On Tue, 2008-08-05 at 12:37 -0400, Press, Jonathan wrote:

With the current implementation there are 2 ways to be excluded. Both require root and I plan on both requiring the access to pass a newfangled LSM hook or maybe just require CAP_RAWIO. LSM people have thoughts?

Method #1) Become a client listening for access decisions, basically just open /security/talpa/client/talpa-client and you are free of open/close scans. We have to make the scanner itself not cause its own opens and closes to need scanned, think infinite recursion.

Method #2) Exclude yourself. This involves opening /security/talpa/exclude/talpa-exclude and writing "1" into it. This file is owned by root and is 600.

Regular user processes cannot exclude themselves willy nilly nor can any configuration exclude them. It might be possible to do exclusions in userspace using the pid and non-caching results for things other than the scanning clients themselves.

If you can outline the design of a better method that meets your needs I'd be glad to try to code it. In your mind how do you see programs being able to exclude others while not being a security risk? I assume your answer is that the program "giving out the exclusions" must be root, which we already satisfy.

There is (or could be, I don't remember offhand) the option to disable thread exclusions in kernel (except for those threads that act as userspace clients, they MUST be excluded somehow). But really as it stands any root process could just enable them again. In the non-LSM case root processes already won, so they can just disable the whole infrastructure, send kill -9 to all your clients and have at it.....

-Eric
