Re: [PATCH 0/3] kexec: limit kexec_load syscall

Mimi Zohar writes: > In environments that require the kexec kernel image to be signed, prevent > using the kexec_load syscall. In order for LSMs and IMA to differentiate > between kexec_load and kexec_file_load syscalls, this patch set adds a > call to

Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

On Thu, 2018-05-03 at 11:42 -0500, Eric W. Biederman wrote: > Casey Schaufler writes: > > > On 5/3/2018 8:51 AM, Eric W. Biederman wrote: > >> Mimi Zohar writes: > >> > >>> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: > Mimi

Re: [PATCH 0/3] kexec: limit kexec_load syscall

On Thu, May 3, 2018 at 1:13 PM Eric W. Biederman wrote: > Mimi Zohar writes: > > In environments that require the kexec kernel image to be signed, prevent > > using the kexec_load syscall. In order for LSMs and IMA to differentiate > > between

Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

Casey Schaufler writes: > On 5/3/2018 8:51 AM, Eric W. Biederman wrote: >> Mimi Zohar writes: >> >>> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: Mimi Zohar writes: > Allow LSMs and IMA to

Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

On 5/3/2018 8:51 AM, Eric W. Biederman wrote: > Mimi Zohar writes: > >> On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >>> Mimi Zohar writes: >>> Allow LSMs and IMA to differentiate between the kexec_load and

Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

Mimi Zohar writes: > On Wed, 2018-05-02 at 09:45 -0500, Eric W. Biederman wrote: >> Mimi Zohar writes: >> >> > Allow LSMs and IMA to differentiate between the kexec_load and >> > kexec_file_load syscalls by adding an "unnecessary" call to >>

Re: [PATCH 2/3] kexec: call LSM hook for kexec_load syscall

Mimi Zohar writes: > On Thu, 2018-05-03 at 11:42 -0500, Eric W. Biederman wrote: >> Casey Schaufler writes: >> >> > On 5/3/2018 8:51 AM, Eric W. Biederman wrote: >> >> Mimi Zohar writes: >> >> >> >>> On Wed,

Re: [PATCH 0/3] kexec: limit kexec_load syscall

On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > [Cc'ing Kees and kernel-hardening] > > > > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote: > >> Mimi Zohar writes: > >> > >> > In environments

Re: [PATCH 0/3] kexec: limit kexec_load syscall

[Cc'ing Kees and kernel-hardening] On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > In environments that require the kexec kernel image to be signed, prevent > > using the kexec_load syscall. In order for LSMs and IMA to

Re: [PATCH 0/3] kexec: limit kexec_load syscall

Mimi Zohar writes: > [Cc'ing Kees and kernel-hardening] > > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote: >> Mimi Zohar writes: >> >> > In environments that require the kexec kernel image to be signed, prevent >> > using the

Re: [PATCH 0/3] kexec: limit kexec_load syscall

Mimi Zohar writes: > On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote: >> Mimi Zohar writes: >> >> > [Cc'ing Kees and kernel-hardening] >> > >> > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote: >> >> Mimi Zohar

Re: [PATCH 0/3] kexec: limit kexec_load syscall

Matthew Garrett writes: > On Thu, May 3, 2018 at 1:13 PM Eric W. Biederman > wrote: > >> Mimi Zohar writes: > >> > In environments that require the kexec kernel image to be signed, > prevent >> > using the kexec_load syscall.

Re: [PATCH 0/3] kexec: limit kexec_load syscall

On Thu, May 3, 2018 at 2:59 PM Eric W. Biederman wrote: > Matthew Garrett writes: > > kexec_load gives root arbitrary power to modify the running kernel image, > > including the ability to disable enforcement of module signatures. > No. It does

Re: [PATCH 0/3] kexec: limit kexec_load syscall

On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote: > >> Mimi Zohar writes: > >> > >> > [Cc'ing Kees and kernel-hardening] > >> > > >> > On Thu,