[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1223400990.2994.2.camel@localhost.localdomain>
Date: Tue, 07 Oct 2008 13:36:30 -0400
From: Eric Paris <eparis@...hat.com>
To: "Michael Morley, HCL America" <mmorley@....in>
Cc: malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: RE: [malware-list] [RFC] 0/11 fanotify: fscking all notifiction
andfile access system (intended for antivirus scanning and fileindexers)
On Tue, 2008-10-07 at 10:32 -0700, Michael Morley, HCL America wrote:
> >
> > On Fri, 2008-09-26 at 23:05 -0700, david@...g.hm wrote:
> > > On Fri, 26 Sep 2008, Eric Paris wrote:
> > >
> > > > fanotify has 7 event types and only sends events for S_ISREG()
> files.
> > > > The event types are OPEN, READ, WRITE, CLOSE_WRITE, CLOSE_NOWRITE,
> > > > OPEN_ACCESS, and READ_ACCESS. Events OPEN_ACCESS and READ_ACCESS
> > > > require that the listener return some sort of allow/deny/more_time
> > > > response as the original process blocks until it gets an event (or
> > times
> > > > out.) listeners may register a group which will get notifications
> > about
> > > > any combination of these events. Antivirus scanners will likely
> want
> > > > OPEN_ACCESS and READ_ACCESS while file indexers would likely use
> the
> > > > non-ACCESS form of these events.
> > >
> > > sending a message out for every READ/WRITE seems like it will
> generate a
> > > LOT of messages, and very few will be ones that anyone cares about.
> > >
> > > one of the nice things about the TALPA approach was that there was
> an
> > > ability to notify only on a change of state (i.e. when a file that
> had
> > > been scanned was changed)
> > >
> > > this could do a similar thing, but I think it would be a much more
> > > expensive process to do it all in userspace.
> >
> > See the fastpath patch and explaination. Doesn't help for writes...
> >
>
> Eric, have you considered the scenario where the listening process
> appears to have stopped responding to access events? Under your design,
> the original process would be released after 5 seconds. Too many of
> these timeouts could wreak havoc on the OS. There should be some logic
> in fanotify to remove the fanotify_group after a certain number of
> timeouts which may or may not have to be sequential.
anyone have thoughts on the topic? Maybe I'll revisit it after I get a
new user interface. 25 missed permission events and I can just evict a
group altogether. Should the counter be cleared if a listener makes a
decision?
> Less importantly, it would be nice if the listening process could set
> the timeout value when it registers with fanotify (with some limits of
> course).
noted.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists