lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071129085148.5dff3636@freepuppy.rosehill>
Date:	Thu, 29 Nov 2007 08:51:48 -0800
From:	Stephen Hemminger <shemminger@...ux-foundation.org>
To:	Jon Masters <jcm@...hat.com>
Cc:	James Morris <jmorris@...ei.org>, tvrtko.ursulin@...hos.com,
	linux-kernel@...r.kernel.org, Greg KH <greg@...ah.com>
Subject: Re: Out of tree module using LSM

On Thu, 29 Nov 2007 11:27:45 -0500
Jon Masters <jcm@...hat.com> wrote:

> On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote:
> > On Wed, 28 Nov 2007, tvrtko.ursulin@...hos.com wrote:
> > 
> > > So as there is no question the current code does some ugly things it is 
> > > even more true that we would be even more happy to use an official API. 
> > 
> > How about becoming involved in creating that official API ?
> 
> Sophos are interested in doing so, and we have spoken about this several
> times recently over the phone. This is why they sent the email in
> question yesterday, to kickstart debate. And that's awesome. I am trying
> to bring a few of these folks together at the moment, so that we can get
> a solution that is acceptable to upstream at some point in the future.
> 
> So, rather than criticise their current code, or their intentions, or
> blanketly dismiss the virus protection market, perhaps we can focus
> instead on the fact that there is a known third party who wishes to
> perform a task that is not well supportable at this moment. We can all
> agree the syscall table hacking isn't such a good idea - but these guys
> are *very* open to listening to useful alternative suggestions.
> 
> They (virus protection folks) generally think they want to intercept
> various system calls, such as open() and block until they have performed
> a scan operation on the file. I explained the mmap issue to several of
> these companies recently, in quite some detail, and I know they are
> interested in listening this time around :-) At the end of the day, what
> I have been lead to believe is that they don't care whether they
> intercept syscall entries, or use a better method, they just want to
> scan files and take some action if a file is "bad". That's it really.
> 
> I have been trying to put together an exact feature set that is needed
> from these different vendors, so we can discuss it further here, and
> hopefully actually get somewhere, too. There have been a few delays
> after I pointed out the mmap issues at some length.
> 

Perhaps this kind of scanning belongs in the application. Couldn't an
apache or samba have a plugin to do it?

-- 
Stephen Hemminger <shemminger@...ux-foundation.org>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ