Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

> > > 
> > > If I understand you, then you are claiming that steps (ii) to (v) 
> > > introduce buffer overflows in bash or show_etc_issue. How?
> > 
> > No, I'm not claiming that. You are certainly *not* introducing any new
> > problems.
> > 
> > But some problems that used to be harmless (buffer overrun in
> > show_etc_issue command) are not harmless any more.
> 
> How is a buffer overrun in a script/application less "harmless" with IMA? 
> Please be specific. Preliminary IMA patches are out on the mailing lists.
> 
> The only thing that IMA does with respect to existing known buffer 
> overruns is that it enables remote parties to know that there is an application 
> with a known buffer overrun if this application/script was measured. Such 
> information is sensitive and this is one reason why direct access to the 
> measurements are restricted to authorized/trusted parties.

Well, you'll have to add measurement of any security-sensitive config
file, any script, and will have to make sure that all parsing of
system config files does not contain buffer-overrun problems. That's
lot of work before IMA is usefull. It is true you do not make
situation any worse.

Good luck and go ahead.
								Pavel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux