Re: [ANNOUNCE] Release Digsig 1.5: kernel module forrun-timeauthentication of binaries

From: Arjan van de Ven
Date: Tue Apr 25 2006 - 12:56:35 EST


On Tue, 2006-04-25 at 18:11 +0200, Axelle Apvrille wrote:
> Hi all,
>
> Just my few cents on signed binaries and DigSig. It's
> kind of a very partial reply to several parts of
> various emails (Arjan, Ulrich, Nix ...), sorry for
> that ;-)
>
> 1- "does this also prevent people writing their own
> elf loader in a bit of perl and just mmap the code"
>
> I'm not sure to exactly understand what you mean:
>
> - if you mean writing an application able to read &
> 'interpret' an ELF executable: again, I think DigSig
> will prevent this, because when you mmap the code,
> this calls (at kernel level) do_mmap which triggers an
> LSM hook called file_mmap. And we implement checks in
> that hook...

this is not correct, you don't need mmap you can do a read just fine as
well.


> - finally, note you also have choice not to sign this
> elf loader of yours. If it isn't signed, it won't ever
> run ;-)

so you didn't sign perl ? or bash ?



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/