lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071129174528.GA14431@kroah.com>
Date:	Thu, 29 Nov 2007 09:45:28 -0800
From:	Greg KH <greg@...ah.com>
To:	Ray Lee <ray-lk@...rabbit.org>
Cc:	Jan Engelhardt <jengelh@...putergmbh.de>,
	Jon Masters <jonathan@...masters.org>, Valdis.Kletnieks@...edu,
	Christoph Hellwig <hch@...radead.org>,
	Al Viro <viro@....linux.org.uk>,
	Casey Schaufler <casey@...aufler-ca.com>,
	"Tvrtko A. Ursulin" <tvrtko.ursulin@...hos.com>,
	linux-kernel@...r.kernel.org
Subject: Re: Out of tree module using LSM

On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote:
> On Nov 29, 2007 9:03 AM, Greg KH <greg@...ah.com> wrote:
> > On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote:
> > >
> > > On Nov 29 2007 08:47, Greg KH wrote:
> > > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> > > >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> > > >>
> > > >> > The easiest way is as Al described above, just have the userspace
> > > >> > program that wrote the file to disk, check it then.
> > > >>
> > > >> But the problem is that this isn't just Samba, this is a countless
> > > >> myriad of different applications. And if one of them doesn't support
> > > >> on-access scanning, then the whole solution isn't worth using.
> > > >
> > > >Ok, which specific applications do they care about?  Last time I asked
> > > >it was still limited to a very small handful, all of which would be
> > > >trivial to add such a hook to.
> > > >
> > > Well, think bash, syscalls. While you can add a plugin to samba "easily",
> > > it seems overkill to do the same for rm, mv, cp, bash.
> >
> > Again, these are not things that these companies care about.
> 
> Perhaps if you looked at this outside of a file-server scenario, the
> problem would be clearer? Anti-malware companies want to check
> anything written to disk on a system, either at write time or blocking
> the open/mmap. That means proactively protecting email programs with
> known vulnerabilities that have yet to be patched, web browsers
> writing and reading their caches, an Apache instance running WebDAV,
> the list goes on. And these are on desktop systems, with no attached
> file/network server.

Ok, if they want to check on every open/mmap then just hook in glibc to
do this.  Especially as they want to run userspace code at this point in
time.

Again, let's wait for some code to show up before discussing this
further.

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ