From: Dave Chinner <david@fromorbit.com>
To: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>
Cc: sandeen@redhat.com, viro@zeniv.linux.org.uk, swhiteho@redhat.com,
tytso@mit.edu, linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
Alan Cox <alan.cox@intel.com>
Subject: Re: [PATCH 1/1] fiemap: move i_op->fiemap() locking to the ioctl_fiemap()
Date: Thu, 27 Sep 2012 22:35:29 +1000
Message-ID: <20120927123529.GU15236@dastard>
In-Reply-To: <CALLzPKYVooqFS9+GUDiqhNoboSOLs51PaiKLses3C6WGReMVTg@mail.gmail.com>
On Thu, Sep 27, 2012 at 10:43:15AM +0300, Kasatkin, Dmitry wrote:
> On Thu, Sep 27, 2012 at 5:12 AM, Dave Chinner <david@fromorbit.com> wrote:
> > On Wed, Sep 26, 2012 at 11:22:14AM +0300, Kasatkin, Dmitry wrote:
> > If I were an attacker, I could easily prevent detection from
> > occurring simply by leaving an open file sitting around. IOWs, open
> > all the files I wanted to modify, read them, drop the page cache and
> > then modify the block device directly. And now the files full of
> > unverified content will now be certified as valid...
> >
>
> That is online attack. You need to be a root to modify block device directly...
> But if you already became a root - game over.
> Online protection is done by access control..
> IMA protects against offline modification..
>
> >> > Seriously, if someone can modify your block device directly then
> >> > you've already lost and no amount of after-the-fact verification
> >> > will save you.
> >>
> >> Are you talking about offline or online modification?
> >> Integrity protection against offline modification..
> >> Online is protected by Access Control...
> >
> > Either. Both. It doesn't matter. Someone modifying the block device
> > directly means they either have already broken your access controls
> > or they have physical access to your machine.
> >
>
> It is different...
> You might have physical access to your machine storage but no root access.
> You could remove storage and plug it to another machine, modify data.
> For example you could add user to /etc/sudoers or change root password.
> But when you plug it back to your machine, IMA verification fails,
> and you will not be able to become a root.
Three words: Full disk encryption.
Besides, you're still missing the obvious attack for both online and
offline attackers: replace the kernel or change kernel command line
parameters to turn off IMA/EVM verification...
> >> Are there any ways to detect that any of the pages have been dropped
> >> from the kernel page cache?
> >
> > I don't think there's any reliable method for detecting that at
> > present.
>
>
> Maybe inode->i_mapping->nrpages counter might indicate that.
> mm/filemap.c does ++ or --
Remove a page, add a page. nr_pages is still the same. Not reliable.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
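The last exchange above is about whether a net page count such as inode->i_mapping->nrpages can tell an integrity checker that cached pages were dropped and re-read between two measurements. The following user-space model, added here as an illustration and not code from the thread or from the kernel, shows why it cannot, and contrasts it with a monotonic eviction counter that would see the churn. All struct and function names below (mapping_model, model_page_add, run_drop_and_refill and so on) are hypothetical; only the nrpages field corresponds to the real counter named in the discussion, and the eviction counter is an assumed design, not something the kernel exposes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model of one inode's address space. It is not
 * a kernel structure; only the nrpages field mirrors the real counter
 * the thread mentions (inode->i_mapping->nrpages). */
struct mapping_model {
    uint64_t nrpages;   /* net number of cached pages, like i_mapping->nrpages */
    uint64_t evictions; /* assumed monotonic counter: pages ever removed */
};

/* A measurement-time snapshot an integrity checker could record. */
struct mapping_snapshot {
    uint64_t nrpages;
    uint64_t evictions;
};

/* Models the ++ in mm/filemap.c when a page is added to the cache. */
void model_page_add(struct mapping_model *m)
{
    m->nrpages++;
}

/* Models the -- when a page is removed; also bumps the monotonic counter. */
void model_page_remove(struct mapping_model *m)
{
    if (m->nrpages == 0)
        return;
    m->nrpages--;
    m->evictions++;
}

struct mapping_snapshot model_snapshot(const struct mapping_model *m)
{
    struct mapping_snapshot s = { m->nrpages, m->evictions };
    return s;
}

/* A check that only compares the net count: blind to remove-then-add. */
bool churn_visible_to_nrpages(const struct mapping_snapshot *s,
                              const struct mapping_model *m)
{
    return m->nrpages != s->nrpages;
}

/* A check on the monotonic counter: any eviction since the snapshot shows. */
bool churn_visible_to_evictions(const struct mapping_snapshot *s,
                                const struct mapping_model *m)
{
    return m->evictions != s->evictions;
}

/* Scenario from the thread: a file with `pages` cached pages is measured,
 * then every page is dropped and read back before the next check.
 * Returns the number of pages cached after the refill and reports what
 * each kind of check observed. */
uint64_t run_drop_and_refill(uint64_t pages, bool *seen_by_nrpages,
                             bool *seen_by_evictions)
{
    struct mapping_model m = { 0, 0 };
    for (uint64_t i = 0; i < pages; i++)
        model_page_add(&m);

    struct mapping_snapshot at_measure = model_snapshot(&m);

    for (uint64_t i = 0; i < pages; i++)   /* cache dropped */
        model_page_remove(&m);
    for (uint64_t i = 0; i < pages; i++)   /* file read back in */
        model_page_add(&m);

    *seen_by_nrpages = churn_visible_to_nrpages(&at_measure, &m);
    *seen_by_evictions = churn_visible_to_evictions(&at_measure, &m);
    return m.nrpages;
}

/* Convenience wrappers so each verdict can be queried on its own. */
bool nrpages_detects_drop_refill(uint64_t pages)
{
    bool by_nr, by_ev;
    run_drop_and_refill(pages, &by_nr, &by_ev);
    return by_nr;
}

bool evictions_detect_drop_refill(uint64_t pages)
{
    bool by_nr, by_ev;
    run_drop_and_refill(pages, &by_nr, &by_ev);
    return by_ev;
}

int main(void)
{
    bool by_nr, by_ev;
    uint64_t n = run_drop_and_refill(4, &by_nr, &by_ev);
    printf("nrpages after refill: %llu\n", (unsigned long long)n);
    printf("churn visible via nrpages: %s\n", by_nr ? "yes" : "no");
    printf("churn visible via eviction counter: %s\n", by_ev ? "yes" : "no");
    return 0;
}
```

The point of the model is the one Dave makes in one line: after a full drop and refill the net count is exactly what it was at measurement time, so any check keyed on nrpages alone reports nothing, while a counter that only ever increases carries the history. Whether such a counter would be worth adding to the kernel is a separate question that the thread does not settle.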