From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Chinner Subject: Re: [PATCH 1/1] fiemap: move i_op->fiemap() locking to the ioctl_fiemap() Date: Thu, 27 Sep 2012 22:35:29 +1000 Message-ID: <20120927123529.GU15236@dastard> References: <20120921225910.GB20960@dastard> <20120924091811.GH20960@dastard> <20120925015638.GT11511@dastard> <20120927021211.GI15236@dastard> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: sandeen@redhat.com, viro@zeniv.linux.org.uk, swhiteho@redhat.com, tytso@mit.edu, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com, Alan Cox To: "Kasatkin, Dmitry" Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-security-module-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Thu, Sep 27, 2012 at 10:43:15AM +0300, Kasatkin, Dmitry wrote: > On Thu, Sep 27, 2012 at 5:12 AM, Dave Chinner wrote: > > On Wed, Sep 26, 2012 at 11:22:14AM +0300, Kasatkin, Dmitry wrote: > > If I were an attacker, I could easily prevent detection from > > occurring simply by leaving an open file sitting around. IOWs, open > > all the files I wanted to modify, read them, drop the page cachend > > then modify the block device directly. And now the files full of > > unverified content will now be certified as valid... > > > > That is online attack. You need to be a root to modify block device directly... > But if you already became a root - game over. > Online protection is done by access control.. > IMA protects against offline modification.. > > >> > Seriously, if someone can modify your block device directly then > >> > you've already lost and no amount of after-the-fact verification > >> > will save you. > >> > >> Are you talking about offline or online modification? > >> Integrity protection against offline modification.. > >> Online is protected by Access Control... > > > > Either. Both. It doesn't matter. Someone modifying the block device > > directly means they either have already broken your access controls > > or they have physical access to your machine. > > > > It is different... > You might have physical access to your machine storage but no root access. > You could remove storage and plug it to another machine, modify data. > For example you could add user to /etc/sudoers or change root password. > But when when you plug it back to your machine, IMA verification fails, > and you will not be able to become a root. Three words: Full disk encryption. Besides, you're still missing the obvious attack for both online and offline attackers: replace the kernel or change kernel command line parameters to turn off IMA/EVM verification... > >> Are there any ways to detect that any of the pages have been dropped > >> from the kernel page cache? > > > > I don't think there's any reliable method for detecting that as > > present. > > > May be inode->i_mapping->nrpages counter might indicate that. > mm/filemap.c does ++ or -- Remove a page, add a page. nr_pages is still the same. Not reliable. Cheers, Dave. -- Dave Chinner david@fromorbit.com