From owner-freebsd-stable@FreeBSD.ORG Thu Apr 10 14:39:58 2008
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE7661065670; Thu, 10 Apr 2008 14:39:58 +0000 (UTC) (envelope-from kris@FreeBSD.org)
Received: from weak.local (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F3A588FC27; Thu, 10 Apr 2008 14:39:57 +0000 (UTC) (envelope-from kris@FreeBSD.org)
Message-ID: <47FE26BC.3000305@FreeBSD.org>
Date: Thu, 10 Apr 2008 16:39:56 +0200
From: Kris Kennaway
User-Agent: Thunderbird 2.0.0.12 (Macintosh/20080213)
MIME-Version: 1.0
To: Peter Wemm
References: <47F3DA07.4020209@forrie.com> <20080402203859.GB80314@slackbox.xs4all.nl> <20080403164108.GA12190@slackbox.xs4all.nl> <20080404165541.GA675@slackbox.xs4all.nl>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@freebsd.org, Ivan Voras
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 10 Apr 2008 14:39:58 -0000

Peter Wemm wrote:
> On Fri, Apr 4, 2008 at 9:55 AM, Roland Smith wrote:
>> On Fri, Apr 04, 2008 at 10:58:40AM +0200, Ivan Voras wrote:
>> > >> Signing binaries could be naturally tied in with securelevel, where some
>> > >> securelevel (1?) would mean kernel no longer accepts new keys.
>> > >
>> > > If you set the system immutable flag on the binaries, you cannot modify them at
>> > > all at securelevel >0. Signing the binaries would be pointless in that case.
>> >
>> > I think these are separate things. Modifying binaries is separate from
>> > introducing new binaries. SCHG would prevent the former, but not the latter.
>>
>> If you set the SCHG flag on the directories in $PATH, you can't put
>> anything new there as well.
>
> There's nothing magical about $PATH. A person could put a malicious
> binary in /tmp or $HOME and run it with /tmp/crashme or whatever.
> Sure, you could set SCHG on every single writeable directory on the
> system to prevent any files being created. MNT_NOEXEC might be an
> option. The existence of script languages or even scriptable binaries
> does diminish the strength of a lockdown, but it depends on what
> you're trying to achieve. eg: If you're trying to prevent your users
> from downloading a self-built irc client or bot and running it, then
> yes, requiring signed binaries would be useful.
>
> In any case, there are legitimate uses for signed binaries. But I'm
> not volunteering to do it.

csjp@ had a mac_chkexec module that looks like it was never committed.

http://groups.google.com/group/mailing.freebsd.hackers/msg/074eec7def84c52b

Shouldn't be hard to update it.

Kris
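The lockdown the thread circles around (SCHG on the $PATH directories, noexec on user-writable mounts such as /tmp and $HOME, and a raised securelevel so the flags stick) is easy to configure partially and then forget about. The audit helper below is an added example, not code from the thread, from FreeBSD or from the mac_chkexec module; it parses text in the format of FreeBSD's `ls -lod`, `mount -p` and `sysctl kern.securelevel`, so it can be fed live output on a FreeBSD host, but the sample output embedded here is constructed and the mount points named in it are hypothetical.

```shell
#!/bin/sh
# Added example: audit which parts of the SCHG/noexec/securelevel lockdown
# discussed in the thread are actually in place. Input is text in the
# format of FreeBSD's `ls -lod`, `mount -p` and `sysctl kern.securelevel`.

# Constructed sample of `ls -lod $PATH-dir ...`: field 5 is the file-flags
# column ("-" when no flags are set), field NF the directory name.
SAMPLE_LS='drwxr-xr-x  2 root  wheel  schg  1024 Apr 10  2008 /bin
drwxr-xr-x  2 root  wheel  schg  2048 Apr 10  2008 /usr/bin
drwxrwxr-x  2 root  wheel  -      512 Apr 10  2008 /usr/local/bin'

# Constructed sample of `mount -p` (fstab-style): field 2 is the mount
# point, field 4 the comma-separated mount options.
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1d /tmp ufs rw,nosuid 2 2
/dev/ad0s1e /usr ufs rw 2 2
/dev/ad0s1f /home ufs rw,noexec,nosuid 2 2'

# Constructed sample of `sysctl kern.securelevel`.
SAMPLE_SECURELEVEL='kern.securelevel: 1'

# Print each directory whose flags column does not contain "schg":
# these are the $PATH entries where a new binary could still be dropped.
unprotected_path_dirs() {
    printf '%s\n' "$1" | awk '$5 !~ /schg/ { print $NF }'
}

# $1 is `mount -p` output, the remaining arguments are mount points that
# unprivileged users can write to. Print those mounted without noexec.
exec_allowed_mounts() {
    mounts=$1
    shift
    for mp in "$@"; do
        printf '%s\n' "$mounts" | awk -v mp="$mp" '
            $2 == mp && $4 !~ /(^|,)noexec(,|$)/ { print $2 }'
    done
}

# Return 0 when the securelevel line reports a level of 1 or higher,
# i.e. when schg flags can no longer be cleared at runtime.
securelevel_enforced() {
    level=$(printf '%s\n' "$1" | awk -F': ' '{ print $2 }')
    [ "${level:-0}" -ge 1 ]
}

# Stand-alone run over the constructed samples.
echo "PATH directories without schg:"
unprotected_path_dirs "$SAMPLE_LS"
echo "Writable mounts without noexec:"
exec_allowed_mounts "$SAMPLE_MOUNTS" /tmp /home
if securelevel_enforced "$SAMPLE_SECURELEVEL"; then
    echo "securelevel >= 1: schg flags are locked in"
else
    echo "securelevel < 1: schg flags can still be cleared"
fi
```

On a real host the three functions would be fed `ls -lod $(echo "$PATH" | tr : ' ')`, `mount -p` and `sysctl kern.securelevel` respectively; the point of the three checks together is Peter's observation that SCHG on $PATH alone proves little, since any writable, executable mount point still lets a user run a binary by absolute path.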