Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

If we had stackable LSMs then the required functionality could simply be built into the LSM interface. Then the anti-malware would simply stack itself with other LSMs. In my opinion this is a perfect example for the argument of stackable LSMs. So far we mainly have LSMs which provide an extra access control mechanism (in addition to DAC). IMHO, Ideally DAC could be another stackable LSM (enabled by default). Other security schemes such as intrusion detection, firewalls/netfilter, anti-malware, and application restrictions (sandboxes such as jails or finer grained restrictions such as AppArmor) could all register LSMs onto the stack. Additional infrastructure would be necessary. Permissible security remains a item of contention. Perhaps I am naive but I think most LSMs could work based on accept/reject. Where every LSM must accept an action in order for it to be carried out. MHO, Cliffe. Casey Schaufler wrote:

quoted text

> Eric Paris wrote: >> Please contact me privately or (preferably the list) for questions, >> comments, discussions, flames, names, or anything. I'll do complete >> rewrites of the patches if someone tells me how they don't meet their >> needs or how they can be done better. I'm here to try to bridge the >> needs (and wants) of the anti-malware vendors with the technical >> realities of the kernel. So everyone feel free to throw in your two >> cents and I'll try to reconcile it all. These 5 patches are part 1. >> They give us a working able solution. >> >> >From my point of view patches forthcoming and mentioned below should >> help with performance for those who actually have userspace scanners but >> also could presents be implemented using this framework. >> >> > > The LSM list (CCed) should be included in this discussion. >> Background >> ... > > > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > >

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Francis Moreau	Re: Disk geometry from /sys
Rafael J. Wysocki	[Bug #11407] suspend: unable to handle kernel paging request
Christoph Lameter	Re: [bug] SLUB + mm/slab.c boot crash in -rc9
Jeremy Fitzhardinge	Re: [2.6.25] compat VDSO option not disabling
Rafael J. Wysocki	[Bug #11551] Semi-repeatable hard lockup on 2.6.27-rc6
git:
Pat Thoyts	[PATCH] git-gui: use themed tk widgets with Tk 8.5
Tait	Re: [PATCH] Replace hard-coded path with one from <paths.h>
Frans Pop	'git gc --aggressive' effectively unusable
Stephan Beyer	Re: git sequencer prototype
Lynn Lin	Re: clearcase migration to git
linux-netdev:
William Allen Simpson	[net-next-2.6 PATCH v8 0/7] TCPCT part 1: cookie option exchange
Eric Dumazet	Re: [PATCH net-next-2.6] net: Introduce skb_orphan_try()
David Miller	Re: [PATCH] IPv6: preferred lifetime of address not getting updated
Eric Dumazet	Re: [PATCH net-next-2.6] net: Introduce skb_orphan_try()
Mark McLoughlin	Re: [PATCH 2/3] virtio: fix delayed xmit of packet and freeing of old packets.
git-commits-head:
Linux Kernel Mailing List	.gitignore: ignore *.lzo files
Linux Kernel Mailing List	sparc64: Fix sun4u execute bit check in TSB I-TLB load.
Linux Kernel Mailing List	init: Open /dev/console from rootfs
Linux Kernel Mailing List	udp: fix for unicast RX path optimization
Linux Kernel Mailing List	imxfb: Fix margin settings
openbsd-misc:
nixlists	Re: Which laptops do the developers use?
Robert	disklabel - cylinder rounding
admin	Drive a 2009 car from R799p/m
L. V. Lammert	OT, .. but has anyone seen a crontab editor
Darrin Chandler	Re: That whole "Linux stealing our code" thing