lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.DEB.1.10.0809262259290.4229@asgard.lang.hm>
Date:	Fri, 26 Sep 2008 23:05:25 -0700 (PDT)
From:	david@...g.hm
To:	Eric Paris <eparis@...hat.com>
cc:	linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
	arjan@...radead.org, bunk@...nel.org, tytso@....edu,
	tvrtko.ursulin@...hos.com, alan@...rguk.ukuu.org.uk,
	hch@...radead.org, andi@...stfloor.org, viro@...IV.linux.org.uk,
	peterz@...radead.org, Jonathan.Press@...com, riel@...hat.com
Subject: Re: [RFC] 0/11 fanotify: fscking all notifiction and file access
 system (intended for antivirus scanning and file indexers)

On Fri, 26 Sep 2008, Eric Paris wrote:

> fanotify has 7 event types and only sends events for S_ISREG() files.
> The event types are OPEN, READ, WRITE, CLOSE_WRITE, CLOSE_NOWRITE,
> OPEN_ACCESS, and READ_ACCESS.  Events OPEN_ACCESS and READ_ACCESS
> require that the listener return some sort of allow/deny/more_time
> response as the original process blocks until it gets an event (or times
> out.)  listeners may register a group which will get notifications about
> any combination of these events.  Antivirus scanners will likely want
> OPEN_ACCESS and READ_ACCESS while file indexers would likely use the
> non-ACCESS form of these events.

sending a message out for every READ/WRITE seems like it will generate a 
LOT of messages, and very few will be ones that anyone cares about.

one of the nice things about the TALPA approach was that there was an 
ability to notify only on a change of state (i.e. when a file that had 
been scanned was changed)

this could do a similar thing, but I think it would be a much more 
expensive process to do it all in userspace.

David Lang

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ