On Thu, Sep 27, 2012 at 10:43:15AM +0300, Kasatkin, Dmitry wrote: > On Thu, Sep 27, 2012 at 5:12 AM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > > On Wed, Sep 26, 2012 at 11:22:14AM +0300, Kasatkin, Dmitry wrote: > > If I were an attacker, I could easily prevent detection from > > occurring simply by leaving an open file sitting around. IOWs, open > > all the files I wanted to modify, read them, drop the page cachend > > then modify the block device directly. And now the files full of > > unverified content will now be certified as valid... > > > > That is online attack. You need to be a root to modify block device directly... > But if you already became a root - game over. > Online protection is done by access control.. > IMA protects against offline modification.. > > >> > Seriously, if someone can modify your block device directly then > >> > you've already lost and no amount of after-the-fact verification > >> > will save you. > >> > >> Are you talking about offline or online modification? > >> Integrity protection against offline modification.. > >> Online is protected by Access Control... > > > > Either. Both. It doesn't matter. Someone modifying the block device > > directly means they either have already broken your access controls > > or they have physical access to your machine. > > > > It is different... > You might have physical access to your machine storage but no root access. > You could remove storage and plug it to another machine, modify data. > For example you could add user to /etc/sudoers or change root password. > But when when you plug it back to your machine, IMA verification fails, > and you will not be able to become a root. Three words: Full disk encryption. Besides, you're still missing the obvious attack for both online and offline attackers: replace the kernel or change kernel command line parameters to turn off IMA/EVM verification... > >> Are there any ways to detect that any of the pages have been dropped > >> from the kernel page cache? > > > > I don't think there's any reliable method for detecting that as > > present. > > > May be inode->i_mapping->nrpages counter might indicate that. > mm/filemap.c does ++ or -- Remove a page, add a page. nr_pages is still the same. Not reliable. Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
