Re: [patch] Add basic sanity checks to the syscall execution patch

From: Andi Kleen
Date: Fri Sep 05 2008 - 16:45:25 EST


On Fri, Sep 05, 2008 at 09:42:48PM +0200, pageexec@xxxxxxxxxxx wrote:
> On 5 Sep 2008 at 19:26, Andi Kleen wrote:
>
> >
> > First such checkers already exist -- they are called root kit checkers.
> > There are various around.
> > Usually operate from user space. You could run them in a cron job.
>
> how trivial do you think it is for *kernel* code to evade *userland*
> checking it? ;) otherwise agreed with rest.

It depends on where the userland runs. e.g. if it's under a hypervisor
and in a separate domain it should be reasonably safe.

And then I don't think it is much difference between Ingo's kernel
checker and a user land checker. Both can be disabled it you know
about them.

-Andi

--
ak@xxxxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/