| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080805005415.GA10108@infradead.org> Date: Mon, 4 Aug 2008 20:54:15 -0400 From: Christoph Hellwig <hch@...radead.org> To: Eric Paris <eparis@...hat.com> Cc: Christoph Hellwig <hch@...radead.org>, Greg KH <greg@...ah.com>, malware-list@...ts.printk.net, linux-kernel@...r.kernel.org Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning On Mon, Aug 04, 2008 at 08:47:04PM -0400, Eric Paris wrote: > On Mon, 2008-08-04 at 20:26 -0400, Christoph Hellwig wrote: > > On Mon, Aug 04, 2008 at 03:32:49PM -0700, Greg KH wrote: > > > > 1. Intercept file opens (exec also) for vetting (block until > > > > decision is made) and allow some userspace black magic to make > > > > decisions. > > > > NACK, this kind of policy should be done in kernelspace. > > What? You want to write and in kernel scanner for Window viruses? No, I want a sane security policy in kernelsapce that doesn't look at the content because doing security by content properly is equivalent to solving the halting problem. I couldn't give a rats a** about windows viruses as they can't actually cause any harm on a Linux machine. > > > > > > 6. Scan files directly not relying on path. Avoid races and problems with namespaces, chroot, containers, etc. > > > > Explain? > > The data connected with the file being opened must as reasonably as > possible be the data the 'scanner' looks at. Some foolish early > discussion wanted to do simplistic things like pass a pathname to a > scanner and have it call open on that path name. I'm willing to > entertain any other method of making the scanner look at the data the > process is about to get. Well, data can change all the time, as can the path name. This whole content scanning thing doesn't make any sense at all. > > > > 9. Mark a processes as exempt from on access scanning > > > > Nack, this completely defeats the purpose. > > What? it allows a process to open a file that contains malware, how is > that horrible. If a process says "I want to see malware" it can then > see malware. Doesn't in any way affect other processes or the system > security as a whole. If 'bad' data gets into a file its going to get > blocked from everything that doesn't actively choose to see it. So make this opt-in and in userspace. Just LD_PRELOAD some monster lib doing all the horrible things you propose and use it wherever you want. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists