From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
Date: Tue, 29 Aug 2023 13:09:04 +0000 [thread overview]
Message-ID: <bug-28204-10460-1z3LqjCUaX@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-28204-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=28204
--- Comment #28 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Ryan Goldberg from comment #27)
> (In reply to Mark Wielaard from comment #24)
> > BTW. How does this interact with the "section" queries?
> Since these aren't ima verifiable anyways wdyt of just skipping verification
> all together (i.e treat that query in the same way as the ignore policy)
Assuming ima verification is so one can be sure bits are what a distro really
distributes I don't think a default to ignore policy is useful. I think in
enforcing mode there is no good way to fetch just the section data and the
client has to fall back onto requesting the full executable or debuginfo file,
verify the ima signature, and then locally extract the section data (of course
this is somewhat inefficient).
> Tweaking the above to something like:
> 2008 if(NULL != url_ima_policies && ignore !=
> url_ima_policies[committed_to] && NULL == section) { ... }
>
> (In reply to Mark Wielaard from comment #25)
> > Includes an "undefined" policy?
> Just used internally when parsing DEBUGINFOD_URLS
> > Is the k += DATA_SIZE correct? Can't pread return an n < DATA_SIZE?
> Fixed
> > If the cert_paths = strdup (...) fails cert_paths gets assigned a static string?
> Fixed
Thanks. It would be good to post a patch with these fixes (maybe rebased to
current git trunk). So it is more clear what exact change you intent to commit.
> (In reply to Mark Wielaard from comment #26)
> > If we have an permissive mode then I think it should work like the selinux
> > permissive mode.
> > That is, it should always check the signature, but instead of failing with
> > EPERM, it should
> > always produce a warning (whether or not we are in verbose mode or not).
> I would be ok with this kind of permissive mode
This would have my preference too. Or just simply have either an ignore or
enforcing mode.
But from our discussion on irc I think Frank believes it is better to see
permissive mode as a kind of possible checksum mode. I am not sure about that
use case.
Given that we have reliable transports a checksum mode might be something for
the server to do (assuming the server doesn't trust its own storage). The
server could do an ima check before sending any file and simply don't sent it
if the ima check(sum) fails. This then would be independent of the client ima
check (enforced or not).
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2023-08-29 13:09 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 21:11 [Bug debuginfod/28204] New: " fche at redhat dot com
2021-08-12 18:13 ` [Bug debuginfod/28204] " fche at redhat dot com
2021-08-26 20:53 ` mark at klomp dot org
2021-09-08 11:26 ` fche at redhat dot com
2022-06-10 17:19 ` fche at redhat dot com
2022-07-13 19:44 ` rgoldber at redhat dot com
2022-07-14 16:32 ` fche at redhat dot com
2022-07-27 14:52 ` mark at klomp dot org
2022-08-04 19:45 ` rgoldber at redhat dot com
2022-10-20 21:10 ` mark at klomp dot org
2022-10-20 23:11 ` mark at klomp dot org
2023-07-06 19:49 ` rgoldber at redhat dot com
2023-07-23 21:05 ` mark at klomp dot org
2023-07-23 21:07 ` mark at klomp dot org
2023-07-23 21:08 ` mark at klomp dot org
2023-07-23 21:57 ` mark at klomp dot org
2023-07-23 22:23 ` mark at klomp dot org
2023-07-31 14:27 ` rgoldber at redhat dot com
2023-08-02 16:37 ` mark at klomp dot org
2023-08-07 17:04 ` fche at redhat dot com
2023-08-09 18:17 ` rgoldber at redhat dot com
2023-08-17 15:39 ` mark at klomp dot org
2023-08-17 16:25 ` rgoldber at redhat dot com
2023-08-25 15:00 ` mark at klomp dot org
2023-08-25 15:21 ` rgoldber at redhat dot com
2023-08-25 15:24 ` mark at klomp dot org
2023-08-25 16:43 ` mark at klomp dot org
2023-08-26 22:25 ` mark at klomp dot org
2023-08-28 14:40 ` rgoldber at redhat dot com
2023-08-29 13:09 ` mark at klomp dot org [this message]
2024-06-03 15:28 ` fche at redhat dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-28204-10460-1z3LqjCUaX@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=elfutils-devel@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).