Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: Cliffe
Date: Mon Aug 04 2008 - 23:09:35 EST

Next message: Atsushi Nemoto: "Re: cramfs and named-pipe"
Previous message: Pavel Roskin: "Re: pull request: wireless-2.6 2008-08-04"
In reply to: Casey Schaufler: "Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning"
Next in thread: Casey Schaufler: "Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If we had stackable LSMs then the required functionality could simply be built into the LSM interface. Then the anti-malware would simply stack itself with other LSMs. In my opinion this is a perfect example for the argument of stackable LSMs. So far we mainly have LSMs which provide an extra access control mechanism (in addition to DAC). IMHO, Ideally DAC could be another stackable LSM (enabled by default). Other security schemes such as intrusion detection, firewalls/netfilter, anti-malware, and application restrictions (sandboxes such as jails or finer grained restrictions such as AppArmor) could all register LSMs onto the stack.

Additional infrastructure would be necessary. Permissible security remains a item of contention. Perhaps I am naive but I think most LSMs could work based on accept/reject. Where every LSM must accept an action in order for it to be carried out.

MHO,

Cliffe.

Casey Schaufler wrote:

Eric Paris wrote:
Please contact me privately or (preferably the list) for questions,
comments, discussions, flames, names, or anything. I'll do complete
rewrites of the patches if someone tells me how they don't meet their
needs or how they can be done better. I'm here to try to bridge the
needs (and wants) of the anti-malware vendors with the technical
realities of the kernel. So everyone feel free to throw in your two
cents and I'll try to reconcile it all. These 5 patches are part 1.
They give us a working able solution.

>From my point of view patches forthcoming and mentioned below should
help with performance for those who actually have userspace scanners but
also could presents be implemented using this framework.

The LSM list (CCed) should be included in this discussion.
Background
...

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Atsushi Nemoto: "Re: cramfs and named-pipe"
Previous message: Pavel Roskin: "Re: pull request: wireless-2.6 2008-08-04"
In reply to: Casey Schaufler: "Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning"
Next in thread: Casey Schaufler: "Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]