From: Mimi Zohar <zohar@linux.ibm.com>
To: Igor Zhbanov <i.zhbanov@omprussia.ru>,
	linux-integrity <linux-integrity@vger.kernel.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: LSM that blocks execution of the code from the anonymous pages
Date: Thu, 17 Sep 2020 16:53:50 -0400	[thread overview]
Message-ID: <7488a57e29dd33440ae98d6883f8f92d5833b97a.camel@linux.ibm.com> (raw)
In-Reply-To: <88b9444e-08bc-4240-7943-298070dfc47c@omprussia.ru>

Hi Igor,

(Reminder: the Linux kernel mailing list convention is to inline/bottom
post.)

On Thu, 2020-09-17 at 23:39 +0300, Igor Zhbanov wrote:
> My question is more about whether this functionality fits into IMA's
> responsibility. I.e. I can propose the changes as the extension of IMA's
> functionality (which I think it would be better), or I could create a separate
> LSM if this functionality doesn't align with IMA's purpose for some reason.
> This is the first question.
> 
> And the second question, what kind of operation modes do you think would
> be useful?
> 
> 1) no anonymous code for privileged processes (as currently),
> 2) no anonymous code for all processes,
> 3) no anonymous code for all processes with xattr-based exceptions (maybe
>       with xattr value signing)

These are generic questions not dependent on whether this would be
upstreamed as an independent LSM or as part of IMA.  For this reason,
I've Cc'ed the LSM mailing list.

Mimi

> 
> For #3 I definitely would prefer to implement the code as a part of IMA
> because of sharing the xattr cache, etc. to avoid reinventing the wheel.
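Before choosing between modes 1 and 2 it helps to know which processes on a running system already execute from anonymous memory. The following audit tool is an added example, not code from this thread or from IMA: it parses /proc/<pid>/maps (format assumed: "start-end perms offset dev inode [path]"), counts executable mappings with no backing file, and flags euid-0 processes as the ones mode 1 would affect.

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <sys/stat.h>

/* One /proc/<pid>/maps line: "start-end perms offset dev inode [path]". Returns 1 for
 * an executable mapping with no backing file (inode 0, empty path), i.e. the anonymous
 * code such an LSM would police; kernel-installed [vdso]/[vsyscall] carry a name. */
int is_anon_exec_mapping(const char *line)
{
    unsigned long start, end, off, inode;
    char perms[8], dev[32], path[256] = "";
    int n = sscanf(line, "%lx-%lx %7s %lx %31s %lu %255s",
                   &start, &end, perms, &off, dev, &inode, path);
    if (n < 6 || strlen(perms) < 3 || perms[2] != 'x') return 0;
    return inode == 0 && path[0] == '\0';
}

/* Count such mappings in one maps file; -1 if it cannot be read. */
int count_anon_exec(const char *maps_path)
{
    FILE *f = fopen(maps_path, "r");
    char line[512]; int count = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        count += is_anon_exec_mapping(line);
    fclose(f);
    return count;
}

/* Walk /proc: euid-0 hits are what mode 1 would block, every hit what mode 2 would.
 * /proc/<pid> is owned by the euid while the process is dumpable; other users' maps
 * need root, and a process may exit mid-walk (stat failure is skipped). */
int main(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e; struct stat st;
    char path[64];
    if (!d) return 1;
    while ((e = readdir(d))) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        snprintf(path, sizeof path, "/proc/%s", e->d_name);
        if (stat(path, &st) != 0) continue;
        strcat(path, "/maps");
        int n = count_anon_exec(path);
        if (n > 0)
            printf("pid %s euid %u: %d anonymous exec mapping(s)%s\n", e->d_name,
                   (unsigned)st.st_uid, n, st.st_uid == 0 ? " [mode 1 hit]" : "");
    }
    closedir(d);
    return 0;
}
```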


Thread overview: 4+ messages
2020-09-03 16:20 LSM that blocks execution of the code from the anonymous pages Igor Zhbanov
2020-09-17 18:11 ` Mimi Zohar
2020-09-17 20:39   ` Igor Zhbanov
2020-09-17 20:53     ` Mimi Zohar [this message]
