On Mon, Aug 21, 2000 at 08:31:28PM +0200, Martin MaD Douda wrote:
> Just a few questions for you:
> 1. How much slowes your module down the system?
It slows down the startup of binaries a little bit, depending on how big
the executable is. With my Celeron 333 CPU on a Sony VAIO Notebook, the
execution of a 40MB zero file took 4 seconds more.
So, if you are starting many processes in a small amount of time, you should
think twice about using it. However, from what I've tested, it's not that
bad.
> 2. You have kernel MD5ing a few megabyte executable. Are all processes
> other stopped (kernel is not reentrant) during this?
No, they aren't. I just checked it out again to make sure. During the 4
seconds the MD5 sum for the 40MB executable is computed, all processes
continue running. (er... by the way... why? I don't know very much about task
handling yet)
> 3. Do you solve shared libraries modification?
Uh, something I have not thought about yet. However, if I discover any
misbehaviour (that is, shared libraries are not checked), I'll include it in
the next version.
> 4. Isn't "chattr +i" sufficient protection with much less impact on
> performance?
If you are starting many processes in a small amount of time, you should not
use "sexec", or you should only use it for executables that a) you are
paranoid about and/or b) won't get called every second.
sexec only computes MD5 digests for executable that have an entry in the list.
There is virtually no performance loss for others.
You can't "lock down" +i as I understood. And I think it's a little harder
to keep track of the immutable files. You can use the same MD5 digest list
that sexec uses for other things. A distribution could come with a MD5 digest
list and initialize sexec for it. And chattr +i doesn't protect you from new
setuid root binaries (of course you already have a big problem if an attacker
is able to create them).
Julien
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Aug 23 2000 - 21:00:05 EST