[PATCH v3 0/1] NAX (No Anonymous Execution) LSM

THOBY Simon Simon.THOBY at viveris.fr
Fri Aug 20 13:35:08 UTC 2021


Hi Igor,

On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
> 
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running of the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem.) This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
> 

[snip]

> 
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
>   basis.

If/when you plan to add that, adding the new xattr to the list of EVM-protected xattrs
may be worth discussing.

> - Store NAX attributes in the per-task LSM blob to implement special
>   launchers for the privileged processes, so all of the children processes
>   of such a launcher would be allowed to have anonymous executable pages
>   (but not to grandchildren).
> 

[snip]

Overall I'm pleased to see this patch and I have no more remarks,
outside of the few points Randy Dunlap raised.

Reviewed-by: THOBY Simon <Simon.THOBY at viveris.fr>

Thanks,
Simon


More information about the Linux-security-module-archive mailing list