On Thu 2007-11-29 23:58:44, Andi Kleen wrote:
> Alan Cox <[EMAIL PROTECTED]> writes:
> >
> > The simple case is
> > open
> > write cathedral and bazaar in some order
> > close
> > process -> label eric_t>
> >
> > open (eric_t) - SELinux "no"
> >
> >
> > Anyone smart will then w
Jon Masters wrote:
On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote:
Jon Masters <[EMAIL PROTECTED]> wrote:
On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote:
On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote:
To lift Alan's example, a naive first implementation
would be to cr
On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote:
> Jon Masters <[EMAIL PROTECTED]> wrote:
> > On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote:
> >> On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote:
> >> > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
> >> > > On Nov 29, 20
Jon Masters <[EMAIL PROTECTED]> wrote:
> On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote:
>> On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote:
>> > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
>> > > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote:
>> > > > > close
Hi!
> >Well... I'd really like to know what A/V people are trying to do.
> >
> >Indexing services are really different, and doable with recursive
> >m-time Jan is preparing...
> >
> m-time <=> modification time?
Yep.
> What am I preparing?
Not you, Jan Kara. Sorry.
On Dec 2 2007 22:56, Pavel Machek wrote:
>>
>> We probably want to hear related usages as well - what *besides*
>> A/V would be interested? Indexing services?
>
Indexing services would probably benefit much more from a
recursive-aware inotify, though that has its own sort of problems to
solve fir
On Sun 2007-12-02 16:09:55, [EMAIL PROTECTED] wrote:
> On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said:
> > Well, if you only want to detect viruses _sometimes_, you can just
> > LD_PRELOAD your scanner.
>
> And for some use cases, that probably *is* the best answer..
I'd say so.
> > I gue
On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said:
> Well, if you only want to detect viruses _sometimes_, you can just
> LD_PRELOAD your scanner.
And for some use cases, that probably *is* the best answer..
> I guess the A/V people should describe what they are trying to do, as
> in
>
> "fo
Hi!
> > So what you are trying to do is 'application may never read bad
> > sequence of bits from disk', right?
>
> No, in many of the use cases, we're trying to do "if application reads certain
> specified sequences of bits from disk we know about it", which is subtly
> different. Often, *absol
> and I don't think you can mmap() a socket anyhow,
> right?
You can mmap packet sockets.
-Andi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read
On Sun, 02 Dec 2007 14:44:48 -0500
[EMAIL PROTECTED] wrote:
> On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said:
>
> > So what you are trying to do is 'application may never read bad
> > sequence of bits from disk', right?
>
> No, in many of the use cases, we're trying to do "if application
>
On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said:
> So what you are trying to do is 'application may never read bad
> sequence of bits from disk', right?
No, in many of the use cases, we're trying to do "if application reads certain
specified sequences of bits from disk we know about it", whic
Hi!
> > Personally I admit I never quite saw the point of intercepting all
> > file accesses for everything. That will just always be slow as often
> > demonstrated on other operating systems and racey and unreliable too.
> > And at least the internal daemons should be already reasonably well
> >
On Fri, 30 Nov 2007, Crispin Cowan wrote:
> > The only case of this so far has been Multiadm, although there seems to be
> > no reason for it to stay out of tree.
> >
> Dazuko. It has the same yucky code issues as Talpa, but AFAIK is pure
> GPL2 and thus is clean on the license issues.
>
> Tha
James Morris wrote:
> On Fri, 30 Nov 2007, Crispin Cowan wrote:
>> restored faces a lot of challenges, but I hope that some kind of
>> solution can be found, because the alternative is to effectively force
>> vendors like Sophos to do it the "dirty" way by fishing in memory for
>> the syscall table
On Fri, 30 Nov 2007, Crispin Cowan wrote:
> restored faces a lot of challenges, but I hope that some kind of
> solution can be found, because the alternative is to effectively force
> vendors like Sophos to do it the "dirty" way by fishing in memory for
> the syscall table.
I don't think this is
Tvrtko A. Ursulin wrote:
> During one recent LKML discussion
> (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about
> LSM going
> static you called for LSM users to speak up.
Great big clue: If "LSM" is in the subject line, then cc: the LSM list
[EMAIL PROTECTED]
For LSM readers seeing
Al Viro wrote
> On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote:
>
> > It's not perfect, but as was recently pointed out, if you can only get
> > 98% of the way there rather than 100% is that a reason for not trying to
> > make it possible?
>
> BTW, that's a fine example of a common
> Fortunately for all concerned, although Alan's self-modifying code is indeed a
> possibility, it's much less of an issue than the sort of malware that can be
> found with a simple "find this 27-byte sequence, which will be found in either
> block 36 or 37 of the file"
Thats a very old model of d
On Thu, 29 Nov 2007 18:34:33 EST, Jon Masters said:
>
> On Thu, 2007-11-29 at 21:45 +0000, Alan Cox wrote:
> > > Jargon File in all its glory. And if you still think you could look for
> > > patterns, how about executable code that self-modifies in random ways
> > > but when executed as a whole ac
On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote:
> It's not perfect, but as was recently pointed out, if you can only get
> 98% of the way there rather than 100% is that a reason for not trying to
> make it possible?
BTW, that's a fine example of a common fallacy: "$FOO is 98% of the
On Thu, 29 Nov 2007, Al Viro wrote:
> Incidentally, I would really love to see the threat profile we are talking
> about.
Exactly.
Please come up with a set of requirements that can be reviewed by the core
kernel folk, and perhaps then focus on how to meet those requirements once
they have b
On Thu, 2007-11-29 at 21:45 +0000, Alan Cox wrote:
> > Jargon File in all its glory. And if you still think you could look for
> > patterns, how about executable code that self-modifies in random ways
> > but when executed as a whole actually has the functionality of fetchmail
> > embedded within
On Thu, 2007-11-29 at 15:56 -0500, [EMAIL PROTECTED] wrote:
> On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said:
> > Ah, but I could write a sequence of pages that on their own looked
> > garbage, but in reality, when executed would print out a copy of the
> > Jargon File in all its glory. And if
Alan Cox <[EMAIL PROTECTED]> writes:
>
> The simple case is
> open
> write cathedral and bazaar in some order
> close
>process -> label eric_t>
>
> open (eric_t) - SELinux "no"
>
>
> Anyone smart will then write it out of order and keep the file open, or
That would
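Alan Cox's open/write/close sketch quoted above, together with the two evasions he names (write the payload out of order, keep the descriptor open), as an added worked example in C. This is illustration code written for this page, not Talpa's code nor any kernel hook: the per-write and close-time "hooks" are plain functions standing in for an LSM or LD_PRELOAD interposer, and the signature string, the temporary file and the bit-mask result of run_demo() are all constructed for the demonstration.

```c
/* Added example, not code from the thread: a toy on-access scanner with a
 * per-write() hook and a close()-time hook, and the two writers Alan Cox
 * describes that slip past each. Hook functions stand in for an LSM or an
 * LD_PRELOAD interposer; the signature and the temp file are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed "malware" signature (assumption, not a real detection). */
static const char SIGNATURE[] = "CATHEDRAL+BAZAAR";

/* 1 if the buffer contains the signature, else 0. */
int scan_buf(const char *p, size_t n)
{
    size_t slen = strlen(SIGNATURE);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(p + i, SIGNATURE, slen) == 0)
            return 1;
    return 0;
}

/* Scan the file behind fd from offset 0, as a close-time hook would.
 * 1 infected, 0 clean, -1 on error. */
int scan_fd(int fd)
{
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return n < 0 ? -1 : scan_buf(buf, (size_t)n);
}

/* Hook 1: inspect every write buffer, refuse any carrying the signature. */
ssize_t checked_pwrite(int fd, const void *buf, size_t n, off_t off, int *blocked)
{
    if (scan_buf(buf, n)) { *blocked = 1; return -1; }
    return pwrite(fd, buf, n, off);
}

/* Hook 2: scan at close(); by then the bytes are already on disk. */
int close_scanned(int fd)
{
    int verdict = scan_fd(fd);
    close(fd);
    return verdict;
}

/* Writer A: lands the signature as two halves, last half first. No single
 * write buffer contains it, so hook 1 passes both, yet the file is infected.
 * Returns the close-time verdict on the finished file. */
int writer_out_of_order(const char *path, int *blocked)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(SIGNATURE), half = len / 2;
    *blocked = 0;
    checked_pwrite(fd, SIGNATURE + half, len - half, (off_t)half, blocked);
    checked_pwrite(fd, SIGNATURE, half, 0, blocked);
    return close_scanned(fd);   /* hook 2 catches it; hook 1 did not */
}

/* An ordinary consumer: open, read, report what it saw (1 = signature). */
int consumer_reads(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int r = scan_fd(fd);
    close(fd);
    return r;
}

/* Writer B: writes the signature and keeps the descriptor open. The consumer
 * reads infected bytes before hook 2 has run. Returns what the consumer saw;
 * *late_verdict receives the close-time verdict, which arrives too late. */
int writer_keeps_open(const char *path, int *late_verdict)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, SIGNATURE, strlen(SIGNATURE)) < 0) { close(fd); return -1; }
    int seen = consumer_reads(path);    /* fd still open: no close hook yet */
    *late_verdict = close_scanned(fd);
    return seen;
}

/* Run both writers on a constructed temp file. Bit 0: A infected the file,
 * bit 1: hook 1 blocked A, bit 2: consumer saw B's payload, bit 3: close
 * hook flagged B. Expected 13 (0b1101): each hook misses its live case. */
int run_demo(void)
{
    char path[] = "/tmp/onaccess_demo_XXXXXX";
    int fd = mkstemp(path), blocked = 0, late = 0, r = 0;
    if (fd < 0) return -1;
    close(fd);
    if (writer_out_of_order(path, &blocked) == 1) r |= 1;
    if (blocked) r |= 2;
    if (writer_keeps_open(path, &late) == 1) r |= 4;
    if (late == 1) r |= 8;
    unlink(path);
    return r;
}

int main(void)
{
    int r = run_demo();
    printf("result bits: %d (expect 13)\n", r);
    return r == 13 ? 0 : 1;
}
```

The two hook points are deliberately the ones the thread keeps returning to: a per-write scan only ever sees one buffer, so a payload split across writes (in any order) is invisible to it, and a close-time scan runs only when the writer chooses to close, so any reader in between gets the unscanned bytes. A mapping written through mmap() never passes through either hook at all, which is the remaining case Alan raises and is not modelled here.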
Alan Cox wrote
> > Jargon File in all its glory. And if you still think you could look for
> > patterns, how about executable code that self-modifies in random ways
> > but when executed as a whole actually has the functionality of fetchmail
> > embedded within it? How would you guard against that?
On Thu, Nov 29, 2007 at 03:56:28PM -0500, [EMAIL PROTECTED] wrote:
> Yes, most of these schemes *can* be bypassed because some malicious code does a
> mmap() or similar trick. But what is being overlooked here is that in most
> cases, what is *desired* is a way to filter things being handled by
> Jargon File in all its glory. And if you still think you could look for
> patterns, how about executable code that self-modifies in random ways
> but when executed as a whole actually has the functionality of fetchmail
> embedded within it? How would you guard against that?
Thats a problem for w
Alan Cox <[EMAIL PROTECTED]> writes:
> If I want I can have 16 threads executing code in a shared object being
> written to by ten other programs at once and shared over a network while
> we are at it. Its probably not a good idea but I can do it if I have
> reason to.
Actually the kernel prevent
On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said:
> Ah, but I could write a sequence of pages that on their own looked
> garbage, but in reality, when executed would print out a copy of the
> Jargon File in all its glory. And if you still think you could look for
> patterns, how about executable
On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote:
> On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote:
> > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
> > > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote:
> > > > > closed. But more importantly further access to it
On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote:
> On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
> > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote:
> > > > closed. But more importantly further access to it can be blocked until
> > > > appropriate actions are taken
On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
> On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote:
> > > closed. But more importantly further access to it can be blocked until
> > > appropriate actions are taken which also applies with your example, no? Is
> >
> > That bit is hard- v
Ray Lee wrote
> On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote:
> > > Perhaps if you looked at this outside of a file-server scenario, the
> > > problem would be clearer? Anti-malware companies want to check
> > > anything written to disk on a system, either at write time or blocking
>
On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote:
> > closed. But more importantly further access to it can be blocked until
> > appropriate actions are taken which also applies with your example, no? Is
>
> That bit is hard- very hard.
In some sense it seems like the same problem faced
On Thu, 2007-11-29 at 11:19 -0700, Justin Banks wrote:
> Ray Lee wrote
> > On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote:
> > > > Perhaps if you looked at this outside of a file-server scenario, the
> > > > problem would be clearer? Anti-malware companies want to check
> > > > anythin
On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote:
> > Perhaps if you looked at this outside of a file-server scenario, the
> > problem would be clearer? Anti-malware companies want to check
> > anything written to disk on a system, either at write time or blocking
> > the open/mmap. That
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote:
> Perhaps if you looked at this outside of a file-server scenario, the
> problem would be clearer? Anti-malware companies want to check
> anything written to disk on a system, either at write time or blocking
> the open/mmap. That means proa
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote:
> On Nov 29, 2007 9:03 AM, Greg KH <[EMAIL PROTECTED]> wrote:
> > On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote:
> > >
> > > On Nov 29 2007 08:47, Greg KH wrote:
> > > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wr
> closed. But more importantly further access to it can be blocked until
> appropriate actions are taken which also applies with your example, no? Is
That bit is hard- very hard.
> it possible to open for execute and have dirty mappings (or open for
> write) on a file at the same time?
If I w
On Nov 29, 2007 9:03 AM, Greg KH <[EMAIL PROTECTED]> wrote:
> On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote:
> >
> > On Nov 29 2007 08:47, Greg KH wrote:
> > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> > >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> > >
> Can we please stop this useless discussion? Trying to check the content
> of files to see whether they might be malicious is inherently braindead,
> and no amounts of plugins in random places will fix this.
Actually it is quite effective especially for files whose content is
expected not to be
On Thu, Nov 29, 2007 at 12:05:36PM -0500, Jon Masters wrote:
>
> On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote:
> > On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> > > On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> > >
> > > > The easiest way is as Al described above, just
On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote:
> On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> > On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> >
> > > The easiest way is as Al described above, just have the userspace
> > > program that wrote the file to disk, check it th
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote:
>
> On Nov 29 2007 08:47, Greg KH wrote:
> >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> >>
> >> > The easiest way is as Al described above, just have the users
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote:
> >> But the problem is that this isn't just Samba, this is a countless
> >> myriad of different applications. And if one of them doesn't support
> >> on-access scanning, then the whole solution isn't worth using.
> >
> >Ok, which spec
On Nov 29 2007 08:47, Greg KH wrote:
>On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
>> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
>>
>> > The easiest way is as Al described above, just have the userspace
>> > program that wrote the file to disk, check it then.
>>
>> But the
On Thu, 29 Nov 2007 11:27:45 -0500
Jon Masters <[EMAIL PROTECTED]> wrote:
> On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote:
> > On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
> >
> > > So as there is no question the current code does some ugly things it is
> > > even more true that we woul
On Nov 29 2007 11:27, Jon Masters wrote:
>
>They (virus protection folks) generally think they want to intercept
>various system calls, such as open() and block until they have performed
>a scan operation on the file. I explained the mmap issue [...]
If open and close was everything, then that wo
On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote:
> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
>
> > The easiest way is as Al described above, just have the userspace
> > program that wrote the file to disk, check it then.
>
> But the problem is that this isn't just Samba, this
On Thu, Nov 29, 2007 at 11:27:45AM -0500, Jon Masters wrote:
> On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote:
> > On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
> >
> > > So as there is no question the current code does some ugly things it is
> > > even more true that we would be even more
[EMAIL PROTECTED] wrote on 28/11/2007 19:20:26:
> "Tvrtko A. Ursulin" <[EMAIL PROTECTED]> writes:
>
> > We here at Sophos (the fourth largest endpoint security vendor in the world)
> > have such a module called Talpa which is a part of our main endpoint security
> > product
>
> What is a
On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote:
> The easiest way is as Al described above, just have the userspace
> program that wrote the file to disk, check it then.
But the problem is that this isn't just Samba, this is a countless
myriad of different applications. And if one of them doesn
On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote:
> On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
>
> > So as there is no question the current code does some ugly things it is
> > even more true that we would be even more happy to use an official API.
>
> How about becoming involved in cre
Al Viro <[EMAIL PROTECTED]> wrote on 28/11/2007 18:30:40:
> On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
> > (Note that the concept has interesting implications in the other direction as
> > well - rather than stopping you from reading a file that has malware, you could
Alan Cox <[EMAIL PROTECTED]> wrote on 28/11/2007 19:50:42:
> > So as there is no question the current code does some ugly things it is
> > even more true that we would be even more happy to use an official API.
> > LSM was that and we were happily using it which we won't be able to do if
> >
--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:
>
> On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
> >
> >Talpa is modular itself being composed of a set of kernel modules of which
> >not all are loaded simultaneously. Where possible LSM can be used and _no_
> >messing with syscall table will ta
On Thu, Nov 29, 2007 at 01:53:46AM +0100, Jan Engelhardt wrote:
>
> On Nov 28 2007 16:38, Greg KH wrote:
> >>
> >> And if we are talking about the situation when files are written to
> >> in controlled way (i.e. we are not concerned with malware running on
> >> the box in question and just want t
On Wed, Nov 28, 2007 at 12:42:52PM +0000, Tvrtko A. Ursulin wrote:
>
> Hi Linus, all,
>
> During one recent LKML discussion
> (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about LSM going
> static you called for LSM users to speak up.
>
> We here at Sophos (the fourth largest endpo
On Nov 28 2007 16:38, Greg KH wrote:
>>
>> And if we are talking about the situation when files are written to
>> in controlled way (i.e. we are not concerned with malware running on
>> the box in question and just want to stop it from passing through
>> mailsewer, etc.), then there's no damn nee
On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
>
>Talpa is modular itself being composed of a set of kernel modules of which
>not all are loaded simultaneously. Where possible LSM can be used and _no_
>messing with syscall table will take place. Unfortunately where another
>LSM user is present
On Wed, Nov 28, 2007 at 06:30:40PM +, Al Viro wrote:
> On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
> > (Note that the concept has interesting implications in the other direction as
> > well - rather than stopping you from reading a file that has malware, you cou
On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
> So as there is no question the current code does some ugly things it is
> even more true that we would be even more happy to use an official API.
How about becoming involved in creating that official API ?
"A person will stand on the top of a hil
On Wed, 28 Nov 2007 19:52:46 GMT, Alan Cox said:
> > It might be better to identify the services (gateway, samba, file
> > server whatever) that are actually dealing with possible infected
> > "external" files and then define some generic interface that would
> > allow you to check those as the dat
> It might be better to identify the services (gateway, samba, file
> server whatever) that are actually dealing with possible infected
> "external" files and then define some generic interface that would
> allow you to check those as the data appears.
I am wondering if the right interface is actu
> So as there is no question the current code does some ugly things it is
> even more true that we would be even more happy to use an official API.
> LSM was that and we were happily using it which we won't be able to do if
> it abruptly goes away. Yes it is not a perfect match but until it is
"Tvrtko A. Ursulin" <[EMAIL PROTECTED]> writes:
> We here at Sophos (the fourth largest endpoint security vendor in the world)
> have such a module called Talpa which is a part of our main endpoint security
> product
What is a "endpoint security product" exactly? A gateway that scans
files pass
On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
> (Note that the concept has interesting implications in the other direction as
> well - rather than stopping you from reading a file that has malware, you could
> in theory write an anti-export package that would let you write o
[EMAIL PROTECTED] wrote on 28/11/2007 17:39:56:
> On Wed, 28 Nov 2007 16:46:13 +
> Christoph Hellwig <[EMAIL PROTECTED]> wrote:
>
> > On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > > Would you like to expound on that, or do you feel your claws
> > > are sharp enough alre
On Wed, 28 Nov 2007 16:46:13 GMT, Christoph Hellwig said:
> On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > Would you like to expound on that, or do you feel your claws
> > are sharp enough already?
>
> Just take a look at code.
Just to clarify - you're OK with the *concept*
On Wed, 28 Nov 2007 16:46:13 +0000
Christoph Hellwig <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > Would you like to expound on that, or do you feel your claws
> > are sharp enough already?
>
> Just take a look at code.
>
The module in questio
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> Would you like to expound on that, or do you feel your claws
> are sharp enough already?
Just take a look at code.
--- Christoph Hellwig <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 28, 2007 at 12:42:52PM +0000, Tvrtko A. Ursulin wrote:
> >
> > Hi Linus, all,
> >
> > During one recent LKML discussion
> > (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about LSM going
> > static you called for LSM us
On Wed, Nov 28, 2007 at 12:42:52PM +0000, Tvrtko A. Ursulin wrote:
>
> Hi Linus, all,
>
> During one recent LKML discussion
> (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about LSM going
> static you called for LSM users to speak up.
>
> We here at Sophos (the fourth largest endpo
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about LSM going
static you called for LSM users to speak up.
We here at Sophos (the fourth largest endpoint security vendor in the world)
have such a module called Talpa which is a part