[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Dazuko-devel] Re: 2.6.27 kernels

From: Frantisek Hrbata
Subject: Re: [Dazuko-devel] Re: 2.6.27 kernels
Date: Wed, 24 Sep 2008 13:35:40 +0200

On Tue, 23 Sep 2008 20:08:16 +0200
Jonathan Dumke <address@hidden> wrote:

> Hash: SHA1
> > On Thu, 28 Aug 2008 19:47:57 +0300
> > Sami Tikka <address@hidden> wrote:
> >
> >> Frantisek Hrbata kirjoitti 28.8.2008 kello 18.34:
> >>
> [...]
> >>> scanning besides logs or some other output?
> >> Probably not. I just asked because F-Secure AV software has always
> >> had settings for scan-on-open, scan-on-exec and scan-on-close.
> >> Scan-on- close is nice-to-have and I have never heard anyone using
> >> just one of scan-on-open or scan-on-exec.
> >
> > AVG has also options for scanOnOpen, scanOnExec and
> > scanOnCloseModified. I think that is because dazuko provides such
> > events :). Question is if it is necessary to notify user-space
> > scanner which event triggered the scanning at all.
> >
> > -FH
> In my opinion the scanOnExec option is a completly different to
> scanOnOpen, example of my understanding folloes here:
> sample cmd: vim ascript.sh
> scanOnExec should scan the vim, cause it is execited
> scanOnOpen should scan the script, cause it's opend or may be it scans
> both vim and the edited file.

During exec kernel calls regular file open functions(sys_execve ->
do_execve -> open_exec -> ...). So if you want to execute some binary
kernel will call open anyway.

I think that distinguish open and exec is good just for logging etc.
It would be nice to have both events I guess, but for security
reasons it is not crucial. I can not imagine situation when you would
like to scan only on-open or only on-exec. Open and exec events just go
hand in hand and disabling one of them will provide gap for malware to

> Just a nother thing. Because the kernel and its interfaces are still
> in progress, I think it should be a good idea to encapsulate the
> needed api-calls by a dazuko-framework-library.

I am not sure what do you mean by this. Dazuko provides same api
despite of which method it uses to get needed events(syscalls, lsm,
redirfs, dazukofs).

> Greets,
> Jhony Walldorf
> Version: GnuPG v1.4.6 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> JKEgfhxvHm9aIYsHZ4cMNgY=
> _______________________________________________
> Dazuko-devel mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/dazuko-devel

reply via email to

[Prev in Thread] Current Thread [Next in Thread]