4.9.20: Run only signed application
Hello,
My embedded PC is running vanilla 4.9.20(x64) + busybox. I have a new requirement: Linux can run only busybox utilities (e.g ls) and only specific applications signed offline by me. Is it possible ? If yes - What part in kernel is responsible for running applications ? My idea is to add a little code that can decide which application to run. Thank you, Zvika |
Quote:
Especially since you've asked about user space, signed applications, launching applications in different sessions, etc., etc. What have you actually DONE and TRIED to make your idea work??? Can do things like this with basic user permissions, sudo, etc., not to mention simply writing your own shell interpreter. At what point are you going to be able to apply anything you've been told in the past? |
Hi TBOne,
I did not implement my idea because I do not know how. This is the reason I asked the question. I developed few kernel modules - so what ? It does not mean that I'm Linus Torvalds. The part in kernel responsible for running applications is the process manager. Does it make sense to add code to this manager ? Thank you, Zvika |
Quote:
After fifteen years being a developer, do you seriously have NO IDEAS AT ALL on how to write code to do what you want??? You AGAIN don't describe fully what you need/want, but if this is your job and your 'requirement', and you have a 'team' working on custom hardware, you should easily know your full environment, what you have to work with, and be able to discuss things with your 'team' to come up with ideas. Have you done that??? |
Hi TBOne,
The signed application should run automatically upon boot completion. Currently it runs from /etc/init.d/rcS (not signed) So I'm not sure writing my own shell interpreter will help. Thank you, Zvika |
Quote:
If this application is only ever going to be run by the system at boot, then you should have MANY ideas on how to check its validity. Especially after fifteen years working with low-level code, right??? Since you *AGAIN* tell us nothing about the system, what it is/does, what this mystery application is, language it's written in, etc., why do you expect us to continue to play guessing games??? YOU are the developer; YOU wrote the code; YOU know what you want it to do, and YOU won't tell us anything about this system, despite us asking for YEARS now. You and your 'team' should be able to figure something out. |
Hi TBOne,
The executable is a C++ application. I know how to check the validity of the signed binary file (compiled by Intel compiler) But I want that the system can run only this application. If an attacker copies another application into the system's disk that was not created by me, it will not run. Thank you, Zvika |
Quote:
What are you expecting people here to tell you when we have no information about your system, hardware, software, OS, etc. All of it is custom and you refuse to answer questions about it. This needs to be figured out by you and your team...there is NOTHING anyone can tell you, since you won't answer questions or pay attention to what you're being told. ::EDIT:: Since you've apparently carpet-bombed other forums with this same question, why don't you take those other similar answers as well??? |
Yes, I just don't understand.
As far as I see they should run after the boot is completed, automatically. And who has access to that computer? You can simply deny to log in to anyone, except you, and in that case nobody will use that host. |
Quote:
|
pan64 - Thank you for your reply.
TBOne - The CPU in the PC is Intel's Pentium M. Legacy BIOS. Using iptables, I plan to block all IP protocols (e.g ping, ssh, telnet) But this can be hacked by attacker. Am I wrong ? Thank you, Zvika |
I just don't understand you. What is it all about? You need to switch off all the ports/protocols you don't use. But you can't block if they are really in use. Anyway. without knowing some useful details hard to say anything.
|
Quote:
Quote:
If someone can get to the console at power-on, they can do whatever they want, including booting it from a USB stick, and mounting the hard drive to do whatever they want, right??? Your question keeps changing and you don't ask something clearly. Why don't you work with your 'team' and figure out a solution, since you won't tell anyone here any meaningful details. |
All times are GMT -5. The time now is 04:26 AM. |