Re: Out of tree module using LSM

From: Stephen Hemminger
Date: Thu Nov 29 2007 - 11:53:21 EST

Next message: Jan Engelhardt: "Re: Out of tree module using LSM"
Previous message: Jan Engelhardt: "Re: Out of tree module using LSM"
In reply to: Jan Engelhardt: "Re: Out of tree module using LSM"
Next in thread: Jan Engelhardt: "Re: Out of tree module using LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 29 Nov 2007 11:27:45 -0500
Jon Masters <jcm@xxxxxxxxxx> wrote:

> On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote:
> > On Wed, 28 Nov 2007, tvrtko.ursulin@xxxxxxxxxx wrote:
> >
> > > So as there is no question the current code does some ugly things it is
> > > even more true that we would be even more happy to use an official API.
> >
> > How about becoming involved in creating that official API ?
>
> Sophos are interested in doing so, and we have spoken about this several
> times recently over the phone. This is why they sent the email in
> question yesterday, to kickstart debate. And that's awesome. I am trying
> to bring a few of these folks together at the moment, so that we can get
> a solution that is acceptable to upstream at some point in the future.
>
> So, rather than criticise their current code, or their intentions, or
> blanketly dismiss the virus protection market, perhaps we can focus
> instead on the fact that there is a known third party who wishes to
> perform a task that is not well supportable at this moment. We can all
> agree the syscall table hacking isn't such a good idea - but these guys
> are *very* open to listening to useful alternative suggestions.
>
> They (virus protection folks) generally think they want to intercept
> various system calls, such as open() and block until they have performed
> a scan operation on the file. I explained the mmap issue to several of
> these companies recently, in quite some detail, and I know they are
> interested in listening this time around :-) At the end of the day, what
> I have been lead to believe is that they don't care whether they
> intercept syscall entries, or use a better method, they just want to
> scan files and take some action if a file is "bad". That's it really.
>
> I have been trying to put together an exact feature set that is needed
> from these different vendors, so we can discuss it further here, and
> hopefully actually get somewhere, too. There have been a few delays
> after I pointed out the mmap issues at some length.
>

Perhaps this kind of scanning belongs in the application. Couldn't an
apache or samba have a plugin to do it?

--
Stephen Hemminger <shemminger@xxxxxxxxxxxxxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jan Engelhardt: "Re: Out of tree module using LSM"
Previous message: Jan Engelhardt: "Re: Out of tree module using LSM"
In reply to: Jan Engelhardt: "Re: Out of tree module using LSM"
Next in thread: Jan Engelhardt: "Re: Out of tree module using LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]