Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authenticationof binaries

From: Makan Pourzandi
Date: Fri Sep 10 2004 - 16:04:52 EST

Next message: Roland Dreier: "Re: TG3 doesn't work in kernel 2.4.27 (David S. Miller)"
Previous message: Chris Friesen: "problems with remap_page_range() and virt_to_phys() -- solved"
In reply to: Chris Wright: "Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries"
Next in thread: Chris Wright: "Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

see below:

Chris Wright wrote:

* Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:

Serge E. Hallyn wrote:

Quoting Chris Wright (chrisw@xxxxxxxx):

AFAICT, this means anybody with read access to a file can block all
writes. This doesn't sound great.

True.

This could be fixed by adding a check at the top of dsi_file_mmap for
file->f_dentry->d_inode->i_mode & MAY_EXEC. Of course then shared
libraries which are installed without execute permissions will cause
apps to break. On my quick test, I couldn't run xterm or vi :)

Note that blocking writes requires that the file be a valid ELF file,
as this is all that digsig mediates. So I'm not sure which we worry
about more - the fact that all shared libraries have to be installed
with execute permissions (under the proposed solution), or that write

My 2 cents, a quick browsing on my machine (fedora core 1) shows that almost all my shared libraries are installed with both execution and read permissions. IMHO, I don't believe then that this should be considered as a major issue.

This has nothing to do with file permissions aside of read. All you need
is read permission, then you can mmap(PROT_EXEC) which will kick off the
check, and do deny_write_access. It's a freeform way to lock writers
out of any readable file in the system. This is why MAP_EXECUTABLE and
MAP_DENYWRITE are masked off at syscall entry.

Chris, my understanding is that Serge's patch even though it restricts a little the system admin, is the best solution we have for time being. Am I right?
If this is the case I'll include Serge's patch in the cvs source code and send out a new release soon.

regards,
Makan

thanks,
-chris

--

Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Roland Dreier: "Re: TG3 doesn't work in kernel 2.4.27 (David S. Miller)"
Previous message: Chris Friesen: "problems with remap_page_range() and virt_to_phys() -- solved"
In reply to: Chris Wright: "Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries"
Next in thread: Chris Wright: "Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]