
RE: Configuration parameter request



Hi Ben
Thank you for your email, we will make sure our development team has your response.
Thanks again
Linda



Linda Arens
Director, Technology Alliances 
(o) 650.726.7539 (m) 650.888.0533


-------- Original message --------
From: Ben Hutchings <ben@decadent.org.uk>
Date: 7/12/16 5:56 PM (GMT-08:00)
To: Linda Arens <Linda.Arens@kaspersky.com>, debian-kernel@lists.debian.org
Cc: Olesya Golubkova <Olesya.Golubkova@kaspersky.com>
Subject: Re: Configuration parameter request

On Thu, 2016-06-30 at 17:41 +0000, Linda Arens wrote:
> Dear Debian Kernel Team,  We are reaching out to you at the
> recommendation of one of your community members.
>
> We, Kaspersky Lab, develop anti-malware security software to secure
> Linux File Servers.
>
> We are reaching out to you to request that the following
> configuration parameters be enabled in Debian 8 and/or Debian 9

As a general rule, we don't enable new features in existing stable
releases, other than to extend hardware support.  Any changes would
apply only to Debian 9 onward.

>                 CONFIG_FANOTIFY=y

This is already enabled.

> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
[...]
> *         We have entered a request for this change in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690737

I can't see any references to Kaspersky software there, but OK,
presumably you've already read the responses there.

> *         At this time other Linux vendors (RedHat starting with
> v.7, Ubuntu starting with v.14.04.4) have included this option
> (FANOTIFY_ACCESS_PERMISSION) in their distributives
>
> In the next versions of our products we are going to support the
> fanotify technology for the OSs listed above, thus ensuring a higher
> level of protection for users of these operating systems.
>
> By not having the same functionality across all Linux vendors,
> increases the delivery time of protection updates and lowers the
> level of protection of Debian users.
[...]

As I see it, you (and several other AV vendors) are taking a strange
approach to provide limited protection to *Windows* users.

Using the fanotify access control mechanism is less awful than hacking
the system call table, but it still looks prone to deadlocks and it
doesn't really prevent reading malware.

So I'll enable this but log a warning when it's used because it's not a
feature I really want to support.

Ben.

--

Ben Hutchings
Sturgeon's Law: Ninety percent of everything is crap.
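
An added example, not part of the original thread: a shell check that reports how a kernel config file sets the two options discussed above. The function names and the sample config are constructed for illustration; the /boot/config-$(uname -r) location mentioned in the comments is where Debian installs the config of the running kernel.

```shell
#!/bin/sh
# Added example: read a kernel config and report the fanotify options
# requested in the thread. Helper names are hypothetical.

# kconfig_state FILE OPTION -> prints the option's value (e.g. y),
# "n" for an explicit "is not set" line, or "absent" if never mentioned.
kconfig_state() {
    file=$1
    opt=$2
    case $file in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;        # e.g. /boot/config-$(uname -r)
    esac
    $reader "$file" | awk -v opt="$opt" '
        # Match the exact name: CONFIG_FANOTIFY must not be satisfied by
        # CONFIG_FANOTIFY_ACCESS_PERMISSIONS, which shares its prefix.
        index($0, opt "=") == 1      { state = substr($0, length(opt) + 2) }
        $0 == "# " opt " is not set" { state = "n" }
        END { print (state == "" ? "absent" : state) }
    '
}

# fanotify_perm_supported FILE -> exit status 0 only if both options are =y,
# i.e. permission events (the access-control mode) are compiled in.
fanotify_perm_supported() {
    [ "$(kconfig_state "$1" CONFIG_FANOTIFY)" = y ] &&
    [ "$(kconfig_state "$1" CONFIG_FANOTIFY_ACCESS_PERMISSIONS)" = y ]
}

# Constructed sample matching the state described in the thread:
# fanotify itself enabled, access permissions not yet enabled.
sample_config() {
    cat <<'EOF'
CONFIG_FSNOTIFY=y
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
EOF
}

# When given a config file path as an argument, print both states.
if [ $# -gt 0 ]; then
    for o in CONFIG_FANOTIFY CONFIG_FANOTIFY_ACCESS_PERMISSIONS; do
        printf '%s=%s\n' "$o" "$(kconfig_state "$1" "$o")"
    done
fi
```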
