
Archive: mlangel@sikurezza.org
Subject: Re: [PATCH] some cleanup + antiforkbomb
From: Daniele Bellucci
Date: 23 Jan 2004 07:22:43 -0000
|| - add the antiforkbomb by using the LSM hook for task_create
|| - some clean up
|| - add a _temporary_ logging facility via printk
|| - a sysdep.h (to clean up some code from engine.c)
|Your work is extremely good
tnx
|and I appreciate it, but I won't apply your patch as
|is for one reason. In the "AngeL meets LSM" thread, buffer
|pointed out that it would be bad to break down kernel compatibility with
|older releases (2.2 and 2.4) so I radically changed the directory layout
|in order to achieve:
|*) kernel related source code;
|*) anti attacks code independent from kernel ones
good
|So your work will be applied in my local copies meeting the new layout
|which is not yet public however... of course it will be applied :)
any news about the CVS repository?
|One goal I want to reach is having a network attack core that is
|pluggable.
good.
|I want to implement the netfilter hook with the capability to
|create a pool of function pointers that can be directed at run time
|after loading "anti network attack". So people can write a plugin like
|to stop sending worms, viruses, even spam and they can share their code
|without waiting for us to release that code in the official angel tarball.
|What do you think about it?
nice idea... but ... spam fighting in kernel_space could be
painful since we may reduce the throughput of the system.
Identifying a spam message in kernel_space should be avoided
_IMHO_.
|| I have a little question, what about adding an "anti escape from chroot
|| jail"?
|Yes, we can play around chroot(2) call. Please do these hacks onto 0.9
|code, for me it's simpler to propagate new features from 0.9 than from 0.15
ok, i'll be glad to do it.
|| i would be very glad to code a "prison".
|Mmmh... it would be better to code an anti chroot escape code rather
|than closing every process in a jail... IMHO.
as explained in my previous reply, i'm planning to port the
FreeBSD Jail in a Linux Kernel Module without supplying an
additional Virtual Network Interface.
|It's root's task to decide
|what must be chrooted and what not, we must assure that people won't
|break the jail.
yes, that's what i wanna do.
BE AWARE: i'm talking about the "Free BSD Jail Functionalities" rather
than adding a "sys_jail" syscall.
I also wish to schedule a timer to double check if a "chrooted process"
has any open file descriptor pointing outside the jail.
If this happens, a warning message will be logged by the angel log
facility.
|| I'm new in the ML, i don't know the whole story about the project ...
|| I have another question/proposal for the coding style:
|| since we're developing a kernel module, why not use the linux-kernel
|| coding style?
|No problem about using lindent script before submitting patch...
tnx, i like the idea to use the same "Linux Kernel Coding Style".
|$>cd /pub
|$>more beer
$>/ ceres :))
--
Daniele.
"I could have made money this way, and perhaps amused myself writing code.
But I knew that at the end of my career, I would look back on years of
building walls to divide people, and feel I had spent my life making the
world a worse place."
Richard Stallman
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
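
The periodic check described in the message above (flagging a chrooted process that holds an open file descriptor outside its jail), sketched in user space as an added example; it is not AngeL code or the author's implementation. It assumes a Linux /proc read by root from outside any chroot and in the same mount namespace; the function names and the `proc` parameter are hypothetical.

```python
import os

def fds_outside_jail(pid, proc="/proc"):
    """Return [(fd, target)] for descriptors of `pid` that resolve outside its root.

    Returns [] when the process is not chrooted (its root is "/").
    """
    base = os.path.join(proc, str(pid))
    root = os.readlink(os.path.join(base, "root")).rstrip("/")
    if root == "":            # root was "/": the process is not jailed
        return []
    hits = []
    fd_dir = os.path.join(base, "fd")
    for name in sorted(os.listdir(fd_dir), key=int):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:       # descriptor closed while we were scanning
            continue
        if not target.startswith("/"):
            continue          # socket:[...], pipe:[...], anon_inode:... have no path
        # Compare on a path-component boundary so /srv/jail2 is not taken for /srv/jail.
        if target != root and not target.startswith(root + "/"):
            hits.append((int(name), target))
    return hits

def scan(proc="/proc"):
    """Check every numeric entry under `proc`; return {pid: hits} for offenders."""
    report = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            hits = fds_outside_jail(int(entry), proc)
        except OSError:       # process exited, or we lack permission to read it
            continue
        if hits:
            report[int(entry)] = hits
    return report

if __name__ == "__main__":
    for pid, hits in sorted(scan().items()):
        for fd, target in hits:
            print(f"warning: pid {pid} fd {fd} -> {target} is outside its chroot")
```

A directory descriptor opened before chroot(2) and kept open is the case this flags; a scheduled run (cron or a timer unit) gives the "double check" behaviour without kernel code.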