lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1219082097.15566.82.camel@localhost.localdomain>
Date:	Mon, 18 Aug 2008 13:54:57 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
Cc:	tvrtko.ursulin@...hos.com, Theodore Tso <tytso@....edu>,
	davecb@....com, david@...g.hm, Adrian Bunk <bunk@...nel.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	malware-list@...ts.printk.net,
	Casey Schaufler <casey@...aufler-ca.com>,
	Arjan van de Ven <arjan@...radead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA]
	Intro	to a linux interface for on access scanning

On Mon, 2008-08-18 at 18:25 +0100, Alan Cox wrote:
> > I think I'm going to stick with my special file in securityfs since it
> > makes it some simple to install the fd in the scanning process (as
> > opposed to netlink where I don't even know how it would be possible...)
> 
> AF_UNIX passes file handles just fine. I'm not sure netlink will help you
> here anyway - isn't it lossy under load ?

But the file being installed needs to be at least RD for AV/Indexer.
Particularly of interest to people here would be a file opened O_WRONLY
and then the indexer wouldn't have the ability to read the data that was
just written.  So we need a new FD, can't just send the old one.

I'd also assume that an HSM would need a WR file descriptor, which isn't
easy.  I've found that (through trial and error not understanding the
code) trying to make new descriptors for the new process have WR often
returned with ETXTBUSY....

I think I might just give RO file descriptors and if an HSM comes along
work with them to get WR fd's working....

> Also securityfs is more special purpose magic here - what does it have to
> do with a general purpose notifier API ? I'd actually generalise the
> notifier properly and go for a syscall.

Well, securityfs is really just a location for a bunch of interfaces.
The real 'magic' is that I defined my own read and write functions on a
special inode.

Lets assume a new syscall (and I know you tried to describe this too me
before but I can't remember it and I'm having some e-mail history
trouble) what would it look like?  A scanner constantly calls scan() to
block for data to be scanned?  So an AV, HSM, or indexer all would be
blocking in scan() just waiting for data?  How do they respond?  How is
it better, cleaner, or more general than a 'special' file they
read/write?

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ