Date:   Wed, 12 Apr 2017 08:05:34 +0200
From:   Oleksij Rempel <ore@...gutronix.de>
To:     Richard Weinberger <richard@....at>
Cc:     Christoph Hellwig <hch@...radead.org>,
        Oleksij Rempel <o.rempel@...gutronix.de>, dedekind1@...il.com,
        adrian.hunter@...el.com, linux-mtd@...ts.infradead.org,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        kernel@...gutronix.de
Subject: Re: [PATCH v2 2/3] fs: ubifs: update i_version on inode changes

On Tue, Apr 11, 2017 at 11:13:24PM +0200, Richard Weinberger wrote:
> On 11.04.2017 at 18:05, Christoph Hellwig wrote:
> > On Tue, Apr 11, 2017 at 11:50:54AM +0200, Oleksij Rempel wrote:
> >> increment i_version to notify security/IMA about changes
> >> made in inode.
> >>
> >> Signed-off-by: Oleksij Rempel <o.rempel@...gutronix.de>
> > 
> > And how is this stored on disk?
> > 
> 
> Hehe, I was about to ask the same question. :-)

No, it is not stored to the fs.
Heh, I asked myself the same question. On linux-ima-user I found
this post (2009-07-23):
https://sourceforge.net/p/linux-ima/mailman/message/23152923/
---
When an inode entry is removed from dcache, the corresponding iint entry
is removed from the radix tree. Unmounting an fs will cause the inodes,
and by extension iint's, to be freed.  When the fs is remounted, any
file accessed will result in allocating a new iint structure with the
i_version set to 0.
---

The code seems to confirm it. So I assumed that IMA doesn't care if
i_version is stored to disk or not. And i_version is the only way
to notify IMA about inode changes.
Since the IMA documentation explicitly sets i_version as a requirement,
this option was provided as well.

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
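
Added example (not part of the original message, and not kernel code): a simplified user-space C model of the argument in the message above, showing why an in-memory i_version is enough for a cached measurement to be invalidated, and why a fresh iint after eviction forces re-measurement even though the counter is not on disk. All struct and function names are hypothetical, and the model assumes IMA's decision can be reduced to one version comparison on access.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model, NOT kernel code. All names are hypothetical. */
struct iint { unsigned long version; int measured; };  /* per-inode IMA cache entry */
struct inode {
    unsigned long i_version;  /* in-memory change counter, never written to disk */
    int fs_bumps_version;     /* 1 = filesystem increments i_version on change */
    struct iint *iint;        /* NULL until the inode is first checked */
};

static int measurements;      /* how many times the file was (re)measured */

/* A write changes the inode; only a cooperating fs bumps i_version. */
static void fs_write(struct inode *in) { if (in->fs_bumps_version) in->i_version++; }

/* Check on access: measure unless a cached result matches the current version. */
static void ima_check(struct inode *in)
{
    if (!in->iint) in->iint = calloc(1, sizeof(*in->iint)); /* version starts at 0 */
    if (!in->iint) abort();
    if (in->iint->measured && in->iint->version == in->i_version)
        return;                       /* cached measurement treated as valid */
    in->iint->version = in->i_version;
    in->iint->measured = 1;
    measurements++;
}

/* Inode leaves the cache (e.g. unmount): iint is freed, the counter is lost. */
static void evict(struct inode *in) { free(in->iint); in->iint = NULL; in->i_version = 0; }

/* access, write, access, evict + remount, access; returns the measurement count */
static int scenario(int fs_bumps_version)
{
    struct inode in = { 0, fs_bumps_version, NULL };
    measurements = 0;
    ima_check(&in);   /* first access: measured */
    fs_write(&in);
    ima_check(&in);   /* re-measured only if i_version moved */
    evict(&in);
    ima_check(&in);   /* new iint: measured again without any on-disk counter */
    evict(&in);
    return measurements;
}

int main(void)
{
    printf("fs bumps i_version: %d measurements\n", scenario(1));
    printf("fs never bumps it:  %d measurements\n", scenario(0));
    return 0;
}
```

In the model, the filesystem that never bumps i_version skips the measurement after the write, which is the stale-result case the patch is meant to close.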
