Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning

[Alan Cox]

> > Scripts
> 
> get either opened or exec'd...
> 
> (ignoring stdin-fed scripts right now.. but that's a problem regardless)

Don't forget pty/tty pairs, ioctls to type chars etc

> > Attempts to screen content
> 
> can you explain?

One common use for scanning is to scan content not looking for executable
stuff but for things like malformed image files and the like. It's also
useful for indexing and in those cases you don't really want ld.so in the
way.

> > Exec occuring after ld.so is compromised
> 
> this is post-compromise scenario; if you have enough root rights to do
> that then it's game over.

You still want to know if you spot this. And the root rights thing
assumes no selinux. For a large case of uses I would agree however.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/