lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 5 Feb 2013 15:36:16 -0500
From:	Peter Jones <pjones@...hat.com>
To:	Dmitry Kasatkin <dmitry.kasatkin@...el.com>
Cc:	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC 2/2] initramfs with digital signature protection

On Tue, Feb 05, 2013 at 02:34:50PM +0200, Dmitry Kasatkin wrote:

> +static const char *secmnt = "/root";
> +static const char *initramfs_img = "/initramfs-sig.img";
> +
> +static int __init load_image(const char *from)
> +{
...
> +	err = sys_mount("tpmfs", (char *)secmnt, "tmpfs", MS_SILENT, NULL);
> +	if (err) {
> +		pr_err("sys_mount() = %d\n", err);
> +		goto out;
> +	}
> +
> +	sys_unshare(CLONE_FS | CLONE_FILES);
> +	sys_chdir(secmnt);
> +	sys_chroot(".");
> +	sys_setsid();
> +
> +	pr_info("unpack start\n");
> +	msg = unpack_to_rootfs(buf, offset);
...
> +}
> +
> +static int __init init_init(struct subprocess_info *info, struct cred *new)
> +{
> +	return load_image(initramfs_img);
> +}
> +
> +static void init_cleanup(struct subprocess_info *info)
> +{
> +	int err;
> +
> +	pr_info("cleanup\n");
> +
> +	err = sys_umount((char *)secmnt, MNT_DETACH);
> +	if (err)
> +		pr_err("unable to umount secmnt: %d\n", err);
> +}
> +
> +static int __init load_initramfs(void)
> +{
> +	static char *argv[] = { "pre-init", NULL, };
> +	extern char *envp_init[];
> +	int err;
> +
> +	/*
> +	 * In case that a resume from disk is carried out by linuxrc or one of
> +	 * its children, we need to tell the freezer not to wait for us.
> +	 */
> +	current->flags |= PF_FREEZER_SKIP;
> +
> +	err = call_usermodehelper_fns("/pre-init", argv, envp_init,
> +				      UMH_WAIT_PROC, init_init, init_cleanup,
> +				      NULL);
> +
> +	current->flags &= ~PF_FREEZER_SKIP;
> +
> +	pr_info("initramfs_sig /pre-init completed: %d\n", err);
> +
> +	return err;
> +}

So, there's another issue here - if you do want to run a fully-signed 
initramfs, and so there's nothing else in the container, you go through
this code and it mounts it.  In this case the wrapper initramfs which
includes the signed image is still in memory, and there's nothing e.g.
dracut can do about it.  Which means you've got two whole copies of the
initramfs in memory, and even if code later cleans up the one it sees,
you can't get rid of the other one.

(this would not be an issue without the wrapper.)

-- 
        Peter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ