| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Oct 2010 09:10:27 -0400 From: "John Stoffel" <john@...ffel.org> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: Al Viro <viro@...IV.linux.org.uk>, Linus Torvalds <torvalds@...ux-foundation.org>, Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, hch@...radead.org, Mimi Zohar <zohar@...ibm.com>, warthog9@...nel.org, david@...morbit.com, jmorris@...ei.org, kyle@...artin.ca, hpa@...or.com, akpm@...ux-foundation.org, mingo@...e.hu Subject: Re: [PATCH 1/3] IMA: move read/write counters into struct inode >>>>> "Mimi" == Mimi Zohar <zohar@...ux.vnet.ibm.com> writes: Mimi> On Tue, 2010-10-19 at 18:28 +0100, Al Viro wrote: >> On Tue, Oct 19, 2010 at 10:03:48AM -0700, Linus Torvalds wrote: >> > On Tue, Oct 19, 2010 at 9:55 AM, Al Viro <viro@...iv.linux.org.uk> wrote: >> > > >> > > a) i_writecount is about VM_DENYWRITE, basically. ?Reusing it for ima could >> > > get unpleasant; when it's positive, we are fine, but it can get negative as >> > > well. ?IMA will have interesting time dealing with that. >> > > >> > > b) i_count is simply a refcount for struct inode. ?Not exactly the number >> > > of dentries, but that's the main contributor. ?Basically, that's "how many >> > > pointers outside of inode hash chains point that that struct inode at the >> > > moment". >> > >> > My question was deeper. More along the lines of "why would IMA care?" >> > >> > How/why could IMA ever care about the pointless and trivial >> > differences between its current private open/read/write counts and the >> > counts that we already maintain? >> > >> > Yes, yes, I realize that they have technical differences in what they >> > count. That's not the question. The question is "Why would IMA care?" Mimi> The filesystem prevents files being executed from being opened Mimi> for write. The same guarantees that the file won't change, Mimi> obviously, doesn't exist for files being opened for read. Thus Mimi> measuring a file opened for read that has already been open for Mimi> write, has no meaning. Unfortunately, since the inode counters Mimi> don't provide this information, IMA maintains a separate set of Mimi> counters. Does this mean I can't replace /bin/sh on a running system using IMA at all, even if just one process has it opened and is running? So how the hell am I supposed to do live upgrades on a system? Currently, /bin/sh gets replaced with the newer, better (for some value of better :-) version, while currently running users aren't impacted at all. New users pick up the new binary. Gah! The only way to upgrade such a system would look be via a reboot. Not very nice at all... or can the root user disable IMA, upgrade a binary, then re-start IMA on a system? So how does this improve security if root is compromised? John -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists