lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1223400990.2994.2.camel@localhost.localdomain>
Date:	Tue, 07 Oct 2008 13:36:30 -0400
From:	Eric Paris <eparis@...hat.com>
To:	"Michael Morley, HCL America" <mmorley@....in>
Cc:	malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: RE: [malware-list] [RFC] 0/11 fanotify: fscking all notifiction
	andfile access	system (intended for antivirus scanning and fileindexers)

On Tue, 2008-10-07 at 10:32 -0700, Michael Morley, HCL America wrote:
> > 
> > On Fri, 2008-09-26 at 23:05 -0700, david@...g.hm wrote:
> > > On Fri, 26 Sep 2008, Eric Paris wrote:
> > >
> > > > fanotify has 7 event types and only sends events for S_ISREG()
> files.
> > > > The event types are OPEN, READ, WRITE, CLOSE_WRITE, CLOSE_NOWRITE,
> > > > OPEN_ACCESS, and READ_ACCESS.  Events OPEN_ACCESS and READ_ACCESS
> > > > require that the listener return some sort of allow/deny/more_time
> > > > response as the original process blocks until it gets an event (or
> > times
> > > > out.)  listeners may register a group which will get notifications
> > about
> > > > any combination of these events.  Antivirus scanners will likely
> want
> > > > OPEN_ACCESS and READ_ACCESS while file indexers would likely use
> the
> > > > non-ACCESS form of these events.
> > >
> > > sending a message out for every READ/WRITE seems like it will
> generate a
> > > LOT of messages, and very few will be ones that anyone cares about.
> > >
> > > one of the nice things about the TALPA approach was that there was
> an
> > > ability to notify only on a change of state (i.e. when a file that
> had
> > > been scanned was changed)
> > >
> > > this could do a similar thing, but I think it would be a much more
> > > expensive process to do it all in userspace.
> > 
> > See the fastpath patch and explaination.  Doesn't help for writes...
> > 
> 
> Eric, have you considered the scenario where the listening process
> appears to have stopped responding to access events? Under your design,
> the original process would be released after 5 seconds. Too many of
> these timeouts could wreak havoc on the OS. There should be some logic
> in fanotify to remove the fanotify_group after a certain number of
> timeouts which may or may not have to be sequential.

anyone have thoughts on the topic?  Maybe I'll revisit it after I get a
new user interface.  25 missed permission events and I can just evict a
group altogether.  Should the counter be cleared if a listener makes a
decision?

> Less importantly, it would be nice if the listening process could set
> the timeout value when it registers with fanotify (with some limits of
> course).

noted.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ