From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754535AbdKQBJK (ORCPT ); Thu, 16 Nov 2017 20:09:10 -0500 Received: from mail-it0-f50.google.com ([209.85.214.50]:40600 "EHLO mail-it0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754350AbdKQBI7 (ORCPT ); Thu, 16 Nov 2017 20:08:59 -0500 X-Google-Smtp-Source: AGs4zMbZXx+MHngcSgk+SfUU3oQCFqrVEbQMchjIVRKgAGTuICtF9t/KRVMWmgKmjfhhqL2KYv0eNzvuYy8PKhr4kQU= MIME-Version: 1.0 In-Reply-To: References: <20171107103710.10883-1-roberto.sassu@huawei.com> <1510061855.3425.113.camel@linux.vnet.ibm.com> From: Kees Cook Date: Thu, 16 Nov 2017 17:08:57 -0800 X-Google-Sender-Auth: 42H5spqFH1XxsmA_LvrXqtjxwlI Message-ID: Subject: Re: [PATCH v2 00/15] ima: digest list feature To: Roberto Sassu Cc: Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module , "linux-fsdevel@vger.kernel.org" , linux-doc@vger.kernel.org, LKML , silviu.vlasceanu@huawei.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote: > On 11/7/2017 2:37 PM, Mimi Zohar wrote: >> Normally, the protection of kernel memory is out of scope for IMA. >> This patch set introduces an in kernel white list, which would be a >> prime target for attackers looking for ways of by-passing IMA- >> measurement, IMA-appraisal and IMA-audit. Others might disagree, but >> from my perspective, this risk is too high. BTW, which part of the series does the whitelist? I'd agree generally, though: we don't want to make things writable if they're normally read-only. > It would be much easier for an attacker to just set ima_policy_flag to > zero. That's a fair point. I wonder if ima_policy_flag could be marked __ro_after_init? Most of the writes are from __init sections, but I haven't looked closely at when ima_update_policy() gets called. -Kees -- Kees Cook Pixel Security From mboxrd@z Thu Jan 1 00:00:00 1970 From: keescook@chromium.org (Kees Cook) Date: Thu, 16 Nov 2017 17:08:57 -0800 Subject: [PATCH v2 00/15] ima: digest list feature In-Reply-To: References: <20171107103710.10883-1-roberto.sassu@huawei.com> <1510061855.3425.113.camel@linux.vnet.ibm.com> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote: > On 11/7/2017 2:37 PM, Mimi Zohar wrote: >> Normally, the protection of kernel memory is out of scope for IMA. >> This patch set introduces an in kernel white list, which would be a >> prime target for attackers looking for ways of by-passing IMA- >> measurement, IMA-appraisal and IMA-audit. Others might disagree, but >> from my perspective, this risk is too high. BTW, which part of the series does the whitelist? I'd agree generally, though: we don't want to make things writable if they're normally read-only. > It would be much easier for an attacker to just set ima_policy_flag to > zero. That's a fair point. I wonder if ima_policy_flag could be marked __ro_after_init? Most of the writes are from __init sections, but I haven't looked closely at when ima_update_policy() gets called. -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html