Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-11 Thread Martin Kelly
> The bad news is, override_creds isn't going to fix this, because current->fs
> isn't part of the creds. It's still going to be null (h/t jhutz)
> The less bad news is, I think this will only affect closing a deleted file.
> Other operations should not trigger cache I/O after a flush. (exit_file

RE: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-11 Thread Martin Kelly
> The bad news is, override_creds isn't going to fix this, because current->fs
> isn't part of the creds. It's still going to be null (h/t jhutz)
> The less bad news is, I think this will only affect closing a deleted file.
> Other operations should not trigger cache I/O after a flush. (exit_file

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-11 Thread Chaskiel Grundman
The bad news is, override_creds isn't going to fix this, because current->fs isn't part of the creds. It's still going to be null (h/t jhutz) The less bad news is, I think this will only affect closing a deleted file. Other operations should not trigger cache I/O after a flush. (exit_files, which o

RE: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-09 Thread Martin Kelly
-info@openafs.org Cc: Martin Kelly Subject: [External] Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor
Basically, this is what I'm running:
    # git describe --abbrev=4 openafs-stable-1_8_x
    openafs-stable-1_8_7-109-gb7bdd
    # rxdebug localhost 7001 -version
    Trying

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-09 Thread Jonathan Billings
Basically, this is what I'm running:
    # git describe --abbrev=4 openafs-stable-1_8_x
    openafs-stable-1_8_7-109-gb7bdd
    # rxdebug localhost 7001 -version
    Trying 127.0.0.1 (port 7001):
    AFS version: OpenAFS 1.8.7-109-gb7bdd 2021-03-08 mockbuild@
With this kmod and the latest RHEL7 kernel, this is the k

Re: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Martin Kelly
> Do you know if it would be OK for me to share my kernel backtrace with the
> OpenAFS list?
Yes, please do!

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jeffrey E Altman
On 3/8/2021 7:20 PM, Benjamin Kaduk (ka...@mit.edu) wrote: On Mon, Mar 08, 2021 at 07:35:19PM +, Martin Kelly wrote: Below is the LKML LSM thread regarding this. Please let me know if you have any other questions: https://www.spinics.net/lists/linux-security-module/msg39081.html https://ww

Re: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Benjamin Kaduk
Hi Martin, On Mon, Mar 08, 2021 at 07:35:19PM +, Martin Kelly wrote: > On Sun, Mar 7, 2021 at 4:34 PM Benjamin Kaduk wrote: > > > I don't use Crowdstrike so haven't seen it, but can you post the > > > backtrace? > > > Based on what I've heard from Mr. Proulx at MIT (an

RE: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Martin Kelly
On Sun, Mar 7, 2021 at 4:34 PM Benjamin Kaduk wrote: > > I don't use Crowdstrike so haven't seen it, but can you post the backtrace? > Based on what I've heard from Mr. Proulx at MIT (and from others off-list), I > have put in a ticket with Crowdstrike asking if I can share

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jonathan Proulx
On Mon, Mar 08, 2021 at 09:56:02AM -0500, Jonathan D. Proulx wrote:
:
:We at MIT CSAIL stopped using crowdstrike partly because they refused
:to fix this despite us providing a patch to falcon-sensor (which is
:just a tarred pile of shell scripts).
Slight correction, the AFS portion of our problems

Re: Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jonathan Billings
Do you know if it would be OK for me to share my kernel backtrace with the OpenAFS list? On Mon, Mar 8, 2021 at 2:37 PM Martin Kelly wrote: > On Sun, Mar 7, 2021 at 4:34 PM Benjamin Kaduk > wrote: > > > I don't use Crowdstrike so haven't seen it, but can you post the > bac

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Ken Hornstein
>We at MIT CSAIL stopped using crowdstrike partly because they refused
>to fix this despite us providing a patch to falcon-sensor (which is
>just a tarred pile of shell scripts).
>
>They need to exclude /afs from their scans there's several ways to do
>this (they use "find" internally).
>
>We found t

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jonathan Billings
On Sun, Mar 7, 2021 at 4:34 PM Benjamin Kaduk wrote: > I don't use Crowdstrike so haven't seen it, but can you post the backtrace? > Based on what I've heard from Mr. Proulx at MIT (and from others off-list), I have put in a ticket with Crowdstrike asking if I can share the kernel backtrace. I

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jonathan Proulx
On Mon, Mar 08, 2021 at 10:06:44AM -0500, Ken Hornstein wrote:
:>We at MIT CSAIL stopped using crowdstrike partly because they refused
:>to fix this despite us providing a patch to falcon-sensor (which is
:>just a tarred pile of shell scripts).
:>
:>They need to exclude /afs from their scans there's

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Jonathan D. Proulx
We at MIT CSAIL stopped using crowdstrike partly because they refused to fix this despite us providing a patch to falcon-sensor (which is just a tarred pile of shell scripts). They need to exclude /afs from their scans there's several ways to do this (they use "find" internally). We found them un

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-07 Thread Benjamin Kaduk
On Fri, Mar 05, 2021 at 09:07:43AM -0500, Jonathan Billings wrote:
> Hello,
>
> Our university uses the Crowdstrike endpoint security tool, and we use
> OpenAFS for both our users' home directory as well as serving software to
> our students, faculty and researchers. Is anyone else using Crowdstr