Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

[Pavel Machek]

Hi!

> > > 
> > > If I understand you, then you are claiming that steps (ii) to (v) 
> > > introduce buffer overflows in bash or show_etc_issue. How?
> > 
> > No, I'm not claiming that. You are certainly *not* introducing any new
> > problems.
> > 
> > But some problems that used to be harmless (buffer overrun in
> > show_etc_issue command) are not harmless any more.
> 
> How is a buffer overrun in a script/application less "harmless" with IMA? 
> Please be specific. Preliminary IMA patches are out on the mailing lists.
> 
> The only thing that IMA does with respect to existing known buffer 
> overruns is that it enables remote parties to know that there is an application 
> with a known buffer overrun if this application/script was measured. Such 
> information is sensitive and this is one reason why direct access to the 
> measurements are restricted to authorized/trusted parties.

Well, you'll have to add measurement of any security-sensitive config
file, any script, and will have to make sure that all parsing of
system config files does not contain buffer-overrun problems. That's
lot of work before IMA is usefull. It is true you do not make
situation any worse.

Good luck and go ahead.
								Pavel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/