Re: [PATCH v3 0/1] NAX (No Anonymous Execution) LSM

From: THOBY Simon
Date: Fri Aug 20 2021 - 09:35:15 EST

Next message: Linus Walleij: "Re: [PATCH 2/2] clocksource/drivers/fttmr010: Be stricter on IRQs"
Previous message: irqchip-bot for Sven Peter: "[irqchip: irq/irqchip-next] irqchip/apple-aic: Fix irq_disable from within irq handlers"
In reply to: Randy Dunlap: "Re: [PATCH v3 1/1] NAX LSM: Add initial support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Igor,

On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
>
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running of the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem.) This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
>

[snip]

>
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
> basis.

If/when you plan to add that, adding the new xattr to the list of EVM-protected xattrs
may be worth discussing.

> - Store NAX attributes in the per-task LSM blob to implement special
> launchers for the privileged processes, so all of the children processes
> of such a launcher would be allowed to have anonymous executable pages
> (but not to grandchildren).
>

[snip]

Overall I'm pleased to see this patch and I have no more remarks,
outside of the few points Randy Dunlap raised.

Reviewed-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>

Thanks,
Simon

Next message: Linus Walleij: "Re: [PATCH 2/2] clocksource/drivers/fttmr010: Be stricter on IRQs"
Previous message: irqchip-bot for Sven Peter: "[irqchip: irq/irqchip-next] irqchip/apple-aic: Fix irq_disable from within irq handlers"
In reply to: Randy Dunlap: "Re: [PATCH v3 1/1] NAX LSM: Add initial support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]