| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1249411815.2361.26.camel@dhcp231-106.rdu.redhat.com> Date: Tue, 04 Aug 2009 14:50:15 -0400 From: Eric Paris <eparis@...hat.com> To: John Stoffel <john@...ffel.org> Cc: Valdis.Kletnieks@...edu, Tvrtko Ursulin <tvrtko.ursulin@...hos.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>, "malware-list@...sg.printk.net" <malware-list@...sg.printk.net>, "greg@...ah.com" <greg@...ah.com>, "jcm@...hat.com" <jcm@...hat.com>, Douglas Leeder <douglas.leeder@...hos.com>, "tytso@....edu" <tytso@....edu>, "arjan@...radead.org" <arjan@...radead.org>, "david@...g.hm" <david@...g.hm>, "jengelh@...ozas.de" <jengelh@...ozas.de>, "aviro@...hat.com" <aviro@...hat.com>, "mrkafk@...il.com" <mrkafk@...il.com>, "alexl@...hat.com" <alexl@...hat.com>, "jack@...e.cz" <jack@...e.cz>, "a.p.zijlstra@...llo.nl" <a.p.zijlstra@...llo.nl>, "hch@...radead.org" <hch@...radead.org>, "alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>, "mmorley@....in" <mmorley@....in>, "pavel@...e.cz" <pavel@...e.cz> Subject: Re: fanotify - overall design before I start sending patches On Tue, 2009-08-04 at 14:20 -0400, John Stoffel wrote: > >>>>> "Valdis" == Valdis Kletnieks <Valdis.Kletnieks@...edu> writes: > > Valdis> On Tue, 04 Aug 2009 12:27:48 EDT, Eric Paris said: > >> On Tue, 2009-08-04 at 17:09 +0100, Tvrtko Ursulin wrote: > >> > Would it make more sense to deny on timeouts and then evict? I am thinking it > >> > would be more secure with no significant drawbacks. Also for usages like HSM > >> > allowing it without data being in place might present wrong content to the > >> > user. > >> > >> I'd be willing to go that route as long as noone else complains. > > Valdis> Yes, in my world, "deny on timeout and evict" is the better > Valdis> design decision. For an HSM, you'd rather have a > Valdis> quick-and-ugly death on a failed file open than an app > Valdis> accidentally reading the HSM's stub data thinking it's the > Valdis> original data. > > Speaking as somone who is working slowly to deploy an HSM service, one > thing to note is that when you *do* see the stub file contents, you > know that your HSM is busted somehow. > > How will fanotify deal with this issue? Sorry, I haven't paid enough > attention to this thread though I know I should since it's up my $WORK > alley. fanotify doesn't explicitly deal with it at all. If the HSM implemented as a fanotify listener starts to misbehave and not respond, processes will start to get EACCES. If it misses 10 in a row it'll be evicted and processes will start to see the stubs. -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists