| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2020 10:52:12 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, linux-integrity@...r.kernel.org
Cc: Casey Schaufler <casey@...aufler-ca.com>,
Jann Horn <jannh@...gle.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Biggers <ebiggers@...nel.org>,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1] ima: verify mprotect change is consistent with
mmap policy
On 5/5/20 10:30 AM, Mimi Zohar wrote:
> Files can be mmap'ed read/write and later changed to execute to circumvent
> IMA's mmap appraise policy rules. Due to locking issues (mmap semaphore
> would be taken prior to i_mutex), files can not be measured or appraised at
> this point. Eliminate this integrity gap, by denying the mprotect
> PROT_EXECUTE change, if an mmap appraise policy rule exists.
>
> On mprotect change success, return 0. On failure, return -EACESS.
>
> Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
> ---
> Changelog v1:
> - Reverse tests to remove code indentation. (Lakshmi Ramasubramanian)
> - General code cleanup, including adding comments.
>
> include/linux/ima.h | 7 ++++++
> security/integrity/ima/ima_main.c | 51 +++++++++++++++++++++++++++++++++++++++
> security/security.c | 7 +++++-
> 3 files changed, 64 insertions(+), 1 deletion(-)
Reviewed-by: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Powered by blists - more mailing lists