> Since you mentioned digsig, how does evm compare with it aside from what
> you mention above? digsig seemed to go to great lengths to try to
> prevent modification of the executable after validation, and made use of
> the file_mmap hook for the actual checking, IIRC.

Interesting question. EVM does not try to prevent this. Partly this is based on the Trusted Computing philosophy that you can't prevent malicious changes to the TCB, particularly against in-memory attacks and against off-line attacks, but you do want at least to detect the TCB changes on next boot or next file verification.

> What is the plan for initialization and maintenance of these new
> extended attributes? How do you intend to integrate with package
> managers?

Internally we have an alpha pilot which integrates all of this into our network installer front end to anaconda. This installation system automatically, as part of a normal install, initializes the TPM, builds all the sealed keys, and uses a modified rpmlib to label all files on the fly during install. The labeling utilities included in the tarball are mainly for labeling an existing system (or occasionally relabeling).

> Red flag: I see path_lookup(bprm->filename...) calls in your security
> modules (both of them). Tell me what prevents that lookup from
> returning a different result than the kernel received upon the
> open_exec, thereby opening a trivial race condition/TOCTTOU
> vulnerability in your security module? Why aren't you just using
> bprm->file?

D'oh. I am typing this on a system using bprm->file now. Thanks.

> post_create-style hooks in the VFS are fundamentally racy, as the inode
> is already accessible via the dcache to other threads at that point.
> Are you sure you want them? What are you doing to address the potential
> race?

EVM does have to update a file's hmac xattr post_create, because the data needed for the update is not available earlier. I thought we were handling the race with the evm_crypto semaphore, but I will double check.

Thanks for the excellent comments/questions...

dave
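The "red flag" exchange above (re-resolving bprm->filename instead of using the already-opened bprm->file) is the classic check-then-use race. The following is an added userspace model of that bug and its fix; it is not EVM code and has no kernel dependencies. It assumes a writable /tmp, uses FNV-1a as a stand-in for whatever measurement the module really computes, and the two file contents are constructed samples. The "racy" path verifies the file found by a pathname lookup and then opens the name again, exactly as a second path_lookup() would, so an attacker who renames a different file over that name in the window gets the unverified file used; the "safe" path opens once and both verifies and uses that same open file description, which a rename cannot redirect.

```c
/*
 * Added example, not EVM code: userspace model of the bprm->filename
 * vs. bprm->file TOCTTOU. Assumes a writable /tmp; FNV-1a stands in for
 * the real measurement; file contents below are constructed samples.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define GOOD_CONTENT "#!/bin/sh\necho trusted\n"   /* constructed sample */
#define EVIL_CONTENT "#!/bin/sh\necho owned\n"     /* constructed sample */
#define FNV_OFFSET 1469598103934665603ULL

/* Paths of the constructed files, filled in by run_demo(). */
static char g_path[64], g_evil[72];

static uint64_t fnv1a(const unsigned char *p, size_t n, uint64_t h)
{
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}

/* Measure the content behind an open fd without moving its offset. */
static uint64_t hash_fd(int fd)
{
    uint64_t h = FNV_OFFSET;
    unsigned char buf[256];
    ssize_t n;
    off_t off = 0;
    while ((n = pread(fd, buf, sizeof buf, off)) > 0) {
        h = fnv1a(buf, (size_t)n, h);
        off += n;
    }
    return h;
}

/* The attacker's move inside the race window: same name, different inode. */
static void swap_in_evil(void) { rename(g_evil, g_path); }

/* Racy: verify what the name resolves to now, then use what it resolves to later. */
static int racy_verify_then_use(const char *path, uint64_t expected,
                                void (*window)(void), char *out, size_t outsz)
{
    int fd = open(path, O_RDONLY);          /* first lookup (path_lookup analogue) */
    if (fd < 0) return -1;
    uint64_t h = hash_fd(fd);
    close(fd);
    if (h != expected) return -1;           /* verification failed */
    if (window) window();                   /* attacker acts here */
    fd = open(path, O_RDONLY);              /* second lookup: may be another file */
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, outsz - 1, 0);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;                               /* "verified", but not this content */
}

/* Safe: one open; verification and use share the same file description. */
static int safe_verify_then_use(const char *path, uint64_t expected,
                                void (*window)(void), char *out, size_t outsz)
{
    int fd = open(path, O_RDONLY);          /* bprm->file analogue */
    if (fd < 0) return -1;
    if (window) window();                   /* rename cannot change our fd's inode */
    uint64_t h = hash_fd(fd);
    if (h != expected) { close(fd); return -1; }
    ssize_t n = pread(fd, out, outsz - 1, 0);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Build GOOD and EVIL files, run one variant with the swap in its window.
 * Returns the variant's verification result (0 = passed); out = content used. */
int run_demo(int use_safe, char *out, size_t outsz)
{
    char dir[] = "/tmp/evm-toctou-XXXXXX";
    if (!mkdtemp(dir)) return -2;
    snprintf(g_path, sizeof g_path, "%s/prog", dir);
    snprintf(g_evil, sizeof g_evil, "%s/prog.evil", dir);
    if (write_file(g_path, GOOD_CONTENT) || write_file(g_evil, EVIL_CONTENT)) return -2;
    uint64_t expected = fnv1a((const unsigned char *)GOOD_CONTENT, strlen(GOOD_CONTENT), FNV_OFFSET);
    int rc = use_safe ? safe_verify_then_use(g_path, expected, swap_in_evil, out, outsz)
                      : racy_verify_then_use(g_path, expected, swap_in_evil, out, outsz);
    unlink(g_path); unlink(g_evil); rmdir(dir);
    return rc;
}

/* 1 if the racy check passed yet the swapped-in content was used. */
int demo_racy_used_evil(void)
{
    char out[128];
    return run_demo(0, out, sizeof out) == 0 && strcmp(out, EVIL_CONTENT) == 0;
}

/* 1 if the safe check passed and the verified content is what was used. */
int demo_safe_used_good(void)
{
    char out[128];
    return run_demo(1, out, sizeof out) == 0 && strcmp(out, GOOD_CONTENT) == 0;
}

int main(void)
{
    printf("racy: check passed but evil content used: %s\n", demo_racy_used_evil() ? "yes" : "no");
    printf("safe: verified content is what was used:  %s\n", demo_safe_used_good() ? "yes" : "no");
    return 0;
}
```

The swap is driven synchronously here so the outcome is deterministic; in the real race a second thread or process performs the rename, and the window is only as wide as the gap between the two lookups, which is why such bugs pass casual testing. Note the fix is not "hash faster" but "stop looking the name up twice": the object that was verified and the object that is used must be the same open file.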
This archive was generated by hypermail 2.1.3 : Tue Oct 18 2005 - 14:22:23 PDT