Vivek Goyal <vgo...@redhat.com> writes:

> On Wed, Jan 16, 2013 at 05:35:23PM -0500, Mimi Zohar wrote:
>> On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
>> > If a binary is signed, verify its signature. If signature is not valid, do
>> > not allow execution. If binary is not signed, execution is allowed
>> > unconditionally.
>>
>> Basically you're building the policy into the executable. Anyone can
>> rebuild the executable and, without signing it, install/replace an
>> existing one. How is this safe? The signature verification policy
>> needs to be defined independently of the executable.
>
> Upon signature verification this executable will also acquire a new
> capability (say CAP_SIGNED). And some of the services can be allowed only
> if process has that new capability. (TODO item)
Just a quick segue. The ptrace problem is solved by existing mechanisms if
you have a capability that other binaries don't have.

Eric
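The "existing mechanism" Eric points at is the capability-subset rule in the kernel's cap_ptrace_access_check() (security/commoncap.c): a tracer may attach only if its permitted capability set covers the tracee's permitted set, or if it holds CAP_SYS_PTRACE. So a process that acquired an extra capability at exec cannot be attached to by a process that lacks it. The userspace C model below is an added illustration, not part of the thread and not kernel code. CAP_SIGNED is the hypothetical capability from Vivek's TODO item; its bit number here is an assumption, and the 64-bit mask is a simplification of kernel_cap_t.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability sets modelled as a 64-bit mask, one bit per capability. The
 * kernel's kernel_cap_t differs in representation, not in semantics. */
typedef uint64_t cap_set_t;

/* Real Linux capability number from include/uapi/linux/capability.h. */
#define CAP_SYS_PTRACE 19

/* Hypothetical capability from the thread's TODO item. Not a real Linux
 * capability; the bit number is an assumption made for this model only. */
#define CAP_SIGNED 40

#define CAP_BIT(c) ((cap_set_t)1 << (c))

/* True if every capability in a is also in b. */
static bool cap_issubset(cap_set_t a, cap_set_t b)
{
    return (a & ~b) == 0;
}

/* Model of the capability part of cap_ptrace_access_check() in
 * security/commoncap.c: attaching is allowed when the tracer's permitted
 * set covers the tracee's permitted set, or when the tracer holds
 * CAP_SYS_PTRACE. Returns 0 if allowed, -EPERM otherwise. The real check
 * additionally requires the two tasks to share a user namespace and runs
 * alongside the uid/gid and dumpable checks in kernel/ptrace.c and any
 * stacked LSM (e.g. Yama's ptrace_scope). */
static int ptrace_access_check(cap_set_t tracer_permitted, cap_set_t child_permitted)
{
    if (cap_issubset(child_permitted, tracer_permitted))
        return 0;
    if (tracer_permitted & CAP_BIT(CAP_SYS_PTRACE))
        return 0;
    return -EPERM;
}

/* Scenario from the thread: an unsigned binary (no CAP_SIGNED) tries to
 * attach to a signed one that acquired CAP_SIGNED at exec. */
static int unsigned_traces_signed(void)
{
    return ptrace_access_check(0, CAP_BIT(CAP_SIGNED));
}

/* A signed binary may still attach to another signed binary ... */
static int signed_traces_signed(void)
{
    return ptrace_access_check(CAP_BIT(CAP_SIGNED), CAP_BIT(CAP_SIGNED));
}

/* ... and to an unsigned one, because the tracee's set is a subset. */
static int signed_traces_unsigned(void)
{
    return ptrace_access_check(CAP_BIT(CAP_SIGNED), 0);
}

/* CAP_SYS_PTRACE (a root debugger, say) bypasses the subset rule. */
static int root_debugger_traces_signed(void)
{
    return ptrace_access_check(CAP_BIT(CAP_SYS_PTRACE), CAP_BIT(CAP_SIGNED));
}

int main(void)
{
    printf("unsigned -> signed:       %s\n", unsigned_traces_signed() == 0 ? "allowed" : "EPERM");
    printf("signed -> signed:         %s\n", signed_traces_signed() == 0 ? "allowed" : "EPERM");
    printf("signed -> unsigned:       %s\n", signed_traces_unsigned() == 0 ? "allowed" : "EPERM");
    printf("CAP_SYS_PTRACE -> signed: %s\n", root_debugger_traces_signed() == 0 ? "allowed" : "EPERM");
    return 0;
}
```

Build with `cc -std=c11 -Wall ptrace_caps.c` and run it to see the four outcomes. The point of the model is that the protection comes for free only if the extra capability actually lands in the signed process's permitted set at exec; it says nothing about a tracer that already holds CAP_SYS_PTRACE, which the subset rule deliberately lets through.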