James Morris wrote: > > Loadable kernel modules used by antivirus software temporarily modify syscall tables > > ( http://stackoverflow.com/questions/13876369/system-call-interception-in-linux-kernel-module-kernel-3-5 ) > > in order to register hooks for execve()/open()/close(). It is very frustrating for > > many users if you enforce CONFIG_MODULES=n or forbid post-__init registration of hooks. > > We don't cater to out of tree code. > > Additionally, I'd also seriously question whether the security benefits of > kernel AV outweigh its security risks. Are you aware that loadable kernel modules used by antivirus software are used for relaying events to userspace daemons? Such modules don't do scanning inside kernel. Why such modules are considered as security risks? Are you aware that SELinux (or AppArmor or whatever so-called MAC) is not always enabled in all enterprise systems? Are you aware that there are systems where administrators cannot afford using rule based access restriction mechanisms? In such systems, the security benefits of loadable security modules (provided by AV or alike) can outweigh read only LSM hooks. > diff --git a/security/Kconfig b/security/Kconfig > index 118f454..f6f90c4 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -31,6 +31,11 @@ config SECURITY > > If you are unsure how to answer this question, answer N. > > +config SECURITY_WRITABLE_HOOKS > + depends on SECURITY > + bool > + default n > + This configuration option must not be set to N without big fat explanation about implications of setting this option to N. Honestly, I still don't like this option, regardless of whether SELinux needs this option or not. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
