IMA-appraisal is mostly being used in the embedded or single purpose
closed system environments. In these environments, both the Kconfig
options and the userspace tools can be modified appropriately to limit
syscalls. For stock kernels, userspace applications need to continue to
work with older k
On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote:
> >> Mimi Zohar writes:
> >>
> >> > [Cc'ing Kees and kernel-hardening]
> >> >
> >> > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
> >
Mimi Zohar writes:
> On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote:
>> Mimi Zohar writes:
>>
>> > [Cc'ing Kees and kernel-hardening]
>> >
>> > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
>> >> Mimi Zohar writes:
>> >>
>> >> > In environments that require the kexec
On Thu, May 3, 2018 at 2:59 PM Eric W. Biederman
wrote:
> Matthew Garrett writes:
> > kexec_load gives root arbitrary power to modify the running kernel
image,
> > including the ability to disable enforcement of module signatures.
> No. It does absolutely nothing to the running kernel image.
>
Matthew Garrett writes:
> On Thu, May 3, 2018 at 1:13 PM Eric W. Biederman
> wrote:
>
>> Mimi Zohar writes:
>
>> > In environments that require the kexec kernel image to be signed,
> prevent
>> > using the kexec_load syscall. In order for LSMs and IMA to
> differentiate
>> > between kexec_load
On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > [Cc'ing Kees and kernel-hardening]
> >
> > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
> >> Mimi Zohar writes:
> >>
> >> > In environments that require the kexec kernel image to be signed, pre
Mimi Zohar writes:
> [Cc'ing Kees and kernel-hardening]
>
> On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
>> Mimi Zohar writes:
>>
>> > In environments that require the kexec kernel image to be signed, prevent
>> > using the kexec_load syscall. In order for LSMs and IMA to differ
[Cc'ing Kees and kernel-hardening]
On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > In environments that require the kexec kernel image to be signed, prevent
> > using the kexec_load syscall. In order for LSMs and IMA to differentiate
> > between kexec_load
On Thu, May 3, 2018 at 1:13 PM Eric W. Biederman
wrote:
> Mimi Zohar writes:
> > In environments that require the kexec kernel image to be signed,
prevent
> > using the kexec_load syscall. In order for LSMs and IMA to
differentiate
> > between kexec_load and kexec_file_load syscalls, this patc
Mimi Zohar writes:
> In environments that require the kexec kernel image to be signed, prevent
> using the kexec_load syscall. In order for LSMs and IMA to differentiate
> between kexec_load and kexec_file_load syscalls, this patch set adds a
> call to security_kernel_read_file() in kexec_load_c
In environments that require the kexec kernel image to be signed, prevent
using the kexec_load syscall. In order for LSMs and IMA to differentiate
between kexec_load and kexec_file_load syscalls, this patch set adds a
call to security_kernel_read_file() in kexec_load_check().
Signed-off-by: Mimi
11 matches
Mail list logo