Re: fanotify as syscalls

From: Davide Libenzi
Date: Wed Sep 23 2009 - 11:35:34 EST


On Wed, 23 Sep 2009, hch@xxxxxxxxxxxxx wrote:

> On Wed, Sep 23, 2009 at 09:39:33AM +0100, Tvrtko Ursulin wrote:
> > Lived with it because there was no other option. We used LSM while it was
> > available for modules but then it was taken away.
> >
> > And not all vendors even use syscall interception, not even across platforms,
> > of which you sound so sure about. You can't even scan something which is not
> > in your namespace if you are at the syscall level. And you can't catch things
> > like kernel nfsd. No, syscall interception is not really appropriate at all.
>
> The "Anti-Malware" industry is just snake oil anyway. I think the
> proper approach to support it is just to add various no-op exports claim
> to do something and all the people requiring anti-virus on Linux will be
> just as happy with it.

The fear is that this becomes a trojan horse (no pun intended) for more
and more hooks and "stuff", driven by we-really-need-this-too and
we-really-need-that-too. And once something it's in, it's harder to say no,
under the pressure of offering a "limited solution".
This ws the reason I threw the syscall tracing thing in, so they have a
low level generic hook, and they cam knock themselves out in their module
(might need a few exports, but that's about it).



- Davide


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/