Re: [RFC][PATCH] EVM and SLIM LSM modules

From: Serge Hallyn (serue@private)
Date: Wed Oct 26 2005 - 08:39:16 PDT

Quoting David Safford (safford@private):
> > Since you mentioned digsig, how does evm compare with it aside from what
> > you mention above?  digsig seemed to go to great lengths to try to
> > prevent modification of the executable after validation, and made use of
> > the file_mmap hook for the actual checking, IIRC.  
> Interesting question. EVM does not try to prevent this. Partly this
> is based on the Trusted Computing philosophy that you can't prevent
> malicious changes to the TCB, particularly against in-memory attacks,
> and against off-line attacks, but you do want at least to detect
> the TCB changes on next boot or next file verification.

Hmmm... it looks like the most pathological case is p1 opens(write)
and mmap(write), then sits and waits for long-running p2 to open(read);
p1 makes a change; p2 does not detect it.

As you say, I'm not sure what can be done about this... fortunately,
since I see this as most useful for protecting SELinux xattrs and /boot,
the detect-on-next-use philosophy seems appropriate.

Perhaps there could be an option to force any mmap(write) on a protected
file to be MAP_PRIVATE? But that probably just complicates matters.
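The race described above, as an added example that is not part of the original thread or the EVM patch: one process plays both p1 (writer with an established mapping) and p2 (reader that verifies once at open), an FNV-1a hash stands in for EVM's per-file hash, and a scratch file under /tmp stands in for the protected file. With MAP_SHARED the post-verification write reaches what p2 reads; with MAP_PRIVATE (the option suggested above) it does not.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for EVM's per-file hash (assumption: FNV-1a, not EVM's real digest). */
static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* p2's verification step: hash what a fresh read of the file returns. */
static uint64_t hash_fd(int fd, size_t len) {
    unsigned char buf[64];
    if (lseek(fd, 0, SEEK_SET) != 0 || read(fd, buf, len) != (ssize_t)len) return 0;
    return fnv1a(buf, len);
}

/* Returns 1 if p1's write through a mapping created with map_flags changes
 * what p2 reads after its open-time check, 0 if it does not, -1 on error. */
int mapping_write_visible_to_reader(int map_flags) {
    static const char initial[] = "#!/bin/sh\necho trusted\n";  /* constructed */
    const size_t len = sizeof(initial) - 1;
    char path[] = "/tmp/evm_race_XXXXXX";                      /* scratch file */
    int fd_p1 = mkstemp(path);
    if (fd_p1 < 0) return -1;
    if (write(fd_p1, initial, len) != (ssize_t)len) return -1;

    /* p1: open(write) + mmap(write); the mapping exists before p2 looks. */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, map_flags, fd_p1, 0);
    if (map == MAP_FAILED) return -1;

    /* p2: open(read) and verify once; with a check-at-open scheme this is the only look. */
    int fd_p2 = open(path, O_RDONLY);
    unlink(path);
    if (fd_p2 < 0) return -1;
    uint64_t verified = hash_fd(fd_p2, len);

    /* p1: modify the already-verified contents through its mapping (same length). */
    memcpy(map, "#!/bin/sh\necho tainted\n", len);
    msync(map, len, MS_SYNC);

    /* p2: keeps using the file; only a re-verification on next use would notice. */
    uint64_t later = hash_fd(fd_p2, len);
    munmap(map, len); close(fd_p1); close(fd_p2);
    return verified != later;
}
```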
