Vivek Goyal <vgoyal at redhat.com> writes: > On Thu, Nov 01, 2012 at 02:52:25PM +0000, Matthew Garrett wrote: >> On Thu, Nov 01, 2012 at 10:43:04AM -0400, Vivek Goyal wrote: >> >> > So I think this does satisfy the requirement matthew specified. Isn't it? >> > Matthew, what do you think? >> >> Sure, if you can ensure that. You'll need to figure out how to get the >> build system to sign the userspace binaries and you'll need to ensure >> that they're statically linked and don't dlopen anything (including the >> nsswitch modules), but otherwise that should work. >> > > [ CC peter jones ] > > Ok, so even if we build kexec-tools statically with glibc, we have the > issue of name service switch modules. glibc will still do dlopen on > these modules. So what are options now. > > - Sign glibc and associated shared libraries. Do not allow unsigned > shared library to dynamically link with signed executable. > > - Peter mentioned that work with uClibc for kexec-tools. > > I personally think that however hard it is but first option sounds like > a long term solution. We might have more user space processes which > we might have to trust a generic solution will help with that. For example, > we might have to sign and trust qemu at some point of time. > > Are there other ways of handing glibc issue? It needs to be checked but /sbin/kexec should not use any functions that trigger nss switch. No user or password or host name lookup should be happening. This is one part in hardening /sbin/kexec to deal with hostile root users. We need to check crazy things like do the files we open on /proc actually point to /proc after we have opened them. I believe glibc has some code which triggers for suid root applications that we should ensure gets triggered that avoid trusting things like LD_LIBRARY_PATH and company. Eric
