Sidebar to [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: David Collier-Brown
Date: Wed Aug 06 2008 - 11:45:51 EST


"Press, Jonathan" <Jonathan.Press@xxxxxx> wrote:
but close is... very limited in value. Open is a discrete event
traditionally associated with permission checks.
Close... not so. (And if you mmap memory, you can then close the file
and still write to it via the mmap)

Eric Paris wrote:
I think we all agree that open is the most interesting time for scanning
operations, but as Jonathan points out there is some value (even if not
perfect value) in looking at closes as well.

Open for read is the "traditional" time for scanning, but the
sequence (open for write) -> change -> (time passes or close happens) is specifically a good time to do content checking, so as to have the answer to the check available for the open for read.

I'd suggest "read" and "write" are the two cases that are interesting,
and that we've been using "open" and "close" for a not very good
approximation to them (;-))

--dave
--
David Collier-Brown | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@xxxxxxx | -- Mark Twain
cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191#
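The mmap caveat raised in the thread (close the file, keep writing through the mapping) is easy to demonstrate. The program below is an added example, not code from this thread or from the TALPA patches: it writes a file, maps it MAP_SHARED, closes the only descriptor, then changes the content through the mapping and reads the file back. A scanner triggered on close would see "benign"; the open-for-read that follows sees "changed after close". The scratch path under /tmp and the string contents are assumptions chosen for the demo.

```c
/* Added example (not part of the original thread or of TALPA): a MAP_SHARED
 * mapping outlives close(2), so a scanner hooked only on close misses bytes
 * written through the mapping after the last descriptor is gone. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAP_LEN 4096

/* Create `path` holding `before`, map it MAP_SHARED, close the descriptor,
 * then overwrite the start of the file through the mapping with `after`.
 * Returns 0 on success, -1 on any failure. */
static int write_after_close(const char *path, const char *before, const char *after)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* Size the file to one page so the whole mapping is file-backed. */
    if (ftruncate(fd, MAP_LEN) < 0) { close(fd); return -1; }
    if (pwrite(fd, before, strlen(before), 0) != (ssize_t)strlen(before)) { close(fd); return -1; }

    char *map = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    /* Last close of the only descriptor: a close-triggered scanner runs here
     * and sees `before`. The mapping still references the inode. */
    if (close(fd) < 0) { munmap(map, MAP_LEN); return -1; }

    /* Content changes after close, with no open fd to the file at all. */
    size_t n = strlen(after);
    if (n >= MAP_LEN)
        n = MAP_LEN - 1;
    memset(map, 0, MAP_LEN);
    memcpy(map, after, n);
    if (msync(map, MAP_LEN, MS_SYNC) < 0) { munmap(map, MAP_LEN); return -1; }
    return munmap(map, MAP_LEN);
}

/* Open for read (the "traditional" scan point) and copy the file's leading
 * NUL-terminated string into buf. Returns bytes read, or -1. */
static ssize_t read_prefix(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, buflen - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return got;
}

/* Returns 1 if the content seen at open-for-read time is the post-close
 * write (i.e. a close-only scanner would have missed it), 0 if not,
 * -1 on error. Removes the scratch file afterwards. */
int demo_close_is_not_end_of_writes(const char *path)
{
    const char *before = "benign";               /* constructed sample */
    const char *after = "changed after close";   /* constructed sample */
    char buf[MAP_LEN];
    if (write_after_close(path, before, after) < 0)
        return -1;
    if (read_prefix(path, buf, sizeof buf) < 0)
        return -1;
    unlink(path);
    return strcmp(buf, after) == 0;
}

int main(void)
{
    /* Assumed scratch path; any writable location works. */
    int r = demo_close_is_not_end_of_writes("/tmp/talpa-mmap-demo");
    printf("content changed after close: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The same holds for a mapping inherited across fork or exec: as long as any mapping exists, page-cache writes can reach the file without another open or close, which is why the thread converges on "write" (and "read") rather than "close" as the events that actually matter.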
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/