Message-ID: <20130308154033.GA8219@redhat.com>
Date:	Fri, 8 Mar 2013 10:40:33 -0500
From:	Vivek Goyal <vgoyal@...hat.com>
To:	"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	Eric Paris <eparis@...isplace.org>,
	linux kernel mailing list <linux-kernel@...r.kernel.org>,
	LSM List <linux-security-module@...r.kernel.org>
Subject: Re: IMA: How to manage user space signing policy with others

On Fri, Mar 08, 2013 at 10:09:48AM +0200, Kasatkin, Dmitry wrote:

[..]
> > - File could have invalid signature still iint->DIGSIG could be set and
> >   security hook will return success.
> >         - Assume system has booted with ima_appraise_tcb policy.
> >         - A binary executes. bprm_check() is called and it will
> >           set iint->DIGSIG.
> >         - User goes ahead and replaces appraise policy with some
> >           other policy so no appraisal rule will match for same file.
> 
> Policy can only be replaced once. So if policy has been initialized at
> early-user-space,
> then it cannot be replaced...

Sure, but early user space does not have to initialize the "policy",
does it? At least currently the kernel can not enforce it. So root can always
decide to load the policy some time later. Assume ima_appraise_tcb is
enabled at kernel command line.

Given that in secureboot environment we are not trusting root, it at least
gives root a way to deceive IMA due to caching.
 
[..]
> > In summary, we can still solve the problem we can do few things.
> >
> > - Provide a reliable way to disable caching of iint->DIGSIG, digest
> >   and appraisal results.
> >
> > - Provide functions to access iint->DIGSIG after every file execution.

Actually if we have to disable caching to make it work reliably, then that
means we are not storing iint->DIGSIG and that means we can't access it
later with a helper function. So status of iint->DIGSIG has to be returned
with the hook itself and current security hooks don't have any extra
fields to do that.

Thanks
Vivek