RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries

On Mon, 2006-04-24 at 12:27 -0400, Makan Pourzandi (QB/EMC) wrote:
> Hi Arjan, 
> 
> I hope I correctly understood your question, DigSig uses LSM hooks to
> check the digital signature before loading it, then as long as your elf
> loader uses kernel system calls, it's covered by DigSig. 

OK, I have to admit that this answer worries me.

How can it be covered? How do you distinguish an ELF loader application
(which just uses open + mmap after all) from... say a grep-calling perl
script?

As long as you allow apps to mmap (or even just read() a file into
memory)... they can start acting like an ELF loader if they choose to do
so. And... remember it's not the files WITH signature you're protecting
against (which you could check) but the ones WITHOUT. And there are many
of those; and you can't sign ALL files I think, not without going
through really great hoops anyway.
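
The concern raised in this message, seen from the detection side, as an added example that is not part of the original post or of DigSig: it parses `/proc/<pid>/maps`-format text and reports executable mappings that no file signature could vouch for, either because there is no backing file or because the file is not in the signed set. The sample lines, the `SIGNED` set and the names `audit_maps` and `Finding` are constructed for illustration; JIT compilers also create anonymous executable mappings, so findings need triage.

```python
import re
from typing import NamedTuple

# Constructed sample in /proc/<pid>/maps format (not captured from a real system).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131090 /bin/grep
0060a000-0060b000 rw-p 0000a000 08:01 131090 /bin/grep
7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0
7f1c2b400000-7f1c2b5b0000 r-xp 00000000 08:01 262201 /lib/libc-2.3.6.so
7f1c2b800000-7f1c2b801000 r-xp 00000000 00:00 0
7f1c2c000000-7f1c2c002000 r-xp 00000000 08:01 393300 /tmp/unsigned.bin
7ffd4a5e0000-7ffd4a601000 rw-p 00000000 00:00 0 [stack]
7ffd4a7f0000-7ffd4a7f2000 r-xp 00000000 00:00 0 [vdso]
"""

# Assumption: paths of the files known to carry a valid signature.
SIGNED = {"/bin/grep", "/lib/libc-2.3.6.so"}
# Executable pages the kernel itself maps into every process.
KERNEL_PROVIDED = {"[vdso]", "[vsyscall]"}
# Fields: start-end perms offset dev inode [pathname]
LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$")

class Finding(NamedTuple):
    start: int
    perms: str
    path: str
    reason: str

def audit_maps(maps_text, signed_paths):
    """Return executable mappings that a file-signature check cannot account for."""
    findings = []
    for line in maps_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a maps record
        start, _end, perms, path = m.groups()
        if "x" not in perms or path in KERNEL_PROVIDED:
            continue
        if not path or path.startswith("["):
            # No backing file: the bytes were copied in, e.g. with read().
            reason = "anonymous-exec"
        elif path not in signed_paths:
            reason = "unsigned-file-exec"
        else:
            continue
        findings.append(Finding(int(start, 16), perms, path, reason))
    return findings

if __name__ == "__main__":
    for f in audit_maps(SAMPLE_MAPS, SIGNED):
        print(f"{f.start:#x} {f.perms} {f.path or '<anonymous>'} {f.reason}")
```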


