[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 8 Aug 2009 12:34:46 +0200
From: Pavel Machek <pavel@....cz>
To: Eric Paris <eparis@...hat.com>
Cc: Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Tvrtko Ursulin <tvrtko.ursulin@...hos.com>,
Douglas Leeder <douglas.leeder@...hos.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"malware-list@...sg.printk.net" <malware-list@...sg.printk.net>,
"Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
"greg@...ah.com" <greg@...ah.com>,
"jcm@...hat.com" <jcm@...hat.com>, "tytso@....edu" <tytso@....edu>,
"arjan@...radead.org" <arjan@...radead.org>,
"david@...g.hm" <david@...g.hm>,
"jengelh@...ozas.de" <jengelh@...ozas.de>,
"aviro@...hat.com" <aviro@...hat.com>,
"mrkafk@...il.com" <mrkafk@...il.com>,
"alexl@...hat.com" <alexl@...hat.com>,
"hch@...radead.org" <hch@...radead.org>,
"alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
"mmorley@....in" <mmorley@....in>
Subject: Re: fanotify - overall design before I start sending patches
Hi!
> > By the above you're hosed anyway since starting a new one will fail due
> > to there being no daemon, right? Might as well forfeit all security
> > measures once the daemon dies. That is let security depend on there
> > being a daemon connected.
>
> Nope. You should stop calling and thinking of it as a security system.
> As I've said multiple times it is at best an indexing and integrity
> checking system. We fail open. We don't prevent or care about
> malicious local attacks. When a group is evicted everything is going to
> just work. The whole reason for the timeout is because I don't trust
> userspace not to get it wrong and I'd rather not lose my box because of
> it. Yes, the reset I'm proposing allows userspace to screw the
Well, if you are using this for hierarchical storage, then this daemon
will bring the system down.
Face it, you _are_ developing a security system; otherwise features of
fanotify do not make sense. (And you are developing _bad_ security
system).
So... what about just scrapping the open vetoing -- at least from
initial version?
> > Seems like a weird thing to me, suppose you DoS the system on purpose
> > and all clients start getting wonky, you kill them all, and are left
> > with non, then you cannot access any of your files anymore and
> > everything grinds to a halt?
>
> Nope, you DoS the system on purpose all the listeners get evicted, now
> everything else will be able to open/read data without those listeners
> paying attention. When a group is evicted it's evicted. It no longer
> needs to say yes or no.
Yes so I hammer your web server and you loose your antivirus
protection.
> > Like said, having the filesystem block actions based on external
> > processes seems just asking for trouble.
>
> Or it seems like exactly what hierarchical storage management systems
> want....
Timeout does not make sense for hierarchical storage.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists