Message-ID: <20130207170542.GF6462@redhat.com>
Date:	Thu, 7 Feb 2013 12:05:43 -0500
From:	Vivek Goyal <vgoyal@...hat.com>
To:	Dmitry Kasatkin <dmitry.kasatkin@...el.com>
Cc:	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC 2/2] initramfs with digital signature protection

On Tue, Feb 05, 2013 at 02:34:50PM +0200, Dmitry Kasatkin wrote:

[..]
> +static int __init load_initramfs(void)
> +{
> +	static char *argv[] = { "pre-init", NULL, };
> +	extern char *envp_init[];
> +	int err;
> +
> +	/*
> +	 * In case that a resume from disk is carried out by linuxrc or one of
> +	 * its children, we need to tell the freezer not to wait for us.
> +	 */
> +	current->flags |= PF_FREEZER_SKIP;
> +
> +	err = call_usermodehelper_fns("/pre-init", argv, envp_init,
> +				      UMH_WAIT_PROC, init_init, init_cleanup,
> +				      NULL);
> +
> +	current->flags &= ~PF_FREEZER_SKIP;
> +
> +	pr_info("initramfs_sig /pre-init completed: %d\n", err);
> +
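
Review bot: In load_initramfs(), the return value of call_usermodehelper_fns() is reported with pr_info() as "completed" whether or not /pre-init succeeded, and in the lines shown err is not checked before that message. A non-zero err should be tested explicitly and logged with pr_err(), so that a failed /pre-init is not reported the same way as a successful one. Two smaller points: the "extern char *envp_init[];" declaration inside the function body belongs in a shared header, and the freezer comment still refers to linuxrc while the helper started here is /pre-init.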

Dmitry, 

How do we make sure that this is the first call to user mode helpers? I
see that we first unpacked the unsigned initramfs. Then after a while we
unpacked the signed initramfs on /root and did a chroot. But now there is
a window before chroot, where the kernel might call into /sbin/hotplug or
/sbin/modprobe from the unsigned initramfs?

Specifically, I put in some printks and I am seeing calls to /sbin/hotplug
before we even unpacked the signed initramfs.

Thanks
Vivek