On Sun, 2010-11-21 at 16:33 -0500, Mimi Zohar wrote:
> On Sun, 2010-11-21 at 09:56 -0800, Linus Torvalds wrote:
> > On Sun, Nov 21, 2010 at 5:18 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > IMA (and the proposed EVM/IMA-appraisal patches) detects file change
> > > based on i_version. When the file is closed, if the file has changed,
> > > IMA marks the file as needing to be re-measured. Of course this requires
> > > the filesystem to be mounted with iversion. Don't know if this helps.
> >
> > If you only do this at close time, I see a _major_ security hole.
> >
> > The attacker can just write to the file, and keep it open. Ta-daa,
> > everybody who reads it sees the new contents, but your IMA logic is
> > oblivious and thinks it doesn't need to be re-measured.
> >
> > Linus
>
> Not exactly. While the file remains open for write, it doesn't make any
> sense to re-measure the file, as there is nothing preventing the file
> from continuing to change. Any measurement would thus be meaningless.
> Only after the file closes, does it make sense to re-measure. I did not
> mean to imply there isn't any indication of the problem in the
> measurement list, there obviously is.
>
> Mimi
>

To elaborate a bit on Mimi's response - in the case of a malicious program
keeping a file open for write to avoid measurement:

1. as she points out, the reason for i_writecount and i_readcount is to
   detect this "open_writer" problem and log it in both the measurement
   list and in the audit log.

2. the attacker program itself must have been measured before it was
   executed.

dave
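The following is an added example, not code from the thread and not the kernel's IMA implementation: a constructed user-space model of the behaviour discussed above. An inode carries i_version (bumped on every write, as on a filesystem mounted with iversion), i_writecount and i_readcount; re-measurement is deferred to close, and a read of a file that still has an open writer is recorded as an "open_writer" violation rather than silently trusting the stale measurement. The mirror check on write-open while a measured reader exists is included as well. All names (toy_inode, ima_open_read, scenario_*) are hypothetical, and the violation "log" is just a counter standing in for the measurement list and audit log.

```c
/* Added example, not code from the thread or from the kernel's IMA code:
 * a constructed model of i_version based re-measurement plus the
 * open_writer check. All names here are hypothetical. */
#include <string.h>

enum ima_result { IMA_OK = 0, IMA_OPEN_WRITER = 1, IMA_TOMTOU = 2 };

struct toy_inode {
    unsigned long i_version;        /* changes on every write */
    int i_writecount;               /* number of open writers */
    int i_readcount;                /* number of open (measured) readers */
    unsigned long measured_version; /* i_version at last measurement */
    int measured;                   /* a measurement exists */
    int needs_remeasure;            /* set at close if content changed */
    int violations;                 /* constructed stand-in for violation entries */
};

static void toy_inode_init(struct toy_inode *ino) { memset(ino, 0, sizeof *ino); }

/* Stand-in for recording a violation in the measurement list and audit log. */
static void log_violation(struct toy_inode *ino) { ino->violations++; }

/* Measure only when no measurement exists or the file was flagged at
 * close; a fresh measurement records the current i_version. */
static void measure(struct toy_inode *ino) {
    if (!ino->measured || ino->needs_remeasure) {
        ino->measured_version = ino->i_version;
        ino->measured = 1;
        ino->needs_remeasure = 0;
    }
}

/* Read-open while a writer is still present: the measurement cannot be
 * trusted, so an open_writer violation is recorded instead. */
static enum ima_result ima_open_read(struct toy_inode *ino) {
    ino->i_readcount++;
    if (ino->i_writecount > 0) {
        log_violation(ino);
        return IMA_OPEN_WRITER;
    }
    measure(ino);
    return IMA_OK;
}

/* Write-open while a measured reader is present is the mirror case
 * (a time-of-measure / time-of-use violation). */
static enum ima_result ima_open_write(struct toy_inode *ino) {
    enum ima_result r = IMA_OK;
    if (ino->i_readcount > 0) {
        log_violation(ino);
        r = IMA_TOMTOU;
    }
    ino->i_writecount++;
    return r;
}

static void toy_write(struct toy_inode *ino) { ino->i_version++; }

static void ima_close_read(struct toy_inode *ino) { ino->i_readcount--; }

/* On the last writer's close, compare i_version with the measured one
 * and flag the file for re-measurement if it changed. */
static void ima_close_write(struct toy_inode *ino) {
    ino->i_writecount--;
    if (ino->i_writecount == 0 && ino->i_version != ino->measured_version)
        ino->needs_remeasure = 1;
}

/* The "keep it open" scenario: the writer modifies the file and does not
 * close it. The next reader's open is recorded as an open_writer violation. */
static enum ima_result scenario_keep_writer_open(void) {
    struct toy_inode ino;
    toy_inode_init(&ino);
    ima_open_read(&ino); ima_close_read(&ino);   /* initial measurement */
    ima_open_write(&ino);
    toy_write(&ino);
    return ima_open_read(&ino);
}

/* The close-time scenario: once the writer closes, the changed i_version
 * flags the file and the next read re-measures it. Returns the
 * re-measured version, or (unsigned long)-1 if the flag was not set. */
static unsigned long scenario_close_then_read(void) {
    struct toy_inode ino;
    toy_inode_init(&ino);
    ima_open_read(&ino); ima_close_read(&ino);   /* measured at version 0 */
    ima_open_write(&ino);
    toy_write(&ino);
    toy_write(&ino);
    ima_close_write(&ino);
    if (!ino.needs_remeasure) return (unsigned long)-1;
    ima_open_read(&ino);
    return ino.measured_version;
}
```

The two scenario functions are the point of the model: with the writer still open, the reader's open does not reuse the old measurement but produces a violation entry, and once the writer closes, the i_version mismatch flags the file so the next read measures the new content.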