Message-ID: <alpine.LRH.2.21.1906281552350.26685@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.inter>
Date: Fri, 28 Jun 2019 16:27:28 -0700 (PDT)
From: Jaskaran Singh Khurana <jaskarankhurana@...ux.microsoft.com>
To: Eric Biggers <ebiggers@...nel.org>
cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-fsdevel@...r.kernel.org, agk@...hat.com, snitzer@...hat.com,
dm-devel@...hat.com, jmorris@...ei.org, scottsh@...rosoft.com,
mpatocka@...hat.com, gmazyland@...il.com
Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation.

Hello Eric,

On Fri, 28 Jun 2019, Eric Biggers wrote:
>> In a datacenter-like environment, this will protect the system from the below
>> attacks:
>>
>> 1. Prevents an attacker from deploying scripts that run arbitrary executables on the system.
>> 2. Prevents a physically present malicious admin from running arbitrary code on the
>> machine.
>>
>> Regards,
>> Jaskaran
>
> So you are trying to protect against people who already have a root shell?
>
> Can't they just e.g. run /usr/bin/python and type in some Python code?
>
> Or run /usr/bin/curl and upload all your secret data to their server.
>
> - Eric
>

You are correct, it would not be feasible for a general purpose distro,
but for embedded systems and other cases where there is a more tightly
locked-down system.

Regards,
Jaskaran.