Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries

---

• From: Arjan van de Ven <arjan@xxxxxxxxxxxxx>
• Date: Mon, 24 Apr 2006 22:45:26 +0200

---

On Mon, 2006-04-24 at 21:32 +0100, Nix wrote:

On 24 Apr 2006, Arjan van de Ven announced authoritatively:

On Mon, 2006-04-24 at 12:27 -0400, Makan Pourzandi (QB/EMC) wrote:

Hi Arjan,

I hope I correctly understood your question, DigSig uses LSM hooks to
check the digital signature before loading it, then as long as your elf
loader uses kernel system calls, it's covered by DigSig.

ok I have to admit that this answer worries me.

how can it be covered? How do you distinguish an elf loader application
(which just uses open + mmap after all) with... say a grep-calling perl
script?

It checks mmap and mprotect with PROT_EXEC, and execve().

so no jvm's or flash plugins.

and the stack can be executable if the app wants it to be as well...
so it's not all that easy as you make it sound

will sign every ELF shared object and executable on the system.

but it won't sign the not-really-elf-but-virus-anyway files.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
    • From: Nix

• References:
  • RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
    • From: Makan Pourzandi \(QB/EMC\)
  • RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
    • From: Arjan van de Ven
  • Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
    • From: Nix

• Prev by Date: Re: [RFC][PATCH 0/11] security: AppArmor - Overview
• Next by Date: Re: C++ pushback
• Previous by thread: Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
• Next by thread: Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries ... I hope I correctly understood your question, DigSig uses LSM hooks to ... check the digital signature before loading it, then as long as your elf ... loader uses kernel system calls, ... How do you distinguish an elf loader application ... (Linux-Kernel) RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries ... I hope I correctly understood your question, DigSig uses LSM hooks to ... check the digital signature before loading it, then as long as your elf ... loader uses kernel system calls, ... (Linux-Kernel) Re: simpler boot loader ... That's what the various loader steps ... BSD kernel. ... kernel (in ELF format I believe). ... the pre-boot environment and load and execute the kernel. ... (freebsd-questions) Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries ... you don't sign nor need to sign perl or bash scripts. ... Why would a loader ... be written in ELF itself? ... There's absolutely no reason for that. ... (Linux-Kernel)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)