On Mon, Aug 04, 2008 at 08:47:04PM -0400, Eric Paris wrote:
quoted text > On Mon, 2008-08-04 at 20:26 -0400, Christoph Hellwig wrote:
> > On Mon, Aug 04, 2008 at 03:32:49PM -0700, Greg KH wrote:
> > > > 1. Intercept file opens (exec also) for vetting (block until
> > > > decision is made) and allow some userspace black magic to make
> > > > decisions.
> >
> > NACK, this kind of policy should be done in kernelspace.
>
> What? You want to write and in kernel scanner for Window viruses?
No, I want a sane security policy in kernelsapce that doesn't look
at the content because doing security by content properly is equivalent
to solving the halting problem. I couldn't give a rats a** about
windows viruses as they can't actually cause any harm on a Linux
machine.
quoted text > >
> > > > 6. Scan files directly not relying on path. Avoid races and problems with namespaces, chroot, containers, etc.
> >
> > Explain?
>
> The data connected with the file being opened must as reasonably as
> possible be the data the 'scanner' looks at. Some foolish early
> discussion wanted to do simplistic things like pass a pathname to a
> scanner and have it call open on that path name. I'm willing to
> entertain any other method of making the scanner look at the data the
> process is about to get.
Well, data can change all the time, as can the path name. This whole
content scanning thing doesn't make any sense at all.
quoted text > > > > 9. Mark a processes as exempt from on access scanning
> >
> > Nack, this completely defeats the purpose.
>
> What? it allows a process to open a file that contains malware, how is
> that horrible. If a process says "I want to see malware" it can then
> see malware. Doesn't in any way affect other processes or the system
> security as a whole. If 'bad' data gets into a file its going to get
> blocked from everything that doesn't actively choose to see it.
So make this opt-in and in userspace. Just LD_PRELOAD some monster lib
doing all the horrible things you propose and use it wherever you want.
--
unsubscribe notice To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
majordomo@vger.kernel.org
More majordomo info at
http://vger.kernel.org/majordomo-info.html
Please read the FAQ at
http://www.tux.org/lkml/ Messages in current thread:
Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux inte ... , Christoph Hellwig , (Mon Aug 4, 5:54 pm)
