lists.openwall.net (Open Source and information security mailing list archives)
Date: Wed, 19 Oct 2022 10:34:48 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Kees Cook <keescook@...omium.org>
Cc: Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Mickaël Salaün <mic@...ikod.net>, Petr Vorel <pvorel@...e.cz>, Borislav Petkov <bp@...e.de>, Takashi Iwai <tiwai@...e.de>, Jonathan McDowell <noodles@...com>, linux-security-module@...r.kernel.org, linux-integrity@...r.kernel.org, KP Singh <kpsingh@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM

On Thu, 2022-10-13 at 15:36 -0700, Kees Cook wrote:
> This moves the trivial hard-coded stacking of IMA LSM hooks into the
> existing LSM infrastructure.

The only thing trivial about making IMA and EVM LSMs is moving them to
LSM hooks.

Although static files may be signed and the signatures distributed with
the file data through the normal distribution mechanisms (e.g. RPM),
other files cannot be signed remotely (e.g. configuration files). For
these files, both IMA and EVM may be configured to maintain persistent
file state stored as security xattrs in the form of security.ima file
hashes or security.evm HMACs. The LSM flexibility of enabling/disabling
IMA or EVM on a per boot basis breaks this usage, potentially preventing
subsequent boots.

-- 
thanks,

Mimi
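The persistent state Mimi describes is the security.ima xattr holding a hash of the file contents. The following is an added example, not code from this thread or from the kernel: it encodes and verifies a security.ima hash value in the kernel's on-disk layout (type byte, hash-algorithm id, digest). The type byte values follow the kernel's enum evm_ima_xattr_type and the algorithm ids follow its hash_algo enum; the function and variable names, and the sample file contents, are constructed here for illustration.

```python
import hashlib
import os

# Xattr type bytes from the kernel's enum evm_ima_xattr_type
# (security/integrity/integrity.h).
IMA_XATTR_DIGEST = 0x01      # legacy: bare SHA-1 digest follows
EVM_XATTR_HMAC = 0x02        # security.evm HMAC over metadata (not parsed here)
EVM_IMA_XATTR_DIGSIG = 0x03  # signature rather than a plain hash
IMA_XATTR_DIGEST_NG = 0x04   # hash-algo id byte, then the digest

# Kernel hash_algo ids (include/uapi/linux/hash_info.h) mapped onto
# hashlib names; any other id is treated as unrecognised.
HASH_ALGO = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_security_ima(xattr):
    """Return (algo_name, digest) for a security.ima hash value, or None
    when the xattr carries a signature, an unknown algo, or is empty."""
    if not xattr:
        return None
    kind = xattr[0]
    if kind == IMA_XATTR_DIGEST:
        return ("sha1", xattr[1:])
    if kind == IMA_XATTR_DIGEST_NG and len(xattr) >= 2:
        algo = HASH_ALGO.get(xattr[1])
        if algo is None:
            return None
        return (algo, xattr[2:])
    return None


def verify_file_hash(data, xattr):
    """Compare file contents against the hash stored in security.ima.
    Returns "ok", "mismatch", "malformed" or "unverifiable"."""
    parsed = parse_security_ima(xattr)
    if parsed is None:
        return "unverifiable"
    algo, stored = parsed
    if len(stored) != hashlib.new(algo).digest_size:
        return "malformed"
    return "ok" if hashlib.new(algo, data).digest() == stored else "mismatch"


def build_security_ima(data, algo="sha256"):
    """Encode a hash the way IMA stores it: type byte, algo id, digest."""
    algo_id = {name: ident for ident, name in HASH_ALGO.items()}[algo]
    return bytes([IMA_XATTR_DIGEST_NG, algo_id]) + hashlib.new(algo, data).digest()


def check_path(path):
    """Read security.ima from a real file (Linux only; IMA must have
    written the xattr, which normally requires appraisal being enabled).
    A missing xattr is exactly the state a boot with IMA disabled leaves
    behind: the hash is never created or refreshed for that file."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return "unsupported"
    try:
        xattr = getxattr(path, "security.ima")
    except OSError:
        return "missing"
    with open(path, "rb") as f:
        return verify_file_hash(f.read(), xattr)


def demo():
    # Constructed sample: a "configuration file" hashed, then modified.
    original = b"# constructed sample config\nsetting = 1\n"
    stored = build_security_ima(original)
    return {
        "unchanged": verify_file_hash(original, stored),
        "edited": verify_file_hash(original + b"setting = 2\n", stored),
        "signed": verify_file_hash(original, bytes([EVM_IMA_XATTR_DIGSIG]) + b"\x00" * 8),
    }


if __name__ == "__main__":
    print(demo())
```

The "unverifiable" result for a signature-type xattr is deliberate: a security.ima signature is checked against a key on the IMA keyring, which this plain hash check cannot do. The example verifies only the hash form, which is the form IMA writes itself for locally modified files.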