[RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature
Jann Horn
jannh at google.com
Thu Sep 10 21:21:58 UTC 2020
On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <keescook at chromium.org> wrote:
> From: John Wood <john.wood at gmx.com>
>
> Add a menu entry under "Security options" to enable the "Fork brute
> force attack mitigation" feature.
[...]
> +config FBFAM
Please give this a more descriptive name than FBFAM. Some name where,
if a random kernel developer sees an "#ifdef" with that name in some
random piece of kernel code, they immediately have a rough idea for
what kind of feature this is.
Perhaps something like THROTTLE_FORK_CRASHES. Or something else that
is equally descriptive.
> + bool "Fork brute force attack mitigation"
> + default n
"default n" is superfluous and should AFAIK be omitted.
> + help
> + This is a user defense that detects any fork brute force attack
> + based on the application's crashing rate. When this measure is
> + triggered the fork system call is blocked.
This help text claims that the mitigation will block fork(), but patch
6/6 actually kills the process hierarchy.
More information about the Linux-security-module-archive
mailing list