On 2012-10-30 22:22, Al Viro wrote:
> On Tue, Oct 30, 2012 at 09:02:33PM +0000, Arvid Brodin wrote:
>
>> +config PROC_TEXT_MD5SUM
>> + bool "/proc/<pid>/text_md5sum support"
>> + depends on PROC_FS
>> + select CRYPTO
>> + select CRYPTO_MD5
>> + help
>> + Read /proc/<pid>/text_md5sum to get the kernel to perform an MD5
>> + checksum over the process' text segment and print the result. Can be
>> + used to make sure a process' code has not been tampered with.
>
> Sorry, but this is pointless. Any attacker capable of modifying the code
> will be just as capable of modifying pointers to functions in data segment.
> IOW, you are not making sure of anything useful.

On 2012-10-30 22:23, Cyrill Gorcunov wrote:
> I don't think this increments security by any means. start/end-code are rather
> informative fields which are set when program being started, so one can ptrace
> it, alloc new exec area, put evil code there, tuneup cs:ip and restore original
> program contents, you won't even notice that.

You are both correct of course. Actually, I was kind of sloppy when I wrote the
Kconfig help text. The following more accurately describes the intended use.
Would this make the patch more acceptable?

+config PROC_TEXT_MD5SUM
+ bool "/proc/<pid>/text_md5sum support"
+ depends on PROC_FS
+ select CRYPTO
+ select CRYPTO_MD5
+ help
+ Read /proc/<pid>/text_md5sum to get the kernel to perform an MD5
+ checksum over the process' text segment and print the result. This
+ can detect some cases where the system RAM has been disturbed by
+ e.g. EMC or cosmic radiation (on systems where ECC is not available).
+ It might also detect some accidental or malicious modifications of
+ executables, where the perpetrator has not bothered to cover up the
+ tracks.

--
Arvid Brodin | Consultant (Linux)
XDIN AB | Knarrarnäsgatan 7 | SE-164 40 Kista | Sweden | xdin.com
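
Review bot: the last sentence of the revised help text ("It might also detect some accidental or malicious modifications of executables ...") still advertises tamper detection, which the two replies quoted above show cannot be relied on. I would drop "or malicious", or state outright that this is a RAM-corruption diagnostic and not a security feature. The help text should also say what "text segment" covers (only the main executable's code range, or shared libraries as well), so a reader knows what a matching checksum does and does not tell them.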
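
To make the coverage gap raised in the replies concrete, here is an added example (not code from this thread or from the patch) that lists which executable mappings of a process fall outside the range such a checksum would read. It assumes the checksum covers start_code..end_code, as Cyrill Gorcunov's reply implies; the maps excerpt is constructed and the function names are hypothetical.

```python
import re

# Constructed /proc/<pid>/maps excerpt (not taken from a real system).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/demo
0060b000-0060c000 rw-p 0000b000 08:01 131 /usr/bin/demo
7f10a0000000-7f10a0001000 rwxp 00000000 00:00 0
7f10a1000000-7f10a11b0000 r-xp 00000000 08:01 977 /lib/libc.so.6
7ffd4000e000-7ffd40010000 r-xp 00000000 00:00 0 [vdso]
"""

# address range, permissions, offset, device, inode, optional pathname
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def exec_mappings(maps_text):
    """Yield (start, end, perms, path) for every executable mapping."""
    for line in maps_text.splitlines():
        m = LINE.match(line)
        if m and "x" in m.group(3):
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)


def coverage_report(maps_text, start_code, end_code):
    """Split executable mappings into those overlapping [start_code, end_code)
    and those that a checksum over that range (assumed) would never read."""
    covered, uncovered = [], []
    for start, end, perms, path in exec_mappings(maps_text):
        entry = {
            "range": (start, end),
            "perms": perms,
            "path": path or "<anonymous>",
            # Anonymous or writable executable memory deserves a closer look.
            "suspicious": path == "" or "w" in perms,
        }
        overlaps = start < end_code and end > start_code
        (covered if overlaps else uncovered).append(entry)
    return covered, uncovered


if __name__ == "__main__":
    # start_code/end_code values are constructed to match the sample above.
    covered, uncovered = coverage_report(SAMPLE_MAPS, 0x400000, 0x40B8F4)
    for e in uncovered:
        flag = "  <-- review" if e["suspicious"] else ""
        print("not checksummed: %x-%x %s %s%s" % (*e["range"], e["perms"], e["path"], flag))
```

On a live system the two bounds can be read from the startcode and endcode fields of /proc/<pid>/stat, and the maps text from /proc/<pid>/maps.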