| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jul 2009 16:20:33 -0400 From: Eric Paris <eparis@...hat.com> To: Jon Masters <jonathan@...masters.org> Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, malware-list@...sg.printk.net, Valdis.Kletnieks@...edu, greg@...ah.com, douglas.leeder@...hos.com, tytso@....edu, arjan@...radead.org, david@...g.hm, jengelh@...ozas.de, aviro@...hat.com, mrkafk@...il.com, alexl@...hat.com, jack@...e.cz, tvrtko.ursulin@...hos.com, a.p.zijlstra@...llo.nl, hch@...radead.org, alan@...rguk.ukuu.org.uk, mmorley@....in, pavel@...e.cz Subject: Re: fanotify - overall design before I start sending patches On Tue, 2009-07-28 at 07:48 -0400, Jon Masters wrote: > On Fri, 2009-07-24 at 16:13 -0400, Eric Paris wrote: > > > I plan to start sending patches for fanotify in the next week or two. > > Generally, I appreciate your effort (as I'm sure does everyone else). > > I agree with Jamie that it's good to consider extending inotify and also > that the special socket idea probably won't work for mainline. Also: The special socket idea was Alan Cox's idea and I haven't heard a usable alternative. > 1). Ability to watch only certain mount-points, not just directories. Or > directories and block on mount operations as Jamie suggested. Or both :) Show me the user and I'll consider it. > 2). Add event on mmap perhaps. Future theoretical cloud cuckoo land > ideas include forcing all mmap operations to be read-only and then > having the page fault handler fire an event for every write so that the > anti-malware thing can monitor every single touched page...joke. > > 3). Sounds a lot like netlink could be close enough. Kay and others have > been playing with in-kernel multiplexing and re-broadcasting of netlink > events, and I'm pretty sure most of the rest is doable. Jeez, about the 50th time someone has said netlink. I need to do the fd open in the context of the receiving process. How do I do that with netlink? It cannot be done at the netlink msg send side (which is the context of the original process accessing the file) > I'm looking forward to updatedb using this. Well, that's still in the future work, as all updatedb cares about it rename events, and the kernel does have enough information to send fanotify events during rename. > Let's try up-playing the use > cases outside malware for this stuff. I'm not playing any spin or bullshit. I've got HSM users who wants it. Readahead profiling wants it. I'm told that wine can properly do windows style notification with it instead of some hack they have now. I've also got a need to get people who want to run integrity checkers/virus scanners to stop binary patching/hacking my kernels. I'd say I've found plenty of use cases today even if you don't find them as sexy as beagle :) -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists