Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning

[Christoph Hellwig]

On Mon, Aug 04, 2008 at 03:32:49PM -0700, Greg KH wrote:
> >   1. Intercept file opens (exec also) for vetting (block until
> >   decision is made) and allow some userspace black magic to make
> >   decisions.

NACK, this kind of policy should be done in kernelspace.

> >   2. Intercept file closes for scanning post access

Not  even possible for mmap, and dumb otherwise, NACK.

> >   6. Scan files directly not relying on path.  Avoid races and problems with namespaces, chroot, containers, etc.

Explain? 

> >   9. Mark a processes as exempt from on access scanning

Nack, this completely defeats the purpose.

> >  11. Exclude sub-trees from scanning based on filesystem path
> >  12. Include only certain sub-trees from scanning based on filesystem path

Nack, please no pathname based idiocies.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/