[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <19646.59971.76978.642955@quad.stoffel.home>
Date: Wed, 20 Oct 2010 09:10:27 -0400
From: "John Stoffel" <john@...ffel.org>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: Al Viro <viro@...IV.linux.org.uk>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, hch@...radead.org,
Mimi Zohar <zohar@...ibm.com>, warthog9@...nel.org,
david@...morbit.com, jmorris@...ei.org, kyle@...artin.ca,
hpa@...or.com, akpm@...ux-foundation.org, mingo@...e.hu
Subject: Re: [PATCH 1/3] IMA: move read/write counters into struct inode
>>>>> "Mimi" == Mimi Zohar <zohar@...ux.vnet.ibm.com> writes:
Mimi> On Tue, 2010-10-19 at 18:28 +0100, Al Viro wrote:
>> On Tue, Oct 19, 2010 at 10:03:48AM -0700, Linus Torvalds wrote:
>> > On Tue, Oct 19, 2010 at 9:55 AM, Al Viro <viro@...iv.linux.org.uk> wrote:
>> > >
>> > > a) i_writecount is about VM_DENYWRITE, basically. ?Reusing it for ima could
>> > > get unpleasant; when it's positive, we are fine, but it can get negative as
>> > > well. ?IMA will have interesting time dealing with that.
>> > >
>> > > b) i_count is simply a refcount for struct inode. ?Not exactly the number
>> > > of dentries, but that's the main contributor. ?Basically, that's "how many
>> > > pointers outside of inode hash chains point that that struct inode at the
>> > > moment".
>> >
>> > My question was deeper. More along the lines of "why would IMA care?"
>> >
>> > How/why could IMA ever care about the pointless and trivial
>> > differences between its current private open/read/write counts and the
>> > counts that we already maintain?
>> >
>> > Yes, yes, I realize that they have technical differences in what they
>> > count. That's not the question. The question is "Why would IMA care?"
Mimi> The filesystem prevents files being executed from being opened
Mimi> for write. The same guarantees that the file won't change,
Mimi> obviously, doesn't exist for files being opened for read. Thus
Mimi> measuring a file opened for read that has already been open for
Mimi> write, has no meaning. Unfortunately, since the inode counters
Mimi> don't provide this information, IMA maintains a separate set of
Mimi> counters.
Does this mean I can't replace /bin/sh on a running system using IMA
at all, even if just one process has it opened and is running? So how
the hell am I supposed to do live upgrades on a system?
Currently, /bin/sh gets replaced with the newer, better (for some
value of better :-) version, while currently running users aren't
impacted at all. New users pick up the new binary.
Gah! The only way to upgrade such a system would look be via a
reboot. Not very nice at all... or can the root user disable IMA,
upgrade a binary, then re-start IMA on a system?
So how does this improve security if root is compromised?
John
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists