Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries

From: Makan Pourzandi
Date: Thu Sep 09 2004 - 15:54:31 EST




Serge E. Hallyn wrote:
> Quoting Chris Wright (chrisw@xxxxxxxx):
>
>> * Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:
>>
>>> ...
>>>
>>> We realized that when a shared library is opened by a binary it can still be modified. To solve the problem, we block the write access to the shared binary while it is loaded.
>>
>> AFAICT, this means anybody with read access to a file can block all
>> writes. This doesn't sound great.
>
> True.

I want to narrow down the discussion; I believe that some people could get confused with the mention of "file" here. AFAICT, the above problem only concerns the shared libraries. Digsig applies only to binaries: in digsig_file_mmap(), implementing the file_mmap LSM hook, if the file is not executable there is a return and no verification or any other blocking is done.

For executables, there is no meaning to load them in read mode; you should have execute permission. If you then load them for execution, IMHO it makes sense to block writing on that file.

For shared libraries, you're right, the problem exists: the shared libraries can be loaded being only readable (even though I remember reading in exec.c:sys_uselib() in kernel 2.6.8.1 that the shared libraries must be both readable and executable due to "security reasons", but I'm not an expert and definitely readable is enough to load the shared library, but I'll be happy to learn more about this).

> This could be fixed by adding a check at the top of dsi_file_mmap for
> file->f_dentry->d_inode->i_mode & MAY_EXEC. Of course then shared
> libraries which are installed without execute permissions will cause
> apps to break. On my quick test, I couldn't run xterm or vi :)
>
> Note that blocking writes requires that the file be a valid ELF file,
> as this is all that digsig mediates. So I'm not sure which we worry
> about more - the fact that all shared libraries have to be installed
> with execute permissions (under the proposed solution), or that write

My 2 cents: a quick browse on my machine (Fedora Core 1) shows that almost all my shared libraries are installed with both execute and read permissions. IMHO, I don't believe then that this should be considered a major issue.

> to an ELF file can be prevented by mmap(PROT_EXEC). Presumably, if
> you are replacing an ELF file, you will always want to do "mv foo.so foo.so.del; cp new/foo.so foo.so" anyway.
>
> Thoughts?
>
> thanks,
> -serge

Regards,
Makan


--

Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*
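As an added example (not part of this thread and not Digsig code), a small POSIX shell audit for the concern discussed above: it lists the ELF objects under a directory tree that carry no execute bit, i.e. the shared libraries that would stop loading under a "file must have execute permission" check in the file_mmap hook. It assumes find, od and tr are available; the directories to scan are arguments you supply.

```shell
#!/bin/sh
# Added example, not Digsig code: find ELF files that would fail a
# "must have execute permission" check on file_mmap, so a deployer can
# see which shared libraries would break before enabling such a policy.
# Assumes a POSIX shell with find, od and tr available.

# is_elf FILE: succeed if the first four bytes of FILE are the ELF magic
# (0x7f 'E' 'L' 'F'); anything else, including unreadable files, fails.
is_elf() {
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# list_nonexec_elf DIR...: print, sorted, every regular file under the
# given directories that is an ELF object and has no execute bit for
# user, group or other.  These are the files an i_mode execute check
# on mmap would reject, even though a read-only mapping loads them today.
list_nonexec_elf() {
    find "$@" -type f ! -perm -100 ! -perm -010 ! -perm -001 -print |
    while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Usage (paths are just an illustration): list_nonexec_elf /lib /usr/lib
```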

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/