>>>>> "Mimi" == Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes: Mimi> On Tue, 2010-10-19 at 18:28 +0100, Al Viro wrote: >> On Tue, Oct 19, 2010 at 10:03:48AM -0700, Linus Torvalds wrote: >> > On Tue, Oct 19, 2010 at 9:55 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: >> > > >> > > a) i_writecount is about VM_DENYWRITE, basically. ?Reusing it for ima could >> > > get unpleasant; when it's positive, we are fine, but it can get negative as >> > > well. ?IMA will have interesting time dealing with that. >> > > >> > > b) i_count is simply a refcount for struct inode. ?Not exactly the number >> > > of dentries, but that's the main contributor. ?Basically, that's "how many >> > > pointers outside of inode hash chains point that that struct inode at the >> > > moment". >> > >> > My question was deeper. More along the lines of "why would IMA care?" >> > >> > How/why could IMA ever care about the pointless and trivial >> > differences between its current private open/read/write counts and the >> > counts that we already maintain? >> > >> > Yes, yes, I realize that they have technical differences in what they >> > count. That's not the question. The question is "Why would IMA care?" Mimi> The filesystem prevents files being executed from being opened Mimi> for write. The same guarantees that the file won't change, Mimi> obviously, doesn't exist for files being opened for read. Thus Mimi> measuring a file opened for read that has already been open for Mimi> write, has no meaning. Unfortunately, since the inode counters Mimi> don't provide this information, IMA maintains a separate set of Mimi> counters. Does this mean I can't replace /bin/sh on a running system using IMA at all, even if just one process has it opened and is running? So how the hell am I supposed to do live upgrades on a system? Currently, /bin/sh gets replaced with the newer, better (for some value of better :-) version, while currently running users aren't impacted at all. New users pick up the new binary. Gah! The only way to upgrade such a system would look be via a reboot. Not very nice at all... or can the root user disable IMA, upgrade a binary, then re-start IMA on a system? So how does this improve security if root is compromised? John -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
