l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2008 Aug 22 11:36

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Linux file/module security proposal.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Linux file/module security proposal.



>>>>> On Fri, 22 Aug 2008 09:37:44 -0700, Bill Broadley <bill@cse.ucdavis.edu> said:

BB> I meant via root.  Does it work on your system by default?

Err...  Not actually sure.  I don't run SELinux by default since I have
a heavy development machine and it doesn't work perfectly (I'm a prime
example of someone who needs a better method for policy tweaking).

I suspect that there is a device I could write to that would let me
trump something in memory not assigned to the current process.  But I'm
not a heavy kernel hacker ;-)

BB> The signed modules has an implementation, and doesn't require the
BB> reboots.

I think I've come off too negative, btw.  I actually *do* want you to
succeed.  I was trying to point out all the things that need to be
thought about :-)  I do think they're all work-around-able.  They just
all need to be done.

One more thought: are you going to allow people to generate private keys
for loading privately compiled modules (preferably offline or on a
different system)?  IE, do you have any kernel modules loaded that
aren't distributed from your distro vendor?  Things like self-compiled
vmware, nvidia, etc drivers need to be signed...  If you only have a
distro key you've locked yourself out too (which is both good and bad).
-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.