lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <9a950016-0ea6-adec-5d9b-a1f1760d51a0@linux.alibaba.com>
Date:   Wed, 28 Mar 2018 09:02:29 +0800
From:   Jia Zhang <zhang.jia@...ux.alibaba.com>
To:     Jessica Yu <jeyu@...nel.org>
Cc:     Rusty Russell <rusty@...tcorp.com.au>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 0/3][RESEND] modsign enhancement



On 2018/3/28 上午6:11, Jessica Yu wrote:
> +++ Jia Zhang [24/03/18 10:59 +0800]:
>> This patch series allows to disable module validity enforcement
>> in runtime through the control switch located in securityfs.
>>
>> In order to keep /sys/module/module/parameters/sig_enforce simple,
>> the disablement switch is located at
>> /sys/kernel/security/modsign/disable_enforce.
>>
>> Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
>> test this control switch.
>>
>> # cat /sys/module/module/parameters/sig_enforce
>> N
>> # echo 1 > /sys/module/module/parameters/sig_enforce
>> # cat /sys/module/module/parameters/sig_enforce
>> Y
>> # echo -n 0 > no_sig_enforce
>> # openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
>>    -inkey <system_trusted_key> -signer <cert> -outform der \
>>    -out /sys/kernel/security/modsign/disable_enforce
>> # cat /sys/module/module/parameters/sig_enforce
>> N
> 
> I'm not convinced we need this. And neither the use case nor the
> motivation is explained in the cover letter :-(
> 
> The way I see it - the only time you'd actually use this is in the
> situation where you have *already* enabled sig_enforce, and then later
> you change your mind - meaning you wanted to load unsigned modules
> after all. And if you ever plan on loading unsigned modules, why would
> you have enabled sig_enforce in the first place? If you want to keep

Similar SELinux, this is just providing a runtime switch to disable
modsign temporarily in a safer way. At least it is cannot be simply
disabled.

Thanks,
Jia

> the option of loading unsigned modules, don't have sig_enforce or
> CONFIG_MODULE_SIG_FORCE enabled.
> 
> [ CC'd Rusty in case he has some thoughts on this ]
> 
> Jessica

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ