Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for access scanning

On Wed, 2008-08-20 at 10:33 -0700, david@lang.hm wrote:

quoted text

> if the system package manager says the syslogd binary doesn't match the > checksum that it has recorded should it be prevented from running? (a > strict policy would say no, but the sysadmin may have recompiled that one > binary and just wants a warning to be logged somewhere, not preventing the > process from running)

My belief is that if you choose to run a file scanner and that file scanner gets the answer wrong you need to look at the file scanner. There shouldn't be arbitrary overrides. If you don't accept the results of the scanner what's the point? Tell you package manager scanner that you changed it.

quoted text

> without the kernel support to clear the flags when the file is dirtied how > can these programs trust the xattr flags that say they scanned the file > before?

I don't understand what you mean about trust. This is an argument for kernel support now? What is it that you say needs and what doesn't need it? Can you explain exactly what your perfect solution from top down?

quoted text

> I'm not saying that xattr is the only way to store the info, it just seems > like a convienient place to store them without having to create a > completely new API or changing anything in on-disk formats.

And I saying we don't actually need any of this and if it is actually needed by someone in the real world they can easily build their own solution on top of my generic interface. I'm not making the assertion it is race free and don't think it is possible without making every sequential (hahahaha.) But I claim in the face of normal operation it's fine. My interface, as proposed, is very generic. Much more so than what I think you are trying to describe. I couldn't make mine more minimal or broad. --

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Michael Trimarchi	Re: [PATCH] VFS: make file->f_pos access atomic on 32bit arch
Miklos Szeredi	[patch 14/15] vfs: more path_permission() conversions
Serge E. Hallyn	Re: [RFC v5][PATCH 7/8] Infrastructure for shared objects
Bernd Schmidt	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Takashi Iwai	[PATCH 2/2] input: Add LED support to Synaptics device
git:
Junio C Hamano	Re: mingw, windows, crlf/lf, and git
Eyvind Bernhardsen	Re: Where has "git ls-remote" reference pattern matching gone?
Shawn O. Pearce	Re: Switching from CVS to GIT
Todd Zullinger	Re: [PATCH 2/2] send-email: rfc2047-quote subject lines with non-ascii characters
Santi Béjar	Re: How to use git-fmt-merge-msg?
linux-netdev:
Ramkrishna Vepa	[net-2.6 PATCH 1/10] Neterion: New driver: Driver help file
Mark Anthony	invitation / inquiry
Ingo Molnar	Re: [PATCH 08/16] dma-debug: add core checking functions
David Miller	Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Sascha Hauer	[PATCH 03/12] fec: do not typedef struct types
git-commits-head:
Linux Kernel Mailing List	amba: struct device - replace bus_id with dev_name(), dev_set_name()
Linux Kernel Mailing List	MIPS: Yosemite: Convert SMP startup lock to arch spinlock.
Linux Kernel Mailing List	ARM: S5PC100: IRQ and timer
Linux Kernel Mailing List	davinci: edma: clear interrupt status for interrupt enabled channels only
Linux Kernel Mailing List	x86, mm, kprobes: fault.c, simplify notify_page_fault()
openbsd-misc:
Daniel A. Ramaley	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?
Matthias Kilian	Re: can't get vesa @ 1280x800 or nv
Tobias Ulmer	Re: Problem after upgrade 4.5 to 4.6: ERR M
Philip Guenther	Re: SIGCHLD and libpthread.so
J.C. Roberts	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?