| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Aug 2008 13:54:57 -0400 From: Eric Paris <eparis@...hat.com> To: Alan Cox <alan@...rguk.ukuu.org.uk> Cc: tvrtko.ursulin@...hos.com, Theodore Tso <tytso@....edu>, davecb@....com, david@...g.hm, Adrian Bunk <bunk@...nel.org>, linux-kernel <linux-kernel@...r.kernel.org>, malware-list@...ts.printk.net, Casey Schaufler <casey@...aufler-ca.com>, Arjan van de Ven <arjan@...radead.org> Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning On Mon, 2008-08-18 at 18:25 +0100, Alan Cox wrote: > > I think I'm going to stick with my special file in securityfs since it > > makes it some simple to install the fd in the scanning process (as > > opposed to netlink where I don't even know how it would be possible...) > > AF_UNIX passes file handles just fine. I'm not sure netlink will help you > here anyway - isn't it lossy under load ? But the file being installed needs to be at least RD for AV/Indexer. Particularly of interest to people here would be a file opened O_WRONLY and then the indexer wouldn't have the ability to read the data that was just written. So we need a new FD, can't just send the old one. I'd also assume that an HSM would need a WR file descriptor, which isn't easy. I've found that (through trial and error not understanding the code) trying to make new descriptors for the new process have WR often returned with ETXTBUSY.... I think I might just give RO file descriptors and if an HSM comes along work with them to get WR fd's working.... > Also securityfs is more special purpose magic here - what does it have to > do with a general purpose notifier API ? I'd actually generalise the > notifier properly and go for a syscall. Well, securityfs is really just a location for a bunch of interfaces. The real 'magic' is that I defined my own read and write functions on a special inode. Lets assume a new syscall (and I know you tried to describe this too me before but I can't remember it and I'm having some e-mail history trouble) what would it look like? A scanner constantly calls scan() to block for data to be scanned? So an AV, HSM, or indexer all would be blocking in scan() just waiting for data? How do they respond? How is it better, cleaner, or more general than a 'special' file they read/write? -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists