[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080805103840.1aaa64a5@infradead.org>
Date: Tue, 5 Aug 2008 10:38:40 -0700
From: Arjan van de Ven <arjan@...radead.org>
To: Eric Paris <eparis@...hat.com>
Cc: "Press, Jonathan" <Jonathan.Press@...com>,
Greg KH <greg@...ah.com>, linux-kernel@...r.kernel.org,
malware-list@...ts.printk.net,
linux-security-module@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
interfaceforon access scanning
On Tue, 05 Aug 2008 13:19:56 -0400
Eric Paris <eparis@...hat.com> wrote:
> If you can outline the design of a better method that meets your needs
> I'd be glad to try to code it. In your mind how do you see programs
> being able to exclude others while not being a security risk?
ok so lets be specific.
You are trying to prevent an application from opening a "damaged" file,
or from someone starting a "damaged" file.
You are not trying to prevent anything once you have executed a damaged
file; once you execute one of these for this part it's game over (to
limit the damage other tools like selinux exist, but are outside the
scope of talpa).
So... as long as /sbin/init isn't compromised... intercepting exec and
open (in all variants) is all you need.
And this can be done from userland with the preload: the "workaround"
from the preload assumes you've already executed malicious code, which
is outside of your protection scope.
What am I missing?
--
If you want to reach me at my work email, use arjan@...ux.intel.com
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists