Re: [Patch][RFC] fcntl: add ability to stop monitored processes

From: Neil Horman (nhorman_at_redhat.com)
Date: 06/13/05

  • Next message: Alan Cox: "Re: Odd IDE performance drop 2.4 vs 2.6?"
    Date:	Mon, 13 Jun 2005 11:12:02 -0400
    To: Alan Cox <alan@lxorguk.ukuu.org.uk>
    
    

    On Mon, Jun 13, 2005 at 03:03:32PM +0100, Alan Cox wrote:
    > On Llu, 2005-06-13 at 14:48, Neil Horman wrote:
    > > The idea I had was to catch processes which are performing ostensibly
    > > undesirable filesystem operations (as defined by the actions that F_NOTIFY can
    > > monitor). I'm not sure how else to avoid the race condition that can arise
    > > between the delivery of the F_NOTIFY signal to the monitoring process, and the
    > > exiting of the monitored process. If you have another thought, I'm certainly
    > > open to it.
    >
    > I'm more worried you will make things worse not better. My first thought
    > was what stops me just filling up the file table with admin work
    > possibly also involving setuid processes so the end user cannot rescue
    > the situation.
    >
    I understand the concern here, but can't root always do destructive things to the
    system?

    > If its trying to do debugging then ptrace makes sense and the parent
    > would be notified. Ptrace deals with exit of tracer and security for
    > you. If you are trying to implement a security policy then the selinux
    > hooks already allow you to block access to those files by selected
    > processes anyway just as your F_NOTIFY hook would do, and you could even
    > write a new security layer with a daemon that decided for the F_NOTIFY
    > equivalents.
    >
    I'll certainly try this again using the ptrace interface, rather than fcntl. Do
    you think the whole F_NOTIFY function should move over, or just this particular
    feature?

    Neil
    > Alan
    >

    -- 
    /***************************************************
     *Neil Horman
     *Software Engineer
     *Red Hat, Inc.
     *nhorman@redhat.com
     *gpg keyid: 1024D / 0x92A74FA1
     *http://pgp.mit.edu
     ***************************************************/
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at  http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at  http://www.tux.org/lkml/
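The race Neil describes above, reproduced as an added example (this code is not from the thread, not from the patch, and not from either author). It watches a scratch directory with fcntl(F_NOTIFY), forks a child that creates a file there and exits at once, and then lets the monitor try to act on the notification. Two things the example makes visible: dnotify's siginfo carries only si_fd (the watched directory), never the pid of the process that did the operation, and by the time the monitor runs the actor can already be gone. The scratch directory template /tmp/dnrace-XXXXXX and the file name "evidence" are assumptions for the demo; kill(pid, 0) is used as the existence probe instead of SIGSTOP so the demo can never stop an unrelated process that happens to reuse the pid.

```c
/* Added example: the dnotify (F_NOTIFY) notification race discussed in the
 * thread. Linux only. Build: cc -Wall -o dnrace dnrace.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t g_events;   /* notifications delivered so far */
static volatile sig_atomic_t g_event_fd; /* si_fd from the last notification */

static void on_dnotify(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    g_events++;
    /* dnotify identifies the watched directory fd only; there is no actor pid. */
    g_event_fd = si->si_fd;
}

/*
 * Returns:
 *   1  notification arrived, but the process that caused it had already
 *      exited: kill(pid, 0) fails with ESRCH, so there is nothing to stop
 *   0  no notification arrived (unexpected on a kernel with dnotify)
 *   2  actor still present (cannot happen here, we reap it before checking)
 *  -1  setup failed or F_NOTIFY unsupported (fcntl gives EINVAL)
 */
int dnotify_race_demo(void)
{
    char dir[] = "/tmp/dnrace-XXXXXX"; /* hypothetical scratch directory */
    char path[64] = "";
    int rc = -1, dfd = -1;
    pid_t pid;
    struct sigaction sa, old_sa;
    int have_old = 0;

    g_events = 0;
    g_event_fd = -1;

    if (!mkdtemp(dir))
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        goto out;

    /* Use a realtime signal with SA_SIGINFO so the handler receives si_fd. */
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_dnotify;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGRTMIN, &sa, &old_sa) < 0)
        goto out;
    have_old = 1;
    if (fcntl(dfd, F_SETSIG, SIGRTMIN) < 0)
        goto out;
    if (fcntl(dfd, F_NOTIFY, DN_CREATE) < 0) /* EINVAL: no dnotify support */
        goto out;

    snprintf(path, sizeof path, "%s/evidence", dir);

    pid = fork();
    if (pid < 0)
        goto out;
    if (pid == 0) {
        /* The monitored process: perform the watched operation, then leave. */
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0)
            close(fd);
        _exit(0);
    }

    /* The monitor reaches this point only after the child is gone; the
     * DN_CREATE signal was generated before the exit, so the handler has run. */
    if (waitpid(pid, NULL, 0) < 0)
        goto out;

    if (g_events == 0)
        rc = 0;
    else if (kill(pid, 0) < 0 && errno == ESRCH)
        rc = 1; /* we were told about the create, but nobody is left to stop */
    else
        rc = 2;

out:
    if (dfd >= 0) {
        fcntl(dfd, F_NOTIFY, 0); /* drop the watch before closing */
        close(dfd);
    }
    if (have_old)
        sigaction(SIGRTMIN, &old_sa, NULL);
    if (path[0])
        unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int r = dnotify_race_demo();
    printf("result=%d events=%d si_fd=%d\n", r, (int)g_events, (int)g_event_fd);
    return r == 1 ? 0 : 1;
}
```

A monitor that wants to stop the offender therefore needs something that names the process and survives its exit, which is the reason ptrace (where the tracer is notified of the tracee's every stop and exit) or an LSM hook (which runs inside the offending process's own syscall, before the operation completes) are the fits Alan points to; dnotify's signal arrives after the fact and without a pid.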
    
