From: Vivek Goyal <vgoyal@redhat.com>
To: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, ebiederm@xmission.com,
pjones@redhat.com, hpa@zytor.com, dhowells@redhat.com,
jwboyer@redhat.com
Subject: Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary
Date: Thu, 17 Jan 2013 12:42:37 -0500
Message-ID: <20130117174237.GC2237@redhat.com>
In-Reply-To: <CALLzPKYHUDj6gxz44_bOe1ggoeqZd2HaA3R34OXgHqGR9X7AcQ@mail.gmail.com>
On Thu, Jan 17, 2013 at 07:01:40PM +0200, Kasatkin, Dmitry wrote:
> commit f6bf2c4c0339dabac435f518bb1fcb617fdef8f1
> Author: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> Date: Thu Jan 17 18:50:43 2013 +0200
>
> ima: lock down memory if binary is digitally signed
>
> This patch sets a flag in the linux_binprm structure if the binary is
> digitally signed. The flag is used to lock down memory when loading the
> ELF binary.
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 0c42cdb..ba94d13 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -44,6 +44,8 @@
> #define user_siginfo_t siginfo_t
> #endif
>
> +#define LSM_UNSAFE_DIGSIG 16
> +
> static int load_elf_binary(struct linux_binprm *bprm);
> static int load_elf_library(struct file *);
> static unsigned long elf_map(struct file *, unsigned long, struct elf_phdr *,
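Review bot: `#define LSM_UNSAFE_DIGSIG 16` introduces a new bit for bprm->unsafe but defines it privately in fs/binfmt_elf.c instead of next to the existing LSM_UNSAFE_* flags in include/linux/security.h, so nothing keeps the value unique if another flag is added there; move the definition alongside the others. The commit message says the flag is set when the binary is signed, yet this hunk only adds the definition and the later hunk only consumes it, so the code that actually sets the bit in bprm->unsafe should be part of this change or the message should say where it lives. Since `unsafe` otherwise records conditions that make the exec unsafe (ptrace, shared state), carrying a "this binary is signed" property in it also deserves a comment explaining the choice.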
> @@ -788,6 +790,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
>
> elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
>
> + if (bprm->unsafe & LSM_UNSAFE_DIGSIG)
> + elf_flags |= MAP_LOCKED;
> +
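Review bot: adding MAP_LOCKED to elf_flags turns every segment mapped with these flags into an mlocked mapping, which counts against the caller's RLIMIT_MEMLOCK and is subject to the can_do_mlock() check in the mmap path; for an unprivileged user with the default small limit, exec of a signed binary larger than the limit would fail inside elf_map, so this needs either an exemption from the rlimit accounting for these mappings or a documented requirement. Please also add a comment above `elf_flags |= MAP_LOCKED;` stating why the lock is wanted (keeping the verified pages resident so they are never re-read from a disk that may have changed after the IMA check), and note that only the mappings created with elf_flags are covered; bss, brk and any mappings the program makes later are not, which is narrower than "lock down memory" in the description suggests.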
Couple of thoughts.
- I think my patch does not take care of locking down future mappings. I
think we might have to do
    current->mm->def_flags = VM_LOCKED;
along the lines of do_mlockall().
- Also there is still a small window open where changes to file contents
made by directly writing to disk blocks will not be detected. We are doing the IMA
check first and then faulting in pages in memory. It might have happened
that the write to the disk block happened after the IMA check but before the page was
read back from disk.
So some kind of post-verification is probably also needed. Or just map
it first and then do the verification.
Thanks,
Vivek