From patchwork Sun Sep 6 15:23:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Wood X-Patchwork-Id: 11759579 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D4E1892C for ; Sun, 6 Sep 2020 15:38:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B46CC21481 for ; Sun, 6 Sep 2020 15:38:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="vRzoyIgE"; dkim=pass (1024-bit key) header.d=gmx.net header.i=@gmx.net header.b="cMQ4hK2t" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729006AbgIFPiM (ORCPT ); Sun, 6 Sep 2020 11:38:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59238 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728905AbgIFPh0 (ORCPT ); Sun, 6 Sep 2020 11:37:26 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B8ACC061573; Sun, 6 Sep 2020 08:37:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Resent-To:Resent-Message-ID:Resent-Date: Resent-From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: In-Reply-To:References; bh=HHWFRuEjpwIOXF7bCKWeM4a7Gbd1H7mpKL9VNiaPJTA=; b=vR zoyIgEAi4iUhcGAfu05yIGRGLtx/nVRFtggn80AnqsYPDc9KL0pFhrF5eAvXu05ZCOVw3QuT6tpXj htudfgpaP0aaDyrLM9l+i9zd1q7qlKDcFQVpB8dvPDI+7OSGvsFrSMMOlCK/dOz4dLSwEFr9X6jlq bXn9NPZbHQgtuIz8pNOn530Cmny6hS0qylaxd7FIv1qIAZpSJF7rGp8BRPaCjOGtmVqeKIt79APua SUEUAMoCXInqPnxmEDVDTLCJnqxwwU9hkt1nkTC5dhxWfmzFrJAXdKBGSaI8eO9seRoIKsHCzs4QW yTivDneKttLGahhNvYJF1PZHs1mBjhxw==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwj8-0000zW-71; Sun, 06 Sep 2020 15:37:10 +0000 Received: from mout.gmx.net ([212.227.17.22]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kEwW8-0000AK-Lu for willy@infradead.org; Sun, 06 Sep 2020 15:23:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1599405812; bh=VROIkO5uZFKsGitKUg2bOT0YSmMyUgd5L55Q6L52pS0=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=cMQ4hK2ttARkZw4TLHsi6zh7VJQMCP0tMItp+XlAPEUO04XF/56UG12jK9keoDhw/ atx93ZFSUod4OJLvP3k9lX6suGyu7qUNqqDg5gspwLZElUzNYRB1YHEqwph8sxKjO+ Soiv3XirEippebRHbB9uAgskbXsmQl5AfVsn0V34= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([79.150.73.70]) by mail.gmx.com (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1M2O6Y-1kGZsT3j1q-003tW0; Sun, 06 Sep 2020 17:23:32 +0200 From: John Wood To: Matthew Wilcox Cc: John Wood Subject: [RFC PATCH 4/9] security/fbfam: Add a new sysctl to control the crashing rate threshold Date: Sun, 6 Sep 2020 17:23:17 +0200 Message-Id: <20200906152317.7205-1-john.wood@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:mk3kJe9rY10ZeHn2yGb+zOmUatUjQwSkdPG9zxQvSGz0VpSRDFT IiAQRrxOwA+CJlE/QUXh740SI2r5nCQs+fY1wqF2ebIeiLQO7Z+yDcbV/FjQinR55Fnm9+q KbYjFECz43ELE1KRM8Gf3ceLvkzveOwV8N/5UNMlCcnJ9OJ9d4bJIuuw4rR9xjkjDM9xyfH orAdS6Vsi7VrOAkLAlHHw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:hEo3Gmz3Nb4=:IXXiDAOW56JBjOT/9+Rxas BoSQiGtyiEBmcCkFqqi617lG6/SGc7E1JS+NXfE6yLikbfTZ2sm/+gVsGpVmmzhkowL1FwVfk QOS8hKUw/zyR5mGXxlCjCet5M+ZFfNbPidlyU7g3kj+YWsTxXO3IQsNIn9hN98+L0uZjPBczX ky0Mm4R/zouGShz0EcRqfEtxWPwTIKoUhkXkID01ByYrHJYSeTcoT89Z882clzdohXppwLeJc zJaTiQ7ZB2jEsEzAQIY1BApv+fOkexJQod86QUhjtFxAo+Su0ARS0jX4IV8rt0VQOY3m1pRrV 4uErMsfnQx+cTaDqvgS6ZSKMS3VKkQQbvY7PuNrVH9gs8pVo131tzA3JizrnTaTZkgRf/Bgei HDLRJbaPcPneREctNQ+9x1DkUQcVD3va7jPXpCCNoxoP4aRhZyOKaXJ8hnlHpe3zWjonVnqx8 sEXolQ3V9bVYVsAlUFbK7oXRUYUrM0H3ExMcLWM74ziZEOrlUjiYTVszAie2TRisfryo2/mS4 YW/QTETlIpgCcDw0SsqngN5fhcx8SLUDUWEthjzCAyAkyiYXaa8ej8i1lNPzInu5DT+HGcOg5 GDj8huOz26tYRz5Q+VOL2CTClGAnScQTgLMBT9sc+8RdodgMqGI6jMx1wLBYyK2tna7jjAHwh tGsdIFaBp+PGBxa7mGLWs4S6Z0tSZxT+mBFbP9hP/1fb47uTFiXo5IICsEbtFdLMrQNocqJMv Qk1h3TIBLHl31wFyL4AvJ0hwcbV+n4+Fp8UOrZM3EvqxFqKwkApKMsZdK1seuSzzm3tQKapUm qc7si+tMvt9iOYqwkRB47voi3h9J57vAFcpgGUoenNgMmNlTo/+B9Jl0K/ArtMzY2A1/H731T aPYm2ADr/lmxdHy7iMcNBhXnr+rpmnmmMLU/7KmbPEExGkr+Q5tCwr3IAjpg4HIwIbyrcb/Lx Wb9vHPOf8xzBltd6p1mMyQKTzP+S682jxIAoPLbuGhH/CQOj+oe9QVO/74BONmsZc9AaW/Gwv G5cyBd66SF4jkEKQYN9L5YrXrRa5fCCdGkH+QqlhWiIRTVyesvLqSMDzf4KRJ5ZKIKcA06I8Q MNosmeXK8sf38Q0T4U0qvhGSFRJcGDVv7jw2yMdPfSHl806KY3AkmzVdCghR6woP3KJQSgeLg K3nOWHgEaQw8rCKcEmNam0EUuXvIbZ8fbkLW+IuTcT9kUFmPHlU5qbq1pDFOvIE5ur78qf37+ +LO4gV8rcRpZnfOo9adVVS1cu3ifVAICvUbmZIw== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200906_162344_889745_5F17CC16 X-CRM114-Status: GOOD ( 15.38 ) X-Spam-Score: -2.6 (--) X-Spam-Report: SpamAssassin version 3.4.4 on casper.infradead.org summary: Content analysis details: (-2.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.17.22 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.17.22 listed in wl.mailspike.net] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: This is a previous step to add the detection feature. A fork brute force attack will be detected when an application crashes quickly. Since, a rate can be defined as a time per fault, add a new sysctl to control the crashing rate threshold. This way, each system can tune the detection's sensibility adjusting the milliseconds per fault. So, if the application's crashing rate falls under this threshold an attack will be detected. So, the higher this value, the faster an attack will be detected. Signed-off-by: John Wood --- include/fbfam/fbfam.h | 4 ++++ kernel/sysctl.c | 9 +++++++++ security/fbfam/Makefile | 1 + security/fbfam/fbfam.c | 11 +++++++++++ security/fbfam/sysctl.c | 20 ++++++++++++++++++++ 5 files changed, 45 insertions(+) create mode 100644 security/fbfam/sysctl.c -- 2.25.1 diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index b5b7d1127a52..2cfe51d2b0d5 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -3,8 +3,12 @@ #define _FBFAM_H_ #include +#include #ifdef CONFIG_FBFAM +#ifdef CONFIG_SYSCTL +extern struct ctl_table fbfam_sysctls[]; +#endif int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 287862f91717..104b70c98251 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -77,6 +77,8 @@ #include #include +#include + #ifdef CONFIG_X86 #include #include @@ -2661,6 +2663,13 @@ static struct ctl_table kern_table[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, }, +#endif +#ifdef CONFIG_FBFAM + { + .procname = "fbfam", + .mode = 0555, + .child = fbfam_sysctls, + }, #endif { } }; diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile index f4b9f0b19c44..b8d5751ecea4 100644 --- a/security/fbfam/Makefile +++ b/security/fbfam/Makefile @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_FBFAM) += fbfam.o +obj-$(CONFIG_SYSCTL) += sysctl.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 0387f95f6408..9be4639b72eb 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -7,6 +7,17 @@ #include #include +/** + * sysctl_crashing_rate_threshold - Crashing rate threshold. + * + * The rate's units are in milliseconds per fault. + * + * A fork brute force attack will be detected if the application's crashing rate + * falls under this threshold. So, the higher this value, the faster an attack + * will be detected. + */ +unsigned long sysctl_crashing_rate_threshold = 30000; + /** * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. diff --git a/security/fbfam/sysctl.c b/security/fbfam/sysctl.c new file mode 100644 index 000000000000..430323ad8e9f --- /dev/null +++ b/security/fbfam/sysctl.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +extern unsigned long sysctl_crashing_rate_threshold; +static unsigned long ulong_one = 1; +static unsigned long ulong_max = ULONG_MAX; + +struct ctl_table fbfam_sysctls[] = { + { + .procname = "crashing_rate_threshold", + .data = &sysctl_crashing_rate_threshold, + .maxlen = sizeof(sysctl_crashing_rate_threshold), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, + .extra1 = &ulong_one, + .extra2 = &ulong_max, + }, + { } +}; +