Message-Id: <1217994234.27684.227.camel@localhost.localdomain>
Date: Tue, 05 Aug 2008 23:43:54 -0400
From: Eric Paris <eparis@...hat.com>
To: Andi Kleen <andi@...stfloor.org>
Cc: malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Wed, 2008-08-06 at 04:35 +0200, Andi Kleen wrote:
> Eric Paris <eparis@...hat.com> writes:
>
> > 5. Fine-grained caching
> > -----------------------
> > It is necessary to select which filesystems can be safely cached and
> > which must not be. For example it is not a good idea to allow caching of
> > network filesystems because their content can be changed invisibly. Disk
> > based and some virtual filesystems can be cached safely on the other
> > hand.
>
> Actually local disk file systems can be changed invisibly to the VFS too by
> directly writing to the block device. This does not change the
> page cache, but the on disk copy and when a page is pruned from
> RAM and reloaded VFS will see the new contents without knowing
> about any change. How would you stop that in your
> proposal? I assume you could always require a special LKM that
> forbids block writes for anything mounted, but that has other problems
> too and one would need to be extremely careful of holes in
> such a protection scheme (e.g. overlapping partitions)

I didn't consider it. Most likely at the end of the day the finding
will be, "if you can write directly to the block device you already won
since there are so many other things you can do to subvert the system."

Admittedly it's the first technical point brought up on list that I
didn't consider at all (lots of other things brought up on list that
need more thought that weren't exactly technical details, don't let me
seem like I'm downplaying those).

-Eric