lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1217956796.11547.12.camel@paris.rdu.redhat.com>
Date:	Tue, 05 Aug 2008 13:19:56 -0400
From:	Eric Paris <eparis@...hat.com>
To:	"Press, Jonathan" <Jonathan.Press@...com>
Cc:	Greg KH <greg@...ah.com>, linux-kernel@...r.kernel.org,
	malware-list@...ts.printk.net,
	linux-security-module@...r.kernel.org
Subject: RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
	interfaceforon access scanning


On Tue, 2008-08-05 at 12:37 -0400, Press, Jonathan wrote:
> Regarding self-exclusion...  We are doing write-time scanning, or more
> accurately close-time scanning.  We don't block the close, but we do
> scan the file afterwards, and if it is infected, we perform any one of
> several actions -- such as report to user, rename, quarantine, delete,
> etc.  I would not want a self-excluded executable to be able to write
> something that I don't get to scan.

With the current implementation there are 2 ways to be excluded.  Both
require root and I plan on both requiring the access to pass a
newfangled LSM hook or maybe just require CAP_RAWIO.  LSM people have
thoughts?

Method #1)  Become a client listening for access decisions, basically
just open /security/talpa/client/talpa-client and you are free of
open/close scans.  We have to make the scanner itself not cause its own
opens and closes to need scanned, think infinite recursion.

Method #2) Exclude yourself.  This involves
opening /security/talpa/exclude/talpa-exclude and writing "1" into it.
this file is owned by root and is 600.  Regular user processes cannot
exclude themselves willy nilly nor can any configuration exclude them.
It might be possible to do exclusions in userspace using the pid and
non-caching results for things other than the scanning clients
themselves.

If you can outline the design of a better method that meets your needs
I'd be glad to try to code it.  In your mind how do you see programs
being able to exclude others while not being a security risk?  I assume
your answer is that the program "giving out the exclusions" must be
root, which we already satisfy.  There is (or could be, I don't remember
offhand) the option to disable thread exclusions in kernel (except for
those threads that act as userspace clients, they MUST be excluded
somehow).  But really as it stands any root process could just enable
them again.  In the non-LSM case root processes already won so, they can
just disable the whole infrastructure send kill -9 to all your clients
and have at it.....

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ