On Wed, Mar 20, 2013 at 01:41:30PM -0400, Mimi Zohar wrote:
[..]
> Defining another Kconfig option will either memlock all signed
> executables or none. If a distro ships with this new Kconfig enabled,
> then the 'ima_appraise_tcb' boot command line option would result in all
> executables, owned
On Wed, 2013-03-20 at 11:21 -0400, Vivek Goyal wrote:
> On Tue, Mar 19, 2013 at 10:39:01AM -0400, Mimi Zohar wrote:
>
> [..]
> > > +#ifdef CONFIG_BINFMT_ELF_SIG
> > > + /* If executable is digitally signed. Lock down in memory */
> > > + /* Get file signature, if any */
> > > + retval = ima_file_s
On Tue, Mar 19, 2013 at 10:39:01AM -0400, Mimi Zohar wrote:
[..]
>
> Lastly, adding 'VM_LOCKED' here seems to change existing, expected
> behavior. According to the mlock(2) man pages, "Memory locks are not
> inherited by a child created via fork(2) and are automatically removed
> (unlocked) dur
On Tue, Mar 19, 2013 at 10:39:01AM -0400, Mimi Zohar wrote:
[..]
> > +#ifdef CONFIG_BINFMT_ELF_SIG
> > + /* If executable is digitally signed. Lock down in memory */
> > + /* Get file signature, if any */
> > + retval = ima_file_signature_alloc(bprm->file, &signature);
> > +
> > + /*
> > +
On Fri, 2013-03-15 at 16:35 -0400, Vivek Goyal wrote:
> Do elf executable signature verification (if one is present). If signature
> is present, it should be valid. Validly signed files are given a capability
> CAP_SIGNED.
>
> If file is unsigned, it can execute but it does not get the capability
On Mon, Mar 18, 2013 at 04:23:11PM -0400, Josh Boyer wrote:
> On Fri, Mar 15, 2013 at 4:35 PM, Vivek Goyal wrote:
> > Do elf executable signature verification (if one is present). If signature
> > is present, it should be valid. Validly signed files are given a capability
> > CAP_SIGNED.
> >
> > I
On Fri, Mar 15, 2013 at 4:35 PM, Vivek Goyal wrote:
> Do elf executable signature verification (if one is present). If signature
> is present, it should be valid. Validly signed files are given a capability
> CAP_SIGNED.
>
> If file is unsigned, it can execute but it does not get the capability
>