Re: [PATCH v1.2 0/5] IMA: making i_readcount a first class inode citizen (reposting)

On Sun, 2010-11-21 at 09:56 -0800, Linus Torvalds wrote:
> On Sun, Nov 21, 2010 at 5:18 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > IMA (and the proposed EVM/IMA-appraisal patches) detects file change
> > based on i_version. When the file is closed, if the file has changed,
> > IMA marks the file as needing to be re-measured. Of course this requires
> > the filesystem to be mounted with iversion. Don't know if this helps.
> 
> If you only do this at close time, I see a _major_ security hole.
> 
> The attacker can just write to the file, and keep it open. Ta-daa,
> everybody who reads it sees the new contents, but your IMA logic is
> oblivious and thinks it doesn't need to be re-measured.
> 
>                             Linus

Not exactly.  While the file remains open for write, it doesn't make any
sense to re-measure the file, as there is nothing preventing the file
from continuing to change.  Any measurement would thus be meaningless.
Only after the file closes does it make sense to re-measure.  I did not
mean to imply there isn't any indication of the problem in the
measurement list, there obviously is.

Mimi
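The sequence Linus describes, and the "indication in the measurement list" Mimi refers to, modelled as an added Python example (not kernel code from the patch series): a toy inode carries i_version plus reader and writer counts, a read open while a writer is present is recorded as a zero-digest violation entry rather than a measurement, and the file is re-measured once the writer closes. Function and field names are my own; the all-zero digest for violation entries follows IMA's convention, but the rest is deliberately simplified.

```python
import hashlib

ZERO_DIGEST = "0" * 64  # violation entries carry an all-zero digest instead of a hash

class Inode:
    def __init__(self, data=b""):
        self.data = bytearray(data)
        self.i_version = 0            # bumped on every write (filesystem mounted with iversion)
        self.writecount = 0           # writers currently holding the file open
        self.readcount = 0            # readers currently holding the file open
        self.measured_version = None  # i_version at the time of the last measurement

def measure(inode, log, name):
    digest = hashlib.sha256(bytes(inode.data)).hexdigest()
    inode.measured_version = inode.i_version
    log.append((name, digest))

def open_read(inode, log, name="file"):
    if inode.writecount > 0:
        # A writer is present: any digest would be meaningless, so record a violation
        log.append((name + " (open_writers)", ZERO_DIGEST))
    elif inode.measured_version != inode.i_version:
        measure(inode, log, name)
    inode.readcount += 1

def open_write(inode, log, name="file"):
    if inode.readcount > 0:
        # Already measured and in use by a reader: time-of-measure/time-of-use violation
        log.append((name + " (ToMToU)", ZERO_DIGEST))
    inode.writecount += 1

def write(inode, data):
    inode.data[:] = data
    inode.i_version += 1

def close_read(inode):
    inode.readcount -= 1

def close_write(inode):
    inode.writecount -= 1
    if inode.measured_version != inode.i_version:
        inode.measured_version = None  # changed while open: force re-measurement on next read

def scenario():
    """Write and keep the file open, let someone read it, then close the writer."""
    log, ino = [], Inode(b"original")           # constructed sample content
    open_read(ino, log); close_read(ino)        # baseline measurement
    open_write(ino, log); write(ino, b"tampered")  # writer keeps the file open...
    open_read(ino, log); close_read(ino)        # ...reader sees new data: violation logged
    close_write(ino)
    open_read(ino, log); close_read(ino)        # after close: re-measured with the new digest
    return log
```

Running scenario() yields three log entries: the baseline digest, a zero-digest open_writers violation for the read that happened while the writer held the file, and a fresh digest after the writer closed.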
