From: Andrey Borzenkov <arvidjaar@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: jonmccune@google.com
Subject: Re: [PATCH v4 2/4] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce
Date: Wed, 25 Sep 2013 10:09:18 +0400 [thread overview]
Message-ID: <20130925100918.2087bec5@opensuse.site> (raw)
In-Reply-To: <1380074432-27299-3-git-send-email-jonmccune@google.com>
В Tue, 24 Sep 2013 19:00:30 -0700
Jon McCune <jonmccune@google.com> пишет:
> This version of the patch implements whitelisting in the envblk subsystem,
> instead of in loadenv.c. It seems to be cleaner than the previous patches.
>
> This works by adding an open_envblk_file_untrusted() method that bypasses
> signature checking, but only if the invocation of load_env includes a
> whitelist of one or more environment variables that are to be read from the
> file.
I do not really like such silent assumptions. Being able to load only
selected environment variables is useful by itself, but I still may
want to ensure file was not tampered with.
I suggest you simply add flag "--skip-signature-check" to load_env and
add support for explicit variable list. Then it is up to user how and
when to use it.
And please update also documentation for command changes.
> +static grub_file_t
> +open_envblk_file_untrusted (char *filename)
Why do you need extra function? Is not flag to open_envblk_file enough?
> +{
> + grub_file_filter_t curfilt[GRUB_FILE_FILTER_MAX];
> + grub_file_t file;
> +
> + /* Temporarily disable all filters so as to read the untrusted file */
> + grub_memcpy (curfilt, grub_file_filters_enabled, sizeof (curfilt));
> + grub_file_filter_disable_all ();
Why do you need to disable *all* filters? Assuming disabling
compression was good enough, you just need to disable signature
checking, right?
> void
> grub_envblk_iterate (grub_envblk_t envblk,
> + const grub_env_whitelist_t* whitelist,
> int hook (const char *name, const char *value))
Again, that's really too restrictive. Like with any other iterators,
I'd make hook accept extra pointer for hook-specific data and pass this
data to grub_envblk_iterate. This will let caller decide the policy.
next prev parent reply other threads:[~2013-09-25 6:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-25 2:00 [PATCH v4 0/4] Add whitelisting support for load_env Jon McCune
2013-09-25 2:00 ` [PATCH v4 1/4] style: indent --no-tabs --gnu-style grub-core/commands/loadenv.c Jon McCune
2013-09-25 6:11 ` Andrey Borzenkov
2013-09-25 15:02 ` Jonathan McCune
2013-09-25 2:00 ` [PATCH v4 2/4] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce Jon McCune
2013-09-25 6:09 ` Andrey Borzenkov [this message]
2013-09-25 15:01 ` Jonathan McCune
2013-09-27 2:20 ` Andrey Borzenkov
2013-09-25 2:00 ` [PATCH v4 3/4] save_env should work, " Jon McCune
2013-09-25 2:00 ` [PATCH v4 4/4] Add (multiple) -k, --pubkey=FILE support to installation commands Jon McCune
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130925100918.2087bec5@opensuse.site \
--to=arvidjaar@gmail.com \
--cc=grub-devel@gnu.org \
--cc=jonmccune@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).