[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1217956796.11547.12.camel@paris.rdu.redhat.com>
Date: Tue, 05 Aug 2008 13:19:56 -0400
From: Eric Paris <eparis@...hat.com>
To: "Press, Jonathan" <Jonathan.Press@...com>
Cc: Greg KH <greg@...ah.com>, linux-kernel@...r.kernel.org,
malware-list@...ts.printk.net,
linux-security-module@...r.kernel.org
Subject: RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
interfaceforon access scanning
On Tue, 2008-08-05 at 12:37 -0400, Press, Jonathan wrote:
> Regarding self-exclusion... We are doing write-time scanning, or more
> accurately close-time scanning. We don't block the close, but we do
> scan the file afterwards, and if it is infected, we perform any one of
> several actions -- such as report to user, rename, quarantine, delete,
> etc. I would not want a self-excluded executable to be able to write
> something that I don't get to scan.
With the current implementation there are 2 ways to be excluded. Both
require root and I plan on both requiring the access to pass a
newfangled LSM hook or maybe just require CAP_RAWIO. LSM people have
thoughts?
Method #1) Become a client listening for access decisions, basically
just open /security/talpa/client/talpa-client and you are free of
open/close scans. We have to make the scanner itself not cause its own
opens and closes to need scanned, think infinite recursion.
Method #2) Exclude yourself. This involves
opening /security/talpa/exclude/talpa-exclude and writing "1" into it.
this file is owned by root and is 600. Regular user processes cannot
exclude themselves willy nilly nor can any configuration exclude them.
It might be possible to do exclusions in userspace using the pid and
non-caching results for things other than the scanning clients
themselves.
If you can outline the design of a better method that meets your needs
I'd be glad to try to code it. In your mind how do you see programs
being able to exclude others while not being a security risk? I assume
your answer is that the program "giving out the exclusions" must be
root, which we already satisfy. There is (or could be, I don't remember
offhand) the option to disable thread exclusions in kernel (except for
those threads that act as userspace clients, they MUST be excluded
somehow). But really as it stands any root process could just enable
them again. In the non-LSM case root processes already won so, they can
just disable the whole infrastructure send kill -9 to all your clients
and have at it.....
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists