
RE: Configuration parameter request



Hi Ben and Debian Kernel team.
 
Thank you for this information.  I provided it to our team and we have an additional question and want to clarify what we see.
 
1. Could you please let us know when these changes/features will be added and in what branches?
 
2. You mention the following:
it still looks prone to deadlocks and it doesn't really prevent reading malware.
So I'll enable this but log a warning when it's used because it's not a
feature I really want to support.
 
KL: We have found that it is possible to create deadlocks using fanotify and even crash the whole operating system from user space; the root cause of this is fanotify itself, which is able to intercept file operations, not the fanotify access permission.
Since fanotify is already enabled in the Debian kernel, we are not adding risks for the end-users by enabling the access permission feature in the kernel.  Therefore we are not sure why a warning would be given for enabling the access permission feature.
 
Thank you again for your support and feedback.
Regards
Linda
 
-----Original Message-----
From: Ben Hutchings [mailto:ben@decadent.org.uk]
Sent: Tuesday, July 12, 2016 5:56 PM
To: Linda Arens; debian-kernel@lists.debian.org
Cc: Olesya Golubkova
Subject: Re: Configuration parameter request
 
On Thu, 2016-06-30 at 17:41 +0000, Linda Arens wrote:
> Dear Debian Kernel Team,  We are reaching out to you at the
> recommendation of one of your community members.
>
> We, Kaspersky Lab develop anti-malware security software to secure
> Linux File Servers.
>
> We are reaching out to you to request that the following configuration
> parameters be enabled in Debian 8 and/or Debian 9
 
As a general rule, we don't enable new features in existing stable releases, other than to extend hardware support.  Any changes would apply only to Debian 9 onward.
 
> CONFIG_FANOTIFY=y
 
This is already enabled.
 
> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
[...]
> * We have entered a request for this change in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690737
 
I can't see any references to Kaspersky software there, but OK, presumably you've already read the responses there.
 
> * At this time other Linux vendors (RedHat starting with v.7,
> Ubuntu starting with v.14.04.4) have included this option
> (FANOTIFY_ACCESS_PERMISSION) in their distributions
>
> In the next versions of our products we are going to support the
> fanotify technology for the OSs listed above, thus ensuring a higher
> level of protection for users of these operating systems.
>
> Not having the same functionality across all Linux vendors
> increases the delivery time of protection updates and lowers the level
> of protection of Debian users.
[...]
 
As I see it, you (and several other AV vendors) are taking a strange approach to provide limited protection to *Windows* users.
 
Using the fanotify access control mechanism is less awful than hacking the system call table, but it still looks prone to deadlocks and it doesn't really prevent reading malware.
 
So I'll enable this but log a warning when it's used because it's not a feature I really want to support.
 
Ben.
 
--
 
Ben Hutchings
Sturgeon's Law: Ninety percent of everything is crap.
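As an added example, not code from the thread or from either Kaspersky or Debian, here is a minimal on-access listener of the kind CONFIG_FANOTIFY_ACCESS_PERMISSIONS exists for: it marks a directory for FAN_OPEN_PERM and must answer every event with FAN_ALLOW or FAN_DENY, which is exactly why a stalled listener blocks every process opening files under the mark, the deadlock risk discussed above. The watched directory and the quarantine path are constructed placeholders; running it needs Linux with the option enabled and CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>
/* Pure policy decision, a constructed stand-in for a scanner's verdict:
   deny opens of anything under a hypothetical quarantine directory. */
int verdict_for_path(const char *path) {
    return strncmp(path, "/srv/quarantine/", 16) == 0 ? FAN_DENY : FAN_ALLOW;
}
/* Build the reply the kernel expects for one permission event. */
struct fanotify_response make_response(int event_fd, int verdict) {
    struct fanotify_response r = { .fd = event_fd, .response = verdict };
    return r;
}
/* Resolve the path behind an event fd through /proc/self/fd. */
static void event_path(int fd, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    buf[n < 0 ? 0 : n] = '\0';
}
int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/srv";  /* constructed default */
    /* FAN_CLASS_CONTENT is required to receive permission events at all. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, dir) < 0) {
        perror("fanotify");
        return 1;
    }
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len;
    while ((len = read(fan, buf, sizeof buf)) > 0) {
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->mask & FAN_OPEN_PERM) {
                char path[PATH_MAX];
                event_path(m->fd, path, sizeof path);
                /* The opener stays blocked until this reply is written. */
                struct fanotify_response r = make_response(m->fd, verdict_for_path(path));
                if (write(fan, &r, sizeof r) < 0) perror("response");
            }
            close(m->fd);  /* always release the event fd, even for non-perm events */
        }
    }
    return 0;
}
```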
 
