| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Aug 2008 13:19:56 -0400 From: Eric Paris <eparis@...hat.com> To: "Press, Jonathan" <Jonathan.Press@...com> Cc: Greg KH <greg@...ah.com>, linux-kernel@...r.kernel.org, malware-list@...ts.printk.net, linux-security-module@...r.kernel.org Subject: RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning On Tue, 2008-08-05 at 12:37 -0400, Press, Jonathan wrote: > Regarding self-exclusion... We are doing write-time scanning, or more > accurately close-time scanning. We don't block the close, but we do > scan the file afterwards, and if it is infected, we perform any one of > several actions -- such as report to user, rename, quarantine, delete, > etc. I would not want a self-excluded executable to be able to write > something that I don't get to scan. With the current implementation there are 2 ways to be excluded. Both require root and I plan on both requiring the access to pass a newfangled LSM hook or maybe just require CAP_RAWIO. LSM people have thoughts? Method #1) Become a client listening for access decisions, basically just open /security/talpa/client/talpa-client and you are free of open/close scans. We have to make the scanner itself not cause its own opens and closes to need scanned, think infinite recursion. Method #2) Exclude yourself. This involves opening /security/talpa/exclude/talpa-exclude and writing "1" into it. this file is owned by root and is 600. Regular user processes cannot exclude themselves willy nilly nor can any configuration exclude them. It might be possible to do exclusions in userspace using the pid and non-caching results for things other than the scanning clients themselves. If you can outline the design of a better method that meets your needs I'd be glad to try to code it. In your mind how do you see programs being able to exclude others while not being a security risk? I assume your answer is that the program "giving out the exclusions" must be root, which we already satisfy. There is (or could be, I don't remember offhand) the option to disable thread exclusions in kernel (except for those threads that act as userspace clients, they MUST be excluded somehow). But really as it stands any root process could just enable them again. In the non-LSM case root processes already won so, they can just disable the whole infrastructure send kill -9 to all your clients and have at it..... -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists