|
|
Sponsored Content
Top Forums
UNIX for Advanced & Expert Users
"Signed Linux" - Only executing signed programs
Post 302498987 by disaster on Wednesday 23rd of February 2011 03:20:16 AM
02-23-2011
"Signed Linux" - Only executing signed programs
Hey folks,
not sure whether this or the security board is the right forum. If I failed, please move
So here's the problem:
I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.
Any tipps, links, literature, finished programs will be appreciated, thanks
A short idea I had and almost forgot: How difficult is it to change the routine of linux which starts a process in such a way that it will call for every process start a little programm of myself which will then check the program to be executed and - in case of a missing signature - will cancel it?
not sure whether this or the security board is the right forum. If I failed, please move
So here's the problem:
I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.
Any tipps, links, literature, finished programs will be appreciated, thanks
A short idea I had and almost forgot: How difficult is it to change the routine of linux which starts a process in such a way that it will call for every process start a little programm of myself which will then check the program to be executed and - in case of a missing signature - will cancel it?
|
|
We Also Found This Discussion For You
1. Shell Programming and Scripting
Hi All,
i am trying to ssh to a remote machine and execute certain command to remote machine through script.
i am able to ssh but after its getting hung at the promt and after pressing ctrl +d i am gettin the out put as
expect: spawn id exp5 not open
while executing
"expect "$" {... (3 Replies)
Discussion started by: Siddharth shivh
3 Replies
LEARN ABOUT NETBSD
prop_number_create_integer
PROP_NUMBER(3) BSD Library Functions Manual PROP_NUMBER(3) NAME
prop_number, prop_number_create_integer, prop_number_create_unsigned_integer, prop_number_copy, prop_number_size, prop_number_unsigned, prop_number_integer_value, prop_number_unsigned_integer_value, prop_number_equals, prop_number_equals_integer, prop_number_equals_unsigned_integer -- numeric value property object LIBRARY
Property Container Object Library (libprop, -lprop) SYNOPSIS
#include <prop/proplib.h> prop_number_t prop_number_create_integer(int64_t val); prop_number_t prop_number_create_unsigned_integer(uint64_t val); prop_number_t prop_number_copy(prop_number_t number); int prop_number_size(prop_number_t number); bool prop_number_unsigned(prop_number_t number); int64_t prop_number_integer_value(prop_number_t number); uint64_t prop_number_unsigned_integer_value(prop_number_t number); bool prop_number_equals(prop_number_t num1, prop_number_t num2); bool prop_number_equals_integer(prop_number_t number, int64_t val); bool prop_number_equals_unsigned_integer(prop_number_t number, uint64_t val); DESCRIPTION
The prop_number family of functions operate on a numeric value property object type. Values are either signed or unsigned, and promoted to a 64-bit type (int64_t or uint64_t, respectively). It is possible to compare number objects that differ in sign. Such comparisons first test to see if each object is within the valid number range of the other: o Signed numbers that are greater than or equal to 0 can be compared to unsigned numbers. o Unsigned numbers that are less than or equal to the largest signed 64-bit value (INT64_MAX) can be compared to signed numbers. Number objects have a different externalized representation depending on their sign: o Signed numbers are externalized in base-10 (decimal). o Unsigned numbers are externalized in base-16 (hexadecimal). When numbers are internalized, the sign of the resulting number object (and thus its valid range) is determined by a set of rules evaluated in the following order: o If the first character of the number is a '-' then the number is signed. o If the first two characters of the number are '0x' then the number is unsigned. o If the number value fits into the range of a signed number then the number is signed. o In all other cases, the number is unsigned. prop_number_create_integer(int64_t val) Create a numeric value object with the signed value val. Returns NULL on failure. prop_number_create_unsigned_integer(uint64_t val) Create a numeric value object with the unsigned value val. Returns NULL on failure. prop_number_copy(prop_number_t number) Copy a numeric value object. If the supplied object isn't a numeric value, NULL is returned. prop_number_size(prop_number_t number) Returns 8, 16, 32, or 64, representing the number of bits required to hold the value of the object. If the supplied object isn't a numeric value, NULL is returned. prop_number_unsigned(prop_number_t number) Returns true if the numeric value object has an unsigned value. prop_number_integer_value(prop_number_t number) Returns the signed integer value of the numeric value object. If the supplied object isn't a numeric value, zero is returned. Thus, it is not possible to distinguish between ``not a prop_number_t'' and ``prop_number_t has a value of 0''. prop_number_unsigned_integer_value(prop_number_t number) Returns the unsigned integer value of the numeric value object. If the supplied object isn't a numeric value, zero is returned. Thus, it is not possible to distinguish between ``not a prop_number_t'' and ``prop_number_t has a value of 0''. prop_number_equals(prop_number_t num1, prop_number_t num2) Returns true if the two numeric value objects are equivalent. If at least one of the supplied objects isn't a numeric value, false is returned. prop_number_equals_integer(prop_number_t number, int64_t val) Returns true if the object's value is equivalent to the signed value val. If the supplied object isn't a numerical value or if val exceeds INT64_MAX, false is returned. prop_number_equals_unsigned_integer(prop_number_t number, uint64_t val) Returns true if the object's value is equivalent to the unsigned value val. If the supplied object isn't a numerical value or if val exceeds INT64_MAX, false is returned. SEE ALSO
prop_array(3), prop_bool(3), prop_data(3), prop_dictionary(3), prop_object(3), prop_string(3), proplib(3) HISTORY
The proplib property container object library first appeared in NetBSD 4.0. BSD
January 21, 2008 BSD