lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Nov 2017 18:53:48 +0100 From: Roberto Sassu <roberto.sassu@...wei.com> To: Matthew Garrett <mjg59@...gle.com> CC: linux-integrity <linux-integrity@...r.kernel.org>, <linux-security-module@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>, <linux-doc@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com> Subject: Re: [PATCH v2 00/15] ima: digest list feature On 11/7/2017 3:49 PM, Matthew Garrett wrote: > On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu <roberto.sassu@...wei.com> wrote: >> Finally, digest lists address also the third issue because Linux >> distribution vendors already provide the digests of files included in each >> RPM package. The digest list is stored in the RPM header, signed by the >> vendor. > > RPM's hardly universal, and distributions are in the process of moving > away from using it for distributing non-core applications (Flatpak and > Snap are becoming increasingly popular here). I think this needs to be > a generic solution rather than having the kernel tied to a specific > package format. Support for new digest list formats can be easily added. Digest list metadata includes the digest list type, so that the appropriate parser is selected. I defined a new generic format for digest lists in Patch 7/15. I would appreciate if we can discuss this format, and if you can give me suggestions about how to improve it. I think it would not be a problem to support your use case and associate metadata to each digest. Digest lists should be parsed directly by the kernel, because processing the lists in userspace would increase the chances that a compromised tool does not upload to the kernel the expected digests. Also, digest lists must be processed before init, otherwise appraisal will deny the execution. Lastly, the mechanism of parsing files from the kernel is already used to parse the IMA policy. Roberto -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Qiuen PENG, Shengli WANG
Powered by blists - more mailing lists