Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Sep 2020 23:21:58 +0200
From: Jann Horn <>
To: Kees Cook <>, John Wood <>
Cc: Kernel Hardening <>, 
	Matthew Wilcox <>, Jonathan Corbet <>, 
	Alexander Viro <>, Ingo Molnar <>, 
	Peter Zijlstra <>, Juri Lelli <>, 
	Vincent Guittot <>, Dietmar Eggemann <>, 
	Steven Rostedt <>, Ben Segall <>, Mel Gorman <>, 
	Luis Chamberlain <>, Iurii Zaikin <>, James Morris <>, 
	"Serge E. Hallyn" <>,, 
	kernel list <>, 
	linux-fsdevel <>, 
	linux-security-module <>
Subject: Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature

On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <> wrote:
> From: John Wood <>
> Add a menu entry under "Security options" to enable the "Fork brute
> force attack mitigation" feature.
> +config FBFAM

Please give this a more descriptive name than FBFAM. Some name where,
if a random kernel developer sees an "#ifdef" with that name in some
random piece of kernel code, they immediately have a rough idea for
what kind of feature this is.

Perhaps something like THROTTLE_FORK_CRASHES. Or something else that
is equally descriptive.

> +       bool "Fork brute force attack mitigation"
> +       default n

"default n" is superfluous and should AFAIK be omitted.

> +       help
> +         This is a user defense that detects any fork brute force attack
> +         based on the application's crashing rate. When this measure is
> +         triggered the fork system call is blocked.

This help text claims that the mitigation will block fork(), but patch
6/6 actually kills the process hierarchy.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.