Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

From: Pavel Machek (pavel@private)
Date: Tue May 24 2005 - 11:47:52 PDT

Previous message: Stephen Smalley: "Re: New stacker performance results"
In reply to: Reiner Sailer: "Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme"
Next in thread: Reiner Sailer: "Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi!

> > * remove all the buffer overflows. I.e. if grub contains buffer
> >    overflow in parsing menu.conf... that is not a security hole
> >    (as of now) because only administrator can modify menu.conf.
> >    With IMA enabled, it would make your certification useless...
> 
> Taking your example: Even if you run a buffer-overflow grub, IMA will 
> enable remote parties to differentiate between systems that run
> the vulnerable grub and systems that don't. IMA in this case actually
> can put value to running better software.

Yes, but see above: that buffer overflow in grub was *not* a
vulnerability... not until you introduce IMA.

That is my biggest concern. You are completely changing rules for
userland code. Buffer overflow that only root could exploit used to be
okay. It used to be okay to read config files without communicating
with TPM.
								Pavel

Previous message: Stephen Smalley: "Re: New stacker performance results"
In reply to: Reiner Sailer: "Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme"
Next in thread: Reiner Sailer: "Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Tue May 24 2005 - 12:44:52 PDT