On Thu, Apr 03, 2008 at 05:29:50PM -0700, Michael Corcoran wrote:
> Thanks Gary.
> 
> Reading through the 1.1 Design doc for validated execution, it's clear
> that there is a bit of interaction between these two projects.  At the
> very least mmapfd(2) or more likely mmapobj(2) will need to be added to
> Section 2 along with the following block diagram.
> 
> I don't see anything in mmapfd that would conflict with valex but valex
> would have to add some logic to mmapfd to call signedexec_validate().
> Since other binaries, such as Java will not be mapped via mmapfd, the
> mmap modifications for PROT_EXEC still seem necessary.  I was hoping
> that they could be eliminated, but that does not appear to be the case.

Slightly OT (reply-to set -- please honor it):

Please see the discussion on the valex-discuss list this week.

IMO mmap() and mmapobj() shouldn't be validating file signatures because
the caller should have done so already when it called open().
That the valex project proposes to do so for some calls to mmap() is
indicative of a problem: finding all user-land code that should have
config files, interpretable code, etc... verified, and modifying it to
do so, does not scale.  Darren Moffat and I propose a file attribute to
deal with this that would, incidentally, make the need for mmap() and
mmapobj() to validate files go away.

Nico
-- 
