[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALrft9-vWX6U+g5KduHWK7s_PE9Le6NL7B478MzGRjS40a34tw@mail.gmail.com>
Date: Thu, 17 Jan 2013 10:37:11 +0200
From: Elena Reshetova <elena.reshetova@...il.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
linux-kernel@...r.kernel.org, pjones@...hat.com, hpa@...or.com,
dhowells@...hat.com, jwboyer@...hat.com,
Dmitry Kasatkin <dmitry.kasatkin@...el.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-security-module@...r.kernel.org,
Ryan Ware <ryan.r.ware@...el.com>
Subject: Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary
>> > Ok, that's the point I am missing. So I can sign a file and signatures
>> > are in a separate file. And these signatures are installed in extended
>> > attributes at file installation time (IOW rpm installation time) on
>> > target.
>> >
>> > If all this works, this sounds reasonable so far. Except the point of
>> > disabling ptrace and locking down memory.
>> >
>> > So what's the state of above work. Is there something I can play with.
Let me try to comment on this one a bit.
Thewhole idea behind extending rpm plugin interface was to have an extensive
set of hooks that would allow rpm plugins to perform needed additional things.
Plugins can be different dependening on a ditsibution need, and if a
distribution
needs to bootstrap IMA signatures, this can also be done in one of
plugins hooks.
Now about hook status: we have so far integrated to rpm master branch
only a subset of hooks.
Mainly the cause has been that I am far from working on it all the
time unfortunately.
Currently I am looking at the filesystem hooks and hoping to send some
version of that patch soon.
When the hooks will be integrated,it is really up to plugin
implementor to design how thing wil happen.
There will be a hook that would be called after file from a package is
placed to filesystem, where
plugin can do many things, like setting MAC labels or setting IMA
signatures on a file.
The way signature will be stored in a package is also currently open,
there can be a number of options here.
You can define a special rpm header TAG and during package build
embeed all the informaiton about
signatures there together with the file name. This way plugin can
parse the header tag info, get all signatures info
and when the right hook is called, setup the IMA signature attribute.
But as I said, this is just one way of doing it
and may not be the best one.
Best Regards,
Elena.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists