Re: [PATCH 1/3] IMA: move read/write counters into struct inode
From: John Stoffel
Date: Wed Oct 20 2010 - 09:11:31 EST
>>>>> "Mimi" == Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:
Mimi> On Tue, 2010-10-19 at 18:28 +0100, Al Viro wrote:
>> On Tue, Oct 19, 2010 at 10:03:48AM -0700, Linus Torvalds wrote:
>> > On Tue, Oct 19, 2010 at 9:55 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>> > >
>> > > a) i_writecount is about VM_DENYWRITE, basically. ?Reusing it for ima could
>> > > get unpleasant; when it's positive, we are fine, but it can get negative as
>> > > well. ?IMA will have interesting time dealing with that.
>> > >
>> > > b) i_count is simply a refcount for struct inode. ?Not exactly the number
>> > > of dentries, but that's the main contributor. ?Basically, that's "how many
>> > > pointers outside of inode hash chains point that that struct inode at the
>> > > moment".
>> >
>> > My question was deeper. More along the lines of "why would IMA care?"
>> >
>> > How/why could IMA ever care about the pointless and trivial
>> > differences between its current private open/read/write counts and the
>> > counts that we already maintain?
>> >
>> > Yes, yes, I realize that they have technical differences in what they
>> > count. That's not the question. The question is "Why would IMA care?"
Mimi> The filesystem prevents files being executed from being opened
Mimi> for write. The same guarantees that the file won't change,
Mimi> obviously, doesn't exist for files being opened for read. Thus
Mimi> measuring a file opened for read that has already been open for
Mimi> write, has no meaning. Unfortunately, since the inode counters
Mimi> don't provide this information, IMA maintains a separate set of
Mimi> counters.
Does this mean I can't replace /bin/sh on a running system using IMA
at all, even if just one process has it opened and is running? So how
the hell am I supposed to do live upgrades on a system?
Currently, /bin/sh gets replaced with the newer, better (for some
value of better :-) version, while currently running users aren't
impacted at all. New users pick up the new binary.
Gah! The only way to upgrade such a system would look be via a
reboot. Not very nice at all... or can the root user disable IMA,
upgrade a binary, then re-start IMA on a system?
So how does this improve security if root is compromised?
John
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/