fbfam/fbfam.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _FBFAM_H_ +#define _FBFAM_H_ + +#include + +#ifdef CONFIG_FBFAM +int fbfam_fork(struct task_struct *child); +int fbfam_execve(void); +int fbfam_exit(void); +#else +static inline int fbfam_fork(struct task_struct *child) { return 0; } +static inline int fbfam_execve(void) { return 0; } +static inline int fbfam_exit(void) { return 0; } +#endif + +#endif /* _FBFAM_H_ */ + diff --git a/include/linux/sched.h b/include/linux/sched.h index 93ecd930efd3..f3f0cc169204 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1315,6 +1315,10 @@ struct task_struct { struct callback_head mce_kill_me; #endif +#ifdef CONFIG_FBFAM + struct fbfam_stats *fbfam_stats; +#endif + /* * New fields for task_struct should be added above here, so that * they are included in the randomized portion of task_struct. diff --git a/security/Makefile b/security/Makefile index 3baf435de541..36dc4b536349 100644 --- a/security/Makefile +++ b/security/Makefile @@ -36,3 +36,7 @@ obj-$(CONFIG_BPF_LSM) += bpf/ # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Object fbfam file lists +subdir-$(CONFIG_FBFAM) += fbfam +obj-$(CONFIG_FBFAM) += fbfam/ diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile new file mode 100644 index 000000000000..f4b9f0b19c44 --- /dev/null +++ b/security/fbfam/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0 +obj-$(CONFIG_FBFAM) += fbfam.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c new file mode 100644 index 000000000000..0387f95f6408 --- /dev/null +++ b/security/fbfam/fbfam.c @@ -0,0 +1,163 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include + +/** + * struct fbfam_stats - Fork brute force attack mitigation statistics. + * @refc: Reference counter. + * @faults: Number of crashes since jiffies. + * @jiffies: First fork or execve timestamp. + * + * The purpose of this structure is to manage all the necessary information to + * compute the crashing rate of an application. So, it holds a first fork or + * execve timestamp and a number of crashes since then. This way the crashing + * rate in milliseconds per fault can be compute when necessary with the + * following formula: + * + * u64 delta_jiffies = get_jiffies_64() - fbfam_stats::jiffies; + * u64 delta_time = jiffies64_to_msecs(delta_jiffies); + * u64 crashing_rate = delta_time / (u64)fbfam_stats::faults; + * + * If the fbfam_stats::faults is zero, the above formula can't be used. In this + * case, the crashing rate is zero. + * + * Moreover, since the same allocated structure will be used in every fork + * since the first one or execve, it's also necessary a reference counter. + */ +struct fbfam_stats { + refcount_t refc; + unsigned int faults; + u64 jiffies; +}; + +/** + * fbfam_new_stats() - Allocation of new statistics structure. + * + * If the allocation is successful the reference counter is set to one to + * indicate that there will be one task that points to this structure. The + * faults field is initialize to zero and the timestamp for this moment is set. + * + * Return: NULL if the allocation fails. A pointer to the new allocated + * statistics structure if it success. + */ +static struct fbfam_stats *fbfam_new_stats(void) +{ + struct fbfam_stats *stats = kmalloc(sizeof(struct fbfam_stats), + GFP_KERNEL); + + if (stats) { + refcount_set(&stats->refc, 1); + stats->faults = 0; + stats->jiffies = get_jiffies_64(); + } + + return stats; +} + +/* + * fbfam_fork() - Fork management. + * @child: Pointer to the child task that will be created with the fork system + * call. + * + * For a correct management of a fork brute force attack it is necessary that + * all the tasks hold statistical data. The same statistical data needs to be + * shared between all the tasks that hold the same memory contents or in other + * words, between all the tasks that have been forked without any execve call. + * + * To ensure this, if the current task doesn't have statistical data when forks + * (only possible in the first fork of the zero task), it is mandatory to + * allocate a new one. This way, the child task always will share the statistics + * with its parent. + * + * Return: -ENOMEN if the allocation of the new statistics structure fails. + * Zero otherwise. + */ +int fbfam_fork(struct task_struct *child) +{ + struct fbfam_stats **stats = ¤t->fbfam_stats; + + if (!*stats) { + *stats = fbfam_new_stats(); + if (!*stats) + return -ENOMEM; + } + + refcount_inc(&(*stats)->refc); + child->fbfam_stats = *stats; + return 0; +} + +/** + * fbfam_execve() - Execve management. + * + * When a forked task calls the execve system call, the memory contents are set + * with new values. So, in this scenario the parent's statistical data no need + * to be share. Instead, a new statistical data structure must be allocated to + * start a new cycle. This condition is detected when the statistics reference + * counter holds a value greater than or equal to two (a fork always sets the + * statistics reference counter to two since the parent and the child task are + * sharing the same data). + * + * However, if the execve function is called immediately after another execve + * call, althought the memory contents are reset, there is no need to allocate + * a new statistical data structure. This is possible because at this moment + * only one task (the task that calls the execve function) points to the data. + * In this case, the previous allocation is used and only the faults and time + * fields are reset. + * + * Return: -ENOMEN if the allocation of the new statistics structure fails. + * -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_execve(void) +{ + struct fbfam_stats **stats = ¤t->fbfam_stats; + + if (!*stats) + return -EFAULT; + + if (!refcount_dec_not_one(&(*stats)->refc)) { + /* execve call after an execve call */ + (*stats)->faults = 0; + (*stats)->jiffies = get_jiffies_64(); + return 0; + } + + /* execve call after a fork call */ + *stats = fbfam_new_stats(); + if (!*stats) + return -ENOMEM; + + return 0; +} + +/** + * fbfam_exit() - Exit management. + * + * The statistical data that every task holds needs to be clear when a task + * exits. Due to this data is shared across multiples tasks, the reference + * counter is useful to free the previous allocated data only when there are + * not other pointers to the same data. Or in other words, when the reference + * counter reaches zero. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_exit(void) +{ + struct fbfam_stats *stats = current->fbfam_stats; + + if (!stats) + return -EFAULT; + + if (refcount_dec_and_test(&stats->refc)) + kfree(stats); + + return 0; +} + From patchwork Sun Sep 6 15:22:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759569 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 76886746 for ; Sun, 6 Sep 2020 15:37:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 44BDA2078E for ; Sun, 6 Sep 2020 15:37:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="IasJ6Yi7"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="FZbgTomJ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728779AbgIFPhW (ORCPT ); Sun, 6 Sep 2020 11:37:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726931AbgIFPhT (ORCPT ); Sun, 6 Sep 2020 11:37:19 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8F0EC061573; Sun, 6 Sep 2020 08:37:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=OFf0LPWq+N5jrV9Hhs2llP5KAHSXD0S5GihZT+xebI4=; b=Ia sJ6Yi7B98vow3nzVLL4ha0Ta5WV8OKVhUrmpaiee+0osbuZJgqXUhXSmK6tZ1ZiBQDg53CuyRK9z1 T0Dv2mgMhTgmLDksZpVKyb5iN/asVQDSILwbhZFm97Gy1Cb78DLrvGoH6b21kz9J2FH7DrIGlKS/1 qBCnlR+aNV83DEgKu51k3yrccVHB0D/Nee8TuF+wbzXpQ+ddClABuzizsJjd7/eBTJ6C4DDQd8+ih y69rG+kszOaM52MZC7Smebe5ZCAS9CwZ/FpPoL84HxWSVsHvqZR/wqbeL6yCLX+suvmfoYXK8MAOb CEvLjwjnKQjky+gMl6q57Uv6nbMFzzeQ==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwj3-0000zA-6k; Sun, 06 Sep 2020 15:37:05 +0000 Received: from mout.gmx.net ([212.227.15.18]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwVY-00008c-Jk for willy@infradead.org; Sun, 06 Sep 2020 15:23:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405780; bh=fba9t+vlFsupMOni3Mo/UQizfPkPJvT3QjxaFpkfifc=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=FZbgTomJ+SWeWevRqWlDcnL2J2UxgRF0XOLBsTo4tpX/4uEBk/Jw7ixkkwA3aEdU+ HF+F+yF1KDobGLuZ53XqZh5C5vf6OIf2JYa8Ora1pyzs5HpixJmvR6Q2oytw6W38OL IId6khKAqjHvZwjX0c59O35gRxTEk9ndznPjtJck= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MFKKh-1kLl4X15LN-00Fgmz; Sun, 06 Sep 2020 17:23:00 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 3/9] security/fbfam: Use the api to manage statistics Date: Sun, 6 Sep 2020 17:22:47 +0200 Message-Id: <20200906152247.7149-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:bHGDCe2f9IdRjz+Z2EcseIpWCNmVqy7VoDUkIQMHvARMpch9oPy sLIdXtp8nldEo+0Qp5YGrA8qrWU5UNaNCeqf0kUWJYOv70CWhUMwFy//Ml12DoS7fCRRCoG SllBrrbQlvmjviNPkBl8WB1hDra9FPOK5FaJKu10ZkYeAeN+Kyp9EurwjscifPATUGEY86H 2k2+zPpeef+SRCBJ4yIYQ== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:SM2qnhGHBgQ=:R9di0UH+SKUFpdPnM1Sw/c 5ZnoIaM5b6FGMhJ90RN+v6ZPt7f+9LwBj1/e2bPGM1/5+crFZPb79fBoI4zH0WYdg77E2afbA BqtNmMgF5PiMroCbOFWVMvS57sV55b4AP1iS7lhE7EhbysoY8Su6CeVTFrP5fRxZTSb5JANrk EQkrHAxS7B+7ZqpcMskw/NtpFtnTcvM+3U+7Co1sNjZlqKtamTqAaXPYTQOZ4PabsUSM1kjPA GPUNYU0CT7LGSzDbrxLcO8aPlouzKTpdB1hKIpUYLVP3E6KE6sPIUlh0NJ5lMgB0L3WI7OGVF 14QgXQsypOPttv7QjprqQqgD3ptb0o53rskAbYfSHUtp60+qIPcKUSdREtS/UXg8wATqU82z6 9yGOuM6WOFZ3HV3u5MINlGLbtAFPqiPS0ya1EG02VCfA8lGtiXWybNT7qCi5viz/7RcM2x8Hf L5X/71kkZuYgy6bmXckyTW0PxabG6zckus+UBdmGu+kLHpa+xNUK1nCxZP7dceL+Ay+of4Ymf jYc/WkNht3uEpci+Zvib7wDykp+n0RADTg/hmia+LRHgpObJCKPbs7ZwULgjoF7sCF5P0Sw8x x0FQQ6Gp0oNMJGsrZIYWsYZCNj4a6b/exILpr8tlq+Yh4y4xtO0tUJ2o0KCyWAQQfCAnungyd lSboN1rEPhKeB2E+JRlsMIKvdFka00lFXlMFHd7PPRwxMjrtOkJbqMbM07doqVveeIBQXeOiD KzoDokXLINb7FEiI1fe3BScLofnPaf/e0QjKHbmgUEytkuVp5tuXHw8UXcdqbVxufsG/TxvJ5 RcZOxJDYWxuDOROTnBN3KA/Io0ADMR8R/xJZA0ySdAuf9aeZ/ctYoUPcpHFu1JVBDPAyXW9Fp J9aFKkibdquA2E+p7Dvcmyp9OW95g3ET/FSPyAyfSZNoyfTr5M4ZFLyJvQHIgqHyKZRKSoIwe TgFM1VSOV4+Ld0Lzf730+GyyeDs7HYkn33753nXvaz/j5sT8vmkE++ApqHHw6+lfTyMUon2Rw I96Ws9qO7ppRrzRoC5qNunV6rUYTj7+sOVQsT0y0wMsikuo/+yiBb+QquRdGHX+1rmNRPNhZ7 jBNOKufgcF+N4NXxZ41SZEYAtuBTvZGGNhvAp60FD+TTeI2joOyIO8o6tFBkOoDowdVs7RCwq 24pWJZL64iJiShvujzlVQjaDzEq90bNkgXNbg3tmH+IaIzMgWYRabf76TxBY/Ojv/1mZeKj0X AKm/ha5fI19ggGdpayfABMknuQKAnjUghOFbxsg== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162308_907096_153AC323 X-CRM114-Status: UNSURE ( 9.81 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.4 on casper.infradead.org summary: Content analysis details: (-2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.18 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.18 listed in wl.mailspike.net] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Use the previous defined api to manage statistics calling it accordingly when a task forks, calls execve or exits. Signed-off-by: John Wood --- fs/exec.c | 2 ++ kernel/exit.c | 2 ++ kernel/fork.c | 4 ++++ 3 files changed, 8 insertions(+) -- 2.25.1 diff --git a/fs/exec.c b/fs/exec.c index a91003e28eaa..b30118674d32 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -71,6 +71,7 @@ #include "internal.h" #include +#include static int bprm_creds_from_file(struct linux_binprm *bprm); @@ -1940,6 +1941,7 @@ static int bprm_execve(struct linux_binprm *bprm, task_numa_free(current, false); if (displaced) put_files_struct(displaced); + fbfam_execve(); return retval; out: diff --git a/kernel/exit.c b/kernel/exit.c index 733e80f334e7..39a6139dcf31 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -67,6 +67,7 @@ #include #include #include +#include static void __unhash_process(struct task_struct *p, bool group_dead) { @@ -852,6 +853,7 @@ void __noreturn do_exit(long code) __this_cpu_add(dirty_throttle_leaks, tsk->nr_dirtied); exit_rcu(); exit_tasks_rcu_finish(); + fbfam_exit(); lockdep_free_task(tsk); do_task_dead(); diff --git a/kernel/fork.c b/kernel/fork.c index 4d32190861bd..088aa5b62634 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -107,6 +107,8 @@ #define CREATE_TRACE_POINTS #include +#include + /* * Minimum number of threads to boot the kernel */ @@ -941,6 +943,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) #ifdef CONFIG_MEMCG tsk->active_memcg = NULL; #endif + + fbfam_fork(tsk); return tsk; free_stack: From patchwork Sun Sep 6 15:23:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759579 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D4E1892C for ; Sun, 6 Sep 2020 15:38:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B46CC21481 for ; Sun, 6 Sep 2020 15:38:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="vRzoyIgE"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="cMQ4hK2t" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729006AbgIFPiM (ORCPT ); Sun, 6 Sep 2020 11:38:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59238 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728905AbgIFPh0 (ORCPT ); Sun, 6 Sep 2020 11:37:26 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B8ACC061573; Sun, 6 Sep 2020 08:37:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=HHWFRuEjpwIOXF7bCKWeM4a7Gbd1H7mpKL9VNiaPJTA=; b=vR zoyIgEAi4iUhcGAfu05yIGRGLtx/nVRFtggn80AnqsYPDc9KL0pFhrF5eAvXu05ZCOVw3QuT6tpXj htudfgpaP0aaDyrLM9l+i9zd1q7qlKDcFQVpB8dvPDI+7OSGvsFrSMMOlCK/dOz4dLSwEFr9X6jlq bXn9NPZbHQgtuIz8pNOn530Cmny6hS0qylaxd7FIv1qIAZpSJF7rGp8BRPaCjOGtmVqeKIt79APua SUEUAMoCXInqPnxmEDVDTLCJnqxwwU9hkt1nkTC5dhxWfmzFrJAXdKBGSaI8eO9seRoIKsHCzs4QW yTivDneKttLGahhNvYJF1PZHs1mBjhxw==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwj8-0000zW-71; Sun, 06 Sep 2020 15:37:10 +0000 Received: from mout.gmx.net ([212.227.17.22]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwW8-0000AK-Lu for willy@infradead.org; Sun, 06 Sep 2020 15:23:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405812; bh=VROIkO5uZFKsGitKUg2bOT0YSmMyUgd5L55Q6L52pS0=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=cMQ4hK2ttARkZw4TLHsi6zh7VJQMCP0tMItp+XlAPEUO04XF/56UG12jK9keoDhw/ atx93ZFSUod4OJLvP3k9lX6suGyu7qUNqqDg5gspwLZElUzNYRB1YHEqwph8sxKjO+ Soiv3XirEippebRHbB9uAgskbXsmQl5AfVsn0V34= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1M2O6Y-1kGZsT3j1q-003tW0; Sun, 06 Sep 2020 17:23:32 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 4/9] security/fbfam: Add a new sysctl to control the crashing rate threshold Date: Sun, 6 Sep 2020 17:23:17 +0200 Message-Id: <20200906152317.7205-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:mk3kJe9rY10ZeHn2yGb+zOmUatUjQwSkdPG9zxQvSGz0VpSRDFT IiAQRrxOwA+CJlE/QUXh740SI2r5nCQs+fY1wqF2ebIeiLQO7Z+yDcbV/FjQinR55Fnm9+q KbYjFECz43ELE1KRM8Gf3ceLvkzveOwV8N/5UNMlCcnJ9OJ9d4bJIuuw4rR9xjkjDM9xyfH orAdS6Vsi7VrOAkLAlHHw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:hEo3Gmz3Nb4=:IXXiDAOW56JBjOT/9+Rxas BoSQiGtyiEBmcCkFqqi617lG6/SGc7E1JS+NXfE6yLikbfTZ2sm/+gVsGpVmmzhkowL1FwVfk QOS8hKUw/zyR5mGXxlCjCet5M+ZFfNbPidlyU7g3kj+YWsTxXO3IQsNIn9hN98+L0uZjPBczX ky0Mm4R/zouGShz0EcRqfEtxWPwTIKoUhkXkID01ByYrHJYSeTcoT89Z882clzdohXppwLeJc zJaTiQ7ZB2jEsEzAQIY1BApv+fOkexJQod86QUhjtFxAo+Su0ARS0jX4IV8rt0VQOY3m1pRrV 4uErMsfnQx+cTaDqvgS6ZSKMS3VKkQQbvY7PuNrVH9gs8pVo131tzA3JizrnTaTZkgRf/Bgei HDLRJbaPcPneREctNQ+9x1DkUQcVD3va7jPXpCCNoxoP4aRhZyOKaXJ8hnlHpe3zWjonVnqx8 sEXolQ3V9bVYVsAlUFbK7oXRUYUrM0H3ExMcLWM74ziZEOrlUjiYTVszAie2TRisfryo2/mS4 YW/QTETlIpgCcDw0SsqngN5fhcx8SLUDUWEthjzCAyAkyiYXaa8ej8i1lNPzInu5DT+HGcOg5 GDj8huOz26tYRz5Q+VOL2CTClGAnScQTgLMBT9sc+8RdodgMqGI6jMx1wLBYyK2tna7jjAHwh tGsdIFaBp+PGBxa7mGLWs4S6Z0tSZxT+mBFbP9hP/1fb47uTFiXo5IICsEbtFdLMrQNocqJMv Qk1h3TIBLHl31wFyL4AvJ0hwcbV+n4+Fp8UOrZM3EvqxFqKwkApKMsZdK1seuSzzm3tQKapUm qc7si+tMvt9iOYqwkRB47voi3h9J57vAFcpgGUoenNgMmNlTo/+B9Jl0K/ArtMzY2A1/H731T aPYm2ADr/lmxdHy7iMcNBhXnr+rpmnmmMLU/7KmbPEExGkr+Q5tCwr3IAjpg4HIwIbyrcb/Lx Wb9vHPOf8xzBltd6p1mMyQKTzP+S682jxIAoPLbuGhH/CQOj+oe9QVO/74BONmsZc9AaW/Gwv G5cyBd66SF4jkEKQYN9L5YrXrRa5fCCdGkH+QqlhWiIRTVyesvLqSMDzf4KRJ5ZKIKcA06I8Q MNosmeXK8sf38Q0T4U0qvhGSFRJcGDVv7jw2yMdPfSHl806KY3AkmzVdCghR6woP3KJQSgeLg K3nOWHgEaQw8rCKcEmNam0EUuXvIbZ8fbkLW+IuTcT9kUFmPHlU5qbq1pDFOvIE5ur78qf37+ +LO4gV8rcRpZnfOo9adVVS1cu3ifVAICvUbmZIw== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162344_889745_5F17CC16 X-CRM114-Status: GOOD ( 15.38 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.4 on casper.infradead.org summary: Content analysis details: (-2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.17.22 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.17.22 listed in wl.mailspike.net] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: This is a previous step to add the detection feature. A fork brute force attack will be detected when an application crashes quickly. Since, a rate can be defined as a time per fault, add a new sysctl to control the crashing rate threshold. This way, each system can tune the detection's sensibility adjusting the milliseconds per fault. So, if the application's crashing rate falls under this threshold an attack will be detected. So, the higher this value, the faster an attack will be detected. Signed-off-by: John Wood --- include/fbfam/fbfam.h | 4 ++++ kernel/sysctl.c | 9 +++++++++ security/fbfam/Makefile | 1 + security/fbfam/fbfam.c | 11 +++++++++++ security/fbfam/sysctl.c | 20 ++++++++++++++++++++ 5 files changed, 45 insertions(+) create mode 100644 security/fbfam/sysctl.c -- 2.25.1 diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index b5b7d1127a52..2cfe51d2b0d5 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -3,8 +3,12 @@ #define _FBFAM_H_ #include +#include #ifdef CONFIG_FBFAM +#ifdef CONFIG_SYSCTL +extern struct ctl_table fbfam_sysctls[]; +#endif int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 287862f91717..104b70c98251 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -77,6 +77,8 @@ #include #include +#include + #ifdef CONFIG_X86 #include #include @@ -2661,6 +2663,13 @@ static struct ctl_table kern_table[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, }, +#endif +#ifdef CONFIG_FBFAM + { + .procname = "fbfam", + .mode = 0555, + .child = fbfam_sysctls, + }, #endif { } }; diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile index f4b9f0b19c44..b8d5751ecea4 100644 --- a/security/fbfam/Makefile +++ b/security/fbfam/Makefile @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_FBFAM) += fbfam.o +obj-$(CONFIG_SYSCTL) += sysctl.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 0387f95f6408..9be4639b72eb 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -7,6 +7,17 @@ #include #include +/** + * sysctl_crashing_rate_threshold - Crashing rate threshold. + * + * The rate's units are in milliseconds per fault. + * + * A fork brute force attack will be detected if the application's crashing rate + * falls under this threshold. So, the higher this value, the faster an attack + * will be detected. + */ +unsigned long sysctl_crashing_rate_threshold = 30000; + /** * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. diff --git a/security/fbfam/sysctl.c b/security/fbfam/sysctl.c new file mode 100644 index 000000000000..430323ad8e9f --- /dev/null +++ b/security/fbfam/sysctl.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +extern unsigned long sysctl_crashing_rate_threshold; +static unsigned long ulong_one = 1; +static unsigned long ulong_max = ULONG_MAX; + +struct ctl_table fbfam_sysctls[] = { + { + .procname = "crashing_rate_threshold", + .data = &sysctl_crashing_rate_threshold, + .maxlen = sizeof(sysctl_crashing_rate_threshold), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, + .extra1 = &ulong_one, + .extra2 = &ulong_max, + }, + { } +}; + From patchwork Sun Sep 6 15:23:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759581 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7DA5B746 for ; Sun, 6 Sep 2020 15:38:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 38F09207BB for ; Sun, 6 Sep 2020 15:38:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="aCrzbhqA"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="pb+O6KRb"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="Z8bCWCfC" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729020AbgIFPi4 (ORCPT ); Sun, 6 Sep 2020 11:38:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59246 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728910AbgIFPh2 (ORCPT ); Sun, 6 Sep 2020 11:37:28 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37642C061574; Sun, 6 Sep 2020 08:37:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=LfLL8EfsLWPIVjA/qPAWihJpKpYF6WwKrtOh6YoaCRo=; b=aC rzbhqAhDdhaB2zSoT939OFEKayNRNESuNwWSR/JF0bT4K//OcKN8+QFwA8C/NiMCgTNL2oua4W9gW FHLpoF1wcgMTLoMDODfT1V67DVfGTSpbhKdKPeRBXPy4G1jG+81pBgtiLjdJrDoE26xk64CTxm7+k nTtKzxJLAhbZMHfqArqJeN/5ARe/Qv9ZbmyodB/LCJp3aUoZU0sHcvepWW3F+sT/6a2vf3fgpTRwJ GL4kEAauGYoyY+gBjUuwdx2eDo0O2quAioJCVGNxdjw+YQovBTRqhqdMjm0q8mv4/MsmcEtIn6cLy AuHAnC1voBrpBLrN0fl0TzCXjUKQ9bAg==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwjC-0000zo-Aw; Sun, 06 Sep 2020 15:37:14 +0000 Received: from merlin.infradead.org ([2001:8b0:10b:1231::1]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwWV-0000B1-Ck for willy@casper.infradead.org; Sun, 06 Sep 2020 15:24:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:In-Reply-To:References; bh=LfLL8EfsLWPIVjA/qPAWihJpKpYF6WwKrtOh6YoaCRo=; b=pb+O6KRbKVxzlOQ0kZphehB/5E RVuu8H/S5OHCMHe/NIZ1UQPRbT3j+Cdmwn3Mf0X2PMrwjYi2CPCAGc4hOyc7O4fRRrCeUciLj2caO Bln7S4omLUOQS+8nm0H8Ppm7WmF5GvICpKqKzGR8VUfBdd+xbxvA1HJ4uupx4C/KrhD49r6casVYu 1EBUOAaWeO0wfOY9WrAVNvU9C+7Azt704JTp+leOt6FuskxiXNjuPllvxm9Ys/z9yNc8NbISIgp6C 9HGeO2RDOyUVU0xTEU1fGhPKerS7PGTHSZb6+UHpZu4wlWrcWNxR+4W62/VEOVfVVKGq48XNXa3Fo sq4rVOvQ==; Received: from mout.gmx.net ([212.227.15.18]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwWT-0005b2-M0 for willy@infradead.org; Sun, 06 Sep 2020 15:24:06 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405842; bh=wSyb8ELnZwbF8mdKE3qNGQu3+WS5EHnrrE3a8pgI2FU=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=Z8bCWCfC/qHhUYXb1rHkj/UlgrP+oHynklr36+cT9GPsMpokFn5k/MmXQKsOQRXYv zEyu9hQoc4UNtVjBk1yAutAzRZq4DZU8Iocf1N0v5QdWK8FTlGNfPlJNvAzZUrFTTJ Q01JbsibVDee+D+HZdqtT8hbTwGQFRQpQamhAc/A= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1N79uI-1kbluA1E3I-017Vsn; Sun, 06 Sep 2020 17:24:02 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 5/9] security/fbfam: Detect a fork brute force attack Date: Sun, 6 Sep 2020 17:23:48 +0200 Message-Id: <20200906152348.7259-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:ce2fa8zkw8hMoZnGJWba4J2u0Ujafy2LgQ4ULuHrUMjjsmanX5K 6v4vD1h+jltrylt2Ue/wdj1v+DBJElQbaqLQobQ+pG2EltTZOkdj7HACMGJ3g14c9cLnDST m9pIo7lhC+fxNlDbcnNimV/RH9A15m7E8nMVfLP9pt3uJwzKIiMCdrCFMcjuiHviF3QNDo/ Xgu37dEsD2lz64fANXFZg== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:i6jAOeTSv58=:mXKQksFzPVbuhbFTajnYyj 29QmE2sPzW7hE6LrZCYWkld5zJTd9z1RQ5kO+H68PXLqu2aj+R6aJ1+umeRBsH1RryMZHnaYA IrtpSYprCvxjFF2/+MHHXtYPq7CmvHmmJBsyxYULoH/cu6M7KDYs/dpHJ6gvoviP28jgBqYqy oKDMV5Eio4mW4Nzu3oiQcu2DU8c3+7/3W0GETgESK4I84F2eMuYafPHOHRxJPEeYl3fe8JmlW oRfv784ZgSRvEgJuGjjk5kgk4QL8nivIDNeMr9Ci5HAOTyl+k3Q4hLxkmq6+2/nnho9Vbk8zo JO5/Ac99uMfyMoH0qvRVDIfUEKaFeqxwQBap2Csu4pEcvksQjlizvaBkuWM5QPLgnmAZFEf/z 0zPGzkZFiF29KVLdNOPsBnJ8hbiK2xNGI5NJTAvIadG6zcKBvX4M1VXgbEKk46GfM0wNfbF4P bVW5F9d1gXbyXVFwv1LCaEugELL0eL7Jw/kpke0P2FR0EXTZjB4eR99W0e4ZfheI7zokaMMSF 7savyd4dhvISCJ7iUAEAmm5RVSc00eBEQPn3jNnamDjB0doj9gQn5y1dR8Y5cHCR0umaIwbxY Kjw2GLhj1VddMRaR9IwBzhomN8d8qHc53r74qdGFS2zin4WDSDVcA+uJyDjOOJ89iKUpSNNmq mrrXIW5+vhrUU/AtTxkMjJO0pxMWIPEtUB+VLvfj2+3Gl42LH2JyW5SR1fxADR6mHBjFuwIZm o5AlwhSe+XkSAmQVtNR4Jf7xj04Ig/CSqrKZBm6rNO++Tn38e6Tk6yPlU8Ia2WF4X6FHIvL7y GyKmFfMHsfe2qd8MeSG1D0jDoRcJ9+3tAWj7Z+SQPxTH69Z92rYDYjyINHs64bB9P7M1BgIVw d9n41NTk3PY+Q3UqwR1Gl752Lf6aL7WFZrFQ2R850Q2YAP98j2Wash+kXNy0XEGqocSQdha8J QW/m2K8Byq0OjvZCawv8bJiA5u8j8qC1nSyfo0Yvc1cjAYgSBRekizTQPQgx4ePqKHst028KX /9hcWuK1MN9a9jDl0+e4ryCoV9j3wECLeNrOveOJubdsE297JiDTiKcmYCYzKNg7NJIEgEn/H Vbx/tJDoW/KZWEzOO0T+uXTVoS1XcDsw4pYnGT2dv6Ikb6PBCwiFHQVmAti98Z0fKbiwMh9zP 3kfweGCVu2L0m01Ukd6eISRu6cyKW4TScWjMavIPM5CetQULNg3I/o5YPjiDjuEJ3AY98pItr y7lOi2vLi4HuWZ8d80rN5DeNL1dKiQVHFx5EeyA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_112405_925120_0F385A79 X-CRM114-Status: GOOD ( 16.18 ) X-Spam-Score: -0.7 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.18 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.18 listed in wl.mailspike.net] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: To detect a fork brute force attack it is necessary to compute the crashing rate of the application. This calculation is performed in each fatal fail of a task, or in other words, when a core dump is triggered. If this rate shows that the application is crashing quickly, there is a clear signal that an attack is happening. Since the crashing rate is computed in milliseconds per fault, if this rate goes under a certain threshold a warning is triggered. Signed-off-by: John Wood --- fs/coredump.c | 2 ++ include/fbfam/fbfam.h | 2 ++ security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) -- 2.25.1 diff --git a/fs/coredump.c b/fs/coredump.c index 76e7c10edfc0..d4ba4e1828d5 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -51,6 +51,7 @@ #include "internal.h" #include +#include int core_uses_pid; unsigned int core_pipe_limit; @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) fail_creds: put_cred(cred); fail: + fbfam_handle_attack(siginfo->si_signo); return; } diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index 2cfe51d2b0d5..9ac8e33d8291 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -12,10 +12,12 @@ extern struct ctl_table fbfam_sysctls[]; int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); +int fbfam_handle_attack(int signal); #else static inline int fbfam_fork(struct task_struct *child) { return 0; } static inline int fbfam_execve(void) { return 0; } static inline int fbfam_exit(void) { return 0; } +static inline int fbfam_handle_attack(int signal) { return 0; } #endif #endif /* _FBFAM_H_ */ diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 9be4639b72eb..3aa669e4ea51 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -4,7 +4,9 @@ #include #include #include +#include #include +#include #include /** @@ -172,3 +174,40 @@ int fbfam_exit(void) return 0; } +/** + * fbfam_handle_attack() - Fork brute force attack detection. + * @signal: Signal number that causes the core dump. + * + * The crashing rate of an application is computed in milliseconds per fault in + * each crash. So, if this rate goes under a certain threshold there is a clear + * signal that the application is crashing quickly. At this moment, a fork brute + * force attack is happening. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_handle_attack(int signal) +{ + struct fbfam_stats *stats = current->fbfam_stats; + u64 delta_jiffies, delta_time; + u64 crashing_rate; + + if (!stats) + return -EFAULT; + + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || + signal == SIGSEGV || signal == SIGSYS)) + return 0; + + stats->faults += 1; + + delta_jiffies = get_jiffies_64() - stats->jiffies; + delta_time = jiffies64_to_msecs(delta_jiffies); + crashing_rate = delta_time / (u64)stats->faults; + + if (crashing_rate < (u64)sysctl_crashing_rate_threshold) + pr_warn("fbfam: Fork brute force attack detected\n"); + + return 0; +} + From patchwork Sun Sep 6 15:24:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759619 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01D2C92C for ; Sun, 6 Sep 2020 15:48:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A1DD32075A for ; Sun, 6 Sep 2020 15:48:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="N6iE7zMw"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="jHdrNayA"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="GQBAQka9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728910AbgIFPrt (ORCPT ); Sun, 6 Sep 2020 11:47:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59252 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728932AbgIFPha (ORCPT ); Sun, 6 Sep 2020 11:37:30 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C36A8C061575; Sun, 6 Sep 2020 08:37:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=/u0+yrSlw03aBtAYCusgZd8I7ARa19CGm1otMTTspw0=; b=N6 iE7zMwzDHtR87N3toXZeISABN9RMyEko3UXEinJBb9CrEcERuqvtMhVt66RHkyAZ3ZOWXvjfYEx+6 eK3x8bJfCVTMIOmEelmx4GGAyHgZjbZCX314Ht+Kehbe2vW29HYru4BNoGFhpCfQJ20QWz+kum9Qg JEVW6+ZMNbJ3U5ZECWgm1zmg2EQ2mJXwlX7vLGrLx8vjOsijxmXXxi1ijcvB58hA9gRNzCoUYejl5 ylgG/sTj5yvZb40eIkEO/MZ/ZS7PVaIHjCzN8/HL22MSaES0JQg5rnkgavR8sadk0LUcKnX1syEYl 20PDa3X/5CcR193tcKKNA4mLdy+waEcA==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwjG-00010C-Hv; Sun, 06 Sep 2020 15:37:18 +0000 Received: from merlin.infradead.org ([2001:8b0:10b:1231::1]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwWx-0000CM-8o for willy@casper.infradead.org; Sun, 06 Sep 2020 15:24:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:In-Reply-To:References; bh=/u0+yrSlw03aBtAYCusgZd8I7ARa19CGm1otMTTspw0=; b=jHdrNayA+D0+l3TsROlqvEngbU hhhOYtZcw+hNeSQGFBo7oVYykFLUCi3zXdviK/z559iiv9B34eCDWuy/r8gVGuNF6UkPgyNz9Uv8z 4slgUBNC5rvKyVW0st5lSkincFgyV+6KwjP/KMSN0FgG9jmWEQq++H/JTCAD75Lvs3PH3BkS6/CMF wIxqiHmDldo3slS3TlkoIriWRePv6lzUncIzzM2miMyC/ff+HCYTa97x3ozzLHLvfZEA89LCs+gz8 uwOWwcn3AP1+O0iVJkxPhMSanoaO2XLPriKpJ3ZTwBtVaU0t/vdSuAhhdf7fh2a6yog1Wj2nuG6DD StOuEDZw==; Received: from mout.gmx.net ([212.227.15.19]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwWv-0005h9-DM for willy@infradead.org; Sun, 06 Sep 2020 15:24:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405872; bh=FGUtm7UcaPXHO1b8O1ignGpXik1HpzO5bGlUoqXvgqQ=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=GQBAQka9GqYlQb18RoC4xepBLLtdIfIEWARSBCiDa6U566emMfgWg+uJH0gXX9b4K Pv9RjjwdHMQp9PkDgK7Y+M8rBOe6YzUBEMLohqKRxhoP+ZVXMspMJc8LmQMT74l5Sq Esvm9IBqBCk5A7rTsixN8BUA9oq/P9tWNnmNW6I8= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1Ml6mE-1kxr7k07Ei-00lSsJ; Sun, 06 Sep 2020 17:24:32 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 6/9] security/fbfam: Mitigate a fork brute force attack Date: Sun, 6 Sep 2020 17:24:19 +0200 Message-Id: <20200906152419.7313-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:CWSxwusOyPimutvXHB158vpVFv4Ki0ydyrkpH0mlS9pJ3Ew2sds dXaet9nquVcKEfdgC3lVUbJ9laiwsvcBwR2RWY+RJTwhQx689k0tIqq7okI6ubG8eZoJIYy jgZnaq59cZ96/Cw0Fj9GLzUxA8YKnjHFA+xDYDD7US/anfPfWt1U50MxQ7o91+Qt7djzfDm ldPlNhljTAUuM8y/p9+Lg== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:CHkubrO+3ek=:wHfRzU0dt2zIbkMp8pYQqw MB/Z/K+9PCGdVftPoVytsQDjXHNFoVPGUQEohybAq8XeFODkbIw5xLYGrOP3pWBxjkcDP5Ksy Ve3Q3TcRm3pwESSUjDq23+iZHjdLeaO9/RXqmybZj+HqOuqzyEbr8yI0dqHTMqwz3H41OweE9 j6x3l1DyxewM3t2cMGnCG5mpHx8+NyMiaNjwAGuhxFTVXaErkazCKW7QYqBfQSagtevaqQEcg PwiokvxbdkI07QMSetZOx58RCy7718c3kQIhyiJJyNltjc+uAUrV+TzrCCyYE8NT7w38lX+yt Bde9hHGWEDlwAAg6Ai/uK0fchm7UjO0vmDS9ZS4rwsjA/7zHx/Eh1BdzmPCd/AGYrhbYsQ7fu 0Ssfla7ZOjkCaE5xrdLOCwCtAnKymoIn6CIflGgq4i3hhqKZedcxmdeYAGpwqLUnVaEQbx61O kbIZlkqRynFvlcrJ3ogllMzuvoFyyTg9Zf+O9FAi5w6UP6K/TUGPeBFU9Fm+Zfrau+QCkgJQ1 iXp8rMUTJgT2d9i0AeHZEU5G53nzDDhwzLwJ81y7ampcJrQbZNFomqUIWs6vBg4jKswMIGy/D eejpACotpeoI/85Q6UdsdQ7/yM6/PQ2fEM+xoOwXfNynt7UGB/6ILXfkj/sRWkF6G/ow7Judv wQR1CFlxdjNgKSCE6i+1BjGgGFBQvqTZEILvIAdV3g0YNo1IRv1E4q7qHbGUWIzAY5XBQ8QxH Ttgu92Gm41urcgD9bEChfdekIOejJm2G4DuFEDkE/ss86vfWp6IqJvuIIBq5FVcj26XX9tRJP ebop0NXreSJAg27lQyp7XtZd9c8T8RxJgAJSjqoK47jrGhlU2F93ggP+BC1fTJsz247ToZPOg 2aAm27iEvPaOgMiMuuZ2DINMGttTBfXXFz381n23bO5k1u1T3MGqKoJS4/Oxk1oLwIBkxTzqt gVdS3204IGRFCeuHrZCkQcnVxtiNXReegsF5bF8ziDOpoSWDEoN0U36WBGAkyu50eF7tEqNN3 fvXwFYSfoYM9cQLcSv64mm/tTmm8x+agQgqUUgRiUqst7DYUGT0pIym6RbazJMCiKnI9lvM7j Y98beh4/mGgs08Dv2c2UKCScZK0BiekmY6LenGSfU2Bkl372Lqvk4BYCWBQrRJ+2GkGASCJ1J UsKT+WjcjLHPhFJbABqTAtnZsavRnXuFmO8aRqdwkc720x5vKwa+dsojZR+Gnu/xoZ8DCiI+1 7UuxcDhJ/rcvWbqHiZz+5n9tTMHMVopUxWsPpUQ== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_112433_668709_02F8DBC4 X-CRM114-Status: GOOD ( 21.35 ) X-Spam-Score: -0.7 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.19 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.19 listed in wl.mailspike.net] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: In order to mitigate a fork brute force attack it is necessary to kill all the offending tasks. This tasks are all the ones that share the statistical data with the current task (the task that has crashed). Since the attack detection is done in the function fbfam_handle_attack() that is called every time a core dump is triggered, only is needed to kill the others tasks that share the same statistical data, not the current one as this is in the path to be killed. When the SIGKILL signal is sent to the offending tasks from the function fbfam_kill_tasks(), this one will be called again during the core dump due to the shared statistical data shows a quickly crashing rate. So, to avoid kill again the same tasks due to a recursive call of this function, it is necessary to disable the attack detection. To disable this attack detection, add a condition in the function fbfam_handle_attack() to not compute the crashing rate when the jiffies stored in the statistical data are set to zero. Signed-off-by: John Wood --- security/fbfam/fbfam.c | 76 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 71 insertions(+), 5 deletions(-) -- 2.25.1 diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 3aa669e4ea51..173a6122390f 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -4,8 +4,11 @@ #include #include #include +#include #include +#include #include +#include #include #include @@ -24,7 +27,8 @@ unsigned long sysctl_crashing_rate_threshold = 30000; * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. * @faults: Number of crashes since jiffies. - * @jiffies: First fork or execve timestamp. + * @jiffies: First fork or execve timestamp. If zero, the attack detection is + * disabled. * * The purpose of this structure is to manage all the necessary information to * compute the crashing rate of an application. So, it holds a first fork or @@ -175,13 +179,69 @@ int fbfam_exit(void) } /** - * fbfam_handle_attack() - Fork brute force attack detection. + * fbfam_kill_tasks() - Kill the offending tasks + * + * When a fork brute force attack is detected it is necessary to kill all the + * offending tasks. Since this function is called from fbfam_handle_attack(), + * and so, every time a core dump is triggered, only is needed to kill the + * others tasks that share the same statistical data, not the current one as + * this is in the path to be killed. + * + * When the SIGKILL signal is sent to the offending tasks, this function will be + * called again during the core dump due to the shared statistical data shows a + * quickly crashing rate. So, to avoid kill again the same tasks due to a + * recursive call of this function, it is necessary to disable the attack + * detection setting the jiffies to zero. + * + * To improve the for_each_process loop it is possible to end it when all the + * tasks that shared the same statistics are found. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +static int fbfam_kill_tasks(void) +{ + struct fbfam_stats *stats = current->fbfam_stats; + struct task_struct *p; + unsigned int to_kill, killed = 0; + + if (!stats) + return -EFAULT; + + to_kill = refcount_read(&stats->refc) - 1; + if (!to_kill) + return 0; + + /* Disable the attack detection */ + stats->jiffies = 0; + rcu_read_lock(); + + for_each_process(p) { + if (p == current || p->fbfam_stats != stats) + continue; + + do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID); + pr_warn("fbfam: Offending process with PID %d killed\n", + p->pid); + + killed += 1; + if (killed >= to_kill) + break; + } + + rcu_read_unlock(); + return 0; +} + +/** + * fbfam_handle_attack() - Fork brute force attack detection and mitigation. * @signal: Signal number that causes the core dump. * * The crashing rate of an application is computed in milliseconds per fault in * each crash. So, if this rate goes under a certain threshold there is a clear * signal that the application is crashing quickly. At this moment, a fork brute - * force attack is happening. + * force attack is happening. Under this scenario it is necessary to kill all + * the offending tasks in order to mitigate the attack. * * Return: -EFAULT if the current task doesn't have statistical data. Zero * otherwise. @@ -195,6 +255,10 @@ int fbfam_handle_attack(int signal) if (!stats) return -EFAULT; + /* The attack detection is disabled */ + if (!stats->jiffies) + return 0; + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || signal == SIGSEGV || signal == SIGSYS)) return 0; @@ -205,9 +269,11 @@ int fbfam_handle_attack(int signal) delta_time = jiffies64_to_msecs(delta_jiffies); crashing_rate = delta_time / (u64)stats->faults; - if (crashing_rate < (u64)sysctl_crashing_rate_threshold) - pr_warn("fbfam: Fork brute force attack detected\n"); + if (crashing_rate >= (u64)sysctl_crashing_rate_threshold) + return 0; + pr_warn("fbfam: Fork brute force attack detected\n"); + fbfam_kill_tasks(); return 0; }