Hi Igor,
On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
>
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running of the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem.) This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
>
[snip]
>
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
> basis.
If/when you plan to add that, adding the new xattr to the list of EVM-protected xattrs
may be worth discussing.
> - Store NAX attributes in the per-task LSM blob to implement special
> launchers for the privileged processes, so all of the children processes
> of such a launcher would be allowed to have anonymous executable pages
> (but not to grandchildren).
>
[snip]
Overall I'm pleased to see this patch and I have no more remarks,
outside of the few points Randy Dunlap raised.
Reviewed-by: THOBY Simon <[email protected]>
Thanks,
Simon