Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries

[Makan Pourzandi <Makan.Pourzandi@ericsson.com>]

Serge E. Hallyn wrote:
> Quoting Chris Wright (chrisw@osdl.org):
> 
>>* Makan Pourzandi (Makan.Pourzandi@ericsson.com) wrote:
> 
> ...
> 
>>>We realized that when a shared library is opened by a binary it can 
>>>still be modified. To solve the problem, we block the write access to 
>>>the shared binary while it is loaded.
>>
>>AFAICT, this means anybody with read access to a file can block all
>>writes.  This doesn't sound great.
> 
> 
> True.
> 

I want to narrow down the discussion, I believe that some people could 
get confused with the mention of "file" here. AFAICT, the above problem 
only concerns the shared libraries. Digsig applies only to binaries: in 
digsig_file_mmap() implementing the file_mmap LSM hook, if the file is 
not executable there is a return and no verification or any other 
blocking is done.

For executables, there is no meaning to load them on read mode, you 
should have execute permission. if you then load them for execution 
IMHO, it makes sense to block the writing on that file.

For shared libraries, you're right. the problem exists, the shared 
libraries can be loaded being only readable (even though I remember 
reading in exec.c:sys_uselib() kernel 2.6.8.1 that the shared libraries 
must be both readable and executable due to "security reasons", but I'm 
not an expert and definitely readable is enough to load the shared 
library but I'll be happy to learn more about this.)

> This could be fixed by adding a check at the top of dsi_file_mmap for
> file->f_dentry->d_inode->i_mode & MAY_EXEC.  Of course then shared
> libraries which are installed without execute permissions will cause
> apps to break.  On my quick test, I couldn't run xterm or vi  :)
> 
> Note that blocking writes requires that the file be a valid ELF file,
> as this is all that digsig mediates.  So I'm not sure which we worry
> about more - the fact that all shared libraries have to be installed
> with execute permissions (under the proposed solution), or that write


My 2 cents, a quick browsing on my machine (fedora core 1) shows that 
almost all my shared libraries are installed with both execution and 
read permissions.  IMHO, I don't believe then that this should be 
considered as a major issue.


> to an ELF file can be prevented by mmap(PROT_EXEC).  Presumably, if

Regards,
Makan

> you are replacing an ELF file, you will always want to do 
> "mv foo.so foo.so.del; cp new/foo.so foo.so" anyway.
> 
> Thoughts?
> 
> thanks,
> -serge
> 

-- 

Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*