This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Network Security for the Systemtap Client/Server


> The signature on such a module needs to be carried through right
> through to staprun - beyond stap-client - since staprun is the setuid
> piece that must ultimately decide whether to load/run a proposed
> module or not.  It needs to perform the signature verification to
> assure the local system(admin) that the possibly unprivileged user who
> ran stap-client did not mess with the resulting module.
> 
> (Doing all this via the kernel module-signing code in some kernels
> would not be appropriate, according to its author.)

However, carrying a similar signature in a similar fashion could work just
fine.  That is, at build time, add a new ELF section to the .ko file
containing the signature bits.  Then, check this signature against the .ko
file's contents before loading the module.  Our check can be in staprun,
rather than inside the kernel itself as the old modsign scheme does it.

Both the signing phase and the checking phase are pretty easy to implement,
either crudely with scripts around objcopy or fairly cleanly via libelf and
the NSS libraries.


Thanks,
Roland
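
The scheme described in this message, as an added Python example (not code from SystemTap or from the author): a signature carried in its own ELF section and checked before load. The tag covers each section's name, type, flags, size and contents rather than the raw file bytes, because adding the signature section changes the section-name table and the file offsets. Assumptions: the section name `.stap_sig` is hypothetical, HMAC-SHA256 with a constructed key stands in for the NSS public-key signature, and `build_elf` constructs a minimal sample object in place of `objcopy`.

```python
import hashlib, hmac, struct
SIG = b".stap_sig"             # hypothetical section name, not from the thread
KEY = b"constructed-demo-key"  # HMAC stand-in for the server's NSS signing key

def sections(elf):
    """Parse a little-endian ELF64 image into [(name, type, flags, size, data)]."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    entsize, num, strndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", elf, shoff + i * entsize) for i in range(num)]
    def data(h):  # h = (name offset, type, flags, addr, file offset, size)
        if h[1] != 8 and h[4] + h[5] > len(elf):  # type 8 = SHT_NOBITS, no file bytes
            raise ValueError("section data outside file")
        return b"" if h[1] == 8 else elf[h[4]:h[4] + h[5]]
    names = data(hdrs[strndx])
    return [(names[h[0]:names.index(b"\0", h[0])], h[1], h[2], h[5], data(h))
            for i, h in enumerate(hdrs) if i not in (0, strndx)]

def tag(elf):
    """MAC every section but SIG; offsets and the name table change on signing."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name, typ, flags, size, data in sections(elf):
        if name != SIG:
            mac.update(struct.pack("<IIQQ", len(name), typ, flags, size) + name + data)
    return mac.digest()

def build_elf(secs):
    """Constructed sample input: a minimal ELF64 object from [(name, data)]."""
    names = b"\0" + b"".join(n + b"\0" for n, _ in secs) + b".shstrtab\0"
    body, hdrs = b"", [bytes(64)]
    for n, d in secs + [(b".shstrtab", names)]:
        hdrs.append(struct.pack("<IIQQQQIIQQ", names.index(n + b"\0"), 1, 0, 0,
                                64 + len(body), len(d), 0, 0, 1, 0))
        body += d
    ehdr = struct.pack("<7s9xHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 1, 62, 1, 0, 0,
                       64 + len(body), 0, 64, 0, 0, 64, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)

def sign(secs):
    """Build side: compute the tag, then emit the module with it stored in SIG."""
    return build_elf(secs + [(SIG, tag(build_elf(secs)))])

def verify(elf):
    """staprun side: exactly one SIG section whose contents match the tag."""
    try:
        sigs = [d for n, *_, d in sections(elf) if n == SIG]
        return len(sigs) == 1 and hmac.compare_digest(sigs[0], tag(elf))
    except (ValueError, IndexError, struct.error):
        return False
```

A setuid loader using this approach has to load the same in-memory bytes it verified rather than reopening the path, and the HMAC would be replaced by a public-key verification so the checking side holds no signing secret.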


