Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries

[Chris Wright]

* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> > Thing is, x86 makes no distinction btween r/x so, have you tried mmaping
> > with read, then executing (I haven't)?
> 
> Yup, clearly that will work on x86.  And so obviously DigSig is not
> a solution to format and buffer overflows  :)  Nor, unfortunately, a

heh

> solution to code which for whatever reason exploited this behavior.

That's what I was getting at.  Beats me what's out there that does this,
but I expect some stuff does, and it wouldn't get the same assurance.

> > This has nothing to do with file permissions aside of read.  All you need
> > is read permission, then you can mmap(PROT_EXEC) which will kick off the
> > check, and do deny_write_access.  It's a freeform way to lock writers
> > out of any readable file in the system.
> 
> No, not "any readable file," because DigSig will not lock non-ELF files.

Ahh, this is the part I had missed.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/