Re: [RFC][PATCH] EVM and SLIM LSM modules

From: David Safford (safford@private)
Date: Tue Oct 18 2005 - 14:21:34 PDT


> Since you mentioned digsig, how does evm compare with it aside from what
> you mention above?  digsig seemed to go to great lengths to try to
> prevent modification of the executable after validation, and made use of
> the file_mmap hook for the actual checking, IIRC.  

Interesting question. EVM does not try to prevent this. Partly this
is based on the Trusted Computing philosophy that you can't prevent
malicious changes to the TCB, particularly against in-memory attacks,
and against off-line attacks, but you do want at least to detect
the TCB changes on next boot or next file verification.
> 
> What is the plan for initialization and maintenance of these new
> extended attributes?  How do you intend to integrate with package
> managers?

Internally we have an alpha pilot which integrates all of this
into our network installer front end to anaconda. This installation
system automatically, as part of a normal install, initializes
the TPM, builds all the sealed keys, and uses a modified rpmlib to
label all files on the fly during install. The labeling utilities
included in the tarball are mainly for labeling an existing system
(or occasionally relabeling).
> 
> Red flag:  I see path_lookup(bprm->filename...) calls in your security
> modules (both of them).  Tell me what prevents that lookup from
> returning a different result than the kernel received upon the
> open_exec, thereby opening a trivial race condition/TOCTTOU
> vulnerability in your security module?  Why aren't you just using
> bprm->file? 

D'oh. I am typing this on a system using bprm->file now.
Thanks.

> 
> post_create-style hooks in the VFS are fundamentally racy, as the inode
> is already accessible via the dcache to other threads at that point.
> Are you sure you want them?  What are you doing to address the potential
> race?
> 
EVM does have to update a file's hmac xattr post_create, because the
data needed for the update is not available earlier. I thought we 
were handling the race with the evm_crypto semaphore, but I will
double check.

Thanks for the excellent comments/questions...

dave
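The path-lookup race raised above, shown as an added userspace example written for this page (it is not EVM code and not kernel code): the program measures a file twice, once through the descriptor it already holds (the analogue of checking bprm->file) and once through a fresh lookup of the pathname, after the pathname has been repointed at a different file in between. The FNV-1a digest standing in for the real HMAC, the temporary directory layout and the demo_toctou function are all constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Toy 64-bit FNV-1a digest, a stand-in for the HMAC a real integrity
 * checker would use (constructed for this example, not EVM's code). */
#define FNV_INIT 0xcbf29ce484222325ULL
static uint64_t fnv1a_update(uint64_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Digest an already-open descriptor. The caller keeps using this same open
 * file object afterwards, so what is measured is exactly what is used. */
static int digest_fd(int fd, uint64_t *out) {
    unsigned char buf[4096];
    uint64_t h = FNV_INIT;
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) return -1;
        if (n == 0) break;
        h = fnv1a_update(h, buf, (size_t)n);
    }
    *out = h;
    return 0;
}

/* Digest by pathname: a second lookup that may resolve to a different
 * inode than the one the caller already opened. This is the racy pattern
 * that re-resolving bprm->filename has. */
static int digest_path(const char *path, uint64_t *out) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = digest_fd(fd, out);
    close(fd);
    return rc;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Returns 1 when the descriptor-based digest still matches the content that
 * was labelled, while the pathname-based digest no longer does: the fresh
 * lookup "sees" a different object than the one actually held open.
 * Returns -1 on any setup error. */
int demo_toctou(void) {
    char dir[] = "/tmp/evm-demo-XXXXXX";           /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;
    char target[sizeof dir + 16], other[sizeof dir + 16];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_file(target, "labelled file contents") < 0) return -1;
    if (write_file(other, "different contents") < 0) return -1;

    uint64_t expected;                              /* label-time measurement */
    if (digest_path(target, &expected) < 0) return -1;

    int fd = open(target, O_RDONLY);                /* the held file object */
    if (fd < 0) return -1;
    if (rename(other, target) < 0) return -1;       /* pathname now points elsewhere */

    uint64_t by_fd, by_path;
    int r1 = digest_fd(fd, &by_fd);
    int r2 = digest_path(target, &by_path);
    close(fd);
    unlink(target);
    rmdir(dir);
    if (r1 < 0 || r2 < 0) return -1;
    return (by_fd == expected) && (by_path != expected);
}

int main(void) {
    int r = demo_toctou();
    printf("fd-based check consistent, path-based check diverged: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "setup error"));
    return r == 1 ? 0 : 1;
}
```

The point the example makes is the one in the review comment: an LSM hook that hashes the object it was handed (bprm->file) measures what will be executed, whereas a hook that looks the name up again measures whatever the name resolves to at that instant, and nothing ties the two together.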



This archive was generated by hypermail 2.1.3 : Tue Oct 18 2005 - 14:22:23 PDT