Re: [PATCH v3 0/1] NAX (No Anonymous Execution) LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Igor,

On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
> 
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running of the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem.) This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
> 

[snip]

> 
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
>   basis.

If/when you plan to add that, adding the new xattr to the list of EVM-protected xattrs
may be worth discussing.

> - Store NAX attributes in the per-task LSM blob to implement special
>   launchers for the privileged processes, so all of the children processes
>   of such a launcher would be allowed to have anonymous executable pages
>   (but not to grandchildren).
> 

[snip]

Overall I'm pleased to see this patch and I have no more remarks,
outside of the few points Randy Dunlap raised.

Reviewed-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx>

Thanks,
Simon




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux