From: Eric Paris <eparis@redhat.com>
To: david@lang.hm
Cc: Jan Harkes <jaharkes@cs.cmu.edu>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
tvrtko.ursulin@sophos.com, Theodore Tso <tytso@mit.edu>,
davecb@Sun.COM, Adrian Bunk <bunk@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
malware-list@lists.printk.net,
Casey Schaufler <casey@schaufler-ca.com>,
Arjan van de Ven <arjan@infradead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for access scanning
Date: Wed, 20 Aug 2008 15:26:07 -0400 [thread overview]
Message-ID: <1219260367.3389.125.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.DEB.1.10.0808201004200.20991@asgard.lang.hm>
On Wed, 2008-08-20 at 10:33 -0700, david@lang.hm wrote:
> if the system package manager says the syslogd binary doesn't match the
> checksum that it has recorded should it be prevented from running? (a
> strict policy would say no, but the sysadmin may have recompiled that one
> binary and just wants a warning to be logged somewhere, not preventing the
> process from running)
My belief is that if you choose to run a file scanner and that file
scanner gets the answer wrong you need to look at the file scanner.
There shouldn't be arbitrary overrides. If you don't accept the results
of the scanner what's the point? Tell you package manager scanner that
you changed it.
> without the kernel support to clear the flags when the file is dirtied how
> can these programs trust the xattr flags that say they scanned the file
> before?
I don't understand what you mean about trust. This is an argument for
kernel support now? What is it that you say needs and what doesn't need
it? Can you explain exactly what your perfect solution from top down?
> I'm not saying that xattr is the only way to store the info, it just seems
> like a convienient place to store them without having to create a
> completely new API or changing anything in on-disk formats.
And I saying we don't actually need any of this and if it is actually
needed by someone in the real world they can easily build their own
solution on top of my generic interface. I'm not making the assertion
it is race free and don't think it is possible without making every
sequential (hahahaha.) But I claim in the face of normal operation it's
fine. My interface, as proposed, is very generic. Much more so than
what I think you are trying to describe. I couldn't make mine more
minimal or broad.
next prev parent reply other threads:[~2008-08-20 21:01 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
[not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31 ` tvrtko.ursulin
2008-08-18 15:31 ` Alan Cox
2008-08-18 13:42 ` David Collier-Brown
2008-08-18 17:53 ` Alan Cox
2008-08-18 18:13 ` david
2008-08-18 15:58 ` tvrtko.ursulin
2008-08-18 17:13 ` david
2008-08-18 16:15 ` Eric Paris
2008-08-18 16:15 ` Alan Cox
2008-08-18 16:54 ` douglas.leeder
2008-08-18 16:40 ` Alan Cox
2008-08-18 17:28 ` Eric Paris
2008-08-18 17:25 ` Alan Cox
2008-08-18 17:54 ` Eric Paris
2008-08-18 18:30 ` Eric Paris
2008-08-18 18:51 ` Alan Cox
2008-08-18 18:35 ` Jan Harkes
2008-08-18 18:46 ` Eric Paris
2008-08-18 19:04 ` david
2008-08-20 2:44 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15 ` Eric Paris
2008-08-20 17:33 ` david
2008-08-20 19:26 ` Eric Paris [this message]
2008-08-21 0:42 ` david
2008-08-20 17:50 ` david
2008-08-21 14:35 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19 ` david
2008-08-22 15:09 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23 7:28 ` david
2008-08-18 19:32 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38 ` david
2008-08-18 17:29 ` david
2008-08-18 17:39 ` Eric Paris
2008-08-18 18:09 ` david
2008-08-18 18:34 ` Eric Paris
2008-08-18 17:07 ` david
2008-08-19 8:40 ` tvrtko.ursulin
2008-08-18 22:40 ` Pavel Machek
2008-08-18 23:07 ` Eric Paris
2008-08-19 1:15 ` Peter Dolding
2008-08-19 8:09 ` douglas.leeder
2008-08-19 11:08 ` Peter Dolding
[not found] ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20 3:03 ` Peter Dolding
2008-08-18 16:28 ` douglas.leeder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1219260367.3389.125.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=bunk@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davecb@Sun.COM \
--cc=david@lang.hm \
--cc=jaharkes@cs.cmu.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=malware-list@lists.printk.net \
--cc=tvrtko.ursulin@sophos.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.