linux-security-module.vger.kernel.org archive mirror
Re: LSM that blocks execution of the code from the anonymous pages
From: Mimi Zohar @ 2020-09-17 20:53 UTC (permalink / raw)
  To: Igor Zhbanov, linux-integrity; +Cc: linux-security-module

Hi Igor,

(Reminder the Linux kernel mailing lists convention is to inline/bottom
post.)

On Thu, 2020-09-17 at 23:39 +0300, Igor Zhbanov wrote:
> My question is more about whether this functionality fits into IMA's
> responsibility. I.e. I can propose the changes as the extension of IMA's
> functionality (which I think would be better), or I could create a separate
> LSM if this functionality doesn't align with IMA's purpose for some reason.
> This is the first question.
> 
> And the second question, what kind of operation modes do you think would
> be useful?
> 
> 1) no anonymous code for privileged processes (as currently),
> 2) no anonymous code for all processes,
> 3) no anonymous code for all processes with xattr-based exceptions (maybe
>       with xattr value signing)

These are generic questions not dependent on whether this would be
upstreamed as an independent LSM or as part of IMA.  For this reason,
I've Cc'ed the LSM mailing list.

Mimi

> 
> For #3 I definitely would prefer to implement the code as a part of IMA
> because of sharing of xattrs cache, etc. to avoid reinventing the wheel.

