Hi Igor,

On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
>
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem). This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
> [snip]
>
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
> basis.

If/when you plan to add that, adding the new xattr to the list of
EVM-protected xattrs may be worth discussing.

> - Store NAX attributes in the per-task LSM blob to implement special
> launchers for the privileged processes, so all of the children processes
> of such a launcher would be allowed to have anonymous executable pages
> (but not to grandchildren).
> [snip]

Overall I'm pleased to see this patch and I have no more remarks, outside
of the few points Randy Dunlap raised.

Reviewed-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>

Thanks,
Simon
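The overview quoted above describes code running from executable mappings that have no backing file. As an added illustration (not part of the NAX patch set or either author's mail), the following user-space check reads /proc/<pid>/maps and reports executable regions with inode 0, which is the condition the LSM is designed to restrict at the kernel level; the sample maps text and the pseudo-mapping allowlist are constructed for the example.

```python
"""Report executable mappings that are not backed by a file, per process.

Added example for this thread, not code from the NAX patch set. Legitimate
JIT engines also create such mappings, so hits are leads to triage, not verdicts.
"""
import os
import re

# Kernel-provided executable pseudo-mappings expected in ordinary processes.
_KERNEL_EXEC_PSEUDO = {"[vdso]", "[vsyscall]", "[vectors]", "[sigpage]"}

# One /proc/<pid>/maps line: range perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def anon_exec_regions(maps_text):
    """Return (start, end, perms, path) for executable regions with no backing file."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        if "x" not in perms or path in _KERNEL_EXEC_PSEUDO:
            continue
        # inode 0 means no file behind the mapping (anonymous, [heap], [stack], ...).
        if int(m.group("inode")) == 0:
            hits.append((int(m.group("start"), 16), int(m.group("end"), 16),
                         perms, path or "<anonymous>"))
    return hits


def scan_all():
    """Walk /proc and print anonymous executable regions of every readable process."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                regions = anon_exec_regions(f.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        for start, end, perms, path in regions:
            print(f"pid {pid}: {start:#x}-{end:#x} {perms} {path}")


# Constructed sample maps text (not captured from a real system).
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a20000 r-xp 00000000 fd:01 1310722 /usr/bin/python3
7f1a2c000000-7f1a2c021000 rwxp 00000000 00:00 0
7f1a2c400000-7f1a2c600000 rw-p 00000000 00:00 0 [heap]
7ffd3b7e0000-7ffd3b7e2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    scan_all()
```

On the constructed sample only the rwxp region with inode 0 and no path is reported; the file-backed text segment, the non-executable heap and the vdso are skipped.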