Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: Andi Kleen
Date: Tue Aug 05 2008 - 23:52:49 EST


> I didn't consider it. Most likely at the end of the day the finding
> will be, "if you can write directly to the block device you already won
> since there are so many other things you can do to subvert the system."

This means your scheme is not generally supposed to protect against root?

I assume yes (since I can think of lots of other holes for
root), but you should state that explicitly in the spec since it
is a major limitation.

On the other hand it will also allow you to optimize significantly:

In particular it also means that you can trust the permissions
and don't need to check any files which cannot be written by users
you don't control.

-Andi
