On Mon, Aug 4, 2008 at 8:54 PM, Christoph Hellwig <hch@infradead.org> wrote:
Much better solution:
Use SELinux or another similar Mandatory Access Control labeling
system. Mark some things as "trusted" or "privileged" or whatever
your particular labeling methodology requires. Mark other things as
"untrusted", "unprivileged", "internet file", etc. Disallow most
interaction between "trusted" and "untrusted" things. Configure your
userspace virus-scanner which is allowed to read "untrusted" files and
create "semi-trusted" files in a particular directory, where they can
then be picked up by "trusted" programs.
Problem solved. Untrusted and possibly-compromised files can't be
executed, or even if they could be they can't do anything
interesting/harmful. In order to execute some junk you just
downloaded from the internet you have to click "Yes I accept the
security risk" and run it through whatever virus-scanner you want.
Then you copy it from the virus-scanner output directory into
somewhere else and run it.
You can do the same thing with software updates downloaded from the
internet, just replace "trusted" with "installed package",
"semi-trusted" with "valid package", "untrusted" with "just-downloaded
package file", and "virus scanner" with "package signature
verification tool".
I could easily come up with a bunch more examples if you really care that much.
Cheers,
Kyle Moffett
--
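The label scheme described above, modelled as a small reference monitor so the access decisions can be checked end to end. This is an added example written for this page, not code from the thread, the kernel, or any real SELinux policy: the domain and label names, the scanner output directory, the "EVIL" marker the toy scanner looks for, and the HMAC-based package format used for the "package signature verification" variant are all constructed assumptions. It also generalises the message's point that the same enforcement engine serves both the virus-scanner flow and the package-update flow: only the verdict function changes.

```python
"""Toy label-based reference monitor for the trusted / semi-trusted /
untrusted scheme.  Added example; all names and paths are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

TRUSTED, SEMI, UNTRUSTED = "trusted", "semi-trusted", "untrusted"
SCANNER_OUTDIR = "/var/lib/scanner/out/"  # constructed path, assumption

# domain -> object label -> permitted operations; anything absent is denied.
# "trusted" never touches untrusted objects, "untrusted" can never exec,
# and the scanner only reads untrusted input and creates semi-trusted output.
POLICY = {
    "trusted":   {TRUSTED: {"read", "write", "exec"}, SEMI: {"read", "exec"}},
    "untrusted": {UNTRUSTED: {"read", "write"}},
    "scanner":   {UNTRUSTED: {"read"}, SEMI: {"create"}},
}


@dataclass(frozen=True)
class File:
    path: str
    label: str
    data: bytes = b""


class Denied(PermissionError):
    """Raised when the policy does not permit the requested operation."""


def can(domain, f, op):
    """Pure decision: may `domain` perform `op` on file `f`?"""
    allowed = op in POLICY.get(domain, {}).get(f.label, set())
    # The scanner may only create semi-trusted files inside its own output
    # directory, so it cannot relabel arbitrary locations on the system.
    if op == "create" and domain == "scanner" and not f.path.startswith(SCANNER_OUTDIR):
        allowed = False
    return allowed


def check(domain, f, op):
    """Enforcing wrapper around can(): raise Denied instead of returning False."""
    if not can(domain, f, op):
        raise Denied(f"{domain} may not {op} {f.path} [{f.label}]")
    return True


def release(f, verdict, out_name):
    """Scanner domain: read one untrusted file, apply `verdict`, and on a
    clean result create the semi-trusted copy that trusted programs may use.
    Returns the new File, or None if the verdict rejected the input."""
    check("scanner", f, "read")
    if not verdict(f.data):
        return None
    out = File(SCANNER_OUTDIR + out_name, SEMI, f.data)
    check("scanner", out, "create")
    return out


# --- verdict 1: a stand-in virus scanner (constructed marker, not a real AV) ---
def av_verdict(data):
    return b"EVIL" not in data


# --- verdict 2: package signature verification (constructed format:
#     payload || 32-byte HMAC-SHA256 tag under a vendor key) ---
def sign(key, payload):
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def signed_verdict(key):
    def verdict(blob):
        if len(blob) < 32:
            return False
        payload, tag = blob[:-32], blob[-32:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
    return verdict


if __name__ == "__main__":
    dl = File("/home/user/Downloads/tool.bin", UNTRUSTED, b"harmless bytes")
    print("trusted exec of download:", can("trusted", dl, "exec"))      # False
    out = release(dl, av_verdict, "tool.bin")
    print("after scan, trusted exec:", can("trusted", out, "exec"))     # True
    key = b"constructed-vendor-key"
    pkg = File("/tmp/update.pkg", UNTRUSTED, sign(key, b"package body"))
    print("signed package released:", release(pkg, signed_verdict(key), "update.pkg") is not None)
```

Two properties carry the whole argument: the only transition from "untrusted" to "semi-trusted" goes through the scanner domain, and that domain's write side is pinned to one directory, so a compromised download has no path to execution that does not pass the verdict.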