| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com>
Date: Thu, 12 Apr 2018 18:41:48 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: Matthew Garrett <mjg59@...gle.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
Eric Biederman <ebiederm@...ssion.com>,
kexec@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [PATCH 0/3] kexec: limit kexec_load syscall
In environments that require the kexec kernel image to be signed, prevent
using the kexec_load syscall. In order for LSMs and IMA to differentiate
between kexec_load and kexec_file_load syscalls, this patch set adds a
call to security_kernel_read_file() in kexec_load_check().
Signed-off-by: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Mimi Zohar (3):
ima: based on the "secure_boot" policy limit syscalls
kexec: call LSM hook for kexec_load syscall
ima: based on policy require signed kexec kernel images
kernel/kexec.c | 11 +++++++++++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_main.c | 9 +++++++++
security/integrity/ima/ima_policy.c | 27 ++++++++++++++++++++-------
4 files changed, 41 insertions(+), 7 deletions(-)
--
2.7.5
Powered by blists - more mailing lists