Re: Should mprotect(..., PROT_EXEC) be checked by IMA?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2019-04-03 at 09:10 -0400, Stephen Smalley wrote:
> On 4/3/19 7:57 AM, Mimi Zohar wrote:

> > Let's separate the different types of attacks.  From an IMA
> > perspective, memory attacks are out of scope.  That leaves mmap'ed
> > files, possibly just mmap'ed shared files.  Currently IMA can be
> > configured to verify a file's integrity, based on signatures, being
> > mmap'ed execute.  Assuming that not all files opened require a file
> > signature, a file could be mmap'ed read/write and later changed to
> > execute to circumvent the mmap'ed execute signature requirement.  If
> > the existing LSMs are able to prevent this sort of attack, we could
> > just document this requirement.
> 
> I guess I don't understand why IMA isn't already being called from 
> security_file_mprotect(). security_file_mprotect() could just call 
> ima_file_mmap(vma->vm_file, prot) if all of the security hooks pass.
> 
> SELinux can be used to prevent unauthorized mprotect PROT_EXEC but it 
> won't perform a measurement of the file if it is allowed by policy.

>From a measurement perspective, this will at least measure the file,
but the call to ima_file_mmap() will verify the file signature against
the file, not what is currently in memory, right?

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux