Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries

From: Serge E. Hallyn
Date: Fri Apr 28 2006 - 12:09:03 EST

Next message: Arjan van de Ven: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module forrun-timeauthentication of binaries"
Previous message: Christoph Lameter: "Re: [PATCH] [1/1] slab: fix crash on __drain_alien_cahce() duringCPU Hotplug"
In reply to: Ulrich Drepper: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries"
Next in thread: Arjan van de Ven: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module forrun-timeauthentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Ulrich Drepper (drepper@xxxxxxxxx):
> On 4/25/06, Axelle Apvrille <axelle_apvrille@xxxxxxxx> wrote:
> >1- "does this also prevent people writing their own
> >elf loader in a bit of perl and just mmap the code"
> >
> >I'm not sure to exactly understand what you mean:
> >
> >- if you mean writing an application able to read &
> >'interpret' an ELF executable: again, I think DigSig
> >will prevent this, because when you mmap the code,
> >this calls (at kernel level) do_mmap which triggers an
> >LSM hook called file_mmap. And we implement checks in
> >that hook...
> >
> >- if you mean modifying the ELF loader so that do_mmap
> >/ file_mmap aren't called, well you'll need to hack
> >the kernel, won't you ?
> >
> >- finally, note you also have choice not to sign this
> >elf loader of yours. If it isn't signed, it won't ever
> >run ;-)
>
> No, there no problem writing a loader. All you need is to create
> anonymous mappings. Via mmap, maybe on the stack, some heaps are
> still executable. Then you load the code, fix it up for the address,
> and be done. The kernel cannot and will not prevent a read(2) call on
> the binary. That's all that's needed. And without the SELinux
> support in place you cannot prevent non-exec memory creation and even

BS - you can stack another LSM to prevent that.

Or, stack it with SELinux. I've tested that combination before with no
problems.

> then, some people need it (jvms, OpenGL libs, etc) to generate code on
> the fly. So it's never completely ruled out. Again, look at the code
> in http://people.redhat.com/drepper/selinux-mem.html.
>
> Given you have executable anonymous memory it is a one-time small
> effort to write a loader and you're done. Nothing your signature

A one time effort to write it *and sign it*.

You could just as well write it and give it it's own domain with {
execheap execmem execstack execmod } permissions.

> detection code can do about it. This is snake oil.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arjan van de Ven: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module forrun-timeauthentication of binaries"
Previous message: Christoph Lameter: "Re: [PATCH] [1/1] slab: fix crash on __drain_alien_cahce() duringCPU Hotplug"
In reply to: Ulrich Drepper: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries"
Next in thread: Arjan van de Ven: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module forrun-timeauthentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]