Application Whitelisting with Mandos is an effective way to prevent unwanted applications from executing, but it must be made clear that there are limits to what the Application Whitelister can do. This section explains some of those limitations.
- Execution only: Mandos blocks execution (execve() and its variants). Mandos does not block dynamic libraries loaded with dlopen(), libraries on disk that have been replaced, or libraries injected with $LD_PRELOAD.
- Scripts: Mandos ignores any execution that is not a native binary, i.e. shebang (#!) scripts. A number of applications also generate temporary scripts at run time; these are treated like any other script.
- Best effort: Mandos is effectively in a race with the system, and it is possible for Mandos to be unable to assess an executable prior to execution. Additionally, a buffer overflow in a ‘good’ application will allow ‘bad’ code to be executed. This is where “defence in depth”, with mitigations such as ASLR, plays an important role.
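As an added illustration (not Mandos’s own code or tooling), a small Python audit that enumerates two of the gaps listed above on a constructed sample directory: executable shebang scripts, which execve() hands to an interpreter rather than running as a binary, and library-injection routes ($LD_PRELOAD, /etc/ld.so.preload) that an execve() hook never sees. All paths and environment values are constructed, not taken from a real system.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def classify(path: Path) -> str:
    """'elf' = native binary that Mandos assesses on execve();
    'script' = shebang file that Mandos ignores; 'other' = anything else."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def executable_scripts(dirs) -> list:
    """Executable shebang files: the interpreter is what gets execve()'d,
    so the script body itself is never assessed by the whitelister."""
    hits = []
    for d in dirs:
        for entry in sorted(Path(d).iterdir()):
            if entry.is_file() and os.access(entry, os.X_OK) and classify(entry) == "script":
                hits.append(entry.name)
    return hits


def preload_vectors(environ: dict, ld_so_preload: str = "") -> list:
    """Library-injection routes outside an execve() hook: $LD_PRELOAD in a
    process environment and entries in /etc/ld.so.preload (comments stripped)."""
    vectors = [f"LD_PRELOAD={v}" for k, v in environ.items() if k == "LD_PRELOAD" and v]
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            vectors.append(f"ld.so.preload:{line}")
    return vectors


def demo_audit() -> dict:
    """Run both checks against a constructed sample directory and environment."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "tool").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)  # ELF header stub
    (tmp / "wrapper.sh").write_text('#!/bin/sh\nexec /usr/bin/tool "$@"\n')
    (tmp / "notes.txt").write_text("#!looks like a script but has no x bit\n")
    for name in ("tool", "wrapper.sh"):
        os.chmod(tmp / name, 0o755)
    env = {"PATH": "/usr/bin", "LD_PRELOAD": "/tmp/example.so"}  # constructed
    return {"scripts": executable_scripts([tmp]),
            "preload": preload_vectors(env, "# comment\n/opt/libhook.so\n")}


if __name__ == "__main__":
    print(demo_audit())
```

Pointing `executable_scripts` at real PATH directories and `preload_vectors` at a process environment plus the contents of /etc/ld.so.preload gives an inventory of what the execve() whitelist alone does not cover.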