To: "Press, Jonathan" <Jonathan.Press@ca.com>
Cc: "Eric Paris" <eparis@redhat.com>, "Greg KH" <greg@kroah.com>,
       <linux-kernel@vger.kernel.org>, <malware-list@lists.printk.net>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface foron access scanning
From: Andi Kleen <andi@firstfloor.org>
References: <1217883616.27684.19.camel@localhost.localdomain>
	<20080804223249.GA10517@kroah.com>
	<1217896374.27684.53.camel@localhost.localdomain>
	<2629CC4E1D22A64593B02C43E855530304807431@USILMS12.ca.com>
Date: Wed, 06 Aug 2008 04:46:05 +0200
In-Reply-To: <2629CC4E1D22A64593B02C43E855530304807431@USILMS12.ca.com> (Jonathan Press's message of "Tue, 5 Aug 2008 10:41:44 -0400")
Message-ID: <87vdye6etu.fsf@basil.nowhere.org>
User-Agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1097
Lines: 26

"Press, Jonathan" <Jonathan.Press@ca.com> writes:
>
> Also...  I was one of the people who brought up the idea of a process
> exclusion when the requirements list was being developed.  I intended it
> as a way that an AV application could exclude specific OTHER processes
> by name (as selected by the AV user)

There's no fixed process name in Linux that cannot be easily faked: 

Use process name -- every process can change that by writing to its own
environment.
Use comm name -- there's a prctl to change that and there can be collisions
Use path name of binary -- breaks with chroot and name spaces. Also existing
binaries can be subverted.
Use inode of binary -- can be faked with fuse and breaks when the binaries
is copied ...
Use dev, inode -- breaks when copying binary and when running on network
file systems without a device node

-Andi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/