lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.21.1907130953130.21853@namei.org>
Date:   Sat, 13 Jul 2019 10:14:41 +1000 (AEST)
From:   James Morris <jmorris@...ei.org>
To:     Salvatore Mesoraca <s.mesoraca16@...il.com>
cc:     linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
        linux-mm@...ck.org, linux-security-module@...r.kernel.org,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Brad Spengler <spender@...ecurity.net>,
        Casey Schaufler <casey@...aufler-ca.com>,
        Christoph Hellwig <hch@...radead.org>,
        Jann Horn <jannh@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        PaX Team <pageexec@...email.hu>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH v5 01/12] S.A.R.A.: add documentation

On Sat, 6 Jul 2019, Salvatore Mesoraca wrote:

> Adding documentation for S.A.R.A. LSM.

It would be good if you could add an operational overview to help people 
understand how it works in practice, e.g. setting policies for binaries 
via sara-xattr and global config via saractl (IIUC). It's difficult to 
understand if you have to visit several links to piece things together.

> +S.A.R.A.'s Submodules
> +=====================
> +
> +WX Protection
> +-------------
> +WX Protection aims to improve user-space programs security by applying:
> +
> +- `W^X enforcement`_
> +- `W!->X (once writable never executable) mprotect restriction`_
> +- `Executable MMAP prevention`_
> +
> +All of the above features can be enabled or disabled both system wide
> +or on a per executable basis through the use of configuration files managed by
> +`saractl` [2]_.

How complete is the WX protection provided by this module? How does it 
compare with other implementations (such as PaX's restricted mprotect).

> +Parts of WX Protection are inspired by some of the features available in PaX.

Some critical aspects are copied (e.g. trampoline emulation), so it's 
more than just inspired. Could you include more information in the 
description about what's been ported from PaX to SARA?
	

-- 
James Morris
<jmorris@...ei.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ