Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries

[Serge E. Hallyn]

Quoting Chris Wright (chrisw@xxxxxxxx):
> * Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:
...
> > We realized that when a shared library is opened by a binary it can 
> > still be modified. To solve the problem, we block the write access to 
> > the shared binary while it is loaded.
> 
> AFAICT, this means anybody with read access to a file can block all
> writes.  This doesn't sound great.

True.

This could be fixed by adding a check at the top of dsi_file_mmap for
file->f_dentry->d_inode->i_mode & MAY_EXEC.  Of course then shared
libraries which are installed without execute permissions will cause
apps to break.  On my quick test, I couldn't run xterm or vi  :)

Note that blocking writes requires that the file be a valid ELF file,
as this is all that digsig mediates.  So I'm not sure which we worry
about more - the fact that all shared libraries have to be installed
with execute permissions (under the proposed solution), or that write
to an ELF file can be prevented by mmap(PROT_EXEC).  Presumably, if
you are replacing an ELF file, you will always want to do 
"mv foo.so foo.so.del; cp new/foo.so foo.so" anyway.

Thoughts?

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/