RE: F36 Change: DIGLIM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everyone

I have very exciting news to share.

Given the difficulty to have the DIGLIM kernel patches
accepted, I checked if I could achieve the same goals
with an eBPF program.

I focused only on the functionality side, it is probably
required some support from the kernel to have the
same security guarantees of an LSM integrated in the
kernel.

But, at least for the functionality part, I would say that
thanks to the very extensive support from eBPF, I managed
to almost match what I provided with the kernel patches
(at least for appraisal, not for measurement).

This is the repo with the code:

https://github.com/robertosassu/diglim-ebpf

and the Copr project with binary packages:

https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/

Unfortunately, due to a feature introduced only recently
(allow sleepable programs to use the inode map), it will
work only with Fedora 36. Probably, commit 0fe4b381a59e
("bpf: Allow bpf_local_storage to be used by sleepable programs)
applied to the kernel 5.16 would be sufficient to use
DIGLIM eBPF also in Fedora 35.

Unlike the previous version of DIGLIM, this one does not
have any dependency (I just had to add rpmplugin.h in
the rpm-devel package).

It can be configured with two simple commands (please
do it in a testing VM):

# dnf copr enable robertosassu/DIGLIM-eBPF
# diglim_setup.sh install --default

After reboot, the kernel will refuse to execute anything
that is not in a package. Updating a package or installing
new ones is supported, DIGLIM eBPF takes care of loading
the new reference values.

Adding custom software is also possible, as shown with the
following commands:

# ./script.sh
-bash: ./script.sh: /bin/bash: bad interpreter: Operation not permitted
# compact_gen -d /etc/digest_lists -i script.sh
# diglim_user_client -o add -p /etc/digest_lists/0-file_list-compact-script.sh
Digest list command successful
# ./script.sh
Hello world!

I know it is too late for Fedora 36, but I hope you could
consider this version for Fedora 37. In the meantime, I will
work on the security guarantees (signature verification of
the digest lists, avoid unplugging of the LSM).

Any comment or suggestion is very appreciated!

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux