Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries

From: Chris Wright
Date: Thu Sep 09 2004 - 13:14:15 EST


* Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:
> Hi Chris,
>
> Chris Wright wrote:
> > * Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:
> >>
> >>The DSI development team would like to announce release 1.3.1 of digsig.
> ...
> >>
> >>Changes from Digsig release 0.2 announced in this mailing list:
> >>================================================================
> >>
> >> - the verification of signatures for the shared binaries has been
> >> added.
> >> - added support for caching of signatures
> >> - added documentation for digsig
> >> - added support for revoked signatures
> >> - support to avoid the vulnerability of rewriting shared
> >> libraries
> >
> >
> > Could you elaborate on this one?
>
> We realized that when a shared library is opened by a binary, it can
> still be modified. To solve the problem, we block write access to
> the shared binary while it is loaded.

AFAICT, this means anybody with read access to a file can block all
writes. This doesn't sound great.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net