On Sun, Sep 15, 2019 at 11:24 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> > > This still doesn't make it crash-safe. So why is it okay?
> >
> > If Android is the load, this makes it crash safe 99% of the time and
> > that is considerably better than 0% of the time.
> >
>
> Who will use it if it isn't 100% safe?

I suppose anyone using mutable data with IMA appraise should, unless
they have a redundant power supply and a kernel that never crashes.

In a way this is like asking if the ima-appraise should be there for
mutable data at all. All this is doing is that it improves the crash
recovery reliability without taking anything away.

Anyway, I think I'm getting along with my understanding of the page
writeback slowly and the journal support will eventually be there at
least as an add-on patch for those that want to use it and really need
the last 0.n% reliability.

Note that even without that patch you can build ima-appraise based
systems that are 99.999% reliable just by having the patch we're
discussing here. Without it you would be orders of magnitude worse off.
All we are doing is that we give it a fairly good chance to recover
instead of giving up without even trying.

That said, I'm not sure the 100% crash recovery is ever guaranteed in
any Linux system. We just have to do what we can, no?

--
Janne