Message-ID: <CALrft9-vWX6U+g5KduHWK7s_PE9Le6NL7B478MzGRjS40a34tw@mail.gmail.com>
Date:	Thu, 17 Jan 2013 10:37:11 +0200
From:	Elena Reshetova <elena.reshetova@...il.com>
To:	Vivek Goyal <vgoyal@...hat.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	linux-kernel@...r.kernel.org, pjones@...hat.com, hpa@...or.com,
	dhowells@...hat.com, jwboyer@...hat.com,
	Dmitry Kasatkin <dmitry.kasatkin@...el.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-security-module@...r.kernel.org,
	Ryan Ware <ryan.r.ware@...el.com>
Subject: Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary

>> > Ok, that's the point I am missing. So I can sign a file and signatures
>> > are in a separate file. And these signatures are installed in extended
>> > attributes at file installation time (IOW rpm installation time) on
>> > target.
>> >
>> > If all this works, this sounds reasonable so far. Except the point of
>> > disabling ptrace and locking down memory.
>> >
>> > So what's the state of above work. Is there something I can play with.

Let me try to comment on this one a bit.
The whole idea behind extending the rpm plugin interface was to have an extensive
set of hooks that would allow rpm plugins to perform needed additional things.
Plugins can be different depending on a distribution's needs, and if a distribution
needs to bootstrap IMA signatures, this can also be done in one of the
plugin hooks.

Now about hook status: we have so far integrated into the rpm master branch
only a subset of hooks.
Mainly the cause has been that I am far from working on it all the
time, unfortunately.
Currently I am looking at the filesystem hooks and hoping to send some
version of that patch soon.

When the hooks are integrated, it is really up to the plugin
implementor to design how things will happen.
There will be a hook that is called after a file from a package is
placed on the filesystem, where the
plugin can do many things, like setting MAC labels or setting IMA
signatures on a file.
The way signatures will be stored in a package is also currently open;
there can be a number of options here.
You can define a special rpm header TAG and during package build
embed all the information about
signatures there together with the file name. This way the plugin can
parse the header tag info, get all the signature info,
and when the right hook is called, set up the IMA signature attribute.
But as I said, this is just one way of doing it
and may not be the best one.

Best Regards,
Elena.
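The data flow Elena sketches (signatures carried in a package header tag keyed by file name, then applied to the `security.ima` extended attribute by a post-file-install plugin hook) as an added example. This is not rpm's code or any plugin she describes: the tag payload encoding, the entry layout and the hook function name are constructed here for illustration, and the signature blobs are opaque placeholder bytes. The xattr writer is injectable so the flow can be exercised without root, since writing `security.ima` on a real filesystem requires privilege.

```python
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical payload layout for the package header tag (constructed for this
# example, not an rpm tag format):
#   repeated entries of  u16 path_len | path (UTF-8) | u16 sig_len | signature
IMA_XATTR = "security.ima"


def encode_signature_tag(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build the tag payload at package build time: (path, signature) pairs."""
    out = bytearray()
    for path, sig in entries:
        p = path.encode("utf-8")
        out += struct.pack(">H", len(p)) + p
        out += struct.pack(">H", len(sig)) + sig
    return bytes(out)


def parse_signature_tag(blob: bytes) -> Dict[str, bytes]:
    """Parse the tag payload on the target; rejects truncated or trailing data."""
    sigmap: Dict[str, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated path length")
        (plen,) = struct.unpack_from(">H", blob, off)
        off += 2
        if off + plen + 2 > len(blob):
            raise ValueError("truncated path or signature length")
        path = blob[off:off + plen].decode("utf-8")
        off += plen
        (slen,) = struct.unpack_from(">H", blob, off)
        off += 2
        if off + slen > len(blob):
            raise ValueError("truncated signature")
        sigmap[path] = blob[off:off + slen]
        off += slen
    return sigmap


def post_file_install_hook(
    path: str,
    sigmap: Dict[str, bytes],
    setxattr: Callable[..., None] = os.setxattr,
    xattr_name: str = IMA_XATTR,
) -> bool:
    """Called after a packaged file has been written to the filesystem.

    Looks up the file's signature in the parsed tag and stores it in the IMA
    xattr. Returns False if the package carried no signature for this path.
    Writing security.* xattrs needs CAP_SYS_ADMIN; pass a different writer or
    namespace to exercise the logic unprivileged.
    """
    sig = sigmap.get(path)
    if sig is None:
        return False
    setxattr(path, xattr_name, sig, 0)  # flags=0: create or replace
    return True


def install_files(paths: List[str], tag_blob: bytes,
                  setxattr: Callable[..., None] = os.setxattr) -> List[str]:
    """Drive the hook for every installed file; returns the paths that got a signature."""
    sigmap = parse_signature_tag(tag_blob)
    return [p for p in paths if post_file_install_hook(p, sigmap, setxattr)]


if __name__ == "__main__":
    # Constructed sample package: two files, placeholder signature bytes.
    blob = encode_signature_tag([("/usr/bin/demo", b"<sig-of-demo>"),
                                 ("/etc/demo.conf", b"<sig-of-conf>")])
    applied = []

    def record(path, name, value, flags=0):
        applied.append((path, name, value))

    install_files(["/usr/bin/demo", "/etc/demo.conf", "/usr/share/doc/README"],
                  blob, setxattr=record)
    for entry in applied:
        print(entry)
```

Unsigned files simply get no xattr; whether that is acceptable is the plugin implementor's policy decision, which matches the point that the design is left open to the distribution.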