| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 07 Oct 2008 13:36:30 -0400 From: Eric Paris <eparis@...hat.com> To: "Michael Morley, HCL America" <mmorley@....in> Cc: malware-list@...ts.printk.net, linux-kernel@...r.kernel.org Subject: RE: [malware-list] [RFC] 0/11 fanotify: fscking all notifiction andfile access system (intended for antivirus scanning and fileindexers) On Tue, 2008-10-07 at 10:32 -0700, Michael Morley, HCL America wrote: > > > > On Fri, 2008-09-26 at 23:05 -0700, david@...g.hm wrote: > > > On Fri, 26 Sep 2008, Eric Paris wrote: > > > > > > > fanotify has 7 event types and only sends events for S_ISREG() > files. > > > > The event types are OPEN, READ, WRITE, CLOSE_WRITE, CLOSE_NOWRITE, > > > > OPEN_ACCESS, and READ_ACCESS. Events OPEN_ACCESS and READ_ACCESS > > > > require that the listener return some sort of allow/deny/more_time > > > > response as the original process blocks until it gets an event (or > > times > > > > out.) listeners may register a group which will get notifications > > about > > > > any combination of these events. Antivirus scanners will likely > want > > > > OPEN_ACCESS and READ_ACCESS while file indexers would likely use > the > > > > non-ACCESS form of these events. > > > > > > sending a message out for every READ/WRITE seems like it will > generate a > > > LOT of messages, and very few will be ones that anyone cares about. > > > > > > one of the nice things about the TALPA approach was that there was > an > > > ability to notify only on a change of state (i.e. when a file that > had > > > been scanned was changed) > > > > > > this could do a similar thing, but I think it would be a much more > > > expensive process to do it all in userspace. > > > > See the fastpath patch and explaination. Doesn't help for writes... > > > > Eric, have you considered the scenario where the listening process > appears to have stopped responding to access events? Under your design, > the original process would be released after 5 seconds. Too many of > these timeouts could wreak havoc on the OS. There should be some logic > in fanotify to remove the fanotify_group after a certain number of > timeouts which may or may not have to be sequential. anyone have thoughts on the topic? Maybe I'll revisit it after I get a new user interface. 25 missed permission events and I can just evict a group altogether. Should the counter be cleared if a listener makes a decision? > Less importantly, it would be nice if the listening process could set > the timeout value when it registers with fanotify (with some limits of > course). noted. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists