Quoting David Safford (safford@private):

> > Since you mentioned digsig, how does evm compare with it aside from what
> > you mention above? digsig seemed to go to great lengths to try to
> > prevent modification of the executable after validation, and made use of
> > the file_mmap hook for the actual checking, IIRC.
>
> Interesting question. EVM does not try to prevent this. Partly this
> is based on the Trusted Computing philosophy that you can't prevent
> malicious changes to the TCB, particularly against in-memory attacks,
> and against off-line attacks, but you do want at least to detect
> the TCB changes on next boot or next file verification.

Hmmm... it looks like the most pathological case is p1 opens(write) and
mmap(write), then sits and waits for long-running p2 to open(read); p1 makes
a change; p2 does not detect it. As you say, I'm not sure what can be done
about this... Fortunately, since I see this as most useful for protecting
selinux xattrs and /boot, the detect-on-next-use philosophy seems appropriate.

Perhaps there could be an option to force any mmap(write) on a protected
file to be map_private? But that probably just complicates matters
needlessly...

-serge
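The race described in the message above, as an added demonstration that is not part of the thread and is not EVM or digsig code: one file, a writer descriptor standing in for p1 (mapped with PROT_WRITE) and a read-only descriptor standing in for p2 (verified before the write). A plain FNV-1a hash is assumed as the stand-in for the integrity measurement. The example goes one step beyond the message by running the same sequence twice, once with MAP_SHARED and once with MAP_PRIVATE, so that the effect of the map_private idea can be observed directly: the shared mapping changes what the already-verified reader sees, the private one does not.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for an integrity measurement: FNV-1a over the whole file.
 * (Assumption for this example; EVM keeps HMACs/signatures over xattrs.
 * Any hash will do to show whether the bytes a reader sees have changed.) */
static unsigned long long hash_fd(int fd)
{
    unsigned long long h = 1469598103934665603ULL;
    unsigned char buf[256];
    off_t off = 0;
    ssize_t n;
    while ((n = pread(fd, buf, sizeof buf, off)) > 0) {
        for (ssize_t i = 0; i < n; i++) {
            h ^= buf[i];
            h *= 1099511628211ULL;
        }
        off += n;
    }
    return h;
}

/* Replays the sequence from the thread with two descriptors on one file:
 *   wfd plays p1 (opened for write, mapped PROT_WRITE with map_flags),
 *   rfd plays p2 (opened read-only, contents verified before p1 writes).
 * Returns 1 if p1's write changes what p2 reads after its verification,
 * 0 if p2 keeps seeing the verified bytes, -1 on setup failure.
 * Two separate processes behave the same way: the page cache is per inode,
 * not per process, so a single process is enough to show the effect. */
int writer_visible_to_reader(int map_flags)
{
    static const char original[] = "ORIGINAL CONTENT\n"; /* constructed sample */
    const size_t len = sizeof original - 1;
    char path[] = "/tmp/evm-race-XXXXXX";

    int wfd = mkstemp(path);                       /* p1: open(write) */
    if (wfd < 0)
        return -1;
    if (write(wfd, original, len) != (ssize_t)len) {
        close(wfd); unlink(path); return -1;
    }

    /* p1: mmap(write), then sits and waits */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, map_flags, wfd, 0);
    if (map == MAP_FAILED) {
        close(wfd); unlink(path); return -1;
    }

    /* p2: open(read) and verify; a file-open hook would check here */
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) {
        munmap(map, len); close(wfd); unlink(path); return -1;
    }
    unsigned long long verified = hash_fd(rfd);

    /* p1: makes a change through the mapping after p2 has verified */
    memcpy(map, "TAMPERED", 8);
    msync(map, len, MS_SYNC);   /* no-op for MAP_PRIVATE, flushes MAP_SHARED */
    munmap(map, len);

    /* p2: keeps using its already-verified descriptor */
    unsigned long long now = hash_fd(rfd);

    close(rfd);
    close(wfd);
    unlink(path);
    return verified != now;
}

int main(void)
{
    printf("MAP_SHARED  write visible to verified reader: %d\n",
           writer_visible_to_reader(MAP_SHARED));
    printf("MAP_PRIVATE write visible to verified reader: %d\n",
           writer_visible_to_reader(MAP_PRIVATE));
    return 0;
}
```

The detection side of the philosophy in the thread is the second hash: a re-verification on next open or next boot would catch the change, which is what the verified-vs-now comparison models. The MAP_PRIVATE run shows why forcing private mappings would close this particular window (copy-on-write keeps the writer's changes out of the page cache the reader shares), and also why it would break any program that legitimately relies on shared writable mappings of the protected file, which is the complication Serge is pointing at.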
This archive was generated by hypermail 2.1.3 : Wed Oct 26 2005 - 08:39:43 PDT